#AccreditCamp
17 April 2013
G-Cloud
Dave Denton & Mark Smitham

UNCLASSIFIED
Agenda
•   Introductions
•   Programme Update
•   Accreditation
•   Why does G-Cloud conduct Pan-Government Accreditation?
•   Process
•   Scenarios
•   Where and when to find out more
•   Questions
•   References
Introductions

http://gcloud.civilservice.gov.uk

enquiries@gcloud.cabinet-office.gov.uk

@G_Cloud_UK

#AccreditCamp
Programme Update

Our aim is to encourage the adoption of cloud-based services across the Public Sector.

• Phase 1 complete: 1st anniversary; open and competitive marketplace
• 460 suppliers and 3,200+ services provide access to a much wider choice for buyers; we’ve made it a lot easier
• We’ve made it a lot easier for suppliers; we’re levelling the playing field for SMEs
• We’re getting the message out; we’re changing the market for public sector IT
• Giii – expect to see many more services
• But we need to improve and look to make it even easier…

[Chart: Sales £11m+ to end of Feb; SME Vol 80% vol of orders; SME Sales 70% of spend; 75% SMEs]
G-Cloud Frameworks

G-Cloud framework   OJEU        Commencement   Close
Gi                  18/10/11    14/02/12       13/11/12 – Closed
Gii                 23/05/12    26/10/12       27/10/13
Giii                11/01/13    April 2013     April 2014

Services across 4 Lots:
1  Infrastructure as a Service (IaaS)
2  Platform as a Service (PaaS)
3  Software as a Service (SaaS)
4  Specialist Cloud Services (SCS)

Gii Features:
• Framework 12 months
• Framework value up to £100m
• Call offs up to 24 months
What is Accreditation for?
• Government must make sure the information systems we use will
  protect the information they handle, and function as and when they
  need to. Accreditation is the formal assessment of the system
  against its information assurance requirements.
• Security accreditation is required for services which will hold
  information assessed at Business Impact Level profiles 1-1-x/2-2-x,
  3-3-x and above (often described as IL1, IL2 & IL3)
• IL0 services and most Lot 4 services do not need accreditation
Why Pan-Government Accreditation?
• Central accreditation results in a service which can be procured by
  multiple customers
• We want to do it once, get it right first time, and share the benefits
  across government
• For suppliers this will mean a reduced time to market and lower
  cost of accreditation if multiple customers buy the service
• G-Cloud SIRO and PSN SIRO authorise the work of the Public
  Sector Accreditation Board (PSAB) and Pan Government
  Accreditors (PGAs)
Buying services with Pan-Gov Accreditation
• The consuming department still owns the information risk, but can
  rely on the work of trusted IA teams (minimising re-work on
  accreditation)
• The IA team in the consuming Public Sector organisation is given the
  RMADS and RRS. The remaining documentation is available from the
  supplier
• Any service procured without pan-government accreditation is
  purchased at risk to the customer. A supplier can sell an
  unaccredited service, but not to all customers for all requirements
Process
Initiation of Accreditation
• To initiate accreditation suppliers must complete a scoping
  template for each service requiring accreditation
• You should also complete, if relevant, our Data Protection Act
  (DPA) checklist.
• These can be submitted for programme deadlines at 6pm on the
  second Wednesday of each month – next on 8 May 2013.
• All services with templates completed to the necessary quality will
  be put into a pool ready for submission to the Pan Government
  Accreditation service at CESG.  We will look to prioritise
  submissions to the PGAs from this pool based on a number of
  factors, including demand from central HMG departments.
Scoping
• Once your service has been submitted to the Pan Government
  Accreditation service you will work with an assigned PGA to agree
  the scope of your accreditation.
• Once this is agreed, a version of your scoping template with a list of
  required evidence will be signed off by supplier and accreditor
BIL2-2-x Services
• Accreditation of BIL2-2-x services centred on a suitably scoped
  ISO/IEC 27001 certified service
   – Scope agreed with the PGA
   – Scope must be unambiguous and include all elements of the
     service, e.g. onward supply chain and follow-the-moon and
     follow-the-sun operations
   – Certification through bodies recognised by UKAS, or agreed to
     be equivalent to UKAS (see note on EA MLA)
   – Expected to follow sound commercial security practice
   – ‘x’ for availability must be defined by Supplier
BIL3-3-x Services
• Accreditation of BIL3-3-x services uses UK Government IA
  Standards and Guidance
   – Scope agreed with the PGA
   – Detailed IA guidance already available for BIL3 services
   – Expected to be delivered to the Public Sector through the PSN
   – Implementation of technical controls at BIL3-3-x will require
     a higher standard than those at BIL2-2-x, including more robust
     compliance
   – Specific guidance on geographical location; protection of
     communications and data in transit; data at rest, storage and
     object re-use; clearance and checking of staff; site inspections
   – ‘x’ for availability must be defined by Supplier
Data Protection Act and Offshoring
• DPA checklist for suppliers, e.g.
   – guarantees that staff are trained or vetted, wherever they are
      based
   – facilities for rectification, blocking, erasure, destruction
   – guarantees about location of personal data
   – ensure high data protection standards even if data in a country
      with weak or no data protection law
• G-Cloud IA requirements use CIO Council paper on
  offshoring and international sourcing available on the Cabinet
  Office gov.uk website
Is your Service ready to be submitted?
• Before any formal assurance activity is undertaken your service
  design must be in a mature design state, or at least developed to
  a state that means any security testing carried out is on a design
  that represents the final service
• If you are unsure about this contact us to discuss before submitting
  your scoping template.
Process
Is your Service ready to be submitted?
• How long does pan-government accreditation take? It depends on the
  time taken to provide the evidence set... make your preparations early!
• What will it cost? The G-Cloud process is free; the costs incurred are
  those of providing the evidence set and taking any necessary remedial
  actions.
Evidence Set
• You will be required to gather and submit a set of evidence
  requested by the PGA. This could include at minimum:

