For G-Cloud 6 there is a new approach to the security of each service. Suppliers will need to select the most appropriate Security Assertions in response to a set of questions derived from CESG’s Cloud Security Guidance.
As part of our effort to make the process clear and help suppliers prepare, we are sharing the current questions that you will be required to answer, in .csv format, via GitHub. The answers are pre-defined and more than one answer can be selected for a question. The questions may be subject to some amendment before the OJEU notice is published.
The Security Assertions are meant to give buyers better information when making their evaluations, and suppliers will be able to update their Security Assertions at any time during the life of the framework.
Making security clearer
The new Security Approach is a more transparent way for suppliers to assert how they are securing their services and what methods they are using to support that assurance. There is no wrong answer. The approach is designed to let buyers select services with an informed view of the security status of each service.
It is up to the supplier what supporting approach they take and what level of evidence they wish to provide to back up their Assertions. Suppliers can choose whether this evidence is provided by themselves or by an independent third party, and can use third-party certifications as independent validation of their Assertions.
To ensure that suppliers provide correct information, it will be a condition of acceptance onto G-Cloud 6 that they agree to complete the Security Assertions truthfully. To support this, random audits will be conducted on suppliers and services.
In addition, buyers will be able to report any suppliers or services whose Assertions appear to be overstated, and these will then be audited. Where a supplier’s Assertions are found to be incorrect, the supplier will be asked to update their Assertions and supporting approach immediately. If a supplier fails to update their information within a set timescale, they can be removed from the G-Cloud framework.
It is a stated aim of the Government Security Classifications and the Cloud Security Principles that government organisations use pragmatic, proportionate, risk-based assessments of the level of security required for their data. Government organisations have always been responsible for assessing the capability and security of the services they are looking to consume; this has not changed.
The risk appetite of an organisation and the Security Classification of its information are outside the scope of the G-Cloud framework. Please refer to the Security Policy Framework and the Government Security Classifications.
Leading the way
This approach makes security easier for buyers to review. It has been developed for the G-Cloud framework. Other frameworks, such as the Public Services Network (PSN), are being reviewed to see whether a similar approach can be adopted.