System Interconnect Security Policy (“SISP”)
UKCloud provides an infrastructure to enable clients to host data and applications in a secure and resilient manner. The UKCloud platforms are designed to host data within environments suitable for both OFFICIAL and OFFICIAL SENSITIVE data (as per the Government Security Classification Policy) and will meet the accreditation and assurance requirements associated with data at these levels.
The nature of cloud services is such that there are distinct separations of ownership of the overall environment. Essentially, UKCloud provides and owns the infrastructure that supports the applications and data, whilst the clients themselves own and have responsibility for their individual applications, system configurations and their associated data.
This separation of ownership also includes a separation of security ownership, accountability and responsibility. The UKCloud environment will meet the specifications of the Baseline Control Set (BCS) and the recommendations of the current Security Policy Framework (SPF) as well as achieving applicable accreditations, certifications and supporting assurance validations. To meet these criteria, it is necessary to identify the overall security requirement and then to agree the ownership, accountability and responsibility boundaries between UKCloud and its clients.
This System Interconnect Security Policy (“SISP”) is the formal top-level security document that identifies those aspects that are within the remit of the UKCloud Security Officer and those that are within the remit of the data-owning client’s Security Officer or SIRO. More specific information can be found within the SyOPs sections of the appropriate RMADS issued for each individual UKCloud service.
Acceptance of this SISP is agreement to and compliance with the separation of security requirements and responsibilities.
2.1 The SISP, while being the overarching security policy for the UKCloud environment, does not address individual security requirements in detail. UKCloud shall provide corresponding security documentation for the infrastructure and the client shall provide similar documentation for their individual applications and data.
2.2 UKCloud has communicated the detailed security requirements of its IT services within the RMADS documentation of each service. The RMADS documentation is made available to the client prior to their deployment and consumption of the UKCloud service, and the client remains at all times responsible for full compliance with the requirements of the SyOPs contained within the corresponding RMADS documentation.
2.3 Each party (UKCloud and the end client) shall make the other party aware of any salient aspects of their own security policy.
2.4 The SISP and UKCloud Security Policy shall be reviewed annually as a minimum, and in the event of any security incident. Changes, if required, shall be communicated to the client. It is expected that the client shall also review their security policy at least annually and that any relevant changes will be communicated to UKCloud promptly.
3.1 UKCloud shall have designated Risk Owners and Security Officers with an overall Responsible Individual designated to own the security regime of each. The client shall have their own designated personnel in the relevant roles to own and co-ordinate their own security activities.
3.2 Formal processes shall exist between UKCloud and its partners to co-ordinate their security activities. The client shall ensure that relevant co-ordination exists with their areas of responsibility. Liaison and co-ordination between the client and UKCloud shall be agreed as part of the formal contract using this System Interconnect Security Policy.
3.3 The initial configuration and composition of the overall system shall be agreed between UKCloud and the client. Any subsequent changes or additions to the system will be addressed through a formal Change Management Process and agreed with the applicable accreditation authority, as applicable. UKCloud shall not make any changes to technology that it has responsibility for other than those that are known, approved and scheduled, or those considered necessary to complete emergency maintenance or address a serious security incident. The client shall ensure that any changes to their existing applications or data processing arrangements will be subject to the documented requirements of their own approved change management process.
3.4 The protective monitoring of the UKCloud Management Platform environments shall be implemented to identify and manage security incidents. UKCloud shall contact the relevant authorities (e.g. GovCERT, Information Commissioner’s Office) in the event of any such incident as well as invoking the defined Incident Management Process. Clients shall be informed in the event of any such incidents in accordance with the agreed Incident Management Process, and using the client contacts notified within the Security Incident Reporting Matrix (UKC-GEN-56).
3.5 The client shall be responsible for complying with all applicable reporting requirements with respect to their applications and data.
3.6 The client shall promptly inform UKCloud when they detect any Security Incidents in accordance with the Incident Management Process. This shall include proactive notifications of current ongoing security incidents, and reactive notifications for previous security incidents.
3.7 UKCloud and the client shall agree with the relevant accreditation and certification bodies the frequency of review of any accreditation or certification status (if applicable).
3.8 UKCloud services have been assessed for risk using HMG IS1 and an asset-based risk methodology which supports its ISO27001:2013, ISO27017:2015 and ISO27018:2014 certifications. Risk assessments shall be reviewed annually to ensure that the risk situation is current and valid. There shall be additional assessments in the event of any major security incident. Any changes to the risk profile shall be communicated to the client. The client shall conduct their own IS1/ISO27001 risk assessments and shall review these at least annually, informing UKCloud of any identified changes to their own risk profile.