  RMADS: lightweight RMADS required for BIL 2-2-x; full RMADS required
    for 3-3-x
  Residual Risk Statement: required for both IL2-2-x and IL3-3-x
    systems/services
  Risk Register: required for both IL2-2-x and IL3-3-x systems/services
  ISO/IEC 27001 Certificate, report & improvement notice: required for
    IL2-2-x systems/services
  Security Operating Procedures (relevant to the consumer and/or
    supplier): required for both IL2-2-x and IL3-3-x systems/services
  Other security related documentation, such as IA conditions consumers
    are expected to meet: required for both IL2-2-x and IL3-3-x
    systems/services
  Statement on personal data and a completed DPA questionnaire: required
    for both IL2-2-x and IL3-3-x systems/services
  ITHC (scope and results) and other evidence of assurance (e.g. CPA
    certificate): required for both IL2-2-x and IL3-3-x systems/services,
    though the extent will be less for IL2-2-x systems/services
Evidence Set
• All information to be seen by the Pan Government Accreditor
  (PGA) and their advisors:
   – Risk Management and Accreditation Document Set (RMADS),
   – Residual Risk Statement (RRS),
   – Risk Register,
   – ISO27001 certification documentation
• RRS presented to PSAB and part or all of the remaining
  documentation if needed
IA and Accreditation Approach
• Use a layered, modular, approach to accreditation with maximum
  re-use of IA activities
   – E.g. suppliers can re-use FISMA evidence within ISO/IEC 27001
     certification
• Use assured products where appropriate
• Monitoring of on-going implementation of security controls
Accreditation Scenarios
A service with accreditation from a central HMG
  department and not pan-government yet
• The existing scope and/or List X scope may be a good start for
  pan-government accreditation if it covers the scope and evidence
  set for PGA.
A service with no previous accreditation or PSN connectivity
  that is now targeting IL3 pan-government accreditation
• HMG strongly encourages PSN connectivity
A service with no previous accreditation that is now
  targeting IL2 pan-government accreditation
• Industry best practice underpinned by ISO27001 can be a good
  start, especially if the scope of certification covers PGA scope too.
Accreditation Scenarios
A G-Cloud SaaS offering on another supplier’s PaaS or IaaS
  service
• The SaaS supplier would need to consider what reliance they’re
  placing on the PaaS/IaaS service, and then demonstrate that all
  information risks have been managed appropriately (including
  consideration of off-shoring).
A SaaS supplier hosting their service with a supplier that has
  ISO 27001 certification for their data centre.
• The SaaS supplier will also need to have their own ISO 27001
  certification. In the scope of their certification they can include
  the assurance they are getting from the IaaS provider.
Accreditation Scenarios
Lot 4 services requiring accreditation
• The majority of Lot 4 Specialist Cloud Services do not require
  accreditation.

