Understanding PSN IT Requirements

How to bring your network and data into compliance with the PSN Information Assurance Conditions

Background

The Public Services Network (PSN) Information Assurance (IA) Conditions are a set of controls that must be met by any Public Sector organisation that is required to access the PSN. A UK government-funded programme, the PSN is one large communications network where public service agencies can efficiently access various types of data from one repository.

The purpose of PSN IA Conditions Compliance is to ensure that information is available to the right people and that the integrity of that information is up-to-date. Organisations that are IA compliant convey confidence to the general public that they are appropriately and safely managing their data.

These controls also address the following requirements, where appropriate:

  • Data Protection Act (see BSI BIP 0012)
  • Human Rights Act (Right to privacy)
  • HMG Security Policy Framework
  • Accountability of users (Computer Misuse Act; also see BSI BIP 0008 and BS 10008)
  • Risk management (see HMT Orange Book and ISO/IEC 27005)
  • Corporate Governance (Audit Commission Report on Corporate Governance in the Public Sector)
  • Official Secrets Act (with regard to Protectively Marked information)
  • ISO/IEC 27001 (Information Security Management System Requirements)
  • Local Government Data Handling Procedures

Who Needs to Comply

If you are a UK Public Sector organisation, you need to have access to the Public Services Network and will therefore need to meet PSN IA Conditions Compliance.

How Varonis Applies to the Public Services Network Information Assurance Conditions Compliance

Varonis provides a comprehensive system for meeting the information protection controls as they apply to unstructured and semi-structured data, that is, the contents of file servers, email systems, and intranets. In particular, Varonis solutions ensure that access to and use of sensitive and important personal data residing on these servers is automatically ratcheted down to need-to-know, and that use of sensitive data is continuously monitored so that organizations have an accurate audit of data use and user access behavior at all times.

Key Requirements

The following table lists sections of the PSN IA Conditions and, where applicable, an explanation of how Varonis solutions can help meet these controls.

Requirement: RIS.1 Information Risk Management
Description: The connecting organisation shall demonstrate a risk management and standards-based approach to the assurance of their connected network.
Varonis Product/Feature: Varonis reduces risk in the following ways:
  • Data mistakenly exposed is identified and locked down safely, including sensitive and regulated content
  • Access controls are much more restricted; employees have access to only what they need
  • Data owners with knowledge of their data assets are in control; the right people review data access and group memberships
  • Every file and email touch is captured and analyzed
  • All use is monitored
  • Automatic activity baselines are created for every user and deviations are detected
  • Abuse is detected and real-time alerts are triggered

Requirement: RIS.2 Information Risk Management
Description: RIS.2 Information Risk Management
Varonis Product/Feature: DatAdvantage helps identify who should be responsible for each data set (i.e., data owners). DataPrivilege helps organizations define the policies that govern who can access and who can grant access to unstructured data, and puts access control decisions in the hands of people with context about what they’re managing: data owners. Data owners can review access, grant and revoke access, and ensure compliance, ultimately reducing risk.

Requirement: EDU.1 User Education
Description: All employees of the organisation and, where relevant, contractors and third party users shall receive commensurate awareness training and awareness updates in organisational (not central PSN) policies and procedures relevant for their job function. Training shall include elements of physical, personnel and electronic security guidance.
Varonis Product/Feature: Varonis staff are also avid learners and educators. Here are some of the educational opportunities we offer and provide:
  • Professional Services: ensures Varonis customers can effectively assess and remediate risks and maintain a secure environment.
  • Varonis Blog: learn more about security, privacy, IT Operations and more on our blog. We post approximately 3-4 blog posts per week.
  • Office Hours: 1 free hour one-on-one live web session with your local Engineer to discuss operational and security questions.

Requirement: RES.2 Incident Response
Description: Information, physical and personnel Security Incidents shall be reported through commensurate internal management channels managed by the organisation’s Security Officer in accordance with the organisation’s incident management policy.
Varonis Product/Feature: Varonis DatAdvantage collects a rich audit trail of access activity from file systems, email servers, Active Directory, and SharePoint. It baselines every user’s normal access behavior and can generate alerts when behavior becomes abnormal. Custom real-time alerts can be configured via DatAlert based on corporate policy. Alerts can be delivered via SMS, email, piped into an incident response system, or trigger an action (such as disabling an offending user).

