We want to share the new security approach process and draft questions that suppliers will need to answer prior to submissions for G-Cloud 6 opening. As this is still an alpha, we welcome your comments and feedback as we continue to make improvements.
Assure, Choose, Reuse
The change to the new Government Security Classification scheme provides an opportunity to refine the security assurance process for G-Cloud services. It’s no longer appropriate to use ‘Impact Levels’ to describe the security properties and assurance of different services. Instead we’ll be adopting the Cloud Security Principles as a fundamental part of G-Cloud security assurance to help buyers make pragmatic decisions based on relevant, transparent and available information.
Due to the increasing number of services and suppliers entering onto the G-Cloud frameworks, and the future inclusion of other digital frameworks under the Digital Marketplace, it’s become unsustainable to process all the submitted services through Pan Government Accreditation.
Responsibility to understand their own security requirements (and therefore which cloud security principles apply) will lie with the buyers. By providing a framework that clearly presents the security attributes of services, and adopting a mantra of Assure, Choose, Reuse we’ll enable increased choice and market availability.
Assure
Suppliers will complete statements asserting how their services meet the Cloud Security Principles. These statements will be used as part of the G-Cloud service description on Digital Marketplace. A number of approaches can be used by the suppliers to support the assertions and provide buyers with confidence. To enforce a consistent approach in completing the statements, a range of predefined assertions has been provided. An additional menu provides suppliers with a predefined list of supporting approaches.
Choose
Buyers will have greater awareness of the security detail of the services in Digital Marketplace. This will improve service comparison and enable pragmatic choice.
Reuse
Suppliers can use existing supporting security assurance evidence, while using additional approaches when new evidence is available. Suppliers will be able to develop an up-to-date portfolio of supporting evidence over the lifetime of the service. Buyers can use the security assurance evidence, according to their business-driven appetite for risk, as part of their own Accreditation and Risk Management process. It’s the intention that qualified risk managers within buying organisations can reuse the risk management work of other buyers to reduce time and effort.
The Process
- When a supplier is accepted on to a G-Cloud framework, they’ll be given secure access to their service descriptions on Digital Marketplace
- For each service, the supplier will need to complete all the security questions. To do this, they must select the relevant pre-defined assertion
- Suppliers must select the appropriate supporting approach to each assertion. The supporting approach must reflect the mechanism and evidence the supplier will use
- Suppliers will be able to update their service description security assertions at any time during the lifespan of the related G-Cloud Framework. Any changes to the security of the service must be reflected in the assertions immediately
Pre-defined assertion answers
To ensure a common level of quality across suppliers and to allow search result filtering on the Digital Marketplace, consistent and relevant assertion statements are required. The supplier assertion statements have predefined answers which are in the form of either yes/no or a short menu of predefined assertion statements.
Quality checks
As with the commercial quality checks that are part of the G-Cloud Framework on-boarding process, a number of random sample checks will be conducted on supplier assertion statements and the corresponding supporting approaches.
For the G6 Framework and onwards, the supplier assertions will be mandatory and considered a declaration as part of the G-Cloud Framework on-boarding process. Any suppliers found maliciously in breach of their assertions can, following investigation by the G-Cloud Authority, be disqualified from the G-Cloud Framework. Any buyers who are consuming the service will be alerted to the breach, and will be advised to move to a new supplier or accept the risk.
Suppliers already on G4 and G5 Frameworks, though not mandated to provide assertions, will have the opportunity to add supplier assertions to their existing service descriptions.
16 comments
Comment by Andy Powell posted on
As far as I can tell, you are proposing to ask 56 questions? And to get 56 answers for each service being listed.
From a supplier's perspective, that is do-able - pretty tedious but definitely do-able. Whether the 56 questions capture everything a buyer needs to know about the service, whether suppliers are capable of answering coherently (honestly?) and whether buyers understand how to interpret the answers is, of course, another matter.
So, for example... I haven't looked at the list in detail but a question like "Do you conduct protective monitoring and analysis to identify suspicious activity?" is not usefully answered with Yes or No without a greater level of precision in the question because the phrase 'protective monitoring' is massively open to interpretation.
Setting that to one side... I can see that, from the data gathering side of things, you have a way forward. Your challenge, is allowing buyers to make use of those 56 data points in a coherent way through the Digital Marketplace UI in order to make informed and appropriate buying decisions. It strikes me that that problem is non-trivial in the extreme. The solution will presumably involve some kind of filtering on search results. Can you provide any detail about how this might work?
Comment by Alan Everitt posted on
Hi Tony
Just sharing with our Compliance Manager. You set yourself any timeframe for end of feed-back?
Comment by Raphaelle Heaf posted on
An initial time frame for feedback is the 23 September in time for G-Cloud 6. Feedback will however be continuously considered as part of user research and to regularly improve the service.
Comment by chris farthing posted on
Will the SSP allow an initial response with the Security Assertion questions answered to be cloned for same security level services on different Service Descriptions, to save having to input the same answer repeatedly on multiple submissions?
Comment by Raphaelle Heaf posted on
At this stage we are not looking at having answers cloned across services, as this may not be the case. In future we will consider features to help make the process clearer, simpler and faster.
