The National Technical Authority
for Information Assurance

FAQs


Academia

How are the ACE-CSRs being funded?

The recognition does not come with research funding. The Engineering and Physical Sciences Research Council is providing £50,000 to each ACE-CSR over five years to help cover infrastructure costs associated with being an ACE-CSR.

How many ACE-CSRs do you want to establish?

We have no maximum number in mind. Any UK university that meets the criteria will be recognised. The more that meet the criteria the better for the UK.

Is there a limit on the number of universities that can become ACE-CSRs?

No. Any university that applies and meets the criteria will be recognised.

What else is being done to advance cyber education and research in the UK?

In the pipeline are the following:

  • A scheme to recognise Academic Centres of Excellence in Cyber Security Education by focusing on masters degree courses
  • The certification of Masters degree courses in Cyber Security
  • A flexible system for assuring vocational training courses in Cyber Security.

What is an ACE-CSR?

An ACE-CSR is a UK university that has been judged by GCHQ as delivering excellent cyber security research.

What is the difference between the Research Institute and the Academic Centres of Excellence in cyber security research? Isn’t this confusing?

The Academic Centres of Excellence scheme recognises institutions where there is a strong and broad capability in cyber security research. It does not involve any new funding for research. The Research Institute initiative on the other hand represents targeted investment in strategically important areas of research which need to be strengthened.

What will closer liaison with GCHQ and the UK cyber community mean in practical terms for the ACE-CSR universities?

It is expected that ACE-CSRs would work closely with government stakeholders. To help facilitate effective interactions, any ACE-CSR that is recognised would have a senior technical person from GCHQ assigned as a liaison officer. An annual conference will take place to which representatives from ACE-CSRs, government and business will be invited. In addition, there may be opportunities for collaboration with other Academic Centres of Excellence overseas.

When can other universities apply/reapply for ACE-CSR status?

It is expected that there will be further calls for ACE-CSRs in October 2013 and October 2014.

Why are we doing all of this?

These initiatives will position the UK cyber research community as the pre-eminent environment in which to conduct leading edge research and in turn attract the best academics and research students. This work will also:

  • Help make the UK government, business and consumers more resilient in cyberspace by extending knowledge and enhancing skills in cyber security. 
  • Allow leading academics in Cyber Security from across the UK to work together
  • Assist government and business to interact more effectively with the university sector both to gain insight into leading-edge university Cyber Security research and to help exploit it for the benefit of the UK
  • Enhance the UK’s cyber knowledge base through original research
  • Help shape future Cyber Security research requirements and provide a stimulus to enhance the quality and breadth of UK academic Cyber Security research
  • Drive up the level of innovation
  • Enable academia to have a better understanding of the range of Cyber Security problems faced by government and business
  • Provide top quality graduates in the field of cyber security.

Why is GCHQ putting money into academic research? Isn’t there already a lot of scientific research in Cyber Security?

Cyber Security is a very large field, and a rapidly evolving one. Some areas of research are well covered, but others less so. The two Research Institutes which are being funded both aim to develop areas of research which we want to strengthen.

Will all the research be published?

Yes. This is an open initiative, and work will be published in journals and conferences etc in the normal academic way.

Will the ACE-CSR universities be restricted in the research they undertake?

No. Within the field of cyber security research the ACE-CSRs will be free to conduct research on any topic. Each ACE-CSR will be expected to continue to produce the exemplary level of cyber research evidenced in its application.


Biometrics

Are there any UK-government approved biometrics applications?


Certification

Can I apply for IA certification under the CESG Certified Professional (CCP) scheme?

IA professionals from both the public and private sector can apply for IA certification.

Can I be certified for more than one role?

Yes, if your evidence demonstrates that you meet the criteria. There are seven roles. The seventh role, the penetration tester role, is a recent addition to the portfolio and differs slightly from the other roles in that it has four levels of competence rather than three.

Can I belong to more than one professional body?

Yes.

Do interviewers have the necessary skills for our level of accreditation?

Yes, all the CBs have well established processes for selecting and training assessors and interviewers. In addition, all CBs are monitored and regularly reviewed and audited by CESG.

Do we favour any one CB over any of the others?

No.

How do I get started on the process of certification?

You should consult the CESG Certification for IA Professionals (PDF) framework and the associated Guidance to CESG Certification for IA Professionals (PDF) to determine which IA role is appropriate for your current IA/Cyber security skills and experience.  The latest version of the standards and guidance is always available on CESG’s websites. 

You should also refer to the websites of the three Certification Bodies (CBs) to select your CB of choice.

How much time will it take to complete and process my application?

This can depend on the level of certification. Completing the application itself is likely to take at least half a day (you will have to provide evidence of 20+ skills and two bullets per skill). Processing time might also depend on factors such as how soon your referees respond to providing evidence on your behalf. As a guide, it takes between 6 and 8 weeks for the Practitioner level and between 10 and 16 weeks for Senior and Lead levels. Senior and Lead levels can take longer because arrangements need to be made to interview the candidate.

I’ve got lots of qualifications already, why should I apply?

What sets CCP apart is that it is not simply a qualification. It is a certification which is awarded to those who demonstrate their sustained ability to apply their skills (technical, business and people skills), knowledge and expertise in real-world situations.

Is CPD still applicable?

Yes, you are required to keep your IA/Cyber security skills up-to-date. CPD is linked with recertification.

My evidence may require special handling, what should I do?

CBs can handle applications up to OFFICIAL level and interviews at SECRET. In the majority of instances it should be possible to sanitise your evidence. Otherwise contact your CB to make arrangements for an interview in a secure environment.

