Toplevel GCloud eForms service enables organisations to create online digital services which can be used to improve customer service and accessibility in line with the ‘Digital by Default’ drive mandated by government. The vast majority of data is classified at OFFICIAL under the Government Security Classifications Policy introduced in April 2014 and, as such, demands a stringent level of protection and assurance.
Toplevel had been considering PGA for a number of years. It would demonstrate that our products and services have achieved a high level of security assurance so public sector organisations and associated agencies can be confident that the solutions are pre-approved, removing the onus from government buyers to independently verify and assess security claims. PGA removes the need for public sector bodies to perform their own internal comprehensive risk assessments and consider the security assurances of the provider, helping to make the process of selecting and committing to a solution more straightforward and less time consuming.
When the Home Office supported its request for certification, Toplevel began its journey to accreditation.
A DAUNTING PROSPECT
Mark Jaggard, Technical Services Manager at Toplevel explains, “We were under no illusion that this was a daunting prospect. It would be technically complex across our IT landscape – from architecture to hardware to software and security – but more than that, it would, by necessity, need to incorporate our internal processes and the skills of our people as well as co-ordinating outside specialists. PGA requires substantial investment and commitment and the process can take several months to complete. It was a massive commitment.
“I have worked on and led a number of high-profile, sensitive IT projects within multi-nationals in the past, and I realise the importance of having the right people, with the right skills around you in order to make projects a success.
“Although we knew, at a high level, that achieving PGA was a complex undertaking,” Mark continues, “we didn’t know the specifics of what would be involved. We knew we needed to work alongside specialists, and we turned to our partner, PRISM Infosec to help us understand what we needed to achieve and how we should approach it. We needed to prove to the security arm of GCHQ, CESG, what we already believed: that we were equipped to deliver OFFICIAL sensitive services. Together, we established a detailed project plan that spanned our infrastructure, our hardware, our software and all our security. As we write our own software to develop our products, we had a unique set of requirements to adhere to.”
“It isn’t a case of simply mapping the new cloud security principles against a set of best practice recommendations. There are thirteen security controls – from physical, to personnel, to access, to data in transit – to adhere to.
“This meant providing independent evidence through independent testing from a recognised, respected and authorised security partner. With their experience, PRISM could provide insight into what the PGA accreditors were looking for so that we could present the best options possible as we moved towards accreditation.”
STARTING FROM A FOUNDATION OF FACT
“We defined the scope of the work – the types of testing that needed to be carried out in order to satisfy the PGA accreditors that the claims we had originally made in our application could be validated by a third party, independent specialist.”
Mark continues, “We built a new isolated testing environment using a base set of images that represented day zero. Once we had established all the critical elements of the solution architecture, both at a hardware and software level, we embarked on a process of adding, changing and bolstering the solution to ensure that any environment subject to testing would surpass the necessary requirements. As part of this process we also researched and brought in the latest, cutting- edge technology tools - to assist our technical teams with the background management of the solutions. We embarked on a rigorous testing process both internally and then independently by our CLAS consultant to ensure that any weaknesses were identified and rectified. Our aim was for a clean bill of health that we could submit to the accreditors.
“We left no stone unturned.”
Mark explains, “While we were certain that our technology met the requirements outlined by PGA, one of our challenges was articulating it. We worked to demonstrate exactly how we found what we did, how we fixed any issues and how they were remediated. It was important that we worked with the accreditors to agree the format and the level of detail required and responded – to the point with no ambiguity.
“The accreditation process entailed rigorous risk assessment and penetration testing, which provides public sector organisations and associated agencies with the assurance afforded by a pre-approved solution.
“We showed the technology itself, and the type of tests conducted. We explained why those tests were selected and how that type of test satisfied a particular requirement of the accreditation. We demonstrated the services compliance against the cloud security principles, how they were applied and at what point in the architecture.
“The independent report that was created was submitted to a body of GCHQ auditors before being presented to a committee. They were satisfied that our claims had been proven with clear evidence and Toplevel achieved formal PGA accreditation in June 2015.”
“This has been a rigorous and stringent process, requiring considerable investment in time and effort, not to mention money.” Mark reflects “It requires independent verification that our service meets the high level of security demanded by government bodies.
“Our services deal with government data. “Of course, any client data has to be handled with utmost care, but for the public sector, this is a particularly sensitive issue and specific guidelines and requirements are in place to ensure the security of systems and protection of information. We are accredited to handle OFFICIAL data, removing the need for our customers to perform their own costly and time-consuming internal comprehensive risk assessments.
“The Government Digital Service (GDS) has since announced it has stopped accepting accreditation submissions making PGA certification a highly prized differentiator on the GCloud platform. We believe that it demonstrates an aspirational level of security that goes beyond selfcertification. In the future, buyers will be required to assess suppliers that do not hold the accreditation, adding further cost and complexity to the procurement process.
“As a direct result of achieving PGA accreditation, we developed our Protect+ SaaS service, a cloud offering available only to government organisations, given the unique requirements of the public sector to protect sensitive data. It is being used by organisations such as the Home Office, Her Majesty’s Passport Office and the Legal Aid Agency, all of which demand additional assurance around data security. Protect+ employs advanced segregation techniques together with increased authentication security for remote support and management. Ultimately, the online services serve to improve efficiency and cut costs in delivering services in a secure environment.
“For us, achieving PGA means our customers can be sure that we’re not just saying their data’s safe with us: we’ve proven that to be the case.”
BENEFITS OF PGA
Public sector customers will benefit from the following security assurances in eForms following PGA compliance:
Service assurance – provides prospective public sector customers with the assurance of an established security accreditation. Saves in-house accreditors time and resource as it removes the need to independently validate the service.
Technical assurance – involves the completion of a series of penetration tests, which have been independently viewed and corroborated by the pan government accreditor. Provides additional assurance in remediation of security risks.
Process assurance – comprises the assessment of the working practices used to deliver and manage the service and an appraisal of these processes formally documented in a residual risk statement as part of the accreditation.
Associated assurance – in addition to eForms, other services hosted on Toplevel’s GCloud platform; eCase, eApply, aClaim, eAudit, eGrant, eDiary and eCourse also benefit by association because all eight services use the same robust secure products and processes including Outreach case management.
Outreach eForms is available as a Software-as-a-Service (SaaS) solution via the Digital Marketplace.