CTAS
Background
Risk Management
Engagement
Scoping the evaluation
Evaluations
Assurance Maintenance
Further questions
Background
What is CTAS?
Why is CTAS required?
Who needs CTAS?
Can results of CTAS be reused for other Customers?
What is CTAS?
CTAS is an independent, technical security evaluation of a system
or product for a government department (or possibly a CNI) customer.
CTAS is carried out by approved evaluation companies with support
from CESG and results in advice on the extent to which technical risks
have been addressed. CTAS is designed to meet the needs of HMG Infosec
Standard 1 (IS1) and equivalent documents like JSP440.
Evaluations focus on the technical security of systems, COTS products
and bespoke components within a system context. Procedures associated
with technical security can also be included within scope but evaluations
do not extend to an assessment of physical or personnel security.
It does not deal with cryptography as this is covered by the CAPS
scheme.
As far as availability is concerned, the evaluations can consider
resilience against malicious denial of service attacks, but in general
will not consider reliability or redundancy (although this might be
reviewed in future).
CTAS has been designed to allow a significant amount of flexibility
and evaluations can be tailored to meet the requirements of an Accreditor
but at the same time, certain minimum activities from the methodology
must always be carried out e.g. a review of the design and testing.
Why is CTAS required?
CTAS exists in order to give technical advice to Customers on the
extent to which security risks have been addressed. As such, it will
not deliver a simple pass / fail result but is more likely to state
a degree of confidence in the effectiveness of intended security measures,
along with any residual security concerns or recommendations. However,
in some cases serious issues may result in a recommendation that the
product or system does not appear fit for its application for HMG/CNI.
Who needs CTAS?
CTAS is only applicable for Customers in government departments
(or potentially in other parts of the Critical National Infrastructure).
The evaluation is paid for by a Sponsor, who may often be
a developer of the product or system or a service provider. (Note
that the terms for Customer and Sponsor can often
be confused).
Can results of CTAS be reused for other Customers?
In general, evaluations are tailored to the specific requirements
of individual Customers and the acceptance of a risk by one Customer
does not mean that it would necessarily be accepted by another. Therefore
the approval of a product or system based (in part) on CTAS advice,
does not necessarily mean that it can be used by other Customers.
However, some parts of an evaluation may be capable of re-use, subject
to appropriate rework agreed by the Accreditor. Another approach would
be to have a pan-government accreditation or multi-department accreditation
panel that makes approvals on behalf of a number of Customers.
Risk Management
What level of risk does CTAS address?
Who owns the risk?
How are risk levels determined?
What level of risk does CTAS address?
CTAS is primarily intended to address risks that would normally call
for an equivalent of Common Criteria at Evaluation Assurance Levels
in the range EAL2 - EAL4 for Impact Levels 2 to 4. For lower risks,
there may be alternative approaches including:
- CSIA Claims Tested Mark (CCTM)
- ISO/IEC 27001
- IT Health Checks
However, CTAS can also be used to address EAL1 in some cases i.e.
if the other approaches are not considered appropriate by the Customer.
In such instances, this can be discussed with CESG.
If the residual risk analysis indicates that a level equivalent to
EAL5 or higher is required, then CESG should be contacted to discuss
possible approaches. The contact details in this instance are: iacs@cesg.gsi.gov.uk.
Who owns the risk?
The Customer ultimately owns the risk associated with an information
system. The Customer is typically an HMG department or possibly a
CNI organisation who procures or has procured the system or product.
The risk assessment may be delegated to an Accreditor.
Therefore a CTAS evaluation should never be seen as an approval
or accreditation of a product or system in itself. CTAS only provides
technical advice to departments for input to a risk management decision.
This is expected to be based on business needs and physical / personnel
security considerations in addition to the technical advice from
CTAS.
How are risk levels determined?
The residual risk for an information system, product or component
is determined by following the procedures in IS1. Where risks cause
significant concern to a department, CTAS is one of a range of approaches
that can be used to gain further assurance.
Engagement
How is CTAS requested?
Who requests CTAS?
What happens when CESG is approached?
Who carries out the CTAS evaluations?
