The UK Government’s initiative to prescribe a security standard to any organisation accessing the Government Connect Secure Extranet is a move designed to keep government organisations one step ahead of the inexorable increase in security threats. There have been too many high-profile data thefts and losses by Government organisations, highlighting both the risk to, and the importance of, ICT Security and the governance of citizens’ data.
The result is the Government Connect Secure Extranet (GCSx). HM Government has mandated the way in which public authorities and government departments can securely transfer data between each other.
So, for example, how does a local authority needing Housing Benefits data access the Department for Work and Pensions (DWP) database? Via the GCSx of course! Similarly, Jobcentre Plus will only accept communications from local authorities via the GCSx, and likewise, communications with the Police and the NHS will only be provided through this connection.
The concept is a “community of trust” and the GCSx is one of a number of secure Government extranets, including GSx, GSi and GCJx. See our Glossary of Terms at the end for details of these other networks.
So how does a district council access the GCSx? Via a secure connection, the security of which is governed by the Code of Connection, or ‘CoCo’.
The GCSx CoCo
In England and Wales it is referred to as the GCSx Code of Connection (CoCo). In Scotland it is referred to as the GSX Code of Connection (CoCo). Through GCSx, local authorities can connect to the Government Secure Extranet (GSX) and Intranet (GSI), the National Health Service (NHS), Criminal Justice Extranet (CJX), and the Police National Network (PNN). The Code of Connection considers how best to protect the “community of trust”, taking into account all potential threats, including:
- Attack from the GCSx itself
- Attack from the Internet
- Mobile data theft and loss
- Attack from the internal user
Code of Connection (CoCo) for the Government Secure Intranet (GSI) and GCSx, Memorandum Number 22
According to CESG Infosec Memorandum Number 22, protective monitoring has traditionally been the most underrated and least effectively used security measure. The scope of the GCSx Code of Connection can be summarised as follows:
- Physical Security and Access Control: restrict and control access to the GCSx, including use of firewalls and intrusion protection technology, with particular focus on mobile/remote worker security.
- Policies and Procedures: in particular change management processes, approvals and documentation.
- Configuration ‘hardening’: ensure that known threats and vulnerabilities are eliminated from all systems, with a zealous patch management process combined with anti-virus technology, regularly tested and verified as secure.
- Strong Monitoring for security incidents and events, with all event logs being retained for 6 months.