A code of connection (often called “a coco”) is used when a formally accredited information system wishes to connect to another “unknown” information system (the connecting organisation). There are a variety of reasons for wishing to connect information systems together, but they usually involve a requirement to exchange data and information.
There are a variety of codes of connection, but some of the better known ones include:
The GSi Community:-
The Criminal Justice Community:-
A code of connection works by the accredited system stipulating a baseline set of controls to be implemented, or commented on, by the connecting organisation. These controls are usually selected from best practice (ISO 27002) or, more usually, various HMG Information Assurance requirements. The controls vary, but they can broadly be broken down into the following types:-
When the code of connection is completed, the accredited information system will take a view as to what threat the connecting organisation poses. If it judges the risks to be acceptable, it will authorise the connection.
How stringent a code of connection is depends on the level of assurance that is required between the participant organisations. The requirements for codes of connection rarely remain static, however, and they tend to become more rigorous with every release. Security is rarely a static target.
To ensure that your organisation complies with the relevant code of connection, Sapphire has a proven methodology. This involves examining how your organisation measures up to the various controls within the code of connection, and then producing a Risk Treatment Plan that outlines exactly the work that is required to comply fully.
Sapphire’s consultants will assist in completing the relevant code of connection and can advise on the requirements for a formal risk assessment and accreditation.