CTAS
What is CTAS?
Following a fundamental reassessment of CESG Assurance Services influenced
by current threats to HMG IT systems and valuable feedback from customers,
the CESG Tailored Assurance Service was introduced in June 2007. This
new flexible service takes the best from and replaces the existing
Fast Track and System Evaluation (SYSn) services. The SYSn documents
are available by e-mailing IACS@cesg.gsi.gov.uk.
It is designed to meet the needs of HMG Infosec Standard No.1 Residual
Risk Assessment Method (IS1).
The service is intended for a wide range of IT products and systems
ranging from simple software components to national infrastructure
networks. Therefore, a toolbox of activities is provided that enables
each evaluation to be tailored as appropriate. A summary of these
components is provided in the table below.
| Assurance Activities |
| --- |
| Development Procedures Review |
| Product Functionality & Design Assessment |
| System Architecture and Design Review |
| Security Functional Testing |
| Installation & Operational Procedures |
| Vulnerability Analysis & Testing |
| Source Code Analysis |
| Assurance Maintenance Review |
The Accreditors will decide which of these activities are most appropriate
for their system. Furthermore, it will be possible to trade off the
effort required between the various activities depending on the risks.
Note that it is not the intention to evaluate a whole system, just
the key barriers and interfaces.
Evaluations will be carried out by contractors approved by CESG
to a specification detailed in the Security Target and Evaluation
Work Programme. CESG will agree the scope and technical approach
of the evaluation and will review the work of the contractor. CESG
will also make recommendations on the significance of any issues
that are discovered.
The deliverables will be an Evaluation Report from the contractor
and an Assessment Statement from CESG.
The Evaluation Report summarises the results, lists any security vulnerabilities
or major functionality errors, and highlights any additional residual
risks and (where known) their business impact. Statements in the report
regarding risks will make clear their relevance in the context of
use of the product or system and identify whether they are generic
to the product or due to a specific system configuration.
The CESG Assessment Statement will confirm the extent to which the
evaluation achieved the desired aims and summarise the significance
of the main findings, highlighting any security risks or (where known)
business impacts. It will describe the connection of the results to
IS1 and any additional information that may be required. At this point
the Tailored Assurance evaluation of the system or product is completed.
An evaluation will generally have four phases:
- Preparation: Production of Security Target and Evaluation Work Programme.
- Evaluation: Evaluation of the product or system.
- Reporting: Production of the Evaluation Report and CESG Assessment Statement.
- Maintenance: Implementation of the Assurance Maintenance Plan.
Accreditors are encouraged to play an active role as the evaluation progresses, for example when:
- Problems arise that could affect the completion date or the target assurance;
- Priorities need to be reviewed;
- Testing will take place in the operational environment.
Note that although Tailored Assurance will form one input to system
accreditation, it will not assess physical or personnel security.
Accreditors must make final decisions on whether the risks are acceptable
and it is their responsibility to ensure that all aspects of security
have been covered to their satisfaction.
Details of CTAS companies
KPMG LLP
POC: Martin Jordan
Tel: 0207311 5386, mobile 07790 904245, fax 0207311 5836
Email: martin.jordan@kpmg.co.uk
Website: www.kpmg.co.uk
Address: 8th Floor, 1 Canada Square, Canary Wharf, London E14 5AG
NCC Group plc
POC: Andy Hague
Tel: 01612095321, mobile 07773315293, fax 01612095222
Email: andy.hague@nccgroup.com
Website: www.nccgroup.com
Address: The Manchester Technology Centre, Oxford Road, Manchester M1 7ED
NGS Software Ltd
POC: Dave Litchfield
Tel: 0208401 0070, mobile 07881813792, fax 0208401 0076
Email: dave@ngssoftware.com
Website: www.ngssoftware.com
Address: 52 Throwley Road, Sutton, Surrey, SM1 4BF