CLAS Consultancy

CESG Listed Advisor Scheme

The CESG Listed Advisor Scheme (CLAS) was created by approving a pool of high-quality consultants, in order to meet the increasing demand for authoritative information assurance advice from Government departments and agencies. All CLAS Consultants hold a formal HMG Security Clearance (a minimum of SC) and are authorised to provide information assurance advice on systems processing information up to and including UK SECRET.

The delivery of CLAS consultancy is specifically tailored to UK Government departments, executive agencies, related contractors and the wider public sector, such as:-

· Central and devolved Government.

· Local authorities.

· Organisations forming part of the Critical National Infrastructure.

· Non-Government organisations.

· GSI and CJX connected organisations.

· Those handling Government Protectively Marked assets, such as the Police and Health services and some private sector organisations.

HMG Information Assurance

The Security Policy Framework (SPF), published in late 2008, replaces the Manual of Protective Security. The SPF is mandatory for all government Departments and Agencies. It states that it “should also be extended, where necessary, to any organisations working on behalf of, or handling HMG assets, such as Non-Departmental Public Bodies (NDPBs), contractors, Emergency Services, devolved administrations, Local Authorities or any regular suppliers of goods and / or services.”

The SPF is composed of four tiers, with tiers 1 to 3 being available publicly from the Cabinet Office website. Tier 4 attracts a protective marking of UK RESTRICTED and is intended for the people who are required to implement tiers 1 to 3.

Tiers one to three are:

Tier 1: The Overarching Security Policy Statement.
Tier 2: The Five Core Security Principles.
Tier 3: The Seven Security Policies.

The Seven Security Policies highlighted in Tier 3 are:-

1. Governance, Risk Management and Compliance

2. Protective Marking and Asset Control

3. Personnel Security

4. Information Security and Assurance

5. Physical Security

6. Counter-Terrorism

7. Business Continuity

Tier 3 also sets out 70 Mandatory Requirements to which all applicable organisations must adhere.

Risk Management and Accreditation of Information Systems

Government has specific requirements for the governance of computer systems. This process is called “accreditation”, and it requires an Accreditor to make a balanced decision that all the risks to an information system have been appropriately mitigated.

This does not mean that every risk must be completely eliminated, which is almost impossible; it means that the Accreditor must be satisfied that the outstanding risks, once reduced with suitable countermeasures, would not exceed the risk appetite of the organisation, or, if they do, must understand the reasoning behind accepting an increased level of risk.

The first stage in developing a Risk Management and Accreditation Document Set (RMADS) is to determine the Business Impact Level of the information held on the information system to be accredited. Depending on that finding, it may be sufficient simply to comply with ISO 27001. For higher impact levels, an RMADS is mandatory.

There are two main phases in developing an RMADS. These are further broken down into individual work units:-

Phase 1 – Perform an HMG IA Standard 1 Technical Risk Assessment:-

· Catalogue the information system and generate a scope diagram.

· Verify the minimum assumptions to ensure that the risk assessment is accurate.

· Perform a threat assessment to produce a “Prioritised Risk Catalogue”, which must be documented within the RMADS.

Phase 2 – Create the RMADS in accordance with HMG IA Standard 2:-

· Perform an ISO 27001 Benchmarking Review to determine whether suitable commercial countermeasures are already in place.

· Develop a Risk Treatment Plan to ensure that the proposed solutions meet the requirements of the organisation and its risk appetite.

· Develop Security Operating Procedures where a technical solution or existing documentation does not meet the required level of risk mitigation.

© 2003 - IT Governance Ltd.