Hitting a moving target?

Opinion by Andrew Gilhooley

On 1st February the UK government removed all GSi Code of Connection (GCSx) Connectivity from the GCF catalogue. On 7th February, the European Digital Directive was published. So how can CISOs ensure that their organisations remain compliant when the targets keep moving?

Public Service Network (PSN) Code of Connection (CoCo) compliance has now replaced the previous GCSx. All central and local government bodies and blue light services and their customer organisations will have to transition to PSN.

The goal of PSN is to join up all public sector organisations: allowing them to access a new marketplace of ICT services offered from a range of new providers, including G-Cloud. The government claims that PSN will make public services more efficient and streamlined, shaving £500 million a year off the current annual ICT spend of £16.5 billion.

However, there is also a security driver behind the transition to PSN CoCo. GCSx required public sector organisations to secure everything at Impact Level 3 (IL3). This adds cost. However, not all data and communications require this level of protection.

The government guidance states: “PSN at IL2 delivers appropriate protocols for protection of public personal data that local authorities and other GCSx customers are handling.”

However, the document includes the caveat: “You must continue to ensure data is protected by adhering to GSi CoCo version 4.1, or PSN CoCo and MOU document handling measures you have in place today.”

More change from PCI DSS?
Having been a PCI DSS QSA for six years, I anticipate that requirement Zero will be formalised this year. Essentially, this requires private and public sector organisations to prove that payment card data is only stored in the correct areas of the defined cardholder data environment.

I would like to see changes to the controls surrounding wireless network assessment. Wireless scanning adds significant costs to compliance programmes, particularly for merchant organisations with hundreds of outlets.

The current requirement is that merchants must either deploy a device to monitor wireless networks, or conduct manual wireless assessments every quarter. A quick glance through three issues of SC Magazine indicates how much the threat landscape changes within a twelve week period. Is a quarterly wireless assessment still appropriate?

The new Point-to-Point Encryption (P2PE) terminals should mitigate these controls, as merchant outlets should be taken out of the scope of PCI DSS if P2PE is deployed correctly.

EU Cybersecurity Plan:
On 7th February the European Digital Agenda was published, outlining plans to create common standards of online security and mandatory disclosure of serious breaches for all 27 member states, in order to share information on new cyber threats. The proposals have provoked a reaction from European countries, including Ireland, prompting calls to slow the implementation of new European cyber security laws.


The new laws will have to be accepted by the Council and European Parliament, after which CISOs operating within any European country will have 18 months to comply.

In my view, compliance frameworks such as this should always be at least one step behind the proactive CISO. This type of legislation is designed to force the hands of those who have limited focus on information security, so that their omissions do not impact on the confidentiality, integrity or availability of information assets owned by others.


We have witnessed similar proposals with the ‘online bill of health’, ‘Web Passport’ and ‘Internet Driver’s Licence’, mooted by organisations including Microsoft and Kaspersky as a means of blocking infected PCs from accessing the web, being exploited by botnets and spreading malware and spam.

Going through the tick box exercise of any compliance framework will make an organisation relatively secure against the threats and risks that the framework was designed to address. Anything outside that framework will not be secured.

It is important to recognise that compliance does not necessarily equate to security. The threat landscape is constantly evolving and proactive CISOs continually adapt their policies, processes and controls in order to maintain a secure posture.


Compliance frameworks change in response to new threats, but they take a long time to be introduced. The diligent CISO should always be one step ahead of compliance requirements, creating controls to mitigate the impact of new threats as soon as they appear. There should be very few surprises within any new compliance framework because, by their nature, these offer general purpose information security controls, rather than controls that are tailored to a particular environment.

The bottom line is that true security is an ongoing process of awareness, education and change and not a tick-box exercise.



Andrew Gilhooley is a principal consultant and qualified security assessor with RandomStorm