Requirement: CON.4 Configuration
Description: Users shall use accounts with the least privilege required to perform their roles.
Varonis Product/Feature: Varonis DatAdvantage recommends the revocation of permissions to data for those users who do not have a business need to the data – this ensures that user access to data is always warranted and driven by least privilege. DatAdvantage generates reports showing the history of permission revocations and the percentages by which overly permissive access was reduced. Varonis DataPrivilege provides a mechanism via a web-based application by which data owners can monitor and administer (allow/deny) group membership requests and all access requests to unstructured data. Data owners may also be automatically prompted to review and recertify access on a regular basis.

Requirement: ACC.1 Access Control
Description: It shall be possible for user activity to be correlated to a user via the use of a unique user identifier. The Organisation shall assign each user of the PSN connected network a unique user ID to be used for authentication of that individual user.
Varonis Product/Feature: DatAdvantage helps organisations examine and audit active and inactive user accounts, and the use of privileged access accounts to detect and prevent abuse. With a continual audit record of all file, email, SharePoint, and Directory Services activity, DatAdvantage provides visibility into administrative users’ actions. The log can be viewed interactively or via email reports.

Requirement: ACC.2 Access Control
Description: The customer shall implement an organizational access control policy that is deemed sufficient to manage the risk that the organisation is exposed to. This policy shall cover remote/mobile solutions where appropriate.
Varonis Product/Feature: DatAdvantage can also identify when users have administrative rights they do not use or need and provides a way to safely remove excess privileges without impacting the business. Through DataPrivilege, membership in administrative groups can be tightly controlled, audited and reviewed. DatAlert can be configured to send real-time alerts on a number of actions including the granting of administrative rights to a user or group. This allows the organization to detect, in real-time, when privileged access has been granted erroneously and act before abuse occurs. Varonis DataPrivilege provides a mechanism via a web-based application by which to monitor, administer (allow/deny) all access requests to unstructured data. Re: remote/mobile – see below.

Requirement: MAL.2 Malware Protection
Description: The organization shall identify and isolate malicious software (at least viruses, macros, dangerous file types, mobile code and spyware).
Varonis Product/Feature: DatAdvantage’s audit trail and behavioral alerts can help detect when malware or viruses are accessing files, mailboxes, or SharePoint sites. For example, Varonis customers have used DatAdvantage to quickly isolate and successfully halt the spread of the Cryptolocker virus in their environment. This was how one customer described the above: “Within DatAdvantage I ran a query on that specific user and realized that there were over 400,000 access events that had been generated from that user’s account. It was at that point that we knew it was a virus… Once we had identified the second user, we went back to DatAdvantage to identify the files they had accessed. There were over 200,000 access events generated from this user’s account.” DatAdvantage enabled our customer to quickly identify corrupt files and helped the organization reduce the impact of the virus on the environment and user downtime. In addition, it allowed them to maximize their time and resources by only having to restore the data that was affected.

Requirement: MOB.1 Mobile/Home Working
Description: Any mobile/remote and/or home working solution that accesses PSN services/networks shall be operated in accordance with the organization’s remote/mobile working policy that identifies and mitigates the risks of using mobile/remote access solutions. This policy shall include the adoption of electronic, personnel and physical security measures.
Varonis Product/Feature: DatAnywhere instantly enables mobile, remote and home access, file synchronization, and secure 3rd party sharing for your existing file shares. Files can stay exactly where they are—on existing SMB file servers or NAS.

Requirement: MOB.2 Mobile/Home Working; MOB.3 Mobile/Home Working
Description:
  • The organisation must be able to show appropriate control and management of the technical environment of any device that has access to PSN services/networks.
  • Any mobile/remote device that has access to PSN services/networks shall be considered by the organizational lockdown and configuration management policies.
Varonis Product/Feature: DatAnywhere benefits:
  • Definitive copies of files are always stored on corporate storage
  • No one gets permissions to shared data unless they already have it
  • Users authenticate to Active Directory or LDAP and there is no need to reconfigure or replicate permissions
  • IT controls speed, availability, and security

Requirement: PRO.1 Protective Monitoring; PRO.2 Protective Monitoring; PRO.3 Protective Monitoring; PRO.4 Protective Monitoring; PRO.5 Protective Monitoring
Description:
  • Organisations shall apply protective monitoring controls commensurate to their environment and data processing requirements.
  • Subject to legal constraints, the organisation will provide the PSNA and its authorized bodies with information, and where it is appropriate to do so, make available audit logs holding user activities, exceptions and information security events to assist in any investigations.
  • Within legal constraints audit logs shall be retained for a minimum of six months.
  • Organisations shall have a consistent time source and be synchronised across all PSN accessing devices. The time source applied shall support effective log analysis and be from the time source of their PSN Service Provider.
  • To support audit and accounting it shall be possible to match server activity to a specific server.
Varonis Product/Feature: Please see: GPG13
