What is an IT Health Check (ITHC)
An ITHC (IT Health Check) is a series of penetration tests designed to provide assurance that your organisation's systems are protected from unauthorised access. Specifically, organisations conduct an ITHC to confirm that they meet key requirements for PSN compliance.
Direct from the ITHC supporting guidance:
“Your ITHC should aim to provide assurance that your organisation’s external systems are protected from unauthorised access or change, and they do not provide an unauthorised entry point into systems that consume PSN services.
The internal systems should be tested to provide further assurance that no significant weaknesses exist on network infrastructure or individual systems that could allow one internal device to intentionally or unintentionally impact on the security of another.”
Just to make sure we're all up to speed, the PSN (Public Services Network) is a UK government network which was established to enable public-sector organisations to share resources easily. It is also used by commercial service providers to sell services so that they can be accessed safely and securely by public-sector organisations.
For obvious reasons, it's extremely important to make this network as hard to breach as possible, which is why any organisation that wishes to access the PSN must first demonstrate that it meets all the requirements for PSN compliance.
The ITHC will check your internal and external systems for significant weaknesses and potential entry points, and review your security configurations.
During the ITHC, your internal network should be scanned and manually analysed.
Consider the following:
- The build and configuration of all devices: laptops, desktops, phones and tablets.
- Don't forget to factor in employees' personal devices.
- Consider also people external to your organisation who may have access to your internal systems, such as clients.
- The configuration of your wireless network.
- Check that your OS, applications and firmware are updated with appropriate patches.
- Review network management security and internal security gateway configuration (including PSN).
Your ITHC should also entail scanning and analysing online systems such as:
- Email servers
- Web servers
- Any systems you have in place to allow staff to connect into your organisation remotely, including VPN.
Passwords – your first line of defence
PSN Code of Connection (CoCo) compliance requires you to demonstrate that you have measures in place to secure password-protected entry points.
Under CoCo section 2, Authentication and access control, these include:
- Ensuring all passwords are changed from their defaults
- Stopping password and account sharing
- Ensuring that high-privilege users such as administrators use a different password for each of their accounts
- Strengthening authentication by combining passwords with some other form of authentication, such as a second factor
- Never storing passwords as plain text, but hashing them with a password-hashing function that supports multiple iterations and/or a variable work factor (PBKDF2, bcrypt, scrypt and Argon2 are designed for this). See how to change the Active Directory password hash method.
For a quick win that highlights the extent of the password problem in your organisation, audit your Active Directory users and passwords.
One simple way to do this is with Specops Password Auditor, a free tool that exports, as a detailed report or a high-level summary, the accounts found to have password vulnerabilities such as expired, identical or blank passwords. It also compares the password hashes on your systems against a regularly updated list of breached passwords, so that you can prompt affected users to change their password as soon as possible.
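The two points above, a hash store with an iterated, variable-work-factor function and an audit that compares stored hashes against a breached-password list, are easy to see side by side in code. The block below is an added example and is not code from the original page or from Specops. It assumes SHA-1 as a stand-in for Active Directory's unsalted NT hash (so it runs on any Python build; the audit logic is the same, only the hash function differs), a breached list in the `HASH:count` line format of the Pwned Passwords offline download, a constructed five-account directory, and PBKDF2-HMAC-SHA256 from `hashlib` with an assumed iteration count for the salted store.

```python
"""Miniature AD-style password audit beside a salted, work-factor hash store.

Added example, not code from the original page or from Specops. The
directory dump, the breached-password list and the PBKDF2 parameters are
constructed for illustration.
"""
import hashlib
import hmac
import os
from collections import defaultdict

# --- Part 1: auditing a store of fast, unsalted hashes -----------------------
# Assumption: SHA-1 stands in for the NT hash. Because the stored value is a
# plain, unsalted hash, one hash of a breached password matches every account
# that uses it, which is exactly what makes this audit cheap to run.

def fast_hash(password: str) -> str:
    """Unsalted, single-iteration hash, upper-case hex (Pwned Passwords style)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed directory dump: username -> stored hash.
DIRECTORY = {
    "alice": fast_hash("Winter2023!"),
    "bob": fast_hash("Password1"),
    "carol": fast_hash("Password1"),        # same password as bob
    "svc_backup": fast_hash(""),            # blank password
    "dave": fast_hash("c0rr3ct-h0rse-b4ttery"),
}

# Constructed breached list in the "HASH:count" offline format.
BREACH_LIST = "\n".join([
    f"{fast_hash('Password1')}:2400000",
    f"{fast_hash('Winter2023!')}:31",
    f"{fast_hash('letmein')}:500000",
])

def load_breached_hashes(text: str) -> dict[str, int]:
    """Parse HASH:count lines into {hash: prevalence}; blank lines are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        h, _, count = line.partition(":")
        out[h.upper()] = int(count or 0)
    return out

def audit(directory: dict[str, str], breached: dict[str, int]) -> dict:
    """Return blank accounts, groups sharing a password, and breached accounts."""
    blank_hash = fast_hash("")
    by_hash = defaultdict(list)
    for user, h in directory.items():
        by_hash[h].append(user)
    return {
        "blank": sorted(u for u, h in directory.items() if h == blank_hash),
        "identical": sorted(sorted(users) for users in by_hash.values() if len(users) > 1),
        "breached": {u: breached[h] for u, h in sorted(directory.items()) if h in breached},
    }

# --- Part 2: storing passwords with a salt and a variable work factor --------
ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$dk_hex' with a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    findings = audit(DIRECTORY, load_breached_hashes(BREACH_LIST))
    print("blank:", findings["blank"])
    print("identical:", findings["identical"])
    print("breached:", findings["breached"])
    stored = hash_password("Winter2023!")
    print("verify ok:", verify_password("Winter2023!", stored))
    # Two salted hashes of the same password differ, so a precomputed
    # breached-hash list cannot be matched against this store directly.
    print("salted hashes differ:", hash_password("Password1") != hash_password("Password1"))
```

The contrast is the point: the fast, unsalted store lets the audit flag `bob` and `carol` from a single breached hash, and that same property is what an attacker with a copy of the store gets for free. A salted, iterated store gives a different hash for each account even when passwords match, so breach checking has to happen at password-set time against the plaintext, not afterwards against the hashes.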
Find an appropriately certified ITHC testing partner
Central government customers must choose a partner accredited under the NCSC's CHECK scheme. Non-government customers can also choose testing partners offering CREST-approved ITHC services or accredited by the Cyber Scheme.
Work with your ITHC testing partner to resolve any issues that arise, and you'll not only meet PSN compliance but, crucially, protect your own organisation, your clients and your employees.
Contributed by Jason Hart, Cyber Security Expert