Customer Service Direct (CSD), a joint venture partnership between Suffolk County Council, Mid Suffolk District Council and majority stakeholder BT (80%), has turned to a Cloud-based risk management approach from SureCloud.
The move is designed to be a cost-effective way to maintain and prove its ongoing regulatory compliance with the GCSx Code of Connection (GCSx CoCo), the security standards governing access to the Government Connect Secure Extranet (GCSx) network, which it relies upon to deliver its services.
Helping local government, the local education authority and charitable organisations to deliver effective amenities for their customers, CSD provides critical services such as ICT operations, HR and payroll services, finance services and a public access contact centre for the two councils.
CSD faced limited budgets and the added pressure of fines from the Information Commissioner’s Office (ICO) in the event of non-compliance. It was paramount for CSD to be able to demonstrate that private citizen data passing across the single, merged wide area network shared by both council and district was protected to approved information assurance standards at all times.
One of the core regulatory requirements of GCSx is an annual IT health check. CSD opted for the Collaborative Compliance Platform, a Software-as-a-Service solution from Reading-based SureCloud, as a convenient and cost-effective tool to help it with this process. The solution promoted continual security improvement and comprised four component modules: vulnerability scanning, security information and event management (SIEM), wireless intrusion detection (IDS) and configuration auditing. To start with, just two of the services – vulnerability management and penetration testing – were deployed, focusing on external threats.
To begin with, CSD used the SureCloud technology to scan its whole network four times a year and perform the annual audit. This has since expanded as awareness of the potential risk from internal sources has grown. The original solution has now been supplemented with device scanning and ad hoc consultancy services, providing even greater information assurance.
Discussing the project with publictechnology.net, Philip Barbrook, CSD Enterprise Architect, made the following recommendations:
1. Protect against internal threats, not just external ones
“We found there is huge value in knowing what is going on internally across your network. As local government awareness of what was needed from information assurance grew, we quickly recognised that there were potential threats internally as well as externally. As such we decided to use our initial SureCloud solution as a doorway to even greater information assurance.”
2. Take a step by step approach
“The big benefit of taking a Software-as-a-Service solution like SureCloud is that it allows us to gradually evolve our information assurance instead of trying to make everything happen at once.”
3. Use a solution that allows you to add new services on demand
“Having a single integrated tool rather than multiple point solutions allows us to add to our protection, scanning for PCI compliance for example, whenever we are ready.”
4. No substitute for expert advice
“It’s really helpful to have expert advice on the different methods of information assurance when you are looking at potential solutions.”