BASIC GUIDE TO CESG - CAS(T)
BY: MANOJ VAKEKATTIL
ISO27001:2013 LA, CISM, CCNA, MCITP, ITIL-V3 CERTIFIED
OVERVIEW
CESG Assured Services for Telecommunication – CAS(T)
CAS(T) is a certification scheme for clients providing telecommunication services. The scheme supports the government Public Services Network (PSN), which requires all telecom services procured by public sector bodies to be assured to suitably protect information at IL2 (2-2-4).
The CAS(T) scheme has been created by the UK Government's National Technical Authority for Information Assurance, which is operated by the Communications and Electronic Security Group (CESG), to counteract threats arising from telecommunications network providers, and is based on Information Security Management System (ISMS) certification to ISO 27001.
UK central government departments and agencies and the armed forces are CESG's main customers. CESG also works with the wider public sector, including the health service, law enforcement, local government and the utility companies that provide the services that form the UK's critical national infrastructure. CESG provides information assurance products and services and accreditation for consultants in industry. It also produces policy and guidance on biometrics and runs GovCertUK, the Computer Emergency Response Team (CERT) for UK government, assisting public sector organizations in their response to computer security incidents and providing advice to reduce their exposure to security threats.
CAS(T) carries additional specific guidance as defined and maintained by CESG.
This is awarded to telecom companies and the scope can cover their operation and management of technical aspects, which can include:
- Hybrid (fixed and radio),
- Next Generation Networks (NGNs) including IP MPLS network services,
- DSLAM access networks in unbundled exchanges,
- Licensed microwave radio connectivity and CPE router overlay.
• Ref: www.cesg.gov.uk
Impact Level (IL) Classifications
6 - Top Secret
5 - Secret
4 - Confidential
3 - Restricted
2 - Protect
1 - Public
SECURITY IMPACT LEVELS
CAS(T) provides assurance that a network is built, operated and managed sufficiently for it to be used for handling public sector data at a given Business Impact Level. These are most commonly referred to as security levels.
Accreditation is of the Information Security Management System (e.g. ISO 27K).
IL2 (2-2-4) – Protected (Confidentiality-Integrity-Availability)
Business Impact Level (BIL): IL2 for confidentiality and integrity and IL4 for availability (this is usually shortened to 2-2-4). IL2 for confidentiality and integrity is important for two reasons: most public sector data has an IL2 profile (corresponding to the PROTECT security marking), and the underlying PSN network operates at 2-2-4.
IL2 primarily covers ensuring that your platform has high availability and that there are basic controls in place for access to the platform and access to the data on the platform. IL4 for availability represents an availability target of 99.95% – apart from being the PSN target, this value represents a pragmatic target that can be achieved readily at an acceptable cost.
CESG - IL2 (2-2-4) Protected (Confidentiality-Integrity-Availability)
Takes ISO 27K and specializes it towards Telecommunication suppliers
UK Government requires IL2 for service providers to supply services (CESG Assured Service is now focused on this for PSN). If you want to offer services to UK government then you are going to have to do this sooner or later.
CESG NGN Good Practice Guide was the baseline for IL2
Levels are usually associated with specific government data security requirements
BIL - IL3, IL4, IL5, IL6
IL3 (3-3-4) – Restricted
- Requires (SC) security cleared operatives and stronger controls on access (integrity) and stronger controls on confidentiality.
- Requires complete segregation.
- Baseline for most central government projects.
- Typically requires an encryption overlay layer.
- Quite expensive to build, run and operate.
- Can't share systems – e.g. your ticketing system needs to be inside the IL3 bubble and separate from anything else.
- Can't really use offshore people in this space.
IL4 (4-4-4) – Confidential – again built on IL3
- Typically requires DV (Deep Vetted) security cleared operatives.
- Home Office / FCO / MOD
IL5 Secret and IL6 Top Secret
- MOD / Security Services
HOW DOES IT WORK?
• As mentioned earlier, CAS(T) is built on ISO 27001. The requirements are documented in "Security Procedures: Telecommunications Systems and Services", which is available from CESG. For each ISO 27001 control, guidance on the control implementation is provided – in the main this guidance is drawn from ISO 27002 and/or ISO 27011.