3.9 UKCloud has responsibility for ensuring that the cloud infrastructure provides the relevant level of security, including protective monitoring (for the UKCloud Management Platform) and Incident Management. UKCloud shall also ensure that all personnel who have access to the infrastructure have obtained and retain the relevant levels of security clearance.
3.10 The client shall have responsibility for ensuring that their applications and data are provided with the relevant level of security and that access to those applications and their data is restricted to those who require such access and who have the relevant security clearance.
4.1 The UKCloud infrastructure comprises a number of separate environments, each designed for different sectors and employing different security controls. All elements of each environment shall be inventoried and classified to meet the stated requirements of the sector and data classification. All environments shall be assessed for security control effectiveness in relation to data Confidentiality, Integrity and Availability.
4.2 The client shall identify all of their assets to be used within and to access the UKCloud environment and will assess them to ensure their suitability with regards to data Confidentiality, Integrity and Availability.
4.3 UKCloud shall label and handle all management information assets that they have control of and responsibility for, in accordance with the sensitivity and/or protective marking of each asset.
4.4 The client shall have sole responsibility for the labelling and handling of their information assets, and any other assets associated with their applications, and for the formal communication of protective marking and/or data classification information to UKCloud. The client shall also be responsible for assessing and complying with their own data aggregation requirements, and for advising UKCloud if this aggregation affects their defined security levels.
4.5 UKCloud shall be responsible for assessing the overall implications of aggregation of data across its cloud infrastructure.
5.1 UKCloud shall have responsibility for ensuring that all physical and environmental controls are in place in those areas where the infrastructure, or management access to that infrastructure, is made. They are also responsible for ensuring that the relevant level of physical access controls to such areas is in place.
5.2 The client shall have responsibility for ensuring that the relevant security and physical access controls are in place at all locations where access to their data is made from.
5.3 UKCloud shall provide appropriate training, guidance and security controls to its personnel who are to undertake their duties within secure areas. The client shall be responsible for providing any training, guidance or security controls needed for its personnel working in secure areas where access to their applications and data is made from.
5.4 UKCloud shall be responsible for the siting and protection of equipment within the data centre environment. The client shall be responsible for the siting and protection of equipment within their own environment(s) which is used to provide access to their applications and data.
5.5 UKCloud shall maintain all equipment within their control. Such maintenance shall be conducted in a secure manner by suitably security cleared personnel. The client shall be responsible for the maintenance of the equipment they use to access the UKCloud cloud environment, and for the suitability and security clearance of personnel who conduct maintenance on their equipment.
5.6 UKCloud shall ensure the security of off-site infrastructure (such as laptop computers and mobile devices) and the information that may be contained on them. Client data stored on UKCloud services shall not be stored on off-site equipment. Appropriate protection will be provided for any transportable media.
5.7 The client shall be responsible for ensuring that any remote working or use of transportable media carrying their data is secure.
5.8 UKCloud shall ensure the secure disposal of any equipment within their control that requires replacement. The client shall be responsible for the secure disposal or re-use of any equipment within their control that is used to hold or access secure data.
5.9 UKCloud shall ensure that the appropriate physical security is applied to prevent the removal of equipment or assets within their control. The client shall be responsible for the physical security of their equipment and information assets.
6.1 UKCloud shall produce specific procedures for their function of the Management Platforms. These shall be combined into documented UKCloud operational procedures.
6.2 The client shall be responsible for the production of operating procedures for their use of the applications and data. These procedures shall be made available as part of the accreditation documentation. The client shall be responsible for ensuring that such documentation is compliant with the SyOPs detailed within the RMADS of the UKCloud service which is to be consumed.
6.3 UKCloud shall ensure that only its personnel have access according to their role within the Management Platforms and that no potential conflict exists in the allocation of these roles. The client shall be responsible for ensuring that, where appropriate, the relevant segregation of duties is enforced within their own environment.
6.4 The client shall be responsible for correctly procuring and configuring their systems, such that any test or development environments they have associated with their applications or data are suitably separated from their live operational environment.
6.5 UKCloud shall continually manage and monitor the services provided by their business partners to the UKCloud Management Platforms through a protective monitoring system. The client shall be responsible for ensuring that any services (including the protective monitoring thereof) provided by their third parties are regularly managed, audited and assessed.
6.6 The services provided by UKCloud third parties shall be contractually defined. Any subsequent changes to these services shall be via Change Management and shall be communicated to the client. Significant changes shall be notified to and authorised by the appropriate accreditor or certification body, if applicable. The client shall be responsible for managing changes to the services provided by their third parties and ensuring that UKCloud and, where relevant, their accreditor or certification body are informed.
