CTAS
How to Engage the CESG Tailored Assurance Service
- Understand the purpose of the service. The CESG Tailored Assurance
Service (CTAS) has been established to provide its Customers with a
mechanism for utilising CESG authorised suppliers to undertake information
assurance activities in a flexible, agile and efficient manner tailored
to accreditors' needs. CTAS offers an improved approach to evaluation
over existing schemes, its central feature being a thorough search for
IA vulnerabilities.
- Decide whether a CTAS evaluation of the relevant product or system
is needed - this will usually be determined by an HMG accreditor, informed
by their security support team.
- Inform CESG of the intention to seek a CTAS evaluation - this
can be done by direct contact with the IACS Delivery Office (tel.
01242-221491 extension 36500 or email iacs@cesg.gsi.gov.uk)
or via the CESG Customer Account Manager with responsibility for
the sector concerned.
- Complete an IACS Business Questionnaire for CESG Assurance Services[1].
Once this questionnaire is completed in softcopy and returned, CESG will
advise on whether the system or product is suitable for evaluation under
CTAS. CESG will convey its decision within 5 working days of receipt
of a completed Questionnaire.
- By this stage the intending customer should have a Security Target
(ST) available - at least in outline form. If the customer does not
consider themselves competent to prepare this initial ST they should
seek assistance from a contractor with recognised skills in this area[2].
- If CESG accepts the system or product as being suitable for evaluation
under CTAS then the organisation or company that will pay for the evaluation
should contact the three listed CTAS evaluation companies to discuss
terms for conducting the evaluation, basing the discussion on their
outline ST. (Note that exceptionally CESG
may restrict the choice of evaluation companies)[3].
- Select the preferred evaluation contractor and contract with them
for the evaluation. Note that CESG’s role in assessing the evaluation
is performed as a sub-contractor to the CTAS evaluation company.
- Accreditors must make the final decisions on whether the IA risks
to the product or system are acceptable and it is their responsibility
to ensure that all aspects of security have been covered to their satisfaction.
- Further details are available in the CTAS document ‘Operational
Procedures for Evaluations’ version 1.0 dated June 2007, available
via the CESG website. Part II of that document is particularly relevant
and explains some of the variations in operational procedures that can
apply in special situations.
1. There is a link to the questionnaire form on the CTAS page on the
CESG website.
2. The preparation of a satisfactory outline ST can be achieved by
a separate contract with a suitably experienced company such as a CTAS
company, a UK CLEF, an IA consultancy company or CESG.
3. Note that at this stage the CTAS companies will be talking separately
with CESG in the course of formulating their offer; CESG will be providing
comments on each company's evaluation workplan as part of this conversation.
Documents
- How to Engage the CESG Tailored Assurance Service - A Quick Guide (190k)