• The key difference between CAS(T) and the normal approach to ISO 27001 certification lies in the mandatory aspects of the
CAS(T) scheme. These spell out what must be included in the ISMS scope, which controls must be included in the Statement of
Applicability (SoA) and identifies minimum standards and best practice implementation targets for controls.
• If you are a telecoms provider who wishes to offer services to the public sector, then CAS(T) is the only realistic assurance
mechanism available to have your network approved by the PSN Authority as a Direct Network Service Provider (DNSP).
• If you are a public sector organisation with a network that you wish to share with other public sector organisations in your
region, then one approach is to have the entire network approved by the PSN Authority as a DNSP. An alternative approach
is to act as an ‘aggregator’ for other organisations where you provide the access to the PSN. Either way, CAS(T) is the main
option for providing assurance – although formal accreditation would be an alternative in some cases.
• It is important to understand that your network must be accredited before it can be approved by the PSN Authority.
• CAS(T) is an assurance mechanism – it provides confidence to the Accreditor that risk management is in place and operating
correctly, but it is not accreditation itself. The PSN process defines a ‘light-weight’ process for gaining accreditation for
CAS(T) certified networks – the PSN “Risk Management and Accreditation Requirements Document” explains the process
• Ref: www.cesg.gov.uk
ISO27001 CONTROLS 2013 V/S 2005
The Guidance note update to CAS(T) Assessment Requirements – June 2014 has been superseded and is withdrawn.
All CAS(T) certification, surveillance, special and recertification assessments should use the new documents with immediate effect unless the scope for an assessment using the superseded documents has already been agreed.
As before, the Security Procedures designate each control as critical, mandatory or non-mandatory. The critical controls and associated ISO27001:2005 controls (not a precise mapping) are:
ISO27001:2013 control   Description                                                   ISO27001:2005 control   Designation
6.1.1                   Information security roles and responsibilities               6.1.3                   Critical
9.1.1                   Access control policy                                         11.1.1                  Critical
9.2.3                   Management of privileged access rights                        11.2.2                  Mandatory
9.2.6                   Removal or adjustment of access rights                        8.3.3                   Critical
11.1.2                  Physical entry controls                                       9.1.2                   Critical
12.1.2                  Change management                                             10.1.2                  Critical
12.4.1                  Event logging                                                 10.10.2                 Critical
12.6.1                  Management of technical vulnerabilities                       12.6.1                  Mandatory
13.1.1                  Network controls                                              10.6.1                  Mandatory
13.1.3                  Segregation in networks                                       11.4.5                  Mandatory
15.1.3                  Information and communication technology supply chain         6.2.1                   Critical
18.2.3                  Technical compliance review                                   15.2.2                  Critical
The critical controls that were formerly mandatory controls must be assessed in the next surveillance or special audit if the associated mandatory control had not previously been assessed.
Please note: there is no precise mapping between ISO27001:2005 and ISO27001:2013 controls, so there may be some uncertainty about which controls need to be assessed to ensure that all mandatory controls are assessed in the course of an audit cycle that started with certification under the old Security Procedures. If there is any doubt, CESG will advise which controls must be assessed.
REFERENCES ON CAS(T)
• References are available from the CESG website. Users who do not have access can contact CESG Enquiries to enquire about obtaining documents.
• [a] Process for performing CESG Assured Service (CAS) assessments, version 1.2, October 2013. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/page/scheme-lib http://process/
• [b] CESG Assured Service CAS Service Requirement Telecommunications, Issue 1.1, October 2015. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/pages/servicerequirements
• [c] ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements
• [d] CESG Security Procedures, Telecommunications Systems and Services – latest issue available from the CESG website.
• [e] ISO/IEC 27006:2011 Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
• [f] Security Policy Framework
• [g] CESG Test Laboratory General Operational Requirements, version 1.6, August 2013. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/pages/SchemeLibrary
• [h] ISO 19011:2011 Guidelines for quality and/or environmental management systems auditing
• [i] GPG 32 Audit Handbook for CESG Assured Service, issue 2.0, December 2015. Available at https://www.cesg.gov.uk/content/files/GPG_32_Audit_handbook_for_CESG_Assured_Service_-_issue_2.0_Dec_2015.pdf
Thank You
For your queries please feel free to write to Manoj Vakekattil @: [email protected]