How do sponsors engage with CTAS evaluation companies?
Can CESG recommend a specific CTAS company?
How do CTAS evaluation companies engage with CESG?
How is CTAS requested?
CTAS is initiated by completing a questionnaire (doc). On receipt
of this, CESG will advise whether the proposed
evaluation is appropriate and whether CESG will be able to support
an evaluation company in taking the work forward. The questionnaire
should be sent to iacs@cesg.gsi.gov.uk.
Who requests CTAS?
There must be a requirement from a Customer (in government or possibly
the wider CNI), however the request can also come from a developer
or service provider acting as a Sponsor (with the explicit support
of such a Customer).
What happens when CESG is approached?
On receipt of a questionnaire, CESG will consider whether CTAS is
the best assurance service to match the requirements (this is not
always the case e.g. CAPS may be more appropriate in some cases) and
whether the proposal generally makes sense within a government security
context. In some cases, the Sponsor and Customer may be invited to
take part in further discussions with CESG to determine a way forward.
Who carries out the CTAS evaluations?
CTAS evaluations can only be carried out by a limited number of companies
that have been approved to work on CESG's behalf. These specific 'CTAS
Evaluation Companies' are listed on the CESG website.
How do sponsors engage with CTAS evaluation companies?
Sponsors need to make their own arrangements for selecting and contracting
with CTAS companies to carry out the work.
Can CESG recommend a specific CTAS company?
No. All of the listed CTAS companies have been selected to meet the
required standard for the service and therefore CESG cannot recommend
a specific one. The only exception would be if some specialist expertise
was required or if there is the possibility of a conflict of interest.
In this case, specialist sub-contractors may be required that need
to be approved by CESG.
How do CTAS evaluation companies engage with CESG?
CTAS evaluation companies normally subcontract CESG to provide assurance
advice only on evaluations and to provide oversight of the CTAS scheme.
Optionally, CESG services may be contracted by the Customer to provide
assurance advice and oversight. The CTAS companies are to be used
for the actual evaluation testing. A Quick
Guide to Using the Service (pdf) is available on the CESG website.
Scoping the evaluation
What is a Security Target?
Who is responsible for producing the Security Target?
How is the evaluation tailored?
What is a Security Target?
A Security Target describes the scope of the system or product to
be evaluated (referencing design documents where appropriate), the
relevant threats and the claimed security functionality. The Security
Target needs to be produced and agreed before an evaluation can begin.
A Security Target template is included as an appendix to the CTAS
Methodology (pdf).
Who is responsible for producing the Security Target?
The CTAS evaluation company is responsible for ensuring that a Security
Target has been produced but who actually produces it is not important.
The Security Target could in fact be written by the Customer, Sponsor,
CTAS evaluation company, CLAS Consultant, CLEF or by another party.
For example, the Sponsor may already have a draft Security Target
before they approach CTAS evaluation companies or they might ask the
evaluation company to produce a Security Target as part of the package
of work.
The Security Target must be agreed by key stakeholders (including
Accreditor and CESG) before the evaluation begins.
How is the evaluation tailored?
The appointed CTAS company will liaise with the Sponsor, the Customer,
Accreditor and CESG to agree the scope of work.
Based on the Security Target and the requirements of the Customer
and their Accreditor, an Evaluation Work Programme is produced by
the evaluation company. This will select the minimum required parts
of the CTAS methodology plus additional aspects as required by the
Accreditor (with advice from CESG where appropriate). An Evaluation
Work Programme template is included as an appendix to the CTAS
Methodology (pdf).
Evaluations
What takes place during software product evaluations?
What takes place during system evaluations?
What value does CESG add to the process?
What takes place during software product evaluations?
COTS products and bespoke components can be evaluated at one of two
levels, of which the first is considered roughly equivalent to EAL
2/3 and the second to EAL4. The CTAS Methodology gives more details
but the first level assesses overall confidence in the product by
considering available evidence in the following areas: functionality
and design, development procedures and basic security functional testing.
The second level supplements this with source code analysis and more
extensive vulnerability analysis.
What takes place during system evaluations?
