Preparing and Upgrading your Organization for CESG: CAS(T) Accreditation

BASIC GUIDE TO CESG - CAS(T) BY: MANOJ VAKEKATTIL ISO27001LA,CISM,CCNA,MCITP,ITIL-V3 CERTIFIED


Post on 23-Jan-2017


Page 1: Preparing and Upgrading your Organization for CESG: CAS(T) Accreditation

BASIC GUIDE TO CESG - CAS(T)

BY: MANOJ VAKEKATTIL

ISO27001LA,CISM,CCNA,MCITP,ITIL-V3 CERTIFIED

Page 2

OVERVIEW

CESG Assured Services for Telecommunication – CAS(T)

CAS(T) is a certification scheme for clients providing telecommunication services. The scheme supports the government's Public Services Network (PSN), which requires all telecom services procured by public sector bodies to be assured to suitably protect information at IL 2-2-4.

The CAS(T) scheme has been created by the UK Government's National Technical Authority for Information Assurance, which is operated by the Communications-Electronics Security Group (CESG), to counteract threats arising from telecommunications network providers, and is based on Information Security Management System (ISMS) certification to ISO 27001.

UK central government departments and agencies and the armed forces are CESG's main customers. CESG also works with the wider public sector, including the health service, law enforcement, local government and the utility companies that provide the services that form the UK's critical national infrastructure. CESG provides information assurance products and services and accreditation for consultants in industry. It also produces policy and guidance on biometrics and runs GovCertUK, the Computer Emergency Response Team (CERT) for UK government, assisting public sector organizations in their response to computer security incidents and providing advice to reduce their exposure to security threats.

CAS(T) carries additional specific guidance as defined and maintained by CESG.

This is awarded to telecom companies, and the scope can cover their operation and management of technical aspects, which can include:

- Hybrid (fixed and radio),

- Next Generation Networks (NGNs), including IP MPLS network services,

- DSLAM access networks in unbundled exchanges,

- Licensed microwave radio connectivity and CPE router overlay.

• Ref: www.cesg.gov.uk

Impact Level (IL) classifications

6 - Top Secret

5 - Secret

4 - Confidential

3 - Restricted

2 - Protect

1 - Public

Page 3

SECURITY IMPACT LEVELS

CAS(T) provides assurance that a network is built, operated and managed sufficiently for it to be used for handling public sector data at a given Business Impact Level (BIL). These are most commonly referred to as security levels.

Accreditation is of the Information Security Management System (e.g. ISO 27001).

IL2 (2-2-4) – Protected (Confidentiality-Integrity-Availability)

The BIL is IL2 for confidentiality and integrity and IL4 for availability (this is usually shortened to 2-2-4). IL2 for confidentiality and integrity is important for two reasons: most public sector data has an IL2 profile (corresponding to the PROTECT security marking), and the underlying PSN network operates at 2-2-4.

IL2 primarily covers ensuring that your platform has high availability and that there are basic controls in place for access to the platform and access to the data on the platform. IL4 for availability represents an availability target of 99.95% – apart from being the PSN target, this value represents a pragmatic target that can be achieved readily at an acceptable cost.

CESG - IL2 (2-2-4) Protected (Confidentiality-Integrity-Availability)

Takes ISO 27K and specializes it towards telecommunication suppliers.

UK Government requires IL2 for service providers to supply services (CESG Assured Service is now focused on this for PSN). If you want to offer services to UK government then you are going to have to do this sooner or later.

CESG NGN Good Practice Guide was the baseline for IL2

Levels are usually associated with specific government data security requirements

Page 4

BIL - IL3, IL4, IL5, IL6

IL3 (3-3-4) – Restricted

Requires (SC) security cleared operatives and stronger controls on access (integrity) and stronger controls on confidentiality.

Requires complete segregation.

Baseline for most central government projects.

Typically requires an encryption overlay layer.

Quite expensive to build, run and operate.

Can't share systems – e.g. your ticketing system needs to be inside the IL3 bubble and separate from anything else.

Can't really use offshore people in this space.

IL4 (4-4-4) – Confidential – again built on IL3

Typically requires DV (Deep Vetted) security cleared operatives.

Home Office / FCO / MOD

IL5 Secret and IL6 Top Secret

MOD / Security Services

Page 5

HOW DOES IT WORK?

• As mentioned earlier, CAS(T) is built on ISO 27001. The requirements are documented in "Security Procedures: Telecommunications Systems and Services", which is available from CESG. For each ISO 27001 control, guidance on the control implementation is provided – in the main this guidance is drawn from ISO 27002 and/or ISO 27011.

