Social Network For Security Executives: Help Make Right Cyber Security Decisions
BASIC GUIDE TO CESG - CAS(T)
BY: MANOJ VAKEKATTIL
CESG Assured Services for Telecommunication –CAS(T)
CAS(T) is a certification scheme for clients providing telecommunication services . The scheme supports the government public services Network (PSN),which requires all telecom services procured by public sector bodies be assured to suitably protect information at IL2-2-4.
The CAS (T) scheme has been created by the UK Governments National Technical Authority for Information Assurance, which is operated by the Communications and Electronic Security Group CESG), to counteract threats arising from telecommunications network providers and is based on Information Security Management System (ISMS) certification to ISO27001.
UK central government departments and agencies and the armed forces are CESG’s main customers. CESG also works with the wider public sector, including health service, law enforcement, local government and the utility companies that provide the services that form the UK's critical national infrastructure.CESG provides information assurance products and services and accreditation for consultants in industry. It also produces policy and guidance on biometrics and runs GovCertUK, the Computer Emergency Response Team (CERT) for UK government, assisting public sector organizations in their response to computer security incidents and providing advice to reduce their exposure to security threats.
CAS (T) carries additional specific guidance as defined and maintained by CESG. This is awarded to Telecom companies and the scope can cover their operation and management of technical aspects which can include :
- Hybrid (Fixed and Radio),
- Next Generation Network’s (NGN’s) including IP MPLS network services,
- DSLAM access network’s in unbundled exchanges,
- Licenced Microwave Radio connectivity and CPE router overlay.
• Ref : www.cesg.gov.uk (IL) -
6 - Top Secret
5 - Secret
4 - Confidential
3 - Restricted
2 - Protect
1 - Public
SECURITY IMPACT LEVELS
CAS(T) provides assurance that a network is built, operated and managed sufficiently for it to be used for handling public sector data at Business Impact Level.
These are most common referred to security levels.
Accreditation is of Information Security Management System. (ex: ISO27K)
IL2 (2-2-4) – Protected (Confidentiality-Integrity-Availability) (BIL) IL2 for confidentiality and integrity and IL4 for availability (this is usually shortened to 2-2-4). IL2 for confidentiality and integrity is important for two reasons: Most public sector data has an IL2 profile (corresponding to the PROTECT security marking) and the underlying PSN network operates at 2-2-4
IL2 covers primarily ensuring that your platform has high availability and that there are basic controls in place for access to the platform and access to the data on the platform.IL4 for availability represents an availability target of 99.95% – apart from being the PSN target, this value represents a pragmatic target that can be achieved readily at an acceptable cost.
CESG - IL2 (2-2-4) Protected (Confidentiality-Integrity-Availability)
Takes ISO 27K and specializes it towards Telecommunication suppliers
UK Government requires IL2 for service providers to supply services.(CESG Assured Service is now focused on this for PSN). If you want to offer services to UK government then you are going to have to do this sooner or later.
CESG NGN Good Practice Guide was the baseline for IL2
Levels are usually associated with specific government data security requirements
BIL - IL3,IL4,IL5,IL6
IL3 (3--‐3--‐4) – Restricted
Requires (SC) security cleared operatives and stronger controls
On access (integrity) and stronger controls on confidentiality
Requires complete segregation.
Baseline for most central government projects
Typically requires encryption overlay layer.
Quite expensive to build, run and operate.
Can’t share systems –e.g. your Ticketing system needs to be inside the IL3 bubble and separate to anything else
Can’t really use offshore people in this space.
IL4 (4-‐4-‐4) -‐ Confidential - Again built on IL3
Typically requires DV (Deep Vetted) security cleared operatives.
Home Office / FCO / MOD IL5 Secret and IL6 Top Secret
MOD / Security Services
IL5 Secret and IL6 Top Secret
MOD / Security Services
HOW DOES IT WORK ?
