The National Technical Authority for Information Assurance
 
Information Assurance & Consultancy Services (IACS)

Breaking News

15.00hrs 10th August 2010 - CESG is about to trial our new approach to Commercial Product Assurance through testing our recently developed Security Characteristics for Hard Disk Encryption products and VPNs for Remote Working. This assurance work will seek to test our new approach and ensure that the products evaluated are suitable for use for the protection of information in lower threat / lower impact environments (up to and including Impact Level 3). Products which are successfully evaluated against these criteria will be certified by CESG in due course.

Selection of products for this trial will be against a set of criteria which seek to identify the most suitable product and vendor for assurance. The criteria are available for Hard Disk Encryption products (doc) and VPNs for Remote Working (doc). Additionally, product developers should be aware that they will need to enter into an agreement with CESG to cover this work - key points of this agreement (pdf).

If you are a product developer and would like to participate in this trial, please advise CESG of your interest via iacs@cesg.gsi.gov.uk by the 23rd of August.



12.00hrs 25th November 2009 - A clarification and summary of Product Assurance at IL3 and Below (pdf) has been issued.

Introduction

What is IACS?

IACS has been designed to respond to the increasing complexity of IT products and systems and to the diverse customer requirements for assurance in the security functionality of those products and systems.

IACS is not a new service - rather, it uniquely blends the elements of our assurance services to offer the end user or developer a single gateway for obtaining the CESG assistance they require. IACS provides for independent and objective assurance in the security functionality of a product or system both within the UK and internationally. IACS is about providing the best solution to the full range of end users identified whilst allowing the developer to achieve his commercial agenda in the most efficient and streamlined way.

See the IACS brochure (pdf) for a more detailed introduction.

IACS Delivery staff will work with customers to capture their requirements and resolve their queries. Novel or complex issues will be resolved with the support of the IACS Technical Panel providing definitive guidance for all of CESG's assurance services. The Delivery Office will facilitate the provision of the service and resolve any associated business issues. Currently the elements making up IACS are as follows:

CESG Assisted Products Service (CAPS)
  • Design consultancy is offered to developers and vendors of products using cryptographic security measures.
  • CAPS provides verification of these products to Government Standards.
  • The design consultancy focuses on working with industry to develop or modify cryptographic solutions that meet UK Government standards.
CESG Listed Adviser Scheme (CLAS)
  • CESG has an approved pool of private sector consultants with demonstrable competence in IA, on which Government and the wider public sector can draw for a range of IA-related services.
  • Those applying for CLAS membership must satisfy CESG that they have the right combination of qualifications and relevant IA experience.
  • Membership of CLAS allows access to the latest Government advice and CESG's own consultants.
CESG Tailored Assurance Service
  • Uses a toolbox of assurance activities
  • Involves the Accreditor in deciding which activities are best suited to reducing the threats to the product or system
  • Suitable for Government and other Critical National Infrastructure users who require assurance in the security functionality of a product or system
  • Evaluation report highlights any residual risks (where known) and their business impact
  • No certificate awarded but CESG Assessment Statement issued
CESG Claims Tested Mark
  • Independent testing of security functionality claims by ISO17025 accredited test laboratories
  • Services and Products can be validated through the Scheme
  • Compliance testing against CESG degaussing standards (lower level)
  • Suitable for central government, the wider UK public sector and CNI for Government Impact Levels 1 & 2
  • Minimum assurance requirement for the National Information Assurance Strategy and Transformational Government
CHECK
  • IT Health checks using CESG Approved Companies
  • CESG ensures the companies are assessed to provide a high quality service.
  • Work must be carried out under the Terms and Conditions of CHECK
Cryptographic Evaluations
  • The evaluation of a COTS cryptographic product that would have gone through the CAPS scheme will, from 1 April 2003, be the responsibility of IACS
  • Provides cryptographic verification of these products to government standards
  • Formally approves their use by HMG and other public sector organisations
  • Covers: Baseline, Enhanced and High Grade
  • CESG recommends the use of FIPS-140 approved products for information not protectively marked, but sensitive
  • Ensure correct implementation of security functions and identify vulnerabilities in IT systems and networks.
Common Criteria and ITSEC formal evaluation and certification
  • Internationally recognised assurance packages
  • EN45001 & ISO17025 testing and reporting on a range of security features
  • Uses established and approved testing methodology
  • Working with Developers to ensure successfully certified products & systems.
HMG IA Maturity Model
  • A portal to information in support of the HMG IA Maturity Model (IAMM) and supporting guidance
  • Assisting organisations' boards to progress towards the broad outcomes of the National IA Strategy
IT Health Check
  • For HMG or CNI systems handling protectively marked material at SECRET or above, the IT Health Check service is provided by CESG personnel
  • End user usually funds the cost of an IT Health Check
  • Output is a report detailing any vulnerabilities and recommending effective security countermeasures
  • For HMG or CNI systems processing less sensitive information up to and including the CONFIDENTIAL protective marking, IT Health Checks can be performed by CESG-approved companies in the private sector. Such approval is through the CESG CHECK service.
Open Standards Validations
  • CESG Open Standards Validations sets out a standard for configuration and use of the IPSec protocols to allow them to be used to protect RESTRICTED material.
TEMPEST
  • Carried out by CESG accredited test facilities
  • Results are endorsed by CESG against the SDIP TEMPEST standards
  • The developer of the product or system funds the TEMPEST evaluation and certification
  • Once endorsed, the product can be entered on the NATO Recommended Products List (NRPL).
© Crown Copyright, 2010.