What about CLAS consultants?

All CLAS members are CESG Certified Professionals but, through the CLAS membership services, they can gain a deeper understanding of the public sector approach to information risk management.

What happens if I don't meet the standard?

The CB will notify you and set out why you have not met the standard on this occasion.  There are two main reasons for an unsuccessful application:

  • not checking the CB’s website thoroughly to see what qualifications are required
  • not providing enough evidence of IA/Cyber security skills.

Evidence in general should show what you did, how you did it, what impact this had on your organisation and how your IA expertise delivered business objectives. Assertion in itself is not evidence.

 

What happens if I pass and how long does certification last?

Your skills, knowledge and competence are independently recognised and your certification will last for 3 years, subject to meeting any requirements for continuing professional development.

What if I have further questions about the scheme?

You should contact CESG Enquiries.

What is the cost of certification ?

The cost varies depending on which CB you select and the IA role and role level you select.  Each CB has details on their website.

When am I expected to recertify?

Within the three-year life of a certificate, APMG and BCS require re-validation at 18 month intervals and IISP at 12 month intervals. This is to ensure that you are maintaining your IA expertise and that it remains relevant.

When can I transfer my CCP certification to another CB?

The processes for assessing candidates for CCP and the timeframe for the on-going re-validation process are subtly different for each CB. This means that it is not practicable to move from one CB to another during the life of your certification. 

When your certification is due for renewal (after three years) then each CB will recognise your previous certification and essentially use their re-certification process to provide you with a new three year certificate. This will entail looking at the last three years of work and related CPD etc. depending on the process used by the particular CB. You can of course at any time register with another CB to be re-assessed for an existing role or to add an additional certification to your current one(s) but this will be charged at the usual new assessment rate.

Why should I apply for CCP certification?

You will be part of a growing community of recognised, competent IA/cyber security professionals covering both the UK public and private sectors.
 
CCP certification, which has been acknowledged as HMG’s standard for cyber security professionals, provides an independent and rigorous assessment of your expertise and your ability to apply that expertise in real-world situations. Knowing that you have been rigorously assessed, employers can have the confidence that they are getting the right person for the job.

Why these three CBs?

CESG chose the three CBs via a competitive selection process. All three CBs are widely recognised in the accreditation and qualification arena for IT and IA/cyber security. In addition, CESG conducts a regular audit of all the CBs to ensure the high standards demanded of a CESG-approved scheme are maintained.

Will guidance on suitable training be available?

In support of the CESG Certified Professional scheme, CESG will be launching the CESG Certified Training (CCT) scheme in the summer of 2014. CCT is designed to assure high-quality cyber security training courses. It is expected that the first certified courses will be available by late summer 2014.
 
For more information see: Certified Training.

Will the list of certified roles be expanded in future?

The original portfolio of six roles has recently been extended with the addition of a penetration tester role and it is anticipated that additional roles will be developed.


CESG Services

How can I benefit from CESG's services?

CESG offers a range of products and services including technical consultancy and advice, policy documentation, product evaluation and training, primarily to UK government and the armed forces, the wider public sector, and industries forming part of the Critical National Infrastructure, such as power and water. In the first instance contact CESG Enquiries.

How do I get advice on a particular aspect of Information Assurance?

CESG has a team of Customer Account Managers (CAMs) responsible for specific customer sectors, to capture your requirements and ensure you get the help and guidance you need. To locate your CAM, please contact CESG Enquiries.
 
We also have a partnership with private sector consultants under the CESG Listed Advisor Scheme (CLAS), to satisfy the increasing demand for high-quality advice.


CLAS

CESG's Role - How will CESG ensure consistency between the three Certification Bodies' tests?

The certification framework is aligned with the ISO standard for people certification (ISO 17024) which requires a scheme committee to oversee compliance with the standards. CESG will chair this committee and the members will include the Certification Bodies (CBs). We aim to ensure that each CB achieves a level of rigour that is acceptable to most public sector organisations. Some CBs may be further above this minimum level than others. As tests form only a part of the overall assessment process there may be variations in the difficulty of the CBs' tests.

CESG's Role - How will CLAS consultants keep up to date on changes in policy from a certification approach?

CESG will inform CLAS members through the monthly newsletter of any changes in its approach to certification. It will be up to the Certification Bodies to inform their customers of any changes in their approach to certification. It will be up to those certified to maintain their knowledge of IA policy relevant to them.

CESG's Role - Is there a common code of conduct for the new CLAS?

Yes, and it is in the CLAS members' contract. The Certification Bodies may also apply their own codes of conduct.

CESG's Role - Once you have one or more certifications what will you need to do to get CLAS?

The criteria will be the same as now except for the IA certification requirement; i.e. the ability to hold and maintain an SC/BPSS clearance, to be sponsored by a UK limited company and to have experience of the public sector approach to information risk management.

For further details see How can I join new CLAS?

CESG's Role - Where will clients go to validate a CLAS consultant’s certifications – CESG / certification bodies or somewhere else?

CESG will publish details of CLAS members, who have certification.

CESG's Role - Who will manage the appeals process?

The Certification Bodies, subject to oversight from a scheme committee chaired by CESG.

CESG's Role - Will the community be consulted on the changes?

Yes, in the usual manner the CLAS Forum members have been invited to attend, or be represented at, a contract review meeting.

CESG's Role - Will the consultant need to provide proof of certification on CLAS renewals or applications or will CESG be checking directly with the Certification Bodies?

CESG expects to check with the Certification Bodies.

CESG's Role - Will there be a common complaints/ revocation of certificates process?

