Introduction
What is IACS?
IACS has been designed to respond to the increasing complexity
of IT products and systems and to the diverse customer requirements
for assurance in the security functionality of those products
and systems.
IACS is not a new service - rather, it uniquely blends the elements
of our assurance services to offer the end user or developer
a single gateway for obtaining the CESG assistance they require.
IACS provides for independent and objective assurance in the
security functionality of a product or system both within the
UK and internationally. IACS is about providing the best solution
to the full range of end users identified whilst allowing the
developer to achieve his commercial agenda in the most efficient
and streamlined way.
See the IACS brochure
(pdf) for a more detailed introduction.
The IACS Delivery Office is the first
point of contact for end users or developers alike. Staff will work
with customers to capture their requirements and resolve their queries.
Novel or complex issues will be resolved with the support of the IACS
Technical Panel providing definitive guidance for all of CESG's assurance
services. The Delivery Office will facilitate the provision of the
service and resolve any associated business issues. Currently the
elements making up IACS are as follows:
CESG Assisted Products Service (CAPS)
- Design consultancy is offered to developers and vendors of products
using cryptographic security measures.
- CAPS provides verification of these products to Government Standards.
- The design consultancy focuses on working with industry to
develop or modify cryptographic solutions that meet UK Government
standards.
CESG Listed Adviser Scheme (CLAS)
- CESG has an approved pool of private sector consultants with
demonstrable competence in IA, on which Government and the wider
public sector can draw for a range of IA-related services.
- Those applying for CLAS membership must satisfy CESG that they
have the right combination of qualifications and relevant IA experience.
- Membership of CLAS allows access to the latest Government advice
and CESG's own consultants.
CESG Tailored Assurance Service
- Uses a toolbox of assurance activities
- Involves the Accreditor in deciding which activities are
best suited to reducing the threats to the product or system
- Suitable for Government and other Critical National Infrastructure
users who require assurance in the security functionality
of a product or system
- Evaluation report highlights any residual risks (where
known) and their business impact
- No certificate awarded but CESG Assessment Statement issued
CESG Claims Tested Mark
- Independent testing of security functionality claims by ISO17025
accredited test laboratories
- Services and Products can be validated through the Scheme
- Compliance testing against CESG degaussing standards (lower level)
- Suitable for central government, the wider UK public sector and CNI
for Government Impact Levels 1 & 2
- Minimum assurance requirement for the National Information Assurance
Strategy and Transformational Government
CHECK
- IT Health checks using CESG Approved Companies
- CESG ensures the companies are assessed to provide a high quality
service.
- Work must be carried out under the Terms and Conditions of
CHECK
Cryptographic Evaluations
- The evaluation of a COTS cryptographic product that would have gone through the CAPS scheme will, from 1 April 2003, be the responsibility of IACS
- Provides cryptographic verification of these products to government standards
- Formally approves their use by HMG and other public sector organisations
- Covers:
  - Baseline
  - Enhanced
  - High Grade
- CESG recommends the use of FIPS-140 approved products for information not protectively marked, but sensitive
- Ensure correct implementation of security functions and identify vulnerabilities in IT systems and networks.
Common Criteria and ITSEC formal evaluation and certification
- Internationally recognised assurance packages
- EN45001 & ISO17025 testing and reporting on a range
of security features
- Uses established and approved testing methodology
- Working with Developers to ensure successfully certified products
& systems.
IT Health Check
- For HMG or CNI systems handling protectively marked material
at SECRET or above, the IT Health Check service is provided
by CESG personnel
- End user usually funds the cost of an IT Health Check
- Output is a report detailing any vulnerabilities and recommending
effective security countermeasures
- For HMG or CNI systems processing less sensitive information
up to and including the CONFIDENTIAL protective marking, IT Health
Checks can be performed by CESG-approved companies in the private
sector. Such approval is through the CESG CHECK service.
Open Standards Validations
- CESG Open Standards Validations sets out a standard for configuration
and use of the IPSec protocols to allow them to be used to protect
RESTRICTED material.
TEMPEST
- Carried out by CESG accredited test facilities
- Results are endorsed by CESG against the SDIP TEMPEST standards
- The developer of the product or system funds the TEMPEST evaluation and certification
- Once endorsed, the product can be entered on the NATO Recommended Products List (NRPL).
Summary
Whether you are an end user or developer, the IACS
Delivery Office can provide you with up-to-date information on
products going through evaluation or assessment and will work with
you to ensure that CESG provides you with the service that best meets
your needs.