Content uploaded by Mark Brett
Author content
All content in this area was uploaded by Mark Brett on Nov 21, 2014
Content may be subject to copyright.
IT Heath Check Scoping guidance
ALPHA DRAFT
Version 0.1
November 2014
Page 3 of 14
Document)Information)
Project Name:
ITHC Guidance
Prepared By:
Mark Brett CLAS Consultant
Document Version No:
0.1
Title:
ITHC Guidance
Document Version Date:
10/11/2014
Reviewed By:
Review Date:
Version)History)
Ver.
No.
Ver. Date
Revised By
Description
Filename
0.1
Nov 2014
Mark Brett
Initial draft
ITHC Guidance Alpha Draft
Page 4 of 14
Page 5 of 14
1. Table of Contents
1.!Table of Contents .......................................................................................................................................... 5!
2.!Introduction .................................................................................................................................................... 6!
2.1.!Purpose and Scope .............................................................................................................................. 6!
2.2.!Document Structure ............................................................................................................................. 6!
3.!Requirements ................................................................................................................................................ 7!
4.!Service Providers .......................................................................................................................................... 8!
5.!Scope of Work ............................................................................................................................................... 9!
5.1.!Introduction .......................................................................................................................................... 9!
5.2.!We have suggested the principal test targets below. A generic modular network diagram should be
developed, to test against each target. Location of Internal Network Testing .................................... 9!
5.3.!Network Penetration Test ..................................................................................................................... 9!
5.4.!Network Vulnerability Assessment ....................................................................................................... 9!
5.5.!Web Application Security Assessment ............................................................................................... 10!
5.6.!Server Security Assessment .............................................................................................................. 10!
5.7.!Mobile Device Security Assessment .................................................................................................. 10!
5.8.!Wireless Security Assessment ........................................................................................................... 10!
5.9.!Home Office / Small Office Assessment ............................................................................................ 10!
6.!Deliverables ................................................................................................................................................. 11!
6.1.!High Level Network Schematic .......................................................................................................... 11!
6.2.!ITHC Reports ..................................................................................................................................... 11!
7.!Example Heat Map showing identified vulnerabilities, by control number from the ITHC report. ............... 12!
Annex A: References .......................................................................................................................................... 13!
Annex B: Glossary and Abbreviations ................................................................................................................ 14!
Page 6 of 14
2. Introduction
2.1. Purpose and Scope
This document provides clarification and ‘good practice’ guidance for performing IT Health Checks
(ITHCs) at OFFICIAL for PSN. This includes expectations on ITHC service providers, their scope of
work and the quality/structure of any deliverables produced as part of PSN compliance evidence.
This will further assist the Corporate information Governance Group and support the remedial action
plan (RAP). Furthermore this will greatly assist the PSNA compliance team to be able normalise and
understand the ITHC reports received, which vary greatly in their content, style and value.
The majority of Public Sector Networks are currently accredited to handle protectively marked
information at OFFICIAL, but some customers may have a requirement to test their network at higher
levels. This guidance apply to the ITHC testing at OFFICIAL , based around the ISO/IEC 27001
standard [8].
It is a technical standards document written under the PSN banner, and is intended to support
compliance with the corresponding conditions contained in the PSN Code Template [1].
Consequently, the only baseline current requirements identified in this document are those currently
contained in the PSN Code Template [1].
Moreover, it should be noted that this standard does not explicitly provide a description of any ITHC
requirements for those organisations bound by the HMG Security Policy Framework (SPF) [2]; such
organisations must still continue to comply with HMG IA Policy, including relevant controls from the
Baseline Countermeasure Set (BCS) and supporting CESG guidance publications.
Similarly, other community-specific requirements (e.g. IGSoC for NHS) should also be followed in
those communities in addition to those defined in the PSN Code Template [1].
2.2. Document Structure
This document is structured as follows:
• Section 1 (this section) – the introduction;
• Section 3 – requirements and guidance for ITHC service providers;
• Section 4 – requirements and guidance for ITHC scopes of work;
• Section 5 – requirements and guidance for ITHC deliverables;
• Annex A – the references cited in this document;
• Annex B – abbreviations and glossary of terms;
Page 7 of 14
3. Requirements
The IT Health Check is more than a vulnerability scan , The check is to cover the scope of the
consuming and connected network, clearly identifying and testing all relevant network equipment and
facilities. This must cover the physical security aspects, equipment rooms, racks and offices, where
the PSN is connected and consumed.