6.7 UKCloud shall monitor and manage the capacity of the UKCloud Management Platforms. The client shall be responsible for monitoring and managing the specific capacity requirements of their own systems hosted on UKCloud infrastructure.
6.8 UKCloud shall ensure that the relevant controls against the introduction of viruses and malicious code are in place for its Platforms. The client shall be responsible for ensuring that they have appropriate and relevant controls in place to protect their environments and data from viruses and malware, and to prevent malicious code being introduced to their data.
UKCloud shall ensure that a GPG13-aligned protective monitoring service is in operation to provide protection to the UKCloud Management Platforms. Clients shall ensure that their “Elevated” (formerly IL3) environments are similarly protected by a protective monitoring service which aligns with the protective monitoring controls contained within the former NCSC document GPG13. Whilst this shall not be a mandatory requirement for client “Assured” (formerly IL0-IL2) environments, it is nonetheless recommended that it should be in place.
6.9 UKCloud shall ensure that a data backup service and appropriate infrastructure is made available and supported so that clients can back up their data if required. The client shall be responsible for the selection and configuration of the data backup tools which are required to address their specific data backup requirements.
6.10 UKCloud shall ensure that the relevant security controls are in place on the UKCloud Management Platform networks. The client shall be responsible for ensuring that their network, up to the point of accessing the UKCloud managed networks, has the relevant security controls (a) as identified by their own IS1 risk assessment activities, and (b) which align with the client requirements documented within the SyOPs of the RMADS for the UKCloud service which is to be consumed. Additionally, the client’s use of an assured security gateway to access the UKCloud environment shall be managed and operated strictly in accordance with the corresponding latest set of “Security Procedures” issued by NCSC.
6.11 UKCloud shall ensure that appropriate security controls are in place to protect any media within its control, including the disposal of media that is no longer serviceable or which is no longer required, and the secure cleansing or destruction of any data on such media. The client shall be responsible for the proper management and secure deletion of their data which is located within the UKCloud hosted environment.
6.12 UKCloud shall ensure that appropriate information exchange policies, agreements and procedures are in place within the Management Platforms. The client shall be responsible for establishing and implementing information exchange policies, agreements and procedures with respect to their own applications and data, which align with the client requirements documented within the SyOPs of the RMADS for the UKCloud service which is to be consumed.
6.13 UKCloud shall ensure that all user activity within the Management Platforms is audited and logged. Any anomalous behaviour shall be investigated. The client shall be responsible for the audit of user activity of their applications and data.
6.14 UKCloud shall monitor system use of the Management Platforms as part of any incident response or investigation. The client shall be responsible for monitoring system use as part of an incident response or investigation into the applications and data.
6.15 UKCloud shall be responsible for the protection of audit logs. The client shall be responsible for the protection of audit logs under their control relating to access to and use of their data.
6.16 UKCloud shall be responsible for the audit logs of users within the Management Platforms. The client shall be responsible for audit logs under their control which record activities relating to users of the data.
6.17 Any system faults shall be logged and, depending on the category of faults, reviewed at defined intervals by UKCloud. The client shall be responsible for logging and reviewing faults associated with their applications.
7.1 UKCloud shall not access client data or applications, unless specifically requested to do so by the client, and having received prior formal written approval for this access from the client. Access to the Management Platforms shall be defined according to the function of the individual UKCloud employee. The client shall be responsible for managing and controlling access to their data.
7.2 UKCloud shall be responsible for implementing a user registration procedure for personnel who access the Management Platforms, and for undertaking reviews of the privileges and access rights of personnel who have such access. The client shall be responsible for implementing a user registration procedure for personnel who are to access their data and applications, and for undertaking regular reviews of the privileges and access rights of personnel who are to access them.
7.3 UKCloud shall be responsible for ensuring (a) the security of unattended user equipment, (b) the security of Personal Electronic Devices (PEDs) and (c) the implementation of a clear desk and clear screen policy within UKCloud environments. The client shall be responsible for ensuring (a) the security of unattended user equipment, (b) the security of Personal Electronic Devices (PEDs) and (c) the implementation of a clear desk and clear screen policy within their own environment.
7.4 UKCloud shall not access client data or applications, unless specifically requested to do so by the client, and having received prior formal written approval for this access from the client. The client’s protective monitoring system shall identify any specific access to “Elevated” client data or applications that it has been requested to report. The client shall be responsible for identifying such activities which are to be monitored and reported.
