The National Technical Authority for Information Assurance
 
Quick Guide to Using the Service

How to Engage the CESG Tailored Assurance Service
  1. Understand the purpose of the service. The CESG Tailored Assurance Service (CTAS) has been established to provide its Customers with a mechanism for utilising CESG authorised suppliers to undertake information assurance activities in a flexible, agile and efficient manner tailored to accreditors' needs. CTAS offers an improved approach to evaluation over existing schemes, its central feature being a thorough search for IA vulnerabilities.
  2. Decide whether a CTAS evaluation of the relevant product or system is needed - this will usually be determined by an HMG accreditor, informed by their security support team.
  3. Inform CESG of the intention to seek a CTAS evaluation - this can be done by direct contact with the IACS Delivery Office (tel. 01242-221491 extension 36500 or email iacs@cesg.gsi.gov.uk) or via the CESG Customer Account Manager with responsibility for the sector concerned.
  4. Complete an IACS Business Questionnaire for CESG Assurance Services (see note 1). Once this questionnaire is completed in softcopy and returned, CESG will advise on whether the system or product is suitable for evaluation under CTAS. CESG will convey its decision within 5 working days of receipt of a completed Questionnaire.
  5. By this stage the intending customer should have a Security Target (ST) available - at least in outline form. If the customer does not consider themselves competent to prepare this initial ST they should seek assistance from a contractor with recognised skills in this area (see note 2).
  6. If CESG accepts the system or product as being suitable for evaluation under CTAS then the organisation or company that will pay for the evaluation should contact the three listed CTAS evaluation companies to discuss terms for conducting the evaluation, basing the discussion on their outline ST. (Note that exceptionally CESG may restrict the choice of evaluation companies; see note 3.)
  7. Select the preferred evaluation contractor and contract with them for the evaluation. Note that CESG’s role in assessing the evaluation is performed as a sub-contractor to the CTAS evaluation company.
  8. Accreditors must make the final decisions on whether the IA risks to the product or system are acceptable and it is their responsibility to ensure that all aspects of security have been covered to their satisfaction.
  9. Further details are available in the CTAS document ‘Operational Procedures for Evaluations’ version 1.0 dated June 2007, available via the CESG website. Part II of that document is particularly relevant and explains some of the variations in operational procedures that can apply in special situations.

    1. There is a link to the questionnaire form on the CTAS page on the CESG website.
    2. The preparation of a satisfactory outline ST can be achieved by a separate contract with a suitably experienced company such as a CTAS company, a UK CLEF, an IA consultancy company or CESG.
    3. Note that at this stage the CTAS companies will be talking separately with CESG in the course of formulating their offer; CESG will be providing comments on each company's evaluation workplan as part of this conversation.

Documents

How to Engage the CESG Tailored Assurance Service - A Quick Guide (190k)
© Crown copyright, 2010.