CESG hopes to agree this through the scheme committee.

CESG's Role - Will there be an appeals and arbitration process on certifications?

In line with ISO 17024, each Certification Body will maintain and operate its own appeals process.

CESG's Role - Will there be any formal distinction between CLAS consultants of different role levels and skill types?

From a client perspective clearly certification at different roles and levels are distinct. CESG may subsequently introduce differing packages of services and fees at differing roles or responsibility levels.

CLAS Fees - What will the new CLAS membership fee be?

£999 + VAT (full CLAS member).
 
£499 +VAT (associate CLAS member).

CLAS Fees - Will there be bulk discounts on CLAS membership?

There are no plans for this at present.

IA Certification - Can you submit one application covering several roles?

Yes, each Certification Body will accommodate this.

IA Certification - Do the Certification Bodies 'need to know' about CLAS work that may be required to be discussed or provided as part of the certification process?

Applicants should only include in their application information that they need to share with the Certification Body, taking into account the protective-marking limits on what the Certification Bodies can accept (see the question on clearance below) and the permission of the relevant Information Asset Owners (IAOs).

IA Certification - Do you apply for a level, or do you apply for a role and get allocated a level?

You apply for a level and the Certification Body(CB) will assess whether you meet it. It is at the CB's discretion whether to offer certification at a lower level if there is evidence to support it, but not at the level applied for.

IA Certification - How are the certification providers ensuring that the pass benchmark is appropriate?

The role definitions are based upon public sector requirements rather than an intent to achieve a specific pass rate. Each applicant will be assessed independently against the role definition.

IA Certification - How will a cool-off be managed?

That remains for the Certification Bodies to decide.

IA Certification - If you fail an exam will remedial training be recommended?

That is up to the relevant Certification Body or exam body.

IA Certification - Is the certification process completely separate for each different role?

No, all role definitions are based on the Institute of Information Security Professionals (IISP) skillset and Skills Framework for the Information Age (SFIA) responsibility levels, so much evidence could support applications for multiple roles.

IA Certification - What are the certification fees?

The fees vary between the Certification Bodies (CBs), role and responsibility level. The CBs will publish their fees as they open their application processes to the public.

IA Certification - What are the pre-requisites for the different roles?

See CESG Certification for IA Professionals (PDF 1.04Mb - v2.0, Sept 2012) framework and the associated Guidance to CESG Certification for IA Professionals (PDF 685KB - issue 1.0 Sept 2012)

IA Certification - What are the steps to achieve IA certification to the new scheme?

Apply to a Certification Body of your choice and follow their application process. In general the process entails submission of written evidence and provision of referees, sometimes supplemented with an exam and/or interview.

IA Certification - What happens to CPD if ITPC goes?

Will we still need to demonstrate Continuing Professional Development (CPD) or any other kind of professional development to CLAS, or will this be part of the Certification Bodies' responsibility?

Each of the CBs will have their own criteria for maintaining certification, which will replace the ITPC criteria for CPD.

IA Certification - What level of accreditation will be required of the Certification Bodies' networks and systems, for providing certification?

Their information systems will be subject to accreditation by GCHQ at a minimum of IL3 for confidentiality, and IL2 for integrity and availability.

IA Certification - What level of clearance and qualifications are being imposed on the Certification Bodies?

The Certification Bodies (CBs) are able to accept applications protectively marked RESTRICTED, and hold interviews up to SECRET. Assessors will therefore require Security Clearance (SC). CB staff who handle applications will need to meet the Baseline Personnel Security Standard.

IA Certification - Will there be any approved training courses for the roles?

The Certification Bodies may recommend training courses for exams they set. While CESG is unable to recommend private sector training, work is under way to design and implement a flexible mechanism for assuring training for IA professionals.

IA Certification - Will there be bulk discounts for certifications?

This is a matter for the Certification Bodies.

IA Certification - Will there be different qualifications for different roles?

The approach varies between Certification Bodies.

IA Certification - If you fail one Certification Body's exam is there a cool-off period before you can re-apply to the same body, or another body?

That is a matter for the Certification Bodies, but their current thinking is for a cool-off period of three months.

Marketing & Publicity - What is the value proposition of the CLAS scheme?

The value of CLAS membership will be promoted to the public sector as enabling a deeper understanding of the public sector approach to information risk management than can be assumed by IA certification alone. This is based on the services provided by CLAS members, and the fact that it is not essential to have any public sector experience in order to gain IA certification.

Marketing & Publicity - What promotion will be done within the buying community about the CLAS scheme and how HMG should be using it?

CESG will primarily use existing marketing arrangements for promoting the CLAS scheme; notably our websites, policy flashes, events and our network of Customer Account Managers. The Certification Bodies will also market the scheme.

Mutual Recognition - Does CLAS apply at all three levels of assessment, and for one or more of the role types?

Yes, membership of CLAS is conditional upon certification in any role at any level.

Mutual Recognition - Will there be mutual recognition across Certification Bodies' certifications for renewal and upgrades?

That is a matter for the CBs to agree between themselves, and will be confirmed in due course.


CTAS

Can CESG recommend a specific CTAS company?

No. All of the CTAS Companies are listed on the CESG website together with their approval status. These companies have test laboratories with a CTAS capability that has been approved to meet the required standard for the service and therefore CESG cannot recommend a specific one.

The only exception would be if some specialist expertise was required or if there is the possibility of a conflict of interest. In this case, specialist sub-contractors may be required that need to be approved by CESG.

Can the CTAS results be reused for other customers?

In general, evaluations are tailored to the specific requirements of individual customers and the acceptance of a risk by one customer does not mean that it would necessarily be accepted by another.

