
IT Heath Check Scoping guidance

ALPHA DRAFT

Version 0.1

November 2014


Document Information

Project Name: ITHC Guidance
Prepared By: Mark Brett, CLAS Consultant
Document Version No: 0.1
Title: ITHC Guidance Document
Version Date: 10/11/2014
Reviewed By:
Review Date:

Version History

Ver. No. | Ver. Date | Revised By | Description | Filename
0.1 | Nov 2014 | Mark Brett | Initial draft | ITHC Guidance Alpha Draft


1. Table of Contents

1. Table of Contents ... 5
2. Introduction ... 6
2.1. Purpose and Scope ... 6
2.2. Document Structure ... 6
3. Requirements ... 7
4. Service Providers ... 8
5. Scope of Work ... 9
5.1. Introduction ... 9
5.2. Location of Internal Network Testing ... 9
5.3. Network Penetration Test ... 9
5.4. Network Vulnerability Assessment ... 9
5.5. Web Application Security Assessment ... 10
5.6. Server Security Assessment ... 10
5.7. Mobile Device Security Assessment ... 10
5.8. Wireless Security Assessment ... 10
5.9. Home Office / Small Office Assessment ... 10
6. Deliverables ... 11
6.1. High Level Network Schematic ... 11
6.2. ITHC Reports ... 11
7. Example Heat Map showing identified vulnerabilities, by control number from the ITHC report ... 12
Annex A: References ... 13
Annex B: Glossary and Abbreviations ... 14

2. Introduction

2.1. Purpose and Scope

This document provides clarification and ‘good practice’ guidance for performing IT Health Checks (ITHCs) at OFFICIAL for PSN. This includes expectations on ITHC service providers, their scope of work and the quality/structure of any deliverables produced as part of PSN compliance evidence.

This will further assist the Corporate Information Governance Group and support the remedial action plan (RAP). Furthermore, this will greatly assist the PSNA compliance team to be able to normalise and understand the ITHC reports received, which vary greatly in their content, style and value.

The majority of Public Sector Networks are currently accredited to handle protectively marked information at OFFICIAL, but some customers may have a requirement to test their network at higher levels. This guidance applies to ITHC testing at OFFICIAL, based around the ISO/IEC 27001 standard [8].

It is a technical standards document written under the PSN banner, and is intended to support compliance with the corresponding conditions contained in the PSN Code Template [1].

Consequently, the only baseline current requirements identified in this document are those currently contained in the PSN Code Template [1].

Moreover, it should be noted that this standard does not explicitly provide a description of any ITHC requirements for those organisations bound by the HMG Security Policy Framework (SPF) [2]; such organisations must still continue to comply with HMG IA Policy, including relevant controls from the Baseline Countermeasure Set (BCS) and supporting CESG guidance publications.

Similarly, other community-specific requirements (e.g. IGSoC for NHS) should also be followed in those communities in addition to those defined in the PSN Code Template [1].

2.2. Document Structure

This document is structured as follows:

• Section 2 (this section) – the introduction;

• Section 3 – requirements for the ITHC and the PSN IA conditions it supports;

• Section 4 – requirements and guidance for ITHC service providers;

• Section 5 – requirements and guidance for ITHC scopes of work;

• Section 6 – requirements and guidance for ITHC deliverables;

• Section 7 – an example heat map;

• Annex A – the references cited in this document;

• Annex B – abbreviations and glossary of terms.


3. Requirements

The IT Health Check is more than a vulnerability scan. The check is to cover the scope of the consuming and connected network, clearly identifying and testing all relevant network equipment and facilities. This must cover the physical security aspects, equipment rooms, racks and offices, where the PSN is connected and consumed.

The ITHC is required by the customer, to provide an overview highlighting deficiencies and those areas which require improvement. The ITHC is also required by GDS, as part of the IA Compliance documentation set. The ITHC is used by the PSN compliance team as an objective overview of the organisation's physical and technical protection of the PSN connections and their interfacing to the customer's corporate network.

The ITHC needs to cover the entire range of network segments which interface with the PSN, not just individual IP addresses. The scope of the ITHC should be defined by the scope of the network diagram under control DIA.1. We need to clearly see ITHC results for all components on the diagram.

CHE.1 requires a technical vulnerability assessment which covers all of the customer equipment. That means everything from the connection of the CPE (Customer Premises Equipment) to the PCs, laptops and mobile devices, all network equipment, the interfaces between the PSN connected corporate network and any web connections into the PSN connected network are all in scope.

Any boundary devices (routers, gateways and firewalls at the boundary) are in scope. Network equipment and devices on the other side of the boundary devices are out of scope. The diagram and ITHC need to clearly show the scope and exclusions.

PSN IA conditions controls:

Condition: DIA – Network Diagrams & Scope
Control: DIA.1 Network Diagrams & Scope
Obligation: A high level logical network schematic shall be provided to accompany this IA Conditions document. The diagram shall be used to describe the scope for the IA Conditions; it is therefore important to include where possible the following information:

- Diagrammatical representation of services and functionality in place, including defining which ones are PSN services and those that are not.

- Onward connectivity including remote access services and connectivity overseas/offshore.

- Gateway/boundaries functionality.

- Third party connectivity.

Condition: CHE – Compliance Checking
Control: CHE.1 Compliance Checking
Obligation: Organisations shall implement an annual programme of IT Health Checks to validate equipment not provided as part of a PSN service that interacts with PSN services.


4. Service Providers

It is not necessary for an ITHC testing organisation to be CHECK approved to perform an ITHC of OFFICIAL ICT infrastructure.

However, PSN has an expectation that such organisations should deploy testers who are CREST or TIGER SCHEME accredited, and who have a proven track record in this field. We would also urge organisations to seek example reports to ensure that the scope, format and deliverables will be suitable for meeting the PSN IA Conditions at OFFICIAL. They should be able to demonstrate this through reference sites and redacted customer reports.

We would recommend:

• A clear executive summary.

• A clearly annotated network diagram (provided by the customer per control DIA.1); this will have the 10 ToIs listed and colour coded annotation showing: RED: Deficient; AMBER: Deficient but simple fix; GREEN: Compliant.

• A clearly prioritised list of deficiencies with a non-technical explanation (RED/AMBER).

• Clear diagrams and charts to support the customer and the PSN Compliance team in GDS.

• A remedial action plan to meet the deficiencies (RED/AMBER).

We do not consider output from automated testing tools, without a clear business led explanation, to be sufficient or appropriate.

CREST: http://crest-approved.org/

TIGERSCHEME: http://www.tigerscheme.org


5. Scope of Work

5.1. Introduction

The requirement is to meet the relevant controls detailed in the PSN IA Requirements pertaining to services at OFFICIAL.

The ITHC will include an external penetration test for all Internet facing IP addresses and internal network hosts.

We recognise each customer site has a different network infrastructure and varying requirements, so it will be necessary to construct a ‘modular’ pricing structure which will be based on the elements of the Scope of Work. We have suggested the principal test targets below. A generic modular network diagram should be developed, to test against each target.

5.2. Location of Internal Network Testing

Internal network testing should be completed from within the client’s principal locations, and also, where specified, from public access locations such as libraries, contact centres etc.

The principal Targets of Interest (ToI) for testing should include:

ToI1 External Firewall, Gateway and Boundary Security Assessment

ToI2 External Network Penetration Test (websites, access control, remote access, VPN servers, DMZ servers)

ToI3 Onsite Network Penetration Test (Intranet, email gateways, router and firewall access control)

ToI4 Operating System Assessment (patching, configuration and malware protection) of key servers affecting PSN services and network

ToI5 Mobile Device Security Assessment

ToI6 SSL VPN Assessment

ToI7 Wireless Infrastructure Assessment

ToI8 IDS/IDP Assessment

ToI9 Application Security Assessment (including websites and Intranets/Extranets)

ToI10 Physical Security Assessment of server rooms and network equipment racks

5.3. Network Penetration Test

This will be conducted from outside the client’s network, with the intention of assessing the vulnerabilities which an unauthenticated attacker could use to penetrate the network. Typically, this will cover the public facing elements of the network, e.g. web servers, remote access gateways and wireless networks.

5.4. Network Vulnerability Assessment

both manual and automated security testing techniques to identify vulnerabilities within desktops, servers and network infrastructure, which could be exploited from within the organisation.

The Network Vulnerability Assessment will also report, where appropriate, on the organisation’s firewalled connection to the Public Services Network (PSN) and the IA Conditions, especially in relation to remote, home and mobile connections.

5.5. Web Application Security Assessment

This will measure the resilience of an application to withstand attack from unauthorised users and the potential for valid users to abuse their privileges and access rights. This must include all websites, which draw their data and responses from infrastructure within the PSN ITHC scope.

5.6. Server Security Assessment

The Server Security Assessment will provide information as to the resilience of a server system to withstand attack from unauthorised users and the potential for valid users to abuse their privileges and access rights. This will also include the configuration and server patching regime.

5.7. Mobile Device Security Assessment

This will establish the resilience of mobile devices which connect to the client network, i.e. authentication, resident applications and security software, to withstand attack from unauthorised users and the potential for valid users to abuse their privileges and access rights. The organisation’s policy covering mobile device usage and access to the PSN network and services should be included.

5.8. Wireless Security Assessment

This will assess the client network’s wireless infrastructure to identify potential vulnerabilities within the wireless network, and therefore any internal wired networks, against unauthorised access, whilst maintaining appropriate access control for authorised users.

5.9. Home Office / Small Office Assessment

This will assess the suitability and security vulnerabilities of access to the client network from home offices and small remote locations, typically using ADSL. This will include checking the policy and the patching regime for end point devices.


6. Deliverables

6.1. High Level Network Schematic

As part of PSN compliance evidence, there should be a high level network schematic. This should contain enough detail to enable a compliance assessor to understand the customer’s network environment, which is either connected to or consuming a PSN connection or service.

The scope of the diagram will be the PSN connected or consuming environment and the interfaces and inter-connected network boundaries. We would ask that the ITHC report annotates the network diagram prepared as part of control DIA.1, to show which components and ranges were tested, referenced against the findings, to help the customer and the PSN Compliance Team.

6.2. ITHC Reports

The ITHC is expected to produce the following:

• A colour annotated network heat map diagram showing the principal targets of interest (ToI), described previously and their determined status. This should be consistent with the High Level Network Schematic.

• An executive summary that gives a business level summary of the findings and their impact

• A technical summary that prioritises the key areas of risk found

• An analysis of the findings against relevant security good practice

• Details of all testing conducted and the tools and techniques used

• Detailed descriptions of findings for all vulnerabilities identified and an indicative level of risk to the client and/or system assessed along with recommended remedial action

• Additionally, screenshots, tool outputs and other supporting evidence for each vulnerability could be included as an appendix to the report.

• Each component will then, at the end of the test, be colour coded to give an instant visual and numeric representation of the network as a heat map, to assist the SIRO and senior management in understanding the current network status.

• All outputs from testing tools are to be separately provided as annexes, not part of the main report.
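As an added illustration of the colour coded heat map described in section 4 and in the deliverables above (example code, not part of the guidance), the following Python aggregates findings per Target of Interest into the RED/AMBER/GREEN status, and reports any ToI with no recorded result so that coverage gaps against the diagram are visible. The finding records, the `simple_fix` flag and the set of tested ToIs are constructed assumptions.

```python
from collections import Counter

# The ten Targets of Interest (ToI) listed in section 5.2 of the guidance.
TOI = {
    "ToI1": "External firewall, gateway and boundary",
    "ToI2": "External network penetration test",
    "ToI3": "Onsite network penetration test",
    "ToI4": "Operating system assessment",
    "ToI5": "Mobile device security",
    "ToI6": "SSL VPN",
    "ToI7": "Wireless infrastructure",
    "ToI8": "IDS/IDP",
    "ToI9": "Application security",
    "ToI10": "Physical security",
}

# Constructed sample findings; 'simple_fix' is the tester's judgement that feeds AMBER.
FINDINGS = [
    {"id": "F-01", "toi": "ToI1", "simple_fix": False},
    {"id": "F-02", "toi": "ToI4", "simple_fix": True},
    {"id": "F-03", "toi": "ToI4", "simple_fix": True},
    {"id": "F-04", "toi": "ToI9", "simple_fix": False},
]
TESTED = {"ToI1", "ToI2", "ToI3", "ToI4", "ToI5", "ToI9"}  # constructed: ToIs with a result

def rag_status(findings, tested):
    """Colour each ToI: RED deficient, AMBER deficient but simple fix, GREEN compliant;
    a ToI without a recorded result is NOT TESTED (results are needed for all components)."""
    by_toi = {}
    for f in findings:
        by_toi.setdefault(f["toi"], []).append(f)
    status = {}
    for toi in TOI:
        if toi not in tested:
            status[toi] = ("NOT TESTED", 0)
            continue
        items = by_toi.get(toi, [])
        if not items:
            status[toi] = ("GREEN", 0)
        elif all(f["simple_fix"] for f in items):
            status[toi] = ("AMBER", len(items))
        else:
            status[toi] = ("RED", len(items))
    return status

def summary(status):
    """Numeric view of the heat map: how many ToIs carry each colour."""
    return Counter(colour for colour, _ in status.values())
```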


7. Example Heat Map showing identified vulnerabilities, by control number from the ITHC report.


Annex A: References

The following references are used in this document:

[1] PSN Code Template for Code of Interconnection, Code of Practice, Code of Connection

[2] HMG Security Policy Framework

[3] PSN Operating Model

[4] PSN Document Management and Change Control

[5] PSN Compliance

[6] PSN Security Model

[7] HMG Information Assurance Standards No. 1 and 2 (IAS1&2), Information Risk Management

[8] ISO/IEC 27001, Information Security Management Systems – Requirements


Annex B: Glossary and Abbreviations

CESG The National Technical Authority for Information Assurance

ITHC IT Health Check

GCN Government Conveyance Network

GDS Government Digital Service

IA Information Assurance

IAS Information Assurance Standard

ICT Information and Communications Technology

IGSoC Information Governance Statement of Compliance

IL Impact Level

ISMS Information Security Management System

ISO International Standards Organisation

MOD Ministry of Defence

NHS National Health Service

PSN Public Services Network