Comment by Chris farthing posted on
Thanks Raphaelle. Apologies for the tardy response, I only just checked back! So to be clear, if I, for example, have 15 service descriptions to submit, all variations of IAAS at Official, I am going to have to respond to each question 15 times? That's a lot of extra unnecessary (IMHO) work for an SME.
Chris
Comment by Trevor Wills posted on
Some of the questions are subjective e.g. 'Do the datacentres where your consumer data is located, have suitable physical security?' What is 'suitable'? If the approach is a simple yes/no dropdown list approach then the questions do need to be specific but may lead to many more questions.
Comment by Ian posted on
It's a positively progressive approach and makes for an interesting read. Taking a step back from the compliance detail itself, how will the commercials allow protection for the customer in the case of an error on the Supplier's behalf, where they have made a mistake in their declaration and the service actually has a higher risk profile to the customer than expected, and as a result the service is not suitable? Additionally, what measures will be taken against a supplier who has supplied a service that doesn't meet their self declaration, and can a customer request a third party audit against a supplier's declaration if they have doubts or concerns, and who would then audit this or be liable for the expense to do so (either prior to contracting the service or while the service is in place)?
Comment by Richard Handley posted on
"When a supplier is accepted on to a G-Cloud framework, they’ll be given secure access to their service descriptions on Digital Marketplace"
This suggests that the 56 security Q's per service are going to be able to be answered post award... please can you confirm that is the case, and not during the very short ITT window.
Comment by Raphaelle Heaf posted on
These questions will form part of the submission. However certain queries will be editable after services go live.
Comment by Simon Greig posted on
A few thoughts from having a quick look at the list:
- Some of these questions could have multiple answers. For example: Data Centre location, it could be UK or EU or Safe Harbor. Depending on the service and context it might be that multiple answers apply. For example someone might have one DC in the UK and another in EU. Therefore if you don't want DR then UK is fine, if you need DR then you need DR and EU as an option. How do you differentiate this? Do we have to create separate services to do the differentiation?
- To echo the comment from Andy Powell above, some of these are quite subjective. For example "Do the datacentres where your consumer data is located, have suitable physical security?" What is the definition of "suitable"? One person's assertion might be that locking the door to the server room and putting the key in a combination key safe is suitable physical security whereas someone else might have 24hr CCTV, audited biometric access and guard dog patrols around a dedicated secure data centre. Both suppliers will say "yes" but the buyers will still need to fully audit and review the detail before they make a decision won't they?
- Anywhere it mentions "adequate" or "necessary" needs clarification on what is 'good enough'.
- The availability of the service is going to be hard to differentiate. Everyone could quite correctly say that their target availability is "100% excluding maintenance windows". There needs to be some tighter questions to differentiate those whose maintenance windows are 3 minutes a week from 3 hours every night. Also without some sort of service credit then there is nothing stopping people aiming for 100% availability regardless of their ability to meet that in practice. It is the right question but it needs expanding out a lot more I think.
Broadly though, these look like the right sorts of questions although are very infrastructure oriented.
Also, for anyone who struggled to read the CSV of questions I have created an Excel formatted version here: https://dl.dropboxusercontent.com/u/12483570/G-Cloud-Security-Assertions-Questions-v1.xlsx
Comment by Nick Carter posted on
In the time gap between PGA ceasing and this being published, we generated our own set of questions based on the cloud security principles. These are aimed at suppliers & buyers to complete co-operatively, at the point the buyer wishes to complete a purchase. The questions will shortly be incorporated into our online accreditation tool, as a 'G-Cloud module'. It's noticeable that our questions (and possible answers) are I would suggest, much more detailed and comprehensive than those published here. I suspect that the question set published here may help towards answering our questions, but would not provide the 'fuller picture' that we would like to see for accreditation purposes.
Comment by Andy Powell posted on
Hi Tony,
Where you are asking for feedback I think it would be helpful to 1) be clear what the timescale is (I know this has now been given in the comments but would have been nice to have it up front) and 2) be clear what form you want comments in.
In this case, there are a lot of questions, so feedback is quite detailed. It can't easily be done via comments on a blog post.
In my case, my general feedback is at http://www.eduserv.org.uk/blog/2014/09/22/feedback-on-the-new-g-cloud-security-approach/
My detailed comments on the questions are at https://docs.google.com/a/andypowe11.net/spreadsheets/d/1m7ptdMT-lXt5AC7QlrSze0dJ1KzE235mrlt0KhacdwY/edit?pli=1#gid=0
I wonder if you could have used Ideascale for this process, one 'idea' per question? http://ideascale.com/
This would have allowed people to comment on and vote up/down the different questions, as well as suggesting their own.
Just a thought...
Best
Andy
Comment by Suresh posted on
Where can I download the security assertion questions (csv?) format? Thanks in advance, Suresh
Comment by Raphaelle Heaf posted on
The security questions are incorporated in the questions available here https://github.com/alphagov/supplier-submission-portal/tree/master/conf.
Please can you direct any further queries through the Crown Commercial Service eSourcing portal as part of clarification https://crowncommercialservice.bravosolution.co.uk/web/login.shtml
Comment by Paul posted on
As part of the old security scheme, going via the PGA to get the right level of BIL, part of that was to have a good ISO27001 certification.
Can the fact that companies are audited on a regular basis for ongoing ISO27001 certification be used for an Independent Validation of assertion, if that particular area is audited?
Many thanks for any assistance
Regards
Paul