The approval of a product, system or service based (in part) on CTAS results and advice, does not necessarily mean that the CTAS results can be used by other customers. However, some parts of an evaluation may be capable of re-use, subject to appropriate rework agreed by the Accreditor.
 
Another approach would be to have a pan-government accreditation or multi-department accreditation panel that makes approvals on behalf of a number of Customers.

How are CTAS Companies approved?

CTAS Companies are approved by CESG following a successful Trial CTAS Evaluation. Prior to this the company must be accredited against ISO/IEC 17025 and to the CESG Test Laboratory General Operational Requirements, as detailed on the CESG website.

How are risk levels determined?

The residual risk for an information system, product, service or component is normally determined by following the procedures in IS1.
 
Where risks cause significant concern to an organisation, CTAS is one of a range of CESG integrated services that can be used to gain further assurance.

How do I get started?

There is CTAS guidance on the CESG website summarising Engaging CTAS, Guidance Notes and the Operational Procedures. The documentation also includes a Pre-Application Checklist, a Task Startup Meeting Agenda/Checklist and a CTAS Glossary.

After a potential customer or Sponsor has had initial discussions with candidate CTAS companies to confirm the appropriateness of the service, the starting point is the submission of a Business Questionnaire to the selected CTAS Company. Either the customer, Sponsor or CTAS Company then produces a draft Security Target to discuss and agree the detailed scope of work required in the evaluation. The CTAS Company will involve other stakeholders as appropriate. In addition, the CTAS Company will distribute all required CTAS documentation to CESG.
 
It is generally helpful during early discussions with stakeholders to have available any relevant overviews of the Target of Evaluation (TOE), including purpose, security features, target security functions and the test configuration(s) envisaged. This information will in due course be presented in an outline Security Target. The information may also be presented at the Task Startup Meeting held between all key stakeholders to clarify the TOE Scope and to discuss aspects relevant to the production of the Security Target and Evaluation Work Programme (EWP).
 
A list of CESG-approved CTAS Companies and their current status is available on the CESG website. Templates for the Business Questionnaire, Security Target, EWP and Task Startup Meeting Agenda/Checklist are available from the CTAS Companies.

How is assurance maintained in Systems, Products and Services?

Once an evaluation has been completed, it is likely that the system/product/service will be subject to change throughout its operational life. CESG recommends that changes are routinely assessed by a CTAS Company to ensure that no security weaknesses are introduced during TOE upgrades. All assurance maintenance activities are included in, or referenced from, the Assurance Maintenance Plan (AMP).

Contact CESG for further advice on how to perform an efficient, tailored maintenance review and audit approach using the AMP drafted during a CTAS evaluation.
 
CESG can provide confidence to the Accreditor that the assurance maintenance activities in an agreed AMP are sound and that they are completely addressed in the resulting Assurance Maintenance Report.

How is Assurance Maintenance initiated?

An assurance maintenance service can be provided by the CTAS Companies, with appropriate assurance and AMP advice from CESG when required by the Accreditor, and may be covered by an extension to the original evaluation contracts. However, other assurance providers may be involved as agreed by the Accreditor. When requested, CESG can provide advice and feedback based on their review of the AMP, SIA and Assurance Maintenance Report.

How is Assurance Maintenance tailored?

The scope of the maintenance activities is normally that initially stated in the Security Target and Evaluation Work Programme of the most recent related evaluation, with updates as appropriate to the product/system/service changes requiring assurance.  All subsequent tailoring of Assurance Maintenance is recorded in the Assurance Maintenance Plan (AMP) and agreed by the Accreditor and other stakeholders

The maintenance activities are derived from examining the changes summarised in an outline Security Impact Analysis. Any high-risk (i.e. major) or medium-risk change to the previous evaluated configuration may trigger a re-evaluation.

How is the evaluation tailored?

The selected CTAS Company will liaise with the Sponsor, Customer, Accreditor and CESG to agree the scope of work.

Based on the Security Target and the requirements of the Customer and their Accreditor, an Evaluation Work Programme is produced by the CTAS Company. In accordance with the CTAS Principles and Methodology, this will detail the appropriate evaluation activities and associated activity plans that will meet the requirements of the Accreditor (with advice from CESG where appropriate).

How long does a CTAS Evaluation take?

This depends on the complexity of the Target of Evaluation (TOE) and the range of requested evaluation activities. It also depends on the time taken to agree the Security Target and Evaluation Work Programme (EWP) produced during the Preparation Phase. The Evaluation Phase cannot start until the Preparation Phase has completed. As a general rule, the CTAS Evaluation will probably take longer than three months but overall should be completed within one year. CESG will generally arrange a fixed-price contract to cover a one-year period. CESG will charge an extra fixed price for every extra year requested to continue their agreed assessment activities.

What activities can be performed during a CTAS evaluation?

A wide range of evaluation activities can be undertaken during the Evaluation Phase, including (but not limited to): security architecture review, design review, review of Developer test evidence, review of procedures (delivery, installation and operational procedures), site audits, vulnerability analysis, source code analysis, cryptographic analysis, security functional testing and penetration testing. All security testing, including penetration testing, is performed against a detailed (low-level) Test Plan agreed with key stakeholders, including CESG and the Sponsor / Developer / integrator / service provider, before the tests begin. For planning convenience, the selected evaluation activities are grouped under the generic activity headings of Document Review, Audit, Analysis and Test, each generic activity being described in a detailed activity plan. Examples of these activities might include:

  • Document Review: Review of evaluation deliverables (e.g. security architecture, design, test evidence, development procedures, operational guidance and operational procedures)
  • Audit: Audit of procedures (development, delivery, installation and operational procedures)
  • Analysis: Cryptographic analysis and/or source code review; vulnerability analysis
  • Test: Security functional and penetration tests against agreed Test Plan.