• The key difference between CAS(T) and the normal approach to ISO 27001 certification lies in the mandatory aspects of the CAS(T) scheme. These spell out what must be included in the ISMS scope and which controls must be included in the Statement of Applicability (SoA), and identify minimum standards and best practice implementation targets for controls.

• If you are a telecoms provider who wishes to offer services to the public sector, then CAS(T) is the only realistic assurance mechanism available to have your network approved by the PSN Authority as a Direct Network Service Provider (DNSP).

• If you are a public sector organisation with a network that you wish to share with other public sector organisations in your region, then one approach is to have the entire network approved by the PSN Authority as a DNSP. An alternative approach is to act as an 'aggregator' for other organisations, where you provide the access to the PSN. Either way, CAS(T) is the main option for providing assurance – although formal accreditation would be an alternative in some cases.

• It is important to understand that your network must be accredited before it can be approved by the PSN Authority.

• CAS(T) is an assurance mechanism – it provides confidence to the Accreditor that risk management is in place and operating correctly, but it is not accreditation itself. The PSN process defines a 'light-weight' process for gaining accreditation for CAS(T) certified networks – the PSN "Risk Management and Accreditation Requirements Document" explains the process.

• Ref: www.cesg.gov.uk

Page 6

ISO27001 CONTROLS 2013 V/S 2005

The Guidance note update to CAS(T) Assessment Requirements – June 2014 has been superseded and is withdrawn. All CAS(T) certification, surveillance, special and recertification assessments should use the new documents with immediate effect unless the scope for an assessment using the superseded documents has already been agreed.

As before, the Security Procedures designate each control as critical, mandatory or non-mandatory. The critical controls and associated ISO27001:2005 controls (not a precise mapping) are:

| ISO27001:2013 | Control Description                                     | ISO27001:2005 | Designation |
|---------------|---------------------------------------------------------|---------------|-------------|
| 6.1.1         | Information security roles and responsibilities         | 6.1.3         | Critical    |
| 9.1.1         | Access control policy                                   | 11.1.1        | Critical    |
| 9.2.3         | Management of privileged access rights                  | 11.2.2        | Mandatory   |
| 9.2.6         | Removal or adjustment of access rights                  | 8.3.3         | Critical    |
| 11.1.2        | Physical entry controls                                 | 9.1.2         | Critical    |
| 12.1.2        | Change management                                       | 10.1.2        | Critical    |
| 12.4.1        | Event logging                                           | 10.10.2       | Critical    |
| 12.6.1        | Management of technical vulnerabilities                 | 12.6.1        | Mandatory   |
| 13.1.1        | Network controls                                        | 10.6.1        | Mandatory   |
| 13.1.3        | Segregation in networks                                 | 11.4.5        | Mandatory   |
| 15.1.3        | Information and communication technology supply chain   | 6.2.1         | Critical    |
| 18.2.3        | Technical compliance review                             | 15.2.2        | Critical    |

The critical controls that were formerly mandatory controls must be assessed in the next surveillance or special audit if the associated mandatory control had not previously been assessed.

Please note: there is no precise mapping between ISO27001:2005 and ISO27001:2013 controls, so there may be some uncertainty about which controls need to be assessed to ensure that all mandatory controls are assessed in the course of an audit cycle that started with certification under the old Security Procedures. If there is any doubt, CESG will advise which controls must be assessed.

Page 7

REFERENCES ON CAS(T)

• References are available from the CESG website. Users who do not have access can contact CESG Enquiries to enquire about obtaining documents.

• [a] Process for performing CESG Assured Service (CAS) assessments, version 1.2, October 2013. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/page/scheme-lib http://process/

• [b] CESG Assured Service CAS Service Requirement Telecommunications, Issue 1.1, October 2015. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/pages/servicerequirements

• [c] ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements

• [d] CESG Security Procedures, Telecommunications Systems and Services – latest issue available from the CESG website.

• [e] ISO/IEC 27006:2011 Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems

• [f] Security Policy Framework

• [g] CESG Test Laboratory General Operational Requirements, version 1.6, August 2013. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/pages/SchemeLibrary

• [h] ISO 19011:2011 Guidelines for quality and/or environmental management systems

• [g] Audit handbook for CESG Assured Service: https://www.cesg.gov.uk/content/files/GPG_32_Audit_handbook_for_CESG_Assured_Service_-_issue_2.0_Dec_2015.pdf

Page 8

Thank You

For your queries feel free to write to Manoj Vakekattil @: [email protected]