How to Engage the CESG Tailored Assurance Service
- Understand the purpose of the service. The CESG Tailored Assurance
Service (CTAS) has been established to provide its Customers with
a mechanism for utilising CESG authorised suppliers to undertake
information assurance activities in a flexible, agile and efficient
manner tailored to accreditors' needs. CTAS offers an improved
approach to evaluation over existing schemes, its central feature
being a thorough search for IA vulnerabilities.
- Decide whether a CTAS evaluation of the relevant product or
system is needed - this will usually be determined by an HMG accreditor,
informed by their security support team.
- Inform CESG of the intention to seek a CTAS evaluation - this
can be done by direct contact with the IACS Delivery Office (tel.
01242-221491 extension 36500 or email iacs@cesg.gsi.gov.uk)
or via the CESG Customer Account Manager with responsibility for
the sector concerned.
- Complete an IACS Business Questionnaire for CESG Assurance Services [1].
Once this questionnaire is completed in softcopy and returned,
CESG will advise on whether the system or product is suitable
for evaluation under CTAS. CESG will convey its decision within
5 working days of receipt of a completed Questionnaire.
- By this stage the intending customer should have a Security
Target (ST) available - at least in outline form. If the customer
does not consider themselves competent to prepare this initial
ST they should seek assistance from a contractor with recognised
skills in this area [2].
- If CESG accepts the system or product as being suitable for
evaluation under CTAS then the organisation or company that will
pay for the evaluation should contact the three listed CTAS evaluation
companies to discuss terms for conducting the evaluation, basing
the discussion on their outline ST. (Note that exceptionally CESG
may restrict the choice of evaluation companies) [3].
- Select the preferred evaluation contractor and contract with
them for the evaluation. Note that CESG’s role in assessing
the evaluation is performed as a sub-contractor to the CTAS evaluation
company.
- Accreditors must make the final decisions on whether the IA
risks to the product or system are acceptable and it is their
responsibility to ensure that all aspects of security have been
covered to their satisfaction.
- Further details are available in the CTAS document ‘Operational
Procedures for Evaluations’ version 1.0 dated June 2007,
available via the CESG website. Part II of that document is particularly
relevant and explains some of the variations in operational procedures
that can apply in special situations.
1. There is a link to the questionnaire form on the CTAS page on the CESG website.
2. The preparation of a satisfactory outline ST can be achieved
by a separate contract with a suitably experienced company such
as a CTAS company, a UK CLEF, an IA consultancy company or CESG.
3. Note that at this stage the CTAS companies will be talking
separately with CESG in the course of formulating their offer;
CESG will be providing comments on each company's evaluation workplan
as part of this conversation.