GSI IT SECURITY HEALTH CHECK

PURPOSE
Part of the GSI Accreditation Programme involves local visits to conduct IT Security Health Checks. Feedback is required from probation areas to minimise operational impact.

Probation Circular
REFERENCE NO: 28/2005
ISSUE DATE: 20 April 2005
IMPLEMENTATION DATE: 20 April 2005
EXPIRY DATE: July 2005
TO: Chairs of Probation Boards; Chief Officers of Probation; Secretaries of Probation Boards
CC: Board Treasurers; Regional Managers; IT/System/Security Managers
AUTHORISED BY: Bob Nicholls, NOMS Offender Information Services
ATTACHED: N/A

ACTION
Areas should provide dates during which IT Security Health Check visits should not be scheduled (for operational reasons) during the months of May and June. Please be aware that this work forms a critical part of the NPS accreditation programme.

SUMMARY
The GSI Accreditation Project will be sending a CHECK IT security test team to a number of area data centres (to be decided) to carry out local security assessments of centrally (Steria) managed systems and any aspects such as locally managed servers, the PIX firewalls, case management systems etc.

RELEVANT PREVIOUS PROBATION CIRCULARS
N/A

CONTACT FOR ENQUIRIES
Piers Wilson, NPD IMTU (NOMS OIS) Tel: 0207 2170671 / 07971 566579 Email: piers.wilson@insight.co.uk

National Probation Directorate
Horseferry House, Dean Ryle Street, London, SW1P 2AW General Enquiries: 020 7217 0659 Fax: 020 7217 0660

Enforcement, rehabilitation and public protection

DETAIL
As part of the migration from the GSX network community to the GSI community later this year (hopefully mid-late summer), a full IT security health check is planned to be undertaken across the service by CESG CHECK security testers. (This will be a similar activity to the network security review that was undertaken a couple of years back.)

A large amount of this work will take place at the Hemel data centre. However, it will be necessary to visit a reasonable proportion (we are aiming at around 20-25) of the area data centres. The decision on which areas are to be visited will be based upon their particular characteristics so as to get as broad a spread as possible in terms of size, firewall configurations, locally managed systems, case management platforms etc.

We expect each visit to take place within a single full day, so the health check team will need greeting, showing into the data centre, somewhere to sit/work and advice about local systems. It would also be useful to have a member of local IT support available (not necessarily present at all times). We plan to have a Steria representative on site to give access to STEPS/Steria managed systems and to enable network connectivity etc.

Initially I would like to ask that you inform us of any time periods/dates during May to July when it will NOT be possible to accommodate these visits. Note that not all areas will be visited. However, we may not finally know which areas will be visited until we have the information about availability (and also completion of some aspects of the security improvement). An early response to this PC will enable us to schedule visits to minimise service impact.

We are planning on making an initial selection of suggested dates for visits, but due to the geographic spread, number of people involved and the timescales, these may need to be rearranged following the information we receive regarding availability.

Although dates of visits can be moved, it is in your interest to advise us now of any periods when these visits cannot be accommodated. Please would all areas/IT managers respond with unacceptable dates (during May to July) and also local points of contact (if different to the above names) by the end of 29 April. We expect to formulate and publish the schedule on or about 3 May and commence the visits on 9 May.
