CESG (Communications-Electronics Security Group) Listed Advisor Scheme
The CLAS is in the process of being phased out, and will be replaced by the Certified Cyber Security Consultancy CESG and CAS scheme, launched in June 2015. The CESG has announced that it plans to launch the new scheme in early 2016.
What has changed?
The current CLAS consultancy scheme, where individual information assurance (IA) consultants register with CESG, is being phased out. Consultants will now be required to register under the new Certified Cyber Security Consultancy CESG and CAS scheme where consultancy organisations and approved IA consultants register under one umbrella.
The new scheme is similar to the existing CLAS, but once registered or approved under the new CESG scheme, consultants or consultancy organisations will also become part of a CCS (Crown Commercial Service) approved supplier list.
History of the CLAS
All CLAS consultants with a formal HMG security clearance (a minimum of SC) were authorised to provide information assurance advice on systems processing information up to and including UK SECRET.
The delivery of CLAS consultancy was specifically tailored to UK Government organisations, executive agencies and related contractors, as well as the wider public sector.
HMG Information Assurance
The Security Policy Framework (SPF), published in 2008 and updated in 2014, is mandatory for all government organisations and agencies.
The SPF states that “HMG handles a wide variety of information to ensure: the confidentiality of citizen data and commercial information; good government and the effective and efficient delivery of public services; the proper protection of national security-related information; and that obligations to international partners are met. HMG expects its’ [sic] partners in the wider public sector, suppliers and other commercial partners who handle information on HMG’s behalf to do the same.”
The UK Government operates a Classification Policy to identify and value information according to its sensitivity, and to drive the right protections. The new Classifications Policy came into effect in April 2014. The policy applies equally to assets entrusted to the government by others, such as foreign governments, international organisations, NGOs and private individuals.
It comprises three levels: OFFICIAL, SECRET and TOP SECRET, for which there are distinct security arrangements. Each classification requires a level of security controls appropriate for managing the information risks involved.
OFFICIAL covers most of the day-to-day business of government, service delivery, commercial activity and policy development.
SECRET and TOP SECRET information will typically require bespoke, sovereign protection, but OFFICIAL information can be managed with good commercial solutions that mitigate the risks faced by any large corporate organisation.
The SPF provides guidance to government organisations in the following key areas:
Culture and awareness
Technology and services
Preparing for and responding to security incidents
SPF policy priorities
Personnel security and national vetting
There are three different types of national security vetting clearance: Counter-
Terrorist Check (CTC), Security Check (SC) and Developed Vetting (DV). Before any
such clearance is undertaken, the requirements of the Baseline Personnel Security
Standard must be met.
Government risk management and accreditation of information systems
The UK Government has specific requirements for the governance of computer systems. This is called 'accreditation' and requires an accreditor to make a balanced decision that all the risks to an information system are appropriately mitigated. This doesn't mean that every risk must be completely eliminated (which is almost impossible) but that the accreditor must be satisfied that the residual risks, when reduced with suitable countermeasures, would not exceed the organisation’s risk threshold. If it does, the organisation should be able to show its reasons for accepting an increased level of risk.