This guide provides an overview of PSN compliance, why it is important and how you can go about applying for and achieving it.
The purpose of PSN compliance
The PSN uses a ‘walled garden’ approach, which enables access to Internet content and shared services to be controlled. This is because the security of any one user connected to the PSN affects both the security of all other users and the network itself. The PSN compliance process exists to provide the PSN community with:
- confidence the services they use over the network will work without problems
- assurance that their data is protected in accordance with suppliers’ commitments
- the promise that if things do go wrong they can be quickly put right.
Holding a valid PSN compliance certificate gives you our permission to interact with the PSN in a specific, pre-agreed way.
Public sector information carried across the PSN is rated at OFFICIAL under the Government Security Classification Policy (GSC). Our requirements are designed to defend against common threats such as opportunistic hackers and abuses of business processes, while remaining proportionate and aligned with wider business goals.
PSN compliance and security
PSN compliance is a way to report your security arrangements. It is how you demonstrate to us that your organisation’s security arrangements, policies and controls are sufficiently rigorous for us to allow you to interact with the PSN and those connected to it.
PSN compliance is not a way to deliver security across your business. Directing your resources towards simply meeting our requirements is no substitute for engaging in ongoing risk assessment, management and mitigation across your business.
Our requirements are not intended to be an exhaustive list of every security condition your organisation should fulfil. Our requirements provide a balanced and proportionate baseline that can be applied across the entire range of PSN customers and suppliers that handle information and provide services at OFFICIAL. Many organisations will want to exceed our stated baseline.
Whether it’s a MoU with a data owner, the Security Policy Framework (if you’re in central government) or the Data Protection Act, you’re likely to be operating under a number of different obligations on the way you handle and use information. The PSN compliance requirements are designed to protect the network and won’t ensure that information sent across the PSN remains secure once it’s left the network. It’s your responsibility to make sure that you’re meeting all your obligations, not just the ones that we’ve set in the PSN compliance process.
The PSN compliance model
If you want to consume services over PSN or provide services to customers connected to PSN you will need to have a valid PSN compliance certificate. To obtain a certificate you’ll need to meet our requirements, which are different depending on how you want to use the PSN. There are three ways your organisation can use the PSN:
- You want to get a PSN connection compliance certificate so you can connect to the PSN and send and receive information over it.
- You want to get a PSN service provision compliance certificate so you can provide services or applications over the PSN to PSN customers.
- You want to get a PSN or GCN connectivity service compliance certificate so you can provide a component, product or service that enables PSN-connected organisations to obtain intra- and inter-organisation IP data transmission.
This includes those services which cause or enable the PSN to operate as a network. For example, services such as the GCN itself, direct networks (networks connected directly to the GCN), networking services which extend the reach of direct networks, network gateways and other core services such as DNS and NTP services.
Applying these definitions
Here are some examples that will help you understand how the definitions apply to your organisation:
- if you’re a telecommunications provider and you want to connect a physical network directly to the GCN so that you can sell PSN connections to other organisations, you need to apply for a PSN connectivity service compliance certificate and meet the connectivity service compliance requirements.
- if you’re a local authority and you want to connect to the PSN so that you can receive benefits data from DWP, you need to apply for a PSN connection compliance certificate and meet the connection compliance requirements.
- if you’re an IT solutions provider and you want to use the PSN to provide a secure email service to several public sector organisations, you’ll need to apply for a PSN connection compliance certificate and meet the connection compliance requirements first so you can access the PSN. You’ll then need to apply for a PSN service provision compliance certificate for each service and meet the service provision compliance requirements so you can deliver your service to PSN customers.
- if you’re an IT solutions provider and already have a valid PSN connection compliance certificate and you want to use the PSN to provide a secure email service to several public sector organisations, you’ll need to apply for a PSN service provision compliance certificate and meet the service provision compliance requirements.
If it’s not obvious from these examples where you fit in, please email us at firstname.lastname@example.org and we’ll help.
Getting your PSN compliance certificate
Use the above examples to understand which PSN compliance certificate you want to get, then follow these links to get detailed guidance that will help you prepare your PSN compliance application.