GSI IT SECURITY HEALTH CHECK Probation

PURPOSE
Part of the GSI Accreditation Programme involves local visits to conduct IT
Security Health Checks. Feedback is required from probation areas to
Circular
minimise operational impact. REFERENCE NO:
28/2005
ACTION
Areas should provide dates during which IT Security Health Check visits ISSUE DATE:
should not be scheduled (for operational reasons) during the months of May 20 April 2005
and June. Please be aware that this work forms a critical part of the NPS
accreditation programme. IMPLEMENTATION DATE:
20 April 2005
SUMMARY
The GSI Accreditation Project will be sending a CHECK IT security test team EXPIRY DATE:
to a number of area data centres (to be decided) to carry out local security
July 2005
assessments of centrally (Steria) managed systems and any aspects such as
locally managed servers, the PIX firewalls, case management systems etc.
TO:
Chairs of Probation Boards
RELEVANT PREVIOUS PROBATION CIRCULARS
N/A Chief Officers of Probation
Secretaries of Probation Boards
CONTACT FOR ENQUIRIES
Piers Wilson, NPD IMTU (NOMS OIS) CC:
Tel: 0207 2170671 / 07971 566579 Board Treasurers
Email: piers.wilson@insight.co.uk Regional Managers
IT/System/Security Managers

AUTHORISED BY:
Bob Nicholls, NOMS Offender
Information Services

ATTACHED:
N/A

National Probation Directorate

Horseferry House, Dean Ryle Street, London, SW1P 2AW General Enquiries: 020 7217 0659 Fax: 020 7217 0660

Enforcement, rehabilitation and public protection

DETAIL

As part of the migration from the GSX network community to the GSI community later this year (hopefully mid-late
summer) a full IT security health check is planned to be undertaken across the service by CESG CHECK security testers.
(This will be a similar activity to the network security review that was undertaken a couple of years back.)

A large amount of this work will take place at the Hemel data centre. However, it will be necessary to visit a reasonable
proportion (we are aiming at around 20-25) of the area data centres. The decision on which areas are to be visited will be
based upon their particular characteristics so as to get as broad a spread as possible in terms of size, firewall
configurations, locally managed systems, case management platforms etc.

We expect each visit to take place within a single full day, so the health check team will need greeting, showing into the
data centre, somewhere to sit/work, advised about local systems and also it would be useful to have a member of local IT
support available (not necessarily present at all times). We plan to have a Steria representative on site to give access to
STEPS/Steria managed systems and to enable network connectivity etc.

Initially I would like to ask that you inform us of any time periods/dates during May to July when it will NOT be possible to
accommodate these visits. Note that not all areas will be visited. However, we may not finally know which areas will be
visited until we have the information about availability (and also completion of some aspects of the security improvement).
An early response to this PC will enable us to schedule visits to minimise service impact.

We are planning on making an initial selection of suggested dates for visits – but due to the geographic spread, number
of people involved and the timescales these may need to be rearranged following the information we receive regarding
availability.

Although dates of visits can be moved it is in your interest to advise us now of any periods when these visits cannot be
accommodated.

Please would all areas/IT managers respond with unacceptable dates (during May to July) and also local points
of contact (if different to the above names) by the end of 29 April. We expect to formulate and publish the
schedule on or about 3 May and commence the visits on 9 May.

PC28/2005 - GSI IT Security Health Check 2