#AccreditCamp G-Cloud

Post on 21-Nov-2014

DESCRIPTION

These are the slides and a recording of the audio of #AccreditCamp, held on the 13th February 2012. The recording was taken from the live SlideShare Zipcast stream and is of medium quality; it has been edited for brevity and to remove extraneous sounds.

TRANSCRIPT

Page 1: G-Cloud #AccreditCamp

#AccreditCamp

G-Cloud

Page 2: G-Cloud #AccreditCamp

Agenda

• Welcome & introductions
• G-Cloud overview
• What is accreditation for?
• The process
• Are you ready for accreditation?
• Scoping
• Accreditation and recommendation
• Scenarios
• Questions

Page 3: G-Cloud #AccreditCamp

#accreditcamp

@g_cloud_uk

gcloud.civilservice.gov.uk

[email protected]

Page 4: G-Cloud #AccreditCamp

G-Cloud overview

G-Cloud Framework
- Intention to award notifications have been issued
- Around 1700 services from just under 300 suppliers
- Currently in standstill period

CloudStore
- The catalogue of services and suppliers on the framework will launch later this week

#Buycamp
- 2pm 1/3/12, HM Treasury Building, for potential consumers of G-Cloud services

Assurance of commercial, service management and functional aspects of the services is ongoing

Page 5: G-Cloud #AccreditCamp

Concept of operations

Page 6: G-Cloud #AccreditCamp

What is accreditation for?

Government must make sure the information systems we use will protect the information they handle, and function as and when they need to.  We need to manage the risk to our information assets.

Accreditation is the formal assessment of the system against its information assurance requirements.

Page 7: G-Cloud #AccreditCamp

Why?

Central accreditation will result in a service which can be procured by multiple customers.

We want to do it once, get it right first time, and share the benefits across government.

For suppliers this will mean a reduced time to market and higher return on investment if multiple customers procure the service.

Page 8: G-Cloud #AccreditCamp

The process

Page 9: G-Cloud #AccreditCamp

Stop!  Is your service ready for accreditation?

Before any formal assurance activity is undertaken, the service design is expected to be mature, or at least developed far enough that any security testing is carried out on a design that represents the final service.

If your service is not ready let us know.  You will not be penalised; we will get back in touch when you are ready.

Page 10: G-Cloud #AccreditCamp

Scoping

We will request completion of a 'Security Accreditation Scope' document from suppliers.

• Same on-boarding for services across all impact levels
• Ensures supplier and government resources are not engaged when the service is not ready
• Allows PGAs to agree the appropriate/proportionate scope of your accreditation activities

Suppliers will be contacted in tranches.  When we make contact you should respond within 10 working days, or your service will be moved down the programme work queue.  This is so we can manage our work and maximise use of the CESG team.

Page 11: G-Cloud #AccreditCamp

Security Accreditation Scope (p1)

Page 12: G-Cloud #AccreditCamp

Scoping

Page 13: G-Cloud #AccreditCamp

Accreditation & recommendation

Page 14: G-Cloud #AccreditCamp

Scenarios    

1.  An IL3 service which has been already accredited (but not by PGAs)

2.  An IL3 service with no accreditation

3.  IL2 service, not previously accredited

Page 15: G-Cloud #AccreditCamp

Questions:  

1. Does the data need to be UK hosted?

See the Government ICT Offshoring (International Sourcing) Guidance. There is nothing that prohibits the off-shoring of IL2 information, but there are a number of areas for CIOs to consider when reaching their decisions, such as DPA compliance. Such areas will be considered during the accreditation process.

Page 16: G-Cloud #AccreditCamp

2. Does our datacentre really need to be inspected - will an independent audit certificate do?

IL2: The expectation is that the only site visits required will be those for the ISO/IEC 27001 audit and certification. Any site visits and audit by the PGA or their agents at IL2 will only be used when absolutely required, and it is intended that these will be very much the exception rather than the rule.

At IL3 site visits by the accreditor will be required.

In both cases, the aim is to reduce the need for multiple public sector organisations to carry out their own site visits, but this cannot be excluded as a possibility.

Page 17: G-Cloud #AccreditCamp

?

Page 18: G-Cloud #AccreditCamp

References    

• G-Cloud IA guidance (will be available on the supplier zone)
• Scoping template
• PSN RMARD
• Government ICT Offshoring (International Sourcing) Guidance