Breaking News
15.00hrs 10th August 2010
- CESG is about to trial our new approach to Commercial Product
Assurance through testing our recently developed Security Characteristics
for Hard Disk Encryption products and VPNs for Remote Working.
This assurance work will seek to test our new approach and ensure
that the products evaluated are suitable for use for the protection
of information in lower threat / lower impact environments (up
to and including Impact Level 3). Products which are successfully
evaluated against these criteria will be certified by CESG in
due course.
Selection of products for this trial will be against a set of
criteria which seek to identify the most suitable product and
vendor for assurance. The criteria are available for Hard
Disk Encryption products (doc) and VPNs
for Remote Working (doc). Additionally, product developers
should be aware that they will need to enter an agreement with
CESG to cover this work - key
points of this agreement (pdf).
If you are a product developer and would like to participate
in this trial, please advise CESG of your interest via iacs@cesg.gsi.gov.uk
by the 23rd of August.
12.00hrs 25th November 2009
- A clarification and summary of Product
Assurance at IL3 and Below (pdf) has been issued.
Introduction
What is IACS?
IACS has been designed to respond to the increasing complexity
of IT products and systems and to the diverse customer requirements
for assurance in the security functionality of those products
and systems.
IACS is not a new service - rather, it uniquely blends the elements
of our assurance services to offer the end user or developer
a single gateway for obtaining the CESG assistance they require.
IACS provides for independent and objective assurance in the
security functionality of a product or system both within the
UK and internationally. IACS is about providing the best solution
to the full range of end users identified whilst allowing the
developer to achieve his commercial agenda in the most efficient
and streamlined way.
See the IACS brochure
(pdf) for a more detailed introduction.
IACS Delivery staff will work with customers to capture their requirements
and resolve their queries. Novel or complex issues will be resolved
with the support of the IACS Technical Panel providing definitive
guidance for all of CESG's assurance services. The Delivery Office
will facilitate the provision of the service and resolve any associated
business issues. Currently the elements making up IACS are as follows:
CESG Assisted Products Service (CAPS)
- Design consultancy is offered to developers and vendors of products
using cryptographic security measures.
- CAPS provides verification of these products to Government Standards.
- The design consultancy focuses on working with industry to
develop or modify cryptographic solutions that meet UK Government
standards.
CESG Listed Adviser Scheme (CLAS)
- CESG has an approved pool of private sector consultants with
demonstrable competence in IA, on which Government and the wider
public sector can draw for a range of IA related services.
- Those applying for CLAS membership must satisfy CESG that they
have the right combination of qualifications and relevant IA experience.
- Membership of CLAS allows access to the latest Government advice
and CESG's own consultants.
CESG Tailored Assurance Service
- Uses a toolbox of assurance activities
- Involves the Accreditor in deciding which activities are
best suited to reducing the threats to the product or system
- Suitable for Government and other Critical National Infrastructure
users who require assurance in the security functionality
of a product or system
- Evaluation report highlights any residual risks (where
known) and their business impact
- No certificate awarded but CESG Assessment Statement issued
CESG Claims Tested Mark
- Independent testing of security functionality claims by ISO17025
accredited test laboratories
- Services and Products can be validated through the Scheme
- Compliance testing against CESG degaussing standards (lower level)
- Suitable for central government, the wider UK public sector and CNI
for Government Impact Levels 1 & 2
- Minimum assurance requirement for the National Information Assurance
Strategy and Transformational Government
CHECK
- IT Health checks using CESG Approved Companies
- CESG ensures the companies are assessed to provide a high quality
service.
- Work must be carried out under the Terms and Conditions of
CHECK
Cryptographic Evaluations
- The evaluation of a COTS cryptographic product that would have gone through the CAPS scheme will, from 1 April 2003, be the responsibility of IACS
- Provides cryptographic verification of these products to government standards
- Formally approves their use by HMG and other public sector organisations
- Covers: Baseline, Enhanced and High Grade
- CESG recommends the use of FIPS-140 approved products for information not protectively marked, but sensitive
- Ensure correct implementation of security functions and identify vulnerabilities in IT systems and networks.
Common Criteria and ITSEC formal evaluation and certification
- Internationally recognised assurance packages
- EN45001 & ISO17025 testing and reporting on a range
of security features
- Uses established and approved testing methodology
- Working with Developers to ensure successfully certified products
& systems.
HMG IA Maturity Model
- A portal to information in support of the HMG IA Maturity Model
(IAMM) and supporting guidance
- Assisting organisations' boards to progress towards the broad
outcomes of the National IA Strategy
IT Health Check
- For HMG or CNI systems handling protectively marked material
at SECRET or above, the IT Health Check service is provided
by CESG personnel
- End user usually funds the cost of an IT Health Check
- Output is a report detailing any vulnerabilities and recommending
effective security countermeasures
- For HMG or CNI systems processing less sensitive information
up to and including the CONFIDENTIAL protective marking, IT Health
Checks can be performed by CESG-approved companies in the private
sector. Such approval is through the CESG CHECK service.
Open Standards Validations
- CESG Open Standards Validations sets out a standard for configuration
and use of the IPSec protocols to allow them to be used to protect
RESTRICTED material.
TEMPEST
- Carried out by CESG accredited test facilities
- Results are endorsed by CESG against the SDIP TEMPEST standards
- The developer of the product or system funds the TEMPEST evaluation and certification
- Once endorsed, the product can be entered on the NATO Recommended Products List (NRPL).