VEGA's five points for success in gaining compliance and connection to Secure Government Networks such as GSI and GCSX

“The world is changing around us at an incredible pace due to remarkable technological change. This process can either overwhelm us, or make our lives better and our country stronger. What we can't do is pretend it is not happening.” Prime Minister Tony Blair on commissioning the Transformational Government strategy.

Transformational Government concerns how to best serve UK citizens; providing joined up Government services where and when required whilst providing value-for-money. To survive in this era of accelerating technological change, and to implement the edicts of the Transformational Government strategy, every public sector organisation will have to undergo fundamental technology-enabled change. This article provides a five-point check list for senior managers responsible for developing and delivering a successful Transformational Government change programme.

Ensuring that an organisation can satisfy the information security requirements needed to be an integral part of joined-up government requires informed analysis and consideration. That analysis can reshape organisational policies, processes and procedures, redefine culture and working practices, and inform budget and strategy.

As a guide to those responsible for their organisation’s information assurance (and, consequently, for furthering the Transformational Government agenda), James Henry, a consultant at VEGA Consulting Services Ltd (VEGA), provides a five-point check list as a basis for ICT-enabled organisational change.

Point 1 – Be fully appraised of current Government policy and strategy

Evolving UK Government policy and strategy is leading public service organisations through a significant period of change to achieve efficiency gains through streamlined citizen-centric, ICT-enabled, secure shared services.

Understanding current UK Government policy and strategy will assist you in:

  • Understanding the measures you should take to deliver ICT-enabled business change
  • Identifying expected business benefits
  • Identifying costs
  • Identifying the scope of change
  • Identifying and managing risks.

A list of the key sources of UK Government policy and strategy can be found in the thought leadership section of the VEGA website.

Point 2 – Ensure board level buy-in and understanding

A board level information assurance champion should be appointed to act as Senior Information Risk Owner (SIRO) for your organisation. This is one of the key recommendations within HMG Security Policy Framework (SPF) V1.0 (refer to mandatory requirement 3).

Your SIRO must agree to terms of reference which clearly define their role and responsibilities with regard to the information assurance of your organisation. Additionally, your SIRO should meet regularly with your organisation’s senior management team and security staff to discuss security policy and develop and maintain a risk managed approach to information assurance. This ensures that information assurance and governance is a recognised board level responsibility which includes the protection and utilisation of all of your organisation’s assets (information, personnel and physical).

Point 3 – Manage your stakeholders

Obtaining stakeholder buy-in to your organisation’s information assurance strategy is critical to its success. Good stakeholder management creates awareness, provides the framework for supporting delivery and assists you in securing budget where resource is scarce and competition is fierce.

Develop a stakeholder communications plan which identifies:

  • Desired buy-in outcomes
  • Audience of stakeholders (internal and external)
  • How best to engage stakeholders
  • How messages are to be communicated
  • Ownership of responsibility for maintaining communications
  • Frequency of communications.

Stakeholders should subsequently be plotted on a stakeholder map prioritised by power and interest. This will assist you in grouping them. Your communications strategy can then focus on key stakeholders whilst ensuring other stakeholders are engaged to the level required.

Failure to gain buy-in from key stakeholders has sealed the fate of many information assurance projects.

Point 4 – Involve the experts

When pursuing an information assurance strategy, you should seek advice from recognised Government and industry experts. Such organisations have faced the same challenges as you, and have valuable lessons and knowledge to share. This will save you time and money, whilst ensuring that the information assurance solutions you plan to implement are fit for purpose and proven across Government.

The organisations you may wish to contact include:

Point 5 – Achieving and evidencing compliance

Recent data losses and public security breaches across Government have placed an increased focus on information assurance. Public sector organisations must comply with centrally defined security policy (e.g. HMG SPF) which defines mandatory minimum security measures.

To connect to a secure Government network (such as GSI, GSE, GSX or GCSX), your organisation must comply with mandatory security controls. Depending on the security impact level of the secure network, your organisation will either have to complete a Code of Connection (CoCo) or produce a Risk Management and Accreditation Document Set (RMADS).

To answer the requirements of a CoCo, you should treat each control like an exam question (answer the question with relevant evidence) and sell your strengths, for example where you already comply with standards such as ISO/IEC 27001:2005 or PCI DSS.

The completion of a RMADS is much more involved. Unless your organisation has significant experience, you should involve a CESG Listed Advisor from the CESG Listed Advisor Scheme (CLAS).

Connection to a secure network will only be authorised once the relevant governing security authority is content that your organisation meets the information assurance requirements of the network you wish to connect to. This ensures that the risk your organisation poses to other organisations on the network is managed.

Once your organisation has been authorised and is connected, you should expect regular audits to ensure that the level of information assurance your organisation has achieved is maintained and, where necessary, improved.

These five points will hopefully act as an aide-mémoire when your organisation starts to consider its connection to a secure Government network. The most important thing to understand is that information security is not just about technology; it is the catalyst for organisational change that encompasses people, training, policy and procedures.

There are many lessons to be learned from previous experience and many opportunities to realise significant improvements with minimal investment. VEGA has been involved in the development of secure Government networks for the past decade, and continues to work across all tiers of Government to deliver secure IT-enabled business change. VEGA has recently supported the Government Connect Programme to assist Local Authorities across England and Wales in gaining GCSX compliance.

James Henry was writing on behalf of VEGA.

VEGA is a professional services company that delivers technology-enabled change in complex environments, often where security and resilience are key.

VEGA is a member of the CESG Listed Advisor Scheme (CLAS), as well as a registered CHECK service provider. VEGA has an established track record of working across Government providing strategic advice and technological expertise to help secure public sector information through the implementation and use of secure Government networks.

More information on VEGA’s work on information assurance-driven organisational change can be found in the In Focus section of this website.

Contact VEGA to help you achieve compliance and connect to Secure Government Networks