The ITHC is required by the customer, to provide an overview highlighting deficiencies and those
areas which require improvement. The ITHC is also required by GDS, as part of the IA Compliance
documentation set. The ITHC is used by the PSN compliance team as an objective overview of the
organisations physical and technical protection of the PSN connections and interfacing to the
customers corporate network.
The ITHC needs to cover the entire range of network segments which interface with the PSN, not just
individual IP addresses. The scope of the ITHC, should be defined by the scope of the network
diagram under control DIA.1. We need to clearly see ITHC results for all components on the diagram.
CHE1. Requires that a technical vulnerability assessment, which covers all of the customer
equipment, that means, the from the connection of the CPE (Customer Premises Equipment, to the
PCs, laptop and mobile devices, all network equipment, interfacing between the PSN connected
corporate network and ant web connections into the PSN connected network are all in scope.
Any boundary devices (routers, gateways and firewalls at the boundary are in scope. Network
equipment and devices on the other side of the boundary devices are out of scope. The diagram and
ITHC need to clearly show the scope and exclusions.
PSN IA conditions controls:
Condition
No.
Subject
Obligation
DIA
Network
Diagrams &
Scope
DIA.1
Network
Diagrams &
Scope
A high level logical network schematic shall be provided to accompany this
IA Conditions document. The diagram shall be used to describe the scope
for the IA Conditions it is therefore important to include where possible the
following information:
- Diagrammatical representation of services and functionality in place
including defining which ones are PSN services and those that are not.
- Onward connectivity including remote access services and connectivity
overseas/offshore
-Gateway/boundaries functionality
- Third party connectivity
CHE
Compliance
Checking
CHE.1
Compliance
Checking
Organisations shall implement an annual programme of IT Health Checks to
validate equipment not provided as part of a PSN service that interacts with
PSN services.
Page 8 of 14
4. Service Providers
It is not necessary for an ITHC testing organisation to be CHECK approved to perform an ITHC
OFFICIAL ICT infrastructure.
However, PSN has an expectation that such organisations should deploy testers who are CREST or
TIGER SCHEME accredited, with have a proven track record in this field. We would also urge
organisations to seek example reports to ensure that the scope, format and deliverables will be
suitable for meeting the PSN IA Conditions at OFFICIAL. They should be able to demonstrate this
through reference sites and redacted customer reports.
We would recommend;
Clear executive summary.
Clearly annotated network diagram (provided by the customer per control DIA1.), this will have the 10
ToI’s listed and colour coded annotation showing: RED: Deficient AMBER: Deficient but simple fix
GREEN: Compliant.
Clearly prioritised list of deficiencies with a non-technical explanation. (RED/AMBER)
Clear diagrams to and charts to support the customer and the PSN Compliance team in GDS.
A remedial action plan to meet the deficiencies (RED/AMBER).
We do not consider output from automated testing tools, without a clear business led explanation to
be sufficient or appropriate.
CREST: http://crest-approved.org/
TIGERSCHEME: http://www.tigerscheme.org
Page 9 of 14
5. Scope of Work
5.1. Introduction
The requirement is to meet the relevant controls detailed in the PSN IA Requirements pertaining to
services at OFFICIAL.
The ITHC will include an external penetration test for all Internet facing IP addresses and
internal network hosts.
We recognise each customer site has a different network infrastructure and varying requirements, so
that it will be necessary to construct a ‘modular’ pricing structure which will be based on the elements
of the Scope of Work
5.2. We have suggested the principal test targets below. A generic modular network
diagram should be developed, to test against each target. Location of Internal
Network Testing
Internal network testing should be completed from within the client’s principal locations, and also,
where specified from Public Access locations such as Libraries, contact centres etc.
The principal Targets of Interest (ToI) for testing should include:
ToI1 External Firewall, Gateway and Boundary Security Assessment
ToI2 External Network Penetration Test (websites, access control, remote access, VPN Servers,
DMZ servers)
ToI3 Onsite Network Penetration Test (Intranet, email gateways, router and firewall access.
access control)
ToI4 Operating System Assessment (Patching, configuration and malware protection), of key
servers affecting PSN services and network.
ToI5 Mobile Device Security Assessment
ToI6 SSL VPN Assessment
ToI7 Wireless Infrastructure Assessment
ToI8 IDS/IDP Assessment
ToI9 Application Security Assessment (including websites and Intranets/Extranets)
ToI10 Physical security assessment server room and network equipment racks.