The above examples do not comprise a definitive list and other evaluation activities may be included as required by the Accreditor.

Note: It is not the intention to evaluate a whole system, product or service - just the key barriers, interfaces and security functions.

What activities can be performed during the Assurance Maintenance Phase?

In essence the evaluators may initially be tasked to undertake a Maintenance Review of the proposed changes to an evaluated configuration (prior to implementation) and confirm whether they agree with the impact of these changes as summarised in an outline Security Impact Analysis - normally provided by the Developer. If appropriate, they may recommend to the Accreditor that a Maintenance Audit or a Re-evaluation is performed to provide adequate assurance.

A requested or periodic Maintenance Audit (e.g. annually) may be later performed to audit the correct implementation of these changes. The scope of the maintenance activities is determined by the Accreditor, but a Maintenance Audit may include activities such as a check for new vulnerabilities and threats, a review of the patches applied, an audit of maintenance procedures, a review of Developer testing, sample tests of changed security functionality and a review of any updated operational guidance/procedures. The results of the selected activities are documented in an Assurance Maintenance Report.
 
The generic maintenance activities, described as Maintenance Review and Maintenance Audit activities in an optional Maintenance Phase Activity stage, might therefore include:

  • Maintenance Review: Assessment of TOE changes proposed in an outline Security Impact Analysis. (Production of recommendations in Reporting stage)
  • Maintenance Audit: Assessment of low-risk (minor) changes in TOE derivatives, including sample Document Review, Audit, Analysis and Test activities as agreed by stakeholders. (Production of Assurance Maintenance Report in Reporting stage).

Note: Ongoing 'assurance maintenance' is strongly recommended for operational systems.

What is a CTAS evaluation?

A CTAS evaluation provides a view of assurance on the IT security attributes of a system, product or service and will be carried out by a company having a CESG-approved test laboratory with CTAS capability. The scope of the evaluation is specified in a Security Target and the range of evaluation activities is detailed in an Evaluation Work Programme. The Accreditor and CESG, with other key stakeholders, will agree the scope and technical approach of the evaluation and will review the CTAS activities and results documented in an Evaluation Report. At the end of the evaluation, CESG will issue a CTAS Assessment Statement to the Accreditor on the results of the evaluation, making recommendations on the significance of any issues that are discovered.

Note: For a given CTAS evaluation, CESG will only work directly with the CESG-approved CTAS Company selected by the Sponsor from those listed on the CESG website.​

What is a CTAS Re-Evaluation?

A Re-evaluation is similar to a CTAS Evaluation, but it focusses on changes between a previously-evaluated TOE and a specified TOE derivative. A re-evaluation is triggered by a high-risk (major) change during a Maintenance Phase. The re-evaluation may be guided by an SIA referenced or included in an AMP.​

What is a Security Impact Analysis?

A Security Impact Analysis (SIA) describes the changes between specific versions of the system, product or service and categorises each change as having high, medium or low security relevance.

The SIA summarises the impact of each change to the previous evaluation deliverables, stating which previously-evaluated deliverables need to be updated and justifying to the Accreditor whether a Re-evaluation or Maintenance Audit, including testing, is appropriate.
 
The format of the SIA is that which is most cost effective for the author, but the outline SIA will need to provide sufficient information for the Accreditor to determine what maintenance or re-evaluation activities are required to maintain accreditation should the update be implemented.  (Minimal low-risk changes may be notified in an email if this is acceptable to the Accreditor.) The final SIA should provide the detailed impact of the changes for the implemented TOE derivative. It is either referenced from or included in the AMP.

What is a Security Target?

A Security Target describes the scope of the system, product or service - the Target of Evaluation (TOE). It details the security environment, including the assets, related threats and usage assumptions, the TOE Scope and the requirements for security functionality and assurance. Specific aspects that are outside the TOE Scope are also defined to ensure that the results of the evaluation are unambiguous. The Security Target must be agreed by all key stakeholders, including the Accreditor and CESG, before an evaluation can begin.

What is a Target of Evaluation (TOE)?

A Target of Evaluation (TOE) is the system, product or service to be evaluated – within well-defined boundaries. The TOE Scope is defined in the Security Target and includes the security boundaries and components in terms of hardware, software and firmware that are the focus of the evaluation. It may comprise a family of closely-related derivative versions to which the latest security updates and patches have been applied in accordance with an agreed AMP.​

What is an Assurance Maintenance Plan?

An Assurance Maintenance Plan (AMP) describes or references the procedures for maintaining the assurance in the system, product or service as determined in the previous CTAS evaluation and as updated by any subsequent maintenance activity.
 
It defines the key roles and procedures for change control, vulnerability awareness, patching, testing, Maintenance Reviews and Maintenance Audits. It also includes the planned Maintenance Schedule and includes or references relevant Security Impact Analyses to track the TOE change history.

An AMP template is available from the CTAS Company.
 
Note: It is strongly recommended that the AMP is drafted early in the CTAS process, e.g. during the Definition or Planning stages to avoid unnecessary delay to the agreement of maintenance contracts and the start of maintenance activities. (This may be of benefit to CTAS evaluations of operational TOEs that are being maintained during the evaluation or re-evaluation cycle.) It may also assist the approval and control of TOE updates required as a result of interim results produced during the Evaluation phase.

What is an Evaluation Work Programme?