7.5 UKCloud shall be responsible for ensuring that its personnel working remotely will only be able to do so in accordance with relevant controls. The client shall be responsible for identifying any remote working function it may have and producing the relevant security procedures.
7.6 UKCloud shall be responsible for ensuring that its personnel access its Management Platforms using only accredited and/or approved technologies which are required by the classification of the data concerned. The client shall be responsible for ensuring that external connectivity into their service(s) is undertaken using only accredited and/or approved technologies which are required by the classification of their data, and as specifically noted within the SyOPs of the RMADS which supports the service being consumed.
8.1 UKCloud shall operate an Information Security Incident Management Policy which details the management, investigation and reporting of potential or actual breaches of the confidentiality, integrity or availability of a company information asset (or a client data asset where the company is engaged in a contractual agreement to protect the client data) or of a supporting asset (upon which the security of information assets depend).
8.2 The client shall be responsible for the management and reporting of potential or actual information security breaches to their data and applications to their own relevant external bodies. The client shall be required to immediately notify UKCloud of all such incidents.
8.3 The client shall be responsible for ensuring that their personnel details recorded within the Security Incident Reporting Matrix (UKC-GEN-56) are regularly checked for accuracy, and for the prompt reporting to UKCloud of any personnel changes that need to be made.
8.4 UKCloud shall operate an Information Security Incident Management Policy which details the requirement to identify, report and act upon any known or suspected weaknesses to information or supporting assets within the UKCloud Management Platforms. Such weaknesses may also be identified by periodic security assessments, including technical checks, penetration tests etc.
8.5 The client shall be responsible for the identification and reporting of known or suspected weaknesses within their applications, and for promptly reporting these to UKCloud.
8.6 UKCloud shall operate an Information Security Incident Management Policy which details the roles, responsibilities and procedures required for managing, reporting and resolving information security incidents. The client shall be responsible for defining roles and responsibilities and implementing procedures for the reporting, management and resolution of information security incidents arising within their applications and/or data.
8.7 UKCloud shall maintain overall responsibility for the management and operation of the UKCloud Management Platforms. It shall be fully monitored and protected by a protective monitoring service, which includes the collection and retention of log files and user activity data which can be used within any subsequent forensic investigation. The client shall be responsible for the identification of information relating to their applications and data which needs to be retained and made available for any subsequent forensic investigation.
9.1 UKCloud shall operate Business Continuity policies and procedures which ensure that the Management Platforms will continue to operate in the event of an unplanned business interruption. These shall be validated either by the design of the Platforms, or in some cases by focussed testing activities. The client shall be responsible for implementing business continuity arrangements to address any unplanned business interruptions which are directly and solely attributable to a failure of their applications, and any consequential unavailability of their data.
10.1 UKCloud shall identify all applicable legislation, regulation and guidance relevant to its operations, including NCSC Good Practice Guides, and is committed to full compliance with these. The client shall be responsible for identifying and complying with all applicable legislation and regulations that are appropriate for their own business.
10.2 UKCloud shall identify and implement controls to protect its intellectual property rights, including, but not limited to, its systems, software, designs, configurations and documentation. The client shall be responsible for the appropriate protection of the intellectual property rights associated with their applications and data.
10.3 UKCloud shall operate a Data Protection Policy and related procedures to ensure that personal information and personally identifiable information is at all times protected in accordance with the UK Data Protection Act 2018 (encompassing the requirements of the EU General Data Protection Regulation 2016/679). The client shall be responsible for full compliance with the prevailing data protection legislation in respect of personal data introduced into the UKCloud environment.
10.4 The client shall remain responsible for undertaking a Privacy Impact Assessment or Data Protection Impact Assessment of their data which is to be processed by or stored within the UKCloud environment.
10.5 UKCloud shall operate an Acceptable Use Policy, provide training to its personnel on the acceptable use of information systems, and retain log files and user activity data to ensure that such systems are only used for authorised purposes in an acceptable way. The client shall be responsible for ensuring that their authorised users do not misuse information processing facilities.
10.6 UKCloud shall be responsible for ensuring that network access to its Management Platforms is protected by the use of appropriate encryption technologies, determined by the classification of the data concerned. The client shall be responsible for ensuring that external connectivity into their service(s) is undertaken using appropriate encryption technologies, determined by the classification of their data, and as specifically noted within the SyOPs of the RMADS which supports the service(s) being consumed.
10.7 UKCloud shall have periodic (no less than annual) reviews of compliance with their security policies, processes and procedures. The client shall be responsible for assessing compliance with their own policies and for informing UKCloud and the accreditor of the results.
Date of Version Release: 20.03.2019