Suppliers of IL3 services requiring National Security Vetting
• Supplier staff with access to sensitive material on an IL3 service
  must have completed Baseline Personnel Security Standard (BPSS)
  as part of National Security Vetting (NSV).
Questions for Suppliers to consider
• Can you adequately scope your service (follow-the-sun and
  follow-the-moon services, location to country/legal framework)?
   – What is the ‘Service’?
   – Retain the principle of information risk ownership
   – Do you need assured products and services?
   – Think in layers and endpoints
   – Be sure you are clear on the difference between the scope of
     each service
Questions for Suppliers to consider
• What level of assurance can you provide in your service, including
  security products within the service?

• Who can you use to provide independent assurance (UKAS
  certified bodies for ISMSs)?

• How will you demonstrate compliance with the DPA in a cloud
  service operating as a Data Processor?

• How will you assist the consumer with accounting and audit and
  forensic readiness?
Advice that G-Cloud can provide
• Pan-government Accreditation
   – G-Cloud IA Guidance
   – PSN RMARD
   – HMG IA Policy & Guidance, HMG IA Standards
• Access to Reference Material
   – Good Practice Guides: please approach
     CESG Enquiries in the first instance
• Design Review
   – Triggered by HMG PGA accreditor if necessary to agree scope
     after submission to G-Cloud and allocation to PGA.
• National Security Vetting
   – Only possible in exceptional circumstances where a supplier
     does not have sponsorship from another government authority
     and is already providing G-Cloud services to government.
Where & when to find out more
• All guidance and templates available on the G-Cloud website
  accreditation page
• G-Cloud IA Guidance covers:
   – Governance structures
   – Assurance and accreditation approach, re-accreditation triggers
   – Data Protection Act and Offshoring (outside of UK and EEA)
   – Distribution of IA evidence, NDAs
   – Specific Guidance on BIL 2-2-x and 3-3-x services
   – Accreditation scoping template
   – Data Protection Act (DPA) Checklist for Suppliers
• To be updated this summer
Questions
Contacts

http://gcloud.civilservice.gov.uk

enquiries@gcloud.cabinet-office.gov.uk

@G_Cloud_UK

#AccreditCamp
Vertex AI Gemini Prompt Engineering Tips
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