An Evaluation Work Programme (EWP) describes the set of evaluation activities to be performed by the evaluators during the CTAS evaluation. It identifies the resources involved, together with key milestones for deliverables from the customer and for outputs from the evaluation. It references the Security Target for a definition of the scope of the evaluation and the outline activity plans, including Test Plan, that will be developed in as much detail as possible during the course of the Definition stage. The outline EWP needs to be agreed by the Accreditor and CESG during the Definition stage before detailed planning in the Planning stage can begin. The detailed EWP produced during the Planning stage either includes or references the detailed activity plans.

An EWP template, together with guidance on Test Plans, is available from the CTAS Company.​

What is CTAS?

The CESG Tailored Assurance Service (CTAS) is intended to provide assurance for a wide range of HMG, MOD, Critical National Infrastructure (CNI) and public sector customers procuring IT systems, products and services, ranging from simple software components to national infrastructure networks.

The purpose of CTAS is to provide answers to specific assurance questions and concerns posed by the Accreditors, typically at the pre-deployment stage. These questions are addressed by a tailored evaluation performed by a CTAS Company and key results that may impact business are highlighted in an Assessment Statement produced by CESG.
 
CTAS terminology is defined in the CTAS Glossary on the CESG website.
 
Note that although the CTAS answers and results will form one input to accreditation, CTAS will not in general assess physical or personnel security other than specific aspects of the security environment requested by the Accreditor. Accreditors must make final decisions on whether the risks are acceptable and it is their responsibility to ensure that all aspects of security have been covered to their satisfaction (i.e. within their risk appetite).

What is the general outline of a CTAS evaluation?

A CTAS evaluation has two phases as detailed in the CTAS Principles and Methodology. These may be followed by an optional Maintenance Phase:

  • Preparation: Production and agreement of Security Target (ST) and detailed Evaluation Work Programme (EWP), including associated Activity Plans. Production of outline Assurance Maintenance Plan (AMP).
  • Evaluation: Evaluation of the TOE by CTAS Company in accordance with the ST and detailed EWP. Production of Evaluation Report, draft AMP and CESG Assessment Statement.
  • Maintenance: Reviews and Audits of changes in TOE derivatives in accordance with AMP.

The Preparation Phase has two distinct Stages:

  • Definition: Production and agreement of ST, outline EWP and outline Test Plan. Production of outline AMP.
  • Planning: Production of detailed activity plans for Document Review, Audit, Analysis (e.g. code reviews and cryptographic analysis) and Test activities. Agreement of detailed EWP.

The Evaluation Phase has two separate Stages:

  • Activity: Document Review, Audit, Analysis and Test activities as specified in the EWP.
  • Reporting: Production of the CTAS Evaluation Report and draft AMP by the CTAS Company and production of Assessment Statement by CESG.

The Maintenance Phase is recommended by CESG and is an optional, iterative phase that implements the selected maintenance activities for low-risk TOE changes. A Maintenance Phase cycle can have two distinct Stages:

  • Activity: Maintenance Review and Maintenance Audit activities, including review of Security Impact Analysis, as specified in the AMP.
  • Reporting: Production of Assurance Maintenance Reports and CESG reviews as required by the AMP; Review of AMP and re-evaluation triggers.

A diagram of the Evaluation process showing the Evaluation phases and stages is included in the CTAS Principles and Methodology.
 
Notes: The CTAS Company cannot proceed from one phase or stage to the next until the previous phase or stage has been completed by agreement from all key stakeholders for specific milestones. For example: the Planning stage cannot proceed until the Security Target and outline EWP have been agreed by all stakeholders including the Accreditor and CESG in the Definition stage; the Maintenance phase cannot proceed until an AMP has been agreed and the Evaluation phase completed. A new Maintenance Activity stage cannot start until the previous Evaluation or Maintenance Reporting stage has been completed and an outline Security Impact Analysis (SIA) produced.

What level of risk does CTAS address?

CTAS can provide tailored assurance for TOEs that involve any level of protective marking ranging from the lowest to the highest.

There are alternative approaches that can provide a level of assurance including:

  • ISO/IEC 27001
  • IT Security Health Checks

However, the Accreditor may agree to supplement these approaches with a CTAS evaluation, to provide additional evidence which other approaches do not provide in areas of concern. The higher levels of protective marking may involve additional evaluation activities by CESG. In such instances, this should be discussed with CESG.

What outputs are produced from a CTAS evaluation?

The outputs from a CTAS evaluation will be a detailed Evaluation Report and draft AMP from the CTAS Company, together with an Assessment Statement from CESG that relates to the IT security attributes of a specific product, system or service (i.e. TOE) and its residual risks.

The Evaluation Report, which either includes or references the detailed evaluation results, and final draft AMP are produced and distributed to stakeholders by the CTAS Company. After review of these documents, CESG will issue an Assessment Statement highlighting key points for consideration, including any residual risks to accreditation and any related recommendations for ongoing maintenance.
 
Note: A CTAS evaluation is, in general, specific to one particular environment - i.e. if the same system is implemented for two separate organisations it will require separate CTAS evaluations for each implementation. This is due to the tailoring of evaluation activities and scoping of security functionality, coupled with the different environmental assumptions that may have been made.

What value does CESG add to the process?