5.3. Network Penetration Test
This will be conducted from outside the client’s network, with the intention of assessing the
vulnerabilities which an unauthenticated attacker could use to penetrate the network. Typically, this
will be on the public facing elements of the network, e.g. web servers. Remote access gateway and
wireless networks.
5.4. Network Vulnerability Assessment
This Assessment will identify the vulnerabilities within the client organisation’s internal network and is
typically conducted from within the Local Area Network or Wide Area Network. It will incorporate
Page 10 of 14
both manual and automated security testing techniques to identify vulnerabilities within desktops,
servers and network infrastructure, which could be exploited from within the organisation.
The Network Vulnerability Assessment, will also report, where appropriate, on the organisation’s fire-
walled connection to the Public Services Network (PSN), IA Conditions especially in relation to
remote, home and mobile connections.
5.5. Web Application Security Assessment
This will measure the resilience of an application to withstand attack from unauthorised users and the
potential for valid users to abuse their privileges and access rights. This must include all websites,
which draw their data and responses from infrastructure within the PSN ITHC scope.
5.6. Server Security Assessment
The Server Security Assessment will provide information as to the resilience of a server system to
withstand attack from unauthorised users and the potential for valid users to abuse their privileges
and access rights. This will also include the configuration and server patching regime.
5.7. Mobile Device Security Assessment
This will establish the resilience of mobile devices which connect to the client network, i.e.
authentication, resident applications and security software, to withstand attack from unauthorised
users and the potential for valid users to abuse their privileges and access rights. The organisations
policy covering mobile device usage and access to the PSN network and services should be
included.
5.8. Wireless Security Assessment
This will assess the client network’s wireless infrastructure to identify potential vulnerabilities within
the wireless network, and therefore any internal wired networks, against unauthorised access, whilst
maintaining appropriate access control for authorised users.
5.9. Home Office / Small Office Assessment
This will assess the suitability and security vulnerabilities of access to the client network from home
offices and small remote locations, typically using ADSL. This will include checking the policy and the
patching regime for end point devices.
Page 11 of 14
6. Deliverables
6.1. High Level Network Schematic
As part of PSN compliance evidence, there should be a high level network schematic. This should
contain enough detail to enable a compliance assessor to understand the customers network
environment, which is either connected to or consuming a PSN connection or service.
The scope of the diagram will be the PSN connected or consuming environment and the interfaces
and inter-connected network boundaries. We would ask the ITHC report annotates the network
diagram prepared as part of control DIA1. To show which components and ranges were tested and
referenced against the findings to help the customer and the PSN Compliance Team.
6.2. ITHC Reports
The ITHC is expected to produce the following:
• A colour annotated network heat map diagram showing the principal targets of interest (ToI),
described previously and their determined status. This should be consistent with the High
Level Network Schematic.
• An executive summary that gives a business level summary of the findings and their impact
• A technical summary that prioritises the key areas of risk found
• An analysis of the findings against relevant security good practice
• Details of all testing conducted and the tools and techniques used
• Detailed descriptions of findings for all vulnerabilities identified and an indicative level of risk
to the client and/or system assessed along with recommended remedial action
• Additionally screenshots and tool outputs and other supporting evidence for each vulnerability
could be included as an appendix to the report.
• Each component will then at the end of the test be colour coded to give an instant visual and
numeric representation of the network as a heat map, to assist the SIRO and senior
management in understanding the current network status,
• All outputs from testing tools are to be separately provided as annexes, not part of the main
report.
Page 12 of 14
7. Example Heat Map showing identified vulnerabilities,
by control number from the ITHC report.
Page 13 of 14
Annex A: References
The following references are used in this document:
[1] PSN Code Template for Code of Interconnection, Code of Practice, Code of Connection
[2] HMG Security Policy Framework
[3] PSN Operating Model
[4] PSN Document Management and Change Control
[5] PSN Compliance
[6] PSN Security Model
[7] HMG Information Assurance Standards No. 1 and 2 (IAS1&2), Information Risk Management
[8] ISO/IEC 27001, Information Security Management Systems – Requirements
Page 14 of 14
Annex B: Glossary and Abbreviations
CESG
The National Technical Authority for Information Assurance
ITHC
IT Health Check
GCN
Government Conveyance Network
GDS
Government Digital Service
IA
Information Assurance
IAS
Information Assurance Standard
ICT
Information and Communications Technology
IGSoC
Information Governance Statement of Compliance
IL
Impact Level
ISMS
Information Security Management System
ISO
International Standards Organisation
MOD
Ministry of Defence
NHS
National Health Service
PSN
Public Services Network