G-Cloud Accreditation Process

  • 1. #AccreditCamp 17 April 2013 G-Cloud Dave Denton & Mark Smitham UNCLASSIFIED
  • 2. Agenda
    • Introductions
    • Programme Update
    • Accreditation
    • Why does G-Cloud conduct Pan-Government Accreditation?
    • Process
    • Scenarios
    • Where and when to find out more
    • Questions
    • References
  • 4. Programme Update
    • Our aim is to encourage the adoption of cloud-based services across the Public Sector
    • Phase 1 complete: 1st anniversary; open and competitive marketplace
    • 460 suppliers and 3,200+ services provide access to a much wider choice for buyers
    • We’ve made it a lot easier for buyers
    • We’ve made it a lot easier for suppliers; we’re levelling the playing field for SMEs
    • We’re getting the message out; we’re changing the market for public sector IT
    • Giii – expect to see many more services
    • But we need to improve and look to make it even easier…
    [Chart: Sales £11m+ to end of Feb; SME volume 80% of orders; SME sales 70% of spend; 75% SMEs]
  • 5. G-Cloud Frameworks
    G-Cloud framework   OJEU       Commencement   Close
    Gi                  18/10/11   14/02/12       13/11/12 – Closed
    Gii                 23/05/12   26/10/12       27/10/13
    Giii                11/01/13   April 2013     April 2014
    Service across 4 Lots:
    1. Infrastructure as a Service (IaaS)
    2. Platform as a Service (PaaS)
    3. Software as a Service (SaaS)
    4. Specialist Cloud Services (SCS)
    Gii Features:
    • Framework 12 months
    • Framework value up to £100m
    • Call offs up to 24 months
  • 6. What is Accreditation for?
    • Government must make sure the information systems we use will protect the information they handle, and function as and when they need to. Accreditation is the formal assessment of the system against its information assurance requirements.
    • Security accreditation is required for services which will hold information assessed at Business Impact Level profiles 1-1-x/2-2-x, 3-3-x and above (often described as IL1, IL2 & IL3)
    • IL0 services and most Lot 4 services do not need accreditation
  • 7. Why Pan-Government Accreditation?
    • Central accreditation results in a service which can be procured by multiple customers
    • We want to do it once, get it right first time, and share the benefits across government
    • For suppliers this will mean a reduced time to market and lower cost of accreditation if multiple customers buy the service
    • G-Cloud SIRO and PSN SIRO authorise the work of the Public Sector Accreditation Board (PSAB) and Pan Government Accreditors (PGAs)
  • 8. Buying services with Pan-Gov Accreditation
    • The consuming department still owns the information risk, but can rely on the work of trusted IA teams (minimising re-work on accreditation)
    • The IA team in the Public Sector consuming organisation is to be given the RMADS and RRS. Remaining documentation is available from the supplier
    • Any service procured without pan-government accreditation is purchased at risk to the customer. A supplier can sell an unaccredited service, but not to all customers for all requirements
  • 10. Initiation of Accreditation
    • To initiate accreditation suppliers must complete a scoping template for each service requiring accreditation
    • You should also complete, if relevant, our Data Protection Act (DPA) checklist.
    • These can be submitted for programme deadlines at 6pm on the second Wednesday of each month – next on 8 May 2013.
    • All services with templates completed to the necessary quality will be put into a pool ready for submission to the Pan Government Accreditation service at CESG. We will look to prioritise submissions to the PGAs from this pool based on a number of factors, including demand from central HMG departments.
  • 11. Scoping
    • Once your service has been submitted to the Pan Government Accreditation service you will work with an assigned PGA to agree the scope of your accreditation.
    • Once this is agreed, a version of your scoping template with the list of required evidence will be signed off by supplier and accreditor
  • 12. BIL2-2-x Services
    • Accreditation of BIL2-2-x services is centred on a suitably scoped ISO/IEC 27001 certified service
      – Scope agreed with the PGA
      – Scope must be unambiguous and include all elements of the service, e.g. onward supply chain and follow-the-moon and follow-the-sun operations
      – Certification through bodies recognised by UKAS, or agreed to be equivalent to UKAS (see note on EA MLA)
      – Expected to follow sound commercial security practice
      – ‘x’ for availability must be defined by the Supplier
  • 13. BIL3-3-x Services
    • Accreditation of BIL3-3-x services uses UK Government IA Standards and Guidance
      – Scope agreed with the PGA
      – Detailed IA guidance already available for BIL3 services
      – Expected to be delivered to the Public Sector through the PSN
      – Implementation of technical controls at BIL3-3-x will require a higher standard than those at BIL2-2-x, including more robust compliance
      – Specific guidance on geographical location; protection of communications and data in transit; data at rest, storage and object re-use; clearance and checking of staff; site inspections
      – ‘x’ for availability must be defined by the Supplier
  • 14. Data Protection Act and Offshoring
    • DPA checklist for suppliers, e.g.
      – guarantees that staff are trained or vetted, wherever they are based
      – facilities for rectification, blocking, erasure, destruction
      – guarantees about location of personal data
      – ensure high data protection standards even if data is in a country with weak or no data protection law
    • G-Cloud IA requirements use the CIO Council paper on offshoring and international sourcing available on the Cabinet Office gov.uk website
  • 15. Is your Service ready to be submitted?
    • Before any formal assurance activity is undertaken your service design must be in a mature design state, or at least developed to a state that means any security testing carried out is on a design that represents the final service