The bulk of work is carried out by the CTAS Company. CESG’s role as National Technical Authority for IA is mainly to ensure that the companies maintain high standards of work and to ensure a reasonably consistent evaluation and maintenance approach between CTAS Companies. CESG will:

  • agree Security Target, EWP and detailed activity plans, advising on the scoping and evaluation approach
  • undertake site visits to review soundness and completeness of evaluation tests
  • review the Evaluation Report, confirming whether the evaluation was completed according to the agreed Security Target, EWP and detailed activity plans
  • review the draft AMP prior to completion of the Assessment Statement
  • produce an Assessment Statement summarising key recommendations and highlighting areas of concern to the Accreditor
  • provide recommendations and insights based on CESG IA knowledge and experience
  • ensure CTAS Companies maintain evaluation standards in conjunction with UKAS Accreditation to ISO/IEC 17025
  • when requested, provide confidence to the Accreditor that maintenance activities are sound in approach and have been completed as planned.

In rare cases, CESG may provide in-house evaluation work to supplement the CTAS evaluation but this will generally be handled by a separate contract directly between CESG and the Customer.

Who are CTAS customers?

The CTAS Company Customer is the evaluation Sponsor, normally the integrator/developer/supplier or service provider who places a CTAS evaluation contract with a CESG-approved CTAS Company. The end Customer must be an HMG department, part of MOD, or the wider public sector that uses the product/system/service and has an allocated Accreditor available.

Who is responsible for producing a Security Impact Analysis?

The Sponsor or customer is normally responsible for ensuring that a Security Impact Analysis (SIA) has been produced by the Developer/Maintainer for each proposed significant derivative of the original TOE. However, it may also be produced by the Evaluators as a result of the assurance maintenance or consultancy activities. It is submitted to CESG by the CTAS Company.​

Who is responsible for producing the Security Target, EWP and AMP?

The CTAS Company is responsible for ensuring that a Security Target has been produced and issued but who actually produces it is not important. The Security Target could in fact be written by the Customer, Sponsor, CTAS Company, CLAS Consultant, CLEF or by another party. For example, the Sponsor may already have a draft Security Target before they approach CTAS companies or they might ask the CTAS Company to produce a Security Target as part of the package of work.

Note: Sponsors with no previous experience of evaluation are recommended to seek CTAS Company advice prior to writing a Security Target.
 
The CTAS Company is responsible for producing and issuing the EWP and associated activity plans, with input as appropriate from the Customer, developer/integrator or service provider.
 
The CTAS Company is also responsible for ensuring that an Assurance Maintenance Plan (AMP) has been produced and issued but who actually produces it is not important. The Assurance Maintenance Plan could in fact be completed by the Customer, Sponsor, CTAS Company, CLAS Consultant, CLEF or by another party.
 
The Security Target, EWP and outline Test Plan (including appropriate test objectives) must be agreed by all key stakeholders (including Accreditor and CESG) before the Evaluation Phase begins.
 
The draft AMP must be produced by the CTAS Company and reviewed by CESG during the original evaluation. It should be agreed by the other key stakeholders (including Accreditor) before any Maintenance Phase begins. It is then subject to periodic review by all key stakeholders.
 
The Security Target, EWP, Test Plan and draft AMP must be submitted to CESG by the CTAS Company, who is the final author for CTAS evaluation purposes. (Any other supporting documentation and evidence must also be submitted via the CTAS Company).​

Who owns the risk?

The end Customer’s SIRO ultimately owns the risk associated with an information system. The end Customer is typically an HMG department, a CNI organisation or wider public sector organisation that procures or has procured the system, product or service. The risk assessment may be delegated to an Accreditor.

Therefore a CTAS evaluation should never be seen as an approval or accreditation of a product, system or service in itself. CTAS only provides technical IT Security advice to departments for input to a risk management decision. This is expected to be based on business needs and environmental / personnel security considerations in addition to the technical advice from CTAS.


Customer Satisfaction Surveys

How are my contact details being used?

In supporting CESG in this activity, ORC International have been provided with the necessary data to contact you and conduct the survey. CESG may also request contractors to support us in other activities and process the data on our behalf. However, use of your personal data will only be authorised for use in relation to CESG activities and will be lawfully processed according to the Data Protection Act.
 
If you do not wish CESG to use your data in this way, please contact CESG Enquiries and we will remove your details from our database.

How long will the interview take?

You will be contacted by an interviewer from ORC International to arrange a mutually convenient time for a telephone interview. The questions should take no more than 15 minutes to answer.

How will the survey be conducted?

You will be contacted by an interviewer from ORC International to arrange a mutually convenient time for a telephone interview. The questions should take no more than 15 minutes to answer.

I want to take part in a CESG Survey. What do I need to do?

If you have received a letter from Director IA, CESG, requesting you to take part in a CESG Customer Satisfaction Survey you should receive a telephone call from ORC International to arrange a convenient time to conduct a telephone interview. The fieldwork will generally take place in January, and will cover the previous year.
 
Please contact CESG Enquiries:
  • if you have received a letter, but ORC International have not been in touch
  • If you have not received a letter, but you would like to take part in the next survey.

What happens to the results of the survey?

CESG uses the information to determine where we need to make improvements in the service we provide. We will provide a summary of the results of the survey and any action we intend to take on the basis of the results in due course.

What if I don't want to take part in the survey?

CESG hope that you will be able to find the time to take part in the Customer Satisfaction Survey. As a key customer your feedback is very important to us.
 
However, if you do not wish to take part please tell the interviewer from ORC International when they contact you.

What will the survey ask me about?

The survey will ask for your views on the following:
  • Which of CESG's services you use and how satisfied you are with them
  • Overall views e.g. reputation, technical capabilities
  • Customer service e.g. ability to deliver on time
  • Staff and quality of advice e.g. technical expertise of staff
  • Market place e.g. speed of response to new technologies
  • How satisfied you are with certain aspects (such as those noted above) using a scale of 1 to 10.

