The National Technical Authority for Information Assurance
CESG Tailored Assurance Service (CTAS)

News Flash
The acquisition of NGS Software Ltd. by NCC Group Plc. has recently been announced.
Both of these companies are approved to carry out evaluations for the CESG Tailored Assurance Service (CTAS). CESG wishes to assure customers and shareholders of CTAS that there will be no impact to the delivery of CTAS or any of its tasks. This service will continue without change for a number of months, during which time CESG will evaluate a number of options. CESG has a commitment to provide this assurance service and customers should not have concerns regarding its appropriateness to their IA requirements.


What is CTAS?

Following a fundamental reassessment of CESG Assurance Services influenced by current threats to HMG IT systems and valuable feedback from customers, the CESG Tailored Assurance Service was introduced in June 2007. This new flexible service takes the best from and replaces the existing Fast Track and System Evaluation (SYSn) services. It is designed to meet the needs of HMG Infosec Standard No.1 Residual Risk Assessment Method (IS1).

The service is intended for a wide range of IT products and systems ranging from simple software components to national infrastructure networks. Therefore, a toolbox of activities is provided that enables each evaluation to be tailored as appropriate. A summary of these components is provided in the table below.

Assurance Activities
  • Development Procedures Review
  • Product Functionality & Design Assessment
  • System Architecture and Design Review
  • Security Functional Testing
  • Installation & Operational Procedures
  • Vulnerability Analysis & Testing
  • Source Code Analysis
  • Assurance Maintenance Review


The Accreditors will decide which of these activities are most appropriate for their system. Furthermore, it will be possible to trade off the effort required between the various activities depending on the risks.

Note that it is not the intention to evaluate a whole system, just the key barriers and interfaces.

Evaluations will be carried out by contractors approved by CESG to a specification detailed in the Security Target and Evaluation Work Programme. CESG will agree the scope and technical approach of the evaluation and will review the work of the contractor. CESG will also make recommendations on the significance of any issues that are discovered.

The deliverables will be an Evaluation Report from the contractor and an Assessment Statement from CESG.

The Evaluation Report summarises the results, lists any security vulnerabilities or major functionality errors, and highlights any additional residual risks and (where known) their business impact. Statements in the report regarding risks will make clear their relevance in the context of use of the product or system and identify whether they are generic to the product or due to a specific system configuration.

The CESG Assessment Statement will confirm the extent to which the evaluation achieved the desired aims and summarise the significance of the main findings, highlighting any security risks or (where known) business impacts. It will describe the connection of the results to IS1 and any additional information that may be required. At this point the Tailored Assurance evaluation of the system or product is completed.

An evaluation will generally have four phases:
  • Preparation: Production of Security Target and Evaluation Work Programme.
  • Evaluation: Evaluation of the product or system.
  • Reporting: Production of the Evaluation Report and CESG Assessment Statement.
  • Maintenance: Implementation of the Assurance Maintenance Plan.

Accreditors are encouraged to play an active role during the progress of the evaluation, for example in the following circumstances:
  • Problems arise that could affect the completion date or the target assurance;
  • Priorities need to be reviewed;
  • Testing will take place in the operational environment.

Note that although Tailored Assurance will form one input to system accreditation, it will not assess physical or personnel security. Accreditors must make final decisions on whether the risks are acceptable and it is their responsibility to ensure that all aspects of security have been covered to their satisfaction.

Details of CTAS companies

KPMG LLP
POC: Martin Jordan
Tel: 0207311 5386, mobile 07790 904245, fax 0207311 5836
Email: martin.jordan@kpmg.co.uk
Website: www.kpmg.co.uk
Address: 15 Canada Square, London E14 5GL

NCC Group plc
POC: Matt Trueman
Mobile: 07816 588 198
Email: CTAS@nccgroup.com
Website: www.nccgroup.com
Address: The Manchester Technology Centre, Oxford Road, Manchester M1 7ED

NGS Software Ltd
POC: Colin Gillingham
Tel: 020 8401 0070, mobile 0777 559 2952, fax 020 8401 0076
Email: colin@ngssoftware.com
Website: www.ngssoftware.com
Address: 52 Throwley Road, Sutton, Surrey, SM1 4BF

© Crown Copyright, 2010. CESGweb@cesg.gsi.gov.uk