    • If you are unsure about this, contact us to discuss before submitting your scoping template.
  • 17. Is your Service ready to be submitted?
    • How long does pan-government accreditation take? Time to provide the Evidence Set... make your preparations early!
    • What will it cost? The G-Cloud process is free; the costs incurred are to provide the evidence set and take any necessary remedial actions.
  • 18. Evidence Set
    • You will be required to gather and submit a set of evidence requested by the PGA. This could include at minimum:
      – RMADS (lightweight RMADS for BIL 2-2-x; full RMADS for 3-3-x): required for both 2-2-x and 3-3-x systems/services
      – Residual Risk Statement: required for both 2-2-x and 3-3-x systems/services
      – Risk Register: required for 2-2-x systems/services
      – ISO/IEC 27001 certificate, report & improvement notice: required for both 2-2-x and 3-3-x systems/services
      – Security Operating Procedures (relevant to the consumer and/or supplier): required for both 2-2-x and 3-3-x systems/services
      – Other security-related documentation, such as IA conditions consumers are expected to meet: required for both 2-2-x and 3-3-x systems/services
      – Statement on personal data and a completed DPA questionnaire: required for both 2-2-x and 3-3-x systems/services
      – ITHC (scope and results) and other evidence of assurance (e.g. CPA certificate): required for both 2-2-x and 3-3-x systems/services, though the extent will be less for 2-2-x systems/services
  • 19. Evidence Set
    • All information to be seen by the Pan Government Accreditor (PGA) and their advisors:
      – Risk Management and Accreditation Document Set (RMADS),
      – Residual Risk Statement (RRS),
      – Risk Register,
      – ISO27001 certification documentation
    • RRS presented to PSAB, and part or all of the remaining documentation if needed
  • 20. IA and Accreditation Approach
    • Use a layered, modular approach to accreditation with maximum re-use of IA activities
      – E.g. suppliers can re-use FISMA evidence within ISO/IEC 27001 certification
    • Use assured products where appropriate
    • Monitoring of on-going implementation of security controls
  • 21. Accreditation Scenarios
    A service with accreditation from a central HMG department and not pan-government yet
    • The existing scope and/or List X scope may be a good start for pan-government accreditation if it covers the scope and evidence set for PGA.
    A service with no previous accreditation or PSN connectivity that is now targeting IL3 pan-government accreditation
    • HMG strongly encourages PSN connectivity
    A service with no previous accreditation that is now targeting IL2 pan-government accreditation
    • Industry best practice underpinned by ISO27001 can be a good start, especially if the scope of certification covers the PGA scope too.
  • 22. Accreditation Scenarios
    A G-Cloud SaaS offering on another supplier’s PaaS or IaaS service
    • The SaaS supplier would need to consider what reliance they’re placing on the PaaS/IaaS service, and then demonstrate that all information risks have been managed appropriately (including consideration of off-shoring).
    A SaaS supplier hosting their service with a supplier that has ISO 27001 certification for their data centre
    • The SaaS supplier will also need to have their own ISO 27001 certification. In the scope of their certification they can include the assurance they are getting from the IaaS provider.
  • 23. Accreditation Scenarios
    Lot 4 services requiring accreditation
    • The majority of Lot 4 Specialist Cloud Services do not require accreditation.
    Suppliers of IL3 services requiring National Security Vetting
    • Supplier staff with access to sensitive material on an IL3 service must have completed the Baseline Personnel Security Standard (BPSS) as part of National Security Vetting (NSV).
  • 24. Questions for Suppliers to consider
    • Can you adequately scope your service (follow-the-sun, follow-the-moon services, location to country/legal framework)?
      – What is the ‘Service’?
      – Retain the principle of information risk ownership
      – Do you need assured products and services?
      – Think in layers and endpoints
      – Be sure you are clear on the difference between the scope of each service
  • 25. Questions for Suppliers to consider
    • What level of assurance can you provide in your service, including security products within the service?
    • Who can you use to provide independent assurance (UKAS certified bodies for ISMSs)?
    • How will you demonstrate compliance with the DPA in a cloud service operating as a Data Processor?
    • How will you assist the consumer with accounting and audit and forensic readiness?
  • 26. Advice that G-Cloud can provide
    • Pan-government Accreditation
      – G-Cloud IA Guidance
      – PSN RMARD
      – HMG IA Policy & Guidance, HMG IA Standards
    • Access to Reference Material
      – Good Practice Guides: please approach CESG Enquiries in the first instance
    • Design Review
      – Triggered by the HMG PGA accreditor if necessary to agree scope after submission to G-Cloud and allocation to a PGA.
    • National Security Vetting
      – Only possible in exceptional circumstances where a supplier does not have sponsorship from another government authority and is already providing G-Cloud services to government.
  • 27. Where & when to find out more
    • All guidance and templates available on the G-Cloud website accreditation page
    • G-Cloud IA Guidance covers:
      – Governance structures
      – Assurance and accreditation approach, re-accreditation triggers
      – Data Protection Act and Offshoring (outside of UK and EEA)
      – Distribution of IA evidence, NDAs
      – Specific Guidance on BIL 2-2-x and 3-3-x services
      – Accreditation scoping template
      – Data Protection Act (DPA) Checklist for Suppliers
    • To be updated this summer
  • 28. Questions?