The CTAS Methodology describes the approach in more detail. In essence
the evaluators review the architecture and design of the system, carry
out testing (normally including penetration testing) and can audit
operational procedures (as required by the Accreditor). Ongoing ‘assurance
maintenance’ is normally recommended for operational systems.
What value does CESG add to the process?
The bulk of work is carried out by the CTAS evaluation company. CESG’s
role is mainly to ensure that the companies maintain high standards
of work and to try and ensure a reasonably consistent approach between
companies. CESG will also advise on the scoping and approach of the
evaluation, will produce a summary of key recommendations and confirm
whether the agreed evaluation work was completed according to the
methodology.
In rare cases, CESG will offer in-house evaluation work to supplement
the CTAS evaluation but this will generally be handled by a separate
contract directly with the Customer.
Assurance Maintenance
How is assurance maintained in Systems and Products?
What is an Assurance Maintenance Plan?
Who is responsible for producing an Assurance Maintenance Plan?
How is Assurance Maintenance initiated?
How is Assurance Maintenance tailored?
What takes place during the Assurance Maintenance Phase?
What is a Security Impact Analysis?
How is assurance maintained in Systems and Products?
Once an evaluation has been completed, it is likely that the system/product will be subject to change throughout its operational life. CESG recommends that changes are routinely assessed by an evaluation company to ensure that no security weaknesses are introduced during system upgrades. The CTAS Methodology describes the maintenance review and audit approach in more detail.
What is an Assurance Maintenance Plan?
An Assurance Maintenance Plan describes or references the procedures
for maintaining the assurance in the system or product as determined
in the previous CTAS evaluation and as updated by any subsequent assurance
activity. It covers procedures for change control, vulnerability awareness,
patching, testing and Maintenance Reviews. It also includes the planned
Maintenance Schedule.
Who is responsible for producing an Assurance Maintenance Plan?
The CTAS evaluation company is responsible for ensuring that an Assurance
Maintenance Plan has been produced but who actually produces it is
not important. The Assurance Maintenance Plan could in fact be written
by the Customer, Sponsor, CTAS evaluation company, CLAS Consultant,
CLEF or by another party. The Plan is normally produced during the
initial evaluation and should be agreed by key stakeholders (including
Accreditor and CESG) before the Maintenance Phase begins. It is then
subject to periodic review.
How is Assurance Maintenance initiated?
The assurance maintenance service is provided by the CTAS evaluation
companies, with appropriate assurance advice from CESG, and may be
covered by an extension to the original evaluation. Otherwise, the
engagement with a CTAS evaluation company and CESG is as described
for a CTAS evaluation.
How is Assurance Maintenance tailored?
The scope of the maintenance is normally that stated in the Security
Target and Evaluation Work Programme of the most recent related evaluation.
The assurance activities are derived from examining the changes summarised
in an outline Security Impact Analysis. Any major change to the original
security functionality may trigger a re-evaluation.
What takes place during the Assurance Maintenance Phase?
The CTAS Methodology describes the approach in more detail. In essence
the evaluators review proposed changes prior to implementation and
confirm whether they agree with the impact of the changes as summarised
in an outline Security Impact Analysis provided by the Developer.
A periodic Maintenance Review (e.g. annually) is later performed to
audit the correct implementation of these changes. The latter review
may include a check for new vulnerabilities, a review of the patches
applied, an audit of maintenance procedures, a review of Developer
testing and a test of updated security functionality.
What is a Security Impact Analysis?
A Security Impact Analysis (SIA) describes all changes between specific
versions of the system or product and categorises each change as having
major or minor security relevance. The SIA summarises the impact of
each change on the previous evaluation deliverables, stating which
deliverables need to be updated and justifying whether a re-evaluation
or maintenance audit is appropriate. The SIA, together with guidance
on categorising changes, is described in an appendix to the CTAS
Methodology (pdf).
Further questions
Where is more information about CTAS?
The CESG website (www.cesg.gov.uk)
contains further information including a Quick
Guide to Using the Service (pdf). In particular, please consult
the current versions of the CTAS Methodology
document (pdf) and the CTAS
Operational Procedures (pdf) document for definitive guidance.