• As mentioned earlier CAS(T) is built on ISO 27001. The requirements are documented in “Security Procedures: Telecommunications Systems and Services”, which is available from CESG. For each ISO 27001 control, guidance on the control implementation is provided – in the main this guidance is drawn from ISO 27002 and/or ISO 27011.
• The key difference between CAS(T) and the normal approach to ISO 27001 certification lies in the mandatory aspects of the CAS(T) scheme. These spell out what must be included in the ISMS scope, which controls must be included in the Statement of Applicability (SoA) and identifies minimum standards and best practice implementation targets for controls.
• If you are a telecoms provider who wishes to offer services to the public sector, then CAS(T) is the only realistic assurance mechanism available to have your network approved by the PSN Authority as a Direct Network Service Provider (DNSP).
• If you are a public sector organisation with a network that you wish to share with other public sector organisations in your region, then one approach is to have the entire network approved by the PSN Authority as a DNSP. An alternative approach is to act as an ‘aggregator’ for other organisations where you provide the access to the PSN. Either way, CAS(T) is the main option for providing assurance – although formal accreditation would be an alternative in some cases.
• It is important to understand that your network must be accredited before it can be approved by the PSN Authority.
• CAS(T) is an assurance mechanism – it provides confidence to the Accreditor that risk management is in place and operating correctly, but it is not accreditation itself. The PSN process defines a ‘light-weight’ process for gaining accreditation for CAS(T) certified networks – the PSN “Risk Management and Accreditation Requirements Document” explains the process
• Ref : www.cesg.gov.uk
ISO27001 CONTROLS 2013 V/S 2005
The Guidance note update to CAS(T) Assessment Requirements – June 2014 has been superseded and is withdrawn.
All CAS(T) certification, surveillance, special and recertification assessments should use the new documents with immediate effect unless the scope for an assessment using the superseded documents has already been agreed.
As before, the Security Procedures designate each control as critical, mandatory or non-mandatory. The critical controls and associated ISO27001:2005 controls (not a precise mapping) are:
|6.1.1||Information security roles and responsibilities||6.1.3||Critical|
|9.1.1||Access control policy||11.1.1||Critica|
|9.2.3||Management of privileged access rights||11.2.2||Mandatory|
|9.2.6 R||Removal or adjustment of access rights||8.3.3||Critical|
|11.1.2 P||Physical entry controls||9.1.2||Critical|
|12.6.1||Management of technical vulnerabilities||12.6.1||Mandatory|
|13.1.3||Segregation in networks||11.4.5||Mandatory|
|15.1.3||Information and communication technology supply chain||6.2.1||Critical|
|18.2.3||Technical compliance review||15.2.2||Critical|
The critical controls that were formerly mandatory controls must be assessed in the next surveillance or special audit if the associated mandatory control had not previously been assessed. Please note: There is no precise mapping between ISO27001:2005 and ISO27001:2013 controls so there may be some uncertainty about which controls need to be assessed to ensure that all mandatory controls are assessed in the course of the an audit cycle that started with certification under the old Security Procedures. If there is any doubt, CESG will advise which controls must be assessed.
REFERENCES ON CAS(T)
• References are available from the CESG website. Users who do not have access can contact CESG Enquiries to enquire about obtaining documents.
• [a] Process for performing CESG Assured Service (CAS) assessments, version 1.2, October 2013. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/page/scheme-lib http://process/
• [b] CESG Assured Service CAS Service Requirement Telecommunications, Issue 1.1, October 2015. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/pages/servic...
• [c] ISO/IEC 27001:2013 Information technology – Security techniques - Information Security Management Systems – Requirements
• [d] CESG Security Procedures, Telecommunications Systems and Services - latest issue available from the CESG website.
• [e] ISO/IEC 27006:2011 Information Technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
• [f] Security Policy Framework [g] CESG Test Laboratory General Operational Requirements, version1.6, August 2013. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/pages/Scheme... [h] ISO 19011:2011 Guidelines for quality and/or environmental management systems
You can also see the detailed guide here