CESG (Communications-Electronics Security Group) Listed Advisor Scheme
The CESG Listed Advisor scheme (CLAS) was created to meet the increasing demand for authoritative information assurance (IA) advice for government organisations by approving a pool of high-quality consultants. These consultants are approved to give information assurance (IA) advice to the HM Government departments.
All CLAS consultants hold a formal HMG security clearance (a minimum of SC) and are authorised to provide information assurance advice on systems processing information up to and including UK SECRET.
The delivery of CLAS consultancy is specifically tailored to UK Government organisations, executive agencies and related contractors, as well as the wider public sector.
HMG Information Assurance
The Security Policy Framework (SPF), published in 2008 and updated in 2014, is mandatory for all government organisations and agencies.
The SPF states that “HMG handles a wide variety of information to ensure: the confidentiality of citizen data and commercial information; good government and the effective and efficient delivery of public services; the proper protection of national security-related information; and that obligations to international partners are met. HMG expects its’ [sic] partners in the wider public sector, suppliers and other commercial partners who handle information on HMG’s behalf to do the same.”
The UK Government operates a Classification Policy to identify and value information according to its sensitivity, and to drive the right protections. The new Classifications Policy came into effect in April 2014. The policy applies equally to assets entrusted to the government by others, such as foreign governments, international organisations, NGOs and private individuals.
It comprises three levels: OFFICIAL, SECRET and TOP SECRET, for which there are distinct security arrangements. Each classification requires a level of security controls appropriate for managing the information risks involved.
OFFICIAL covers most of the day-to-day business of government, service delivery, commercial activity and policy development.
SECRET and TOP SECRET information will typically require bespoke, sovereign protection, but OFFICIAL information can be managed with good commercial solutions that mitigate the risks faced by any large corporate organisation.
The SPF provides guidance to government organisations in the following key areas:
Culture and awareness
Technology and services
Preparing for and responding to security incidents
SPF policy priorities
Personnel security and national vetting
There are three different types of national security vetting clearance: Counter-
Terrorist Check (CTC), Security Check (SC) and Developed Vetting (DV). Before any
such clearance is undertaken, the requirements of the Baseline Personnel Security
Standard must be met.
Government risk management and accreditation of information systems
The UK Government has specific requirements for the governance of computer systems. This is called 'accreditation' and requires an accreditor to make a balanced decision that all the risks to an information system are appropriately mitigated. This doesn't mean that every risk must be completely eliminated (which is almost impossible) but that the accreditor must be satisfied that the outstanding risks, when reduced with suitable countermeasures, would not exceed the organisation’s risk threshold. If it does, the organisation should be able to show its reasons for accepting an increased level of risk.
Risk Management and Accreditation Documentation Sets (RMADS)
The first stage in developing a Risk Management and Accreditation Documentation Set (RMADS) is to determine the business impact level of the information held on the information system to be accredited. Depending on the findings, it may be sufficient to comply with ISO 27001.
For higher impact levels, an RMADS is mandatory.