Who are ORC International?

ORC Research Corporation (ORC) is an independent research consultancy that operates in accordance with the Market Research Society’s code of conduct.
 
ORC International, the UK research and consultancy arm of ORC, has carried out the Customer Satisfaction Survey on behalf of CESG since 2005.

Why have I been selected to take part?

CESG view you as a key customer. Your views are therefore extremely valuable to us to tailor the services we deliver to meet customer needs.

Why have I been sent a hard copy survey?

If you have received a hard copy questionnaire in the post, this is because we do not have your telephone number in our records. Please complete the form in hard copy and return in the business reply envelope provided.

Why is the survey being conducted?

CESG’s aim is to continually improve CESG’s services in line with the needs of our customers. In order to do this effectively we need to know the areas where we are meeting your requirements, and those areas that you feel we could improve.

Will my views remain confidential?

CESG would like to use your individual responses for continual improvement, but your responses will remain confidential unless you give your permission for them to be attributed.
 
If you do not wish your individual responses to be used, ORC International will treat the information you give in total confidence; no comments will be attributed and CESG will only see your views as part of an overall summary of the results. You will be asked during the telephone interview whether you are willing for your responses to be identified.


IAMM

How does the new Java IAMM Tool run under MS Excel?

Guidance: The new Java IAMM Tool is essentially pure Java, i.e. it does not run under MS Excel. The Java IAMM Tool needs the Java Runtime Environment 1.5, or later, to be installed. However, the Java IAMM tool can export data to MS Excel.

We can put it on our corporate environment, but we don't have the budget to process the appropriate change request.

Guidance: In this case, CESG cannot help you, as this is a local business decision. You may wish to make appropriate plans for the new financial year, e.g. by establishing the budget required to investigate, and actually implement, the IAMM Tool on your corporate desktop environment, at the local department's/agency's own risk.

We can't download the IAMM ".zip" file.

Guidance: Once people appropriately engage their local Software Asset Management [SAM] team, these problems are usually overcome, as the SAM team are usually authorised to download software by some local means. If this really can't be overcome in a timely manner, then CESG may be able to send you a receipted CD which contains the Java IAMM Tool.

We can't put it on the corporate desktop environment.

Guidance: Put it on a suitable laptop, as the IAMM Tool is designed to run on a suitable standalone laptop. The IAMM Tool is not supported on a corporate desktop environment, however if you wish to run it on your corporate environment, and you encounter difficulties, then please let CESG know in good time. CESG cannot guarantee to overcome the local contractual, or lockdown, etc., environment, but CESG may be able to help if a minor modification is required that does not inhibit the general applicability of the IAMM Tool release [However, CESG cannot guarantee that the resources will be available to do this].​

We can't run it from the browser. Where is the HTML wrapper?

Guidance: The IAMM Tool is not for a Java browser plug-in, so it does not require a HTML wrapper [i.e. assuming that you are not running it as a Citrix application, which may require you to start Citrix up, e.g. https://citrixweb/ ]. The IAMM Tool runs inside the standalone Java Runtime Environment for Java 1.5, or later.

We will continue to run with the 2011/12 Excel version of the IAMM Tool on our corporate environment.

Guidance: CESG can't guarantee to support legacy versions of the IAMM Tool, so please be aware that the Excel Tool has stopped working previously due to local lockdown measures. Should problems occur, CESG cannot guarantee that it will be able to help to fix these (although you should let CESG know). Therefore, you should have a backup plan, e.g. moving to suitable laptops [or to the new Java IAMM Tool, if appropriate], should the situation arise.


Policy and Guidance

How can I check whether my IT system is secure?

CESG manages the IT Security Health Check Service (CHECK), which is designed to ensure that security functionality has been implemented correctly, and to identify vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity and availability of information held on systems and networks.
 
For sensitive HMG or Critical National Infrastructure (CNI) systems, and occasionally other agreed requirements, the CHECK service is provided by CESG personnel.
 
For less sensitive systems (generally up to and including CONFIDENTIAL) the service can be provided by commercial companies approved by CESG under CHECK.

How can I protect private, but non-protectively marked information, e.g. Impact Level 1 or 2 information?

Where electronic government services are managed, large amounts of data are handled which, while not protectively marked, are sensitive and should carry the PRIVATE descriptor, or be marked PROTECT. In either case, it will be categorised at Impact Levels 1 or 2.
 
In such cases, material should be protected by products which have been validated and assured for performance and functionality. CESG therefore recommends use of products validated under the CCTM Scheme, together with FIPS 140 where cryptographic protection is also required.

How do I apply for a policy or guidance document?

CESG provides guidance and advice for UK HMG departments, and non-governmental bodies with a current Government contract.
 
If you work for a Government department or agency but do not have access to CESG's GSi site please contact CESG Enquiries.
 
If you work for a non-Government organisation your request must be supported by the Government organisation with which you have the contract, and you must have a valid business case. Your contracting HMG authority must contact CESG Enquiries confirming their requirement for release of the document.

Where can I find guidance on suitable products or services for erasing data and media disposal?


Products and Technologies

I haven't received my key material. What can I do?

Keymat distribution to end users is controlled by the Crypto Custodians who ordered it for you.
 
Unfortunately this means that CESG is unable to offer guidance on the whereabouts of the material. Please contact your Crypto Custodian.

Is it possible to transmit data on a Sectéra secure mobile phone?

Yes, it is possible to transmit data on a Sectéra secure mobile phone. Data transmission is also possible on the Wireline terminal. SMS messages are NOT secure.
