General information
How do I benefit from CESG's services?
CESG offers a range of products and services including technical
consultancy and advice, policy documentation, product evaluation
and training, primarily to UK government and the armed forces,
the wider public sector, and industries forming part of the
Critical National Infrastructure, such as power and water. In
the first instance either call the Customer Support Office on
01242 709141, or e-mail enquiries@cesg.gsi.gov.uk
(or for policy-related questions policy@cesg.gsi.gov.uk).
Your query will either be answered directly or acknowledged
and forwarded to the relevant specialist area.
What training is available from CESG?
CESG has devised a series of general and technical courses to
provide an understanding of a range of information assurance
issues. These are contained in our Training Prospectus. Contact
the CESG Course Administration Office on 01242 221491 ext. 34202
or e-mail training@cesg.gsi.gov.uk.
I need advice on a particular aspect of information assurance. How
do I go about getting it?
CESG has a team of Customer Account Managers responsible for
the various customer sectors (MOD/central government/law enforcement/industry
and local government) to capture your requirements and ensure
you get the help and guidance you need. We also have a partnership
with private sector consultants - CLAS, the CESG Listed Adviser
Scheme, to satisfy the increasing demand for high-quality advice.
Further details can be found on the CLAS pages.
Policy guidance
What is the latest policy view on the use of wireless
LANs?
Wireless LANs should be considered highly vulnerable to interception
and jamming. We recommend they are not used for sensitive material
or where assured availability is required. NISCC
Technical Note 04/02, available at www.cpni.gov.uk,
gives technical background.
How do I go about checking whether my system
is secure?
No matter how secure you think your systems are, you can never
be sure unless they are tested by an independent expert. CESG
manages an IT Security Health Check Service, which is designed
to ensure correct implementation of security functionality and
to identify vulnerabilities in IT systems and networks which
may compromise the confidentiality, integrity and availability
of information held on systems and networks. For sensitive HMG
or CNI systems, and occasionally other agreed requirements,
the IT Security Health Check service is provided by CESG personnel.
For less sensitive systems (generally up to and including CONFIDENTIAL)
the service can be provided by commercial companies approved
by CESG under the CHECK scheme. Details of the CHECK scheme
can be found at www.cesg.gov.uk/products_services/iacs/check/index.shtml.
What advice is available where protection is needed
for non-protectively marked, but nonetheless private information,
e.g. Impact Level 1 or 2 information?
In some areas, particularly where electronic government services
are managed, large amounts of data are handled which, while
not protectively marked, are sensitive and should carry the
PRIVATE descriptor, or be marked PROTECT. In either case, it
will be categorized at Impact Levels 1 or 2. In such cases,
material should be protected by a product whose performance
and functionality have at least been validated and assured. CESG
therefore recommends use of a CCT Mark Scheme product, combined
with FIPS 140 where cryptographic protection is also required.
Details of CCT Mark Scheme products can be found at www.cabinetoffice.gov.uk/csia/claims_tested_mark/.
FIPS products can be found at http://csrc.nist.gov/groups/STM/cmvp/
Are there any UK-government approved biometrics
applications?
There are currently no approved biometrics applications, and
we do not expect any to be available in the near future as none
of the technologies have yet, in our view, reached the stage
where we would be happy with them as the sole access control
mechanism. Guidance is available, however, in "Biometrics
for Identification and Authentication - Advice on Product Selection (pdf)".
Where can I find guidance on suitable products/services for erasing data and media disposal?
Please refer to IS5 for details of the new policy currently in force.
A S(E)N covering the policy for Higher Level Degaussing equipment
is currently with Cabinet Office awaiting publication. Suitable
products at the lower levels can be found on the CCTM products
list (www.cabinetoffice.gov.uk/csia/claims_tested_mark/),
and at higher levels on the Directory
of Infosec Assured Products (pdf) or the NSA
Approved Products list (www.nsa.gov/ia).
How do I apply for a policy document?
CESG provides guidance and advice for UK HMG and non-governmental
bodies with a current Government contract.
HMG departments and agencies without access to CESG's GSi site
should e-mail their request direct to enquiries@cesg.gsi.gov.uk.
Non-Governmental organisations may receive information from
CESG. These requests must be supported by the Government organisation
they have the contract with and must have a business case. Enquiries
(as above) should be e-mailed by the contracting HMG authority
confirming the requirement for release of the document(s).
Product help
I haven't received my key material. What can I do?
Keymat distribution to end users is controlled by the Crypto
Custodians who ordered it for you; regrettably, therefore, CESG
is unable to offer guidance on the whereabouts of the material
- please contact your Crypto Custodian.
Is it possible to transmit data on a Sectéra secure mobile phone?
Following recent testing, a secure data software update is now
available for the secure GSM phone. Data transmission is also
possible on the Wireline terminal.
What do I do if I am having problems with my Kilgetty?
Click on the Kilgetty link http://www.cesg.gov.uk/products_services/iacs/caps/kilgetty/index.shtml
on our website first for useful information including an FAQ
page. If this doesn't answer the question, please contact Hewlett
Packard technical support on 01925 841805.
What plans are there to enhance the THAMER link encryptor?
A G703 interface achieved Design Acceptance Certification in
June 2003, and there are plans in hand for high-speed and tactical
versions.
Product evaluation and approval
I have a product/service which I would like to get assured. How do I go about it?
CESG’s Information Assurance and Certification Services
(IACS) can provide assurance services for products and systems
claiming to have security capability, and with requirements
at Impact Level 3 and above. See the IACS
pages for more detail. Where cryptography is a key element
of a product at this level, it is likely that advice under the
CESG Assisted Products Scheme (CAPS) would be needed prior to
the actual evaluation – go to the CAPS
pages for more information. Where the requirement is for
Impact Level 1 or 2, CCTM will provide assurance for products
and services, combined with FIPS 140 where there are also cryptographic
requirements.
How do I find out whether a particular product is
CESG-approved?
The Directory
of Infosec Assured Products (also available from the Publications
section) lists the various types of assured products, the products'
features and the context in which they should be used. You can
also search for a particular product, or type of product, using
the IACS and CAPS links on the home page.
How do I find out whether a particular product, system
or service is approved through a UK Government Scheme?
The Directory
of Infosec Assured Products (also available from the Publications
section) lists the various types of assured products, the products’
features and the context in which they should be used. You can
also search for a particular product, or type of product, using
the IACS and CAPS boxes on our home page. Also refer to the
CCT Mark products list for products and services offering protection
for Impact Level 1 and 2 requirements (www.cabinetoffice.gov.uk/csia/claims_tested_mark/).