evince passes security audit

Good news is always an excuse to write a blog post and the fact that evince has successfully passed its external security audit with flying colours is just such an occasion.

To get an external perspective we employed the services of Redweb to carry out a full security audit of the evince application. Redweb have experience of working with a number of government agencies, including the Home Office on the Identity and Passport Service, making them the obvious choice to carry out the test.

Following a scan and analysis of the entire application, we passed with flying colours. No medium, high or critical security issues were identified; the nine findings that were raised were all rated low or informational, and these were passed to our technical teams, who reviewed and actioned them where relevant.

Data Centre

Obviously the infrastructure that the application runs on has a significant impact on the security available. As an organisation we have been managing and running a secure data centre for a number of years, primarily to support the ChildcareLink contract. In addition to the hosted versions of iChIS, we also support the dissemination of Ofsted data out to all local authorities in England, not to mention the ChildcareLink website itself.

As an organisation we take security very seriously, as all providers should. This was clearly demonstrated by our commitment to achieving the ISO27001 accreditation, which we successfully passed at the first attempt during 2007. On a personal note it was pleasing to see that there was little we needed to change in terms of our internal processes to support this, a great testament to the excellent work our technical teams have been doing over the years.

In terms of data security, all our databases sit behind firewalls, so users can reach their data only through the application. As with iChIS, each local authority has its own dedicated evince database, so separation between authorities is enforced at the database level as well as at the application level.

Another concern is that, because evince is browser based, all information travels over the internet before it is displayed on the user's machine. To protect it in transit, the majority of content is encrypted using 128-bit encryption prior to transmission, the same security technology used by online banking and e-commerce websites.

Finally, we employ an external company to run a full penetration test on our infrastructure twice a year. This gives us an independent review of the processes and technology we have in place and ensures we keep up to date with the latest threats.

You can read more detailed information about our technical infrastructure on the evince-online website.

Escrow

Although not strictly application security, as evince is purely a hosted solution, a couple of local authorities have asked whether evince will be placed in escrow. The answer to this is yes and we already have an agreement in place.

A complete copy of the source code will be placed into escrow with the NCC Group on an annual basis. Local authorities are then able to take out a registration against this, for a small annual fee, if they wish.

Conclusion

In this quick overview I have tried to give you a flavour of the main security processes and procedures we have in place with regards to evince.

Comments
    I would like to point out the fact that no source code will be held with "National Computing Centre" and we are a little unhappy/concerned that you do not seem to be aware or know who you are storing your source code with. The escrow company you refer to has not been part of our organisation for nearly 10 years and can no longer be mandated for as they have no connection to central or local government.
    Overlooking escrow services in the procurement process can be risky now that business continuity and sustainability are high on the agenda. For the last 20 years, there has been no effective specialist ICT escrow provider to compete with NCC Group. However, recent changes have acted as a catalyst: the NCC Group has been transformed from a quasi-government body to a privatised plc, becoming fully listed on the London Stock Exchange in July 2007. Since NCC is now a private company you can no longer mandate for its use and most standard form government contracts are now prescribing “a reputable escrow provider” as opposed to specifying NCC Group. OGC guidance is that NCC Group must now be treated as any other private organisation and as such must not be stipulated in public contracts. So now we have a choice, but in a recent survey 95% of local authorities and software companies were unaware of any escrow providers other than NCC.

    Where can you go for an alternative? Your software supplier may have an existing multi-user agreement with the NCC and initially may be reluctant to set up a new one, though the same survey found 95% of clients and software companies would be open to using an alternative escrow provider.

    Some organisations opt for using a bank, but this rarely provides more than a vault service. Checks that the media are readable and material is complete are essential if the escrow is to have any real value.

    We have identified several possible alternative suppliers. As you would expect in a market which was effectively a monopoly until very recently, new entrants are competing both on price and on service. One alternative supplier, for example, offers an online management system and claims it has a strong following in local government because of its ability to cover key local government software applications.

    In the context of on-going financial pressures it is worth re-considering existing escrow arrangements too. One alternative supplier claims that an authority holding five to ten software applications in escrow could save around £3,000 without risk of detriment to service levels. It is also important to check that any escrow provider has sufficient professional indemnity cover, just in case.

    For more information on how Socitm Consulting can help you in this area, please email us at consulting@socitm.gov.uk or call 0845 450 0904.

    Escrow Services - choice is now compulsory
    Stefan,

    Thanks very much for clarifying this. I have to point out that this wasn't Giles' mistake, but one I introduced upon proofing which I'm sure I will not hear the end of in the office!

    OL has worked with NCC to hold the iChIS source code over the past few years, and are very happy with the service, which is why we've worked with them to provide this facility for evince. However, as both comments have pointed out, should a customer require an alternative provider of escrow services we are happy to meet this requirement, and you should make sure you're totally happy with any service offered before ticking the escrow box in your procurement.

Creative Commons Attribution-ShareAlike 2.0 UK: England & Wales