Editor’s Notes

  2. http://gcloud.civilservice.gov.uk
  3. What have we done? Creating a marketplace.
     – We’ve made it a lot easier for buyers: no long procurement, no negotiations
     – Simplifying how we buy and deliver services
     – Encouraging innovation – access to a wider choice
     – Encouraging the shift from custom to commodity
     – Changing the culture across the Public Sector
  4. Framework Iterations – G-iii awards, G-iv this summer. New CloudStore. Sales total invoiced over £11m. 59 Accredited services.
  7. Essential cloud characteristics:
     – On-demand self-service: a consumer can unilaterally provision a capability
     – Broad network access: capabilities are available over the network
     – Resource pooling: the provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model
     – Rapid elasticity: capabilities can be rapidly and elastically provisioned
     – Measured service: cloud systems automatically control and optimize resource use
     Service models and what the consumer controls:
     – Software as a Service (SaaS). Control: not much! Not control: underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities
     – Platform as a Service (PaaS). Control: deployed applications and possibly application hosting environment configurations. Not control: underlying cloud infrastructure including network, servers, operating systems, or storage
     – Infrastructure as a Service (IaaS). Control: operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). Not control: underlying cloud infrastructure
  8. Any questions?
     – What are the barriers for you?
     – Who do we/you need to talk to in your organisation?
     – What processes do you need to influence/tweak/develop to allow you to procure through the G-Cloud effectively?
     – What channels/networks should we be exploring and taking advantage of to get the message out there?