
PSN Code of Connection v1.32

The document outlines the requirements and conditions for organizations wishing to connect to the Public Services Network (PSN), including the need for a compliance certificate and specific documentation. It details the Information Assurance (IA) standards that must be met, covering areas such as operational security, authentication, data protection, and incident response. Organizations must submit a completed application and adhere to PSN Standard Terms and Conditions while ensuring compliance with security protocols.

Uploaded by

Rofaiel Hassan

PSN Code of Connection

Version 1.32
September 2022
Organisation details

Date:
Organisation name:
Full postal address:

Company/Charity/other registration number (if applicable):

Point of contact details

Name:
Position:
Telephone no:
Email:
Address:

Overview
The PSN (Public Services Network) is a network operated by several suppliers for
government that provides a trusted, reliable, cost-effective solution to departments,
agencies, local authorities and other bodies that work in the public sector, which
need to share information between themselves.

This document is completed by any organisation wishing to connect to the PSN. It
outlines conditions that you need to meet and the information that you need to
provide. This information will be used to assess whether you may connect/continue
to connect to PSN.
The PSN team may also need to conduct an on-site assessment.

You must be in possession of a PSN connection compliance certificate before
you can connect to the PSN.

You need to submit the following material as your application (and re-submission):
● This document with all fields completed, including the signature of an authorised
signatory for your organisation. Who signs the commitments will differ depending
on the type of organisation. If you are a central government organisation with a
Senior Information Risk Owner (SIRO), your SIRO should sign the CoCo. If you
are a local authority or other public sector organisation, you should have your
chief executive sign the CoCo. If you are a supplier, the signatory should be a
board-level individual who is empowered to make legal commitments on behalf of
your organisation.
● An up-to-date network diagram.
● The Remediation Action Plan (RAP) from your most recent PSN compliance
assessment, if applicable, and evidence that the remedial work was carried out
as planned.
● A recent (within the last 12 months) IT Health Check (ITHC) report, plus a new
RAP to address issues found. We’ve published IT Health Check (ITHC):
supporting guidance to help organisations establish the scope and requirements
for preparing an ITHC as part of a PSN compliance submission. It provides a
minimum set of requirements that should be included.

PSN compliance applications, re-submissions and general compliance enquiries
should be sent via email to [email protected].

You are required to use PSN Standard Terms and Conditions in all supply
agreements between supplier and customer.

Please note that this document requires you to provide the unique identifying code
(formatted as SRV_xxxx) of any PSN services that are delivered from/hosted in your
environment. This code will be in the subject line of any emails you have received
from the PSN team relating to that service. If your environment hosts any services
belonging to another organisation you must find out the service code from them and
provide us with that information.

Please note that permitted traffic flows on PSN are as follows:


● Traffic shall flow from a PSNSP (either a Network Provider or a Service Provider)
to/from a DNSP but not directly to the GCN.
● Traffic shall flow from a DNSP to any other DNSP via the GCN.
● Traffic shall NOT flow from a DNSP to another DNSP other than via the GCN. eg
traffic shall not flow via a PSNSP connected to 2 DNSPs.
● Traffic shall not flow via a private connection between 2 DNSPs.
● Traffic shall NOT flow from a PSNSP to another PSNSP other than via a DNSP
or DNSPs and GCN(s).

Under no circumstance should traffic be directed by any other route across the PSN.

Your PSN environment
Environment name:

Size estimates:
● number of users
● number of sites
● number of internal IP addresses in scope

Unique identifying codes (formatted as SRV_xxxx) of any PSN services hosted within
this environment:

Please supply a network diagram detailing the infrastructure. Consult the supporting
guidance on what information should be included in this diagram.

IA conditions
These outline the minimum IA (Information Assurance) standard expected of
organisations connected to the PSN. If you cannot meet these, please get in touch
with the PSN team.

Where you are consuming cloud services from your PSN-connected infrastructure,
we expect that you will have conducted security assessments of these services
against the Cloud Security Guidance from the NCSC. You should be confident that
your use of any particular cloud service does not reduce your overall security state
below that required in the IA conditions below. Where use of a cloud service imposes
a specific security requirement, more detail has been provided below.

It is essential, where cloud services are employed (particularly with respect to IaaS
and PaaS), that you are absolutely clear (whether through contractual agreement or
other arrangements) whether the responsibility to carry out certain actions (ie
patching) lies with you or your cloud supplier. Note that in the case of an audit or site
visit you can expect PSN team assessors to check this.

We expect that the security of your End User Devices (EUDs) meets the relevant
standards below. Where a specific requirement applies to EUDs, more detail has
been provided below. The NCSC has published guidance on End User Devices
Security Guidance. Best practice information is also published on BYOD - Device
Security Guidance.

1. Operational security
An organisation will have appropriate policies, processes and procedures in place to
ensure the operational security of its infrastructure.

a. Vulnerability management (patch management)


You must ensure that any exploitable vulnerability is managed. You must have a
defined policy and supporting process to identify, prioritise and mitigate
vulnerabilities. Your policy will specify patch application periods and a process
for auditing compliance.

These periods will typically be of the order of: critical vulnerabilities patched
within 14 days, important vulnerabilities patched within 30 days and all others
patched within 60 days.

Where you know that a vulnerability is being actively exploited then mitigating action
(eg patch applied) should be taken immediately.

Where a patch is not deployed (or available) within the timescales above then there
must be alternative mitigating action, such as disabling or reducing access to the
vulnerable service.
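
The audit process described above can be automated against a findings register. The following is an added example, not part of the Code of Connection: it applies the 14/30/60-day periods, treats active exploitation as due on the day of identification, and accepts a recorded alternative mitigation once a period has elapsed. The record fields, status names, hosts and vulnerability identifiers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patch application periods quoted in section 1a, in days.
PATCH_WINDOW_DAYS = {"critical": 14, "important": 30, "other": 60}

@dataclass
class Finding:
    host: str
    vuln_id: str                      # constructed placeholder, not a real identifier
    severity: str                     # "critical", "important" or "other"
    identified: date
    patched: Optional[date] = None
    actively_exploited: bool = False
    mitigation: Optional[str] = None  # alternative action, eg "service disabled"

def deadline(f: Finding) -> date:
    """Date by which the patch (or mitigating action) is due."""
    if f.actively_exploited:
        return f.identified           # "immediately": due the day it is known
    return f.identified + timedelta(days=PATCH_WINDOW_DAYS[f.severity])

def assess(f: Finding, today: date) -> str:
    due = deadline(f)
    if f.patched is not None and f.patched <= due:
        return "compliant"            # patched inside the period
    if f.patched is None and today <= due:
        return "in_window"            # still open, period not yet elapsed
    # Period elapsed, or patch applied late: only a recorded alternative
    # mitigation keeps this from counting as a policy breach.
    return "mitigated" if f.mitigation else "breach"

def audit(findings, today: date) -> dict:
    """Group findings by status so breaches can be reported and chased."""
    report: dict = {}
    for f in findings:
        report.setdefault(assess(f, today), []).append(f"{f.host}:{f.vuln_id}")
    return report

# Constructed sample register.
TODAY = date(2022, 9, 30)
SAMPLE = [
    Finding("web01", "VULN-A", "critical", date(2022, 9, 1), patched=date(2022, 9, 12)),
    Finding("web02", "VULN-A", "critical", date(2022, 9, 1)),
    Finding("db01", "VULN-B", "important", date(2022, 9, 10)),
    Finding("app01", "VULN-C", "other", date(2022, 7, 1), mitigation="service disabled"),
    Finding("vpn01", "VULN-D", "other", date(2022, 9, 28), actively_exploited=True),
    Finding("mail01", "VULN-E", "important", date(2022, 8, 1), patched=date(2022, 9, 5)),
]

if __name__ == "__main__":
    for status, items in sorted(audit(SAMPLE, TODAY).items()):
        print(f"{status:10s} {', '.join(items)}")
```
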

b. Secure configuration
You must ensure that all IT systems, software and services are appropriately
configured to reduce the level of inherent vulnerability. In particular, you will have
ensured that applications, services, processes and ports not required are disabled by
default. Default passwords will be changed, especially for any administrative
functions.

You will keep configuration control of applications installed and technology that you
use. All changes and new applications will be recorded and managed (including a
formal approval and documentation process) by the enterprise.

You will ensure that devices, systems and services have the capability to detect,
isolate and respond to malicious software.

c. Physical security
You will ensure that appropriately secure accommodation and appropriate policies
and practices governing its use are in place to protect personnel, hardware,
programs, networks and data from loss, damage or compromise.

d. Protective monitoring and intrusion detection


You will collect and retain event data and undertake activities that will help you
detect actual or potential security incidents. You must have a protective monitoring
policy that describes the use cases you are aiming to detect, which can be used to
define event data collection.

Your policy must include detection of both technical attacks and important
abuses of business processes. These conditions do not describe any specific events
to collect or incidents to detect. The requirement is that the business has thought
about and documented its collection and analysis requirements and that this has led
to your approach to protective monitoring and intrusion detection.

If you are using cloud services: Cloud Security Principle 5.2 Protective Monitoring
should be factored into your overall monitoring strategy. Note that a cloud service will
only provide monitoring with respect to the service provisioned. If you consume
Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), you are
responsible for monitoring of capability deployed onto the infrastructure. If you are
consuming Software as a Service (SaaS), you should consider how you will be able
to monitor for any potential abuse of business process or privilege.

End user devices: The capability associated with EUD Security Principle 10 Provide
security logging, alerting and monitoring capabilities should form part of your overall
monitoring strategy.

e. Security incident response


Even within well-secured and well-managed IT Services, incidents will happen. You
must be prepared for incidents so that when they do occur you act quickly to contain
the incident, limit harm, ensure appropriate escalation and learn lessons for the
future.

You must have a security incident management plan, which you should test
periodically. This will include named responsible owners and pre-defined processes
to respond to common forms of attack.

For incidents that impact on the PSN, you must report them to the PSN team and
other entities (NCSC, for example) as required.

In the event of an incident, and where it is appropriate to do so, you will provide the
PSN team with audit logs holding user activities, exceptions and information security
events to assist in investigations.

End user devices: EUDs must form part of the incident response plan. Mobile
devices especially will get lost or stolen and your response plans should include how
to manage (eg remotely wipe) such devices. Refer to EUD Security Principle 12
Incident Response.

2. Authentication and access control


Accounts must be provisioned with privileges appropriate for the user need.
Administrator (or other high privilege) accounts should only be provisioned to users
who need those privileges. Administrators must not conduct ‘normal’ day-to-day
business from their high privilege account. Privileges should be periodically reviewed
and removed where no longer required.

Users must identify and authenticate to devices and services. For passwords, you
must:

1. ensure that ALL passwords are changed from defaults


2. not allow password/account sharing
3. ensure that high-privilege users (ie administrators) use different passwords for
their high-privilege and low-privilege accounts
4. combine passwords with some other form of strengthening authentication, such
as lockouts, throttling or two-factor authentication
5. ensure that passwords are never stored as plain text, but are (as a minimum)
hashed using a cryptographic function capable of multiple iterations and/or a
variable work factor. It is advisable to add a salt before hashing passwords.
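
Requirement 5 can be met with a salted, iterated hash whose work factor is stored alongside each record, so it can be raised later without a forced reset. The following is an added example, not part of the Code of Connection: it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the record format, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed current work factor; raise it over time as hardware improves.
ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'scheme$iterations$salt$hash' with a fresh random salt per record."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and work factor held in the record."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    except ValueError:
        return False                  # malformed record: fail closed
    return hmac.compare_digest(dk, expected)   # constant-time comparison

def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was created under a weaker work factor."""
    return int(stored.split("$")[1]) < iterations

def login(password: str, stored: str, iterations: int = ITERATIONS):
    """Return (ok, record_to_store).

    On a successful login against an old record, the password is re-hashed
    at the current work factor; this is the only moment the plain text is
    available, and it is never written anywhere.
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored, iterations):
        return True, hash_password(password, iterations)
    return True, stored

if __name__ == "__main__":
    old = hash_password("correct horse battery", iterations=1_000)
    ok, new = login("correct horse battery", old, iterations=2_000)
    print(ok, old.split("$")[1], "->", new.split("$")[1])
```
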

NCSC has published best practice in its Password policy: updating your approach
document.

End user devices: Users will identify and authenticate to devices and services.
Additionally only appropriately authorised devices will be provided with access to
services. Device Security Guidance Security Principle 2: Support appropriate
authentication.

If an organisation is using cloud services: Users, administrators and service
providers must identify and authenticate to all services. See Principle 10, Identity and
authentication.

3. Boundary protection and interfaces


You will ensure that your network has appropriately configured boundary protection
between your network/services and the internet or any other network.

Network traffic, services and content should be limited to that required to support
your business need (for example, by setting effective firewall rule sets).

Services presented outside of the protected enterprise (online services for staff,
mobile working etc), should be delivered from an appropriate architecture, with
access to any core information or services constrained.

The architecture will include services to identify malware at the gateway. Where
encryption prevents this, the organisation shall implement an equivalent level of
protection at the end point.

If you are using cloud services: You may consider procurement of services which
respond to different business needs and therefore have different security attributes.
It is important that any interfaces between services are within scope.

Unmanaged devices: must not have access to the PSN. Where a corporate service
contains information that has been sent over the PSN, you should have the data
owner’s permission before allowing unmanaged devices to access that data.
Additionally, you must ensure that an unmanaged device:

● Is not able to use the corporate service to access the PSN in an unmediated
fashion
● Accesses the corporate service through an appropriately secured connection,
for example at the network layer via a VPN, or at the application layer via a
protocol that implements TLS
● Is authenticated prior to the information being accessed with a mechanism that
does not solely rely on a username and password

4. Protecting data at rest and in transit


Data will be protected by default whilst at rest and in transit. Protection can take
many forms ranging from physical protection (eg when hosted within a secure data
centre) to encryption (eg when data is vulnerable at rest or in transit).

Where data is released via vulnerable channels (eg unprotected email, or removable
media) the user must make an active decision and pay due regard to any applicable
handling instructions for that information.

5. User and Administrator separation of data


Appropriate separation should exist between multiple users of corporate IT services.
There should be capability to mediate user access to data and limit access to
sensitive data (such as personal data) to the minimal amount necessary to support
the business. There should be separation (however it is achieved) between users
who have access to information sent over the PSN and users with no access to that
information.

If you are using cloud (or shared) services: Separation should exist between
consumers of the service to prevent a malicious or compromised user from affecting
another. See Principle 3 Separation between consumers. Separation techniques
ensure a customer's service can't access or affect the service (or data) of another.
See also Cloud Security Principle 9 Secure Consumer Management.

6. Users
For users who have administrative privileges (for example, users who are able to
reconfigure your network or system administrators) you should implement
pre-employment checks which are aligned with the Baseline Personnel Security
Standard (BPSS).

Your users should be trained to understand their obligations with regards to system
security, data handling, and acceptable use.

7. Testing your security


You must implement regular IT Health Checks (ITHCs) to seek evidence that any
security mechanisms put in place are ongoing and effective and identify any current
vulnerability. ITHCs should normally be conducted annually, but the PSN team may
specify a different frequency of ITHCs where appropriate.

It is important that issues identified in the ITHC (including systemic issues) are
addressed. Critical and High risks (CVSS 3 or 3.1 scoring 7.0 and above) should be
addressed, normally closed through upgrade or removal of an unsupported system, or
the vulnerability addressed using the pen-testers' recommendations. Medium and Low
risks may be accepted or subject to remedial action plans.

Security gaps
If you are not meeting any of the IA conditions above, please provide details below.
Please also provide details where you are not meeting any of the IA conditions 1 to 7
but are mitigating the associated risk with an alternate arrangement.

Commitment Statement of Information Assurance

By signing this, you agree to the obligations spelled out in this document in order to
be connected to the PSN. If you are unable or unwilling to meet any of these, you
should inform the PSN team immediately.

You agree to meet the IA conditions outlined in the Code of Connection (CoCo),
subject only to those exceptions specifically identified in your Security Gaps
(above), and will submit the CoCo to the PSN team for a compliance assessment
annually, or less frequently as required by the PSN team. If you have a concern that
the IA conditions are not being met by other customers or suppliers, you have a
responsibility to notify the PSN team.

Upon receipt of a compliance warning notice, you must respond within five working
days. You’ll undertake suitable remedial action as directed by and agreed with the
PSN team. If the PSN team rescinds your compliance certificate, you’ll disconnect
from the PSN in the timeframe specified.

Should the PSN team initiate a compliance review, you’ll allow reasonable access to
your site(s) and personnel within 25 working days of receiving notice of the review.

In the event of an incident, you must:

● conduct initial diagnosis of the incident to determine which service is the cause
(or most likely cause of the incident)
● raise the incident to the service provider/customers with whom you have a PSN
supply agreement for the affected service
● if required, inform the PSN team and complete actions assigned by the PSN
team in an agreed timeframe to support resolution of the incident
● if the PSN team contacts you to help resolve an incident or problem, you must
respond as you would for one of your own customers or users
● depending on the nature of the incident, provide audit logs holding user activities,
exceptions and information security events to assist in investigations.
● where your organisation holds the supply agreement for PSN services on behalf
of other PSN customers you should manage incidents received from those
customers on their behalf
● notify other PSN customers with whom you share a PSN service of any incident
that has been communicated to you by the provider

Authorised signatory

Name:
Position:
Telephone no:
Email:
Address:

Date:

Signed:
