Joined Up Gov Security Threatens Local Authorities With Exclusion

There could be plenty of room for security VARs in the public sector before local authorities link up to central government next March.

Earlier this year, the Cabinet Office sent shock waves through the public sector when it announced  it would show “zero-tolerance” to organisations that could not demonstrate full compliance and would immediately disconnect non-compliant networks. This would have widespread financial implications for any offenders as use of the PSN would be mandatory for many financial channels between local government and government offices.

Socitm steps in

The public services professional body Socitm has told its ICT management members to brief their teams on the continuing dialogue between local government and the Cabinet Office over security requirements for connecting to the public service network (PSN) and the implications of non-compliance.

According to a briefing paper issued by Socitm, PSN: Public Services Network, or Perfectly Secure Network?, the seriousness of failure to comply would impact working practices so severely it would require public sector IT chiefs to answer some difficult questions from the highest levels of the local authority management.

The PSN platform for shared services has been designed to provide a single secure network connecting all branches of UK public sector organisations. Individual authorities or partnerships have been charged with connecting their own networks to it to form what the Cabinet Office has called the “network of networks”. The aim is to substantially reduce the cost of communications between the services and toenable new, “joined-up” and shared information-based public services for the benefit of citizens.

The requirement to transmit sensitive data, such as benefits claimants details, through the PSN in order to obtain reimbursement from the Department of Work and Pensions (DWP), effectively mandates many local authorities to fully test and secure their connection to the PSN from their own resources.

The continuing dialogue between the Cabinet Office and the Local Government PSN Seniors team has been critical to achieving a balanced approach to the changes. A Secure Solutions Advisory Group (SAG) is being commissioned and the situation is developing on a “weekly basis”, the briefing said. The SAG will help broker future changes to PSN compliance as risks change and technical solutions mature.

The security issue has overshadowed a five-year initiative from Socitm highlighting the benefits of the PSN to its members.

Before joining the PSN, the Socitm briefing explained, an annually renewable certificate of security compliance to government standards will be required. Although Local Authorities have always had a responsibility to safeguard citizens’ information the PSN requirements have to be fed into these existing measures that already satisfy the authorities’ IT auditors.

This would carry considerable additional costs associated with attaining, demonstrating and maintaining compliance with the information security standards, principally in employee time but possibly in implementing technical changes, , the briefing pointed out.

PSN compliance can also impose restrictions on the sort of flexible working, including “bring your own device” (BYOD) arrangements that has become routine in many local authorities. For example, the briefing says that current practices for many local authorities enable field workers to use mobile devices. Under the new PSN regulations, use of their own devices may no longer be permitted because of the risk of these “unsecured endpoints” allowing unauthorised access to the PSN’s secure assets.

To combat this potential cause of disconnection from the nationwide network, a fix for many authorities would be to create separate networks for PSN-facing systems and their everyday business systems, although Socitm has pointed out that this would be unlikely to remain viable in the long term.

With the end-of-March deadline for compliance looming, there is concern that some local authorities will be unable to make the necessary arrangements in time, or, even if they are, the Cabinet Office will be unable to process their certification in time to prevent disconnection.

An initiative between Socitm , the Local Public Services CIO Council, and the Local Government Association and Solace, has led to a revised compliance regime – although zero-tolerance remains – and further support from the Cabinet Office for local authorities seeking connection. This revision focuses on the culture, communications and processes of PSN to provide a balance of risk and agility within the system

Socitm president Steve Halliday commented, “At the Socitm 2013 conference, the round table session on PSN had 25 times as many attendees as the national superfast broadband session, running at the same time. This is an indicator of the level of concern that local digital leaders have in relation to the impact of PSN compliance.

“It is of the utmost importance to get the PSN story re-focused on the business benefits of the PSN’s core offer; an infrastructure for efficiencies, shared services and collaborative outcomes. It is my hope and optimistic belief that the compliance storm will pass and the benefits will then flow,” he added.

PSN: Public Services Network, or Perfectly Secure Network? is available free of charge to Socitm Insight subscribers.