This section of the framework is not intended to provide a glossary, which is included elsewhere within the document. However, it is recognised that in the field of IA there exists some jargon and some shorthand terms used by practitioners. With the aim of making the main part of the framework more accessible, this section provides background material on some commonly used terms within the Central Government IA field.
The key international standard in the field of IA is ISO/IEC 17799.
The standard originated as best practice guidelines drawn up by the Department of Trade and Industry (DTI) in the 1990s, and became a British Standard (BS7799) before becoming an international standard in 2000 and being revised in mid-2005.
A more detailed explanation of ISO/IEC 17799 can be found on the DTI website [External website].
Certification against the standard
Certification against the standard is currently against the BSI document (BS7799) rather than the ISO standard (ISO/IEC 17799). The intention is that BS7799 Part Two will be withdrawn and replaced by the first in an emerging series of standards, ISO/IEC 27001.
The British standard consists of three parts. Part One contains a code of practice. Part Two provides a specification of an ISMS. In the UK and elsewhere, there exists a framework for certification against Part Two, so that organisations can achieve independent assessment and verification of the implementation of their ISMS. Part Three contains best practice for risk analysis and risk management.
Although compliance with the provisions of the standard is required, government departments and agencies are not yet required to achieve certification against Part Two of BS7799.
Where a government organisation feels that third party certification would be beneficial, there is no bar; indeed formal certification will promote confidence.
However, where high levels of protectively marked information are concerned there may be difficulties. Departments may wish to consider a cross-certification process with another department, or in the case of BS7799 compliance, to use internal audit resources.
The Future for the Standard
It is ISO’s intention to migrate the ISO/IEC 17799 standard to a new series, ISO/IEC 27000 et seq. As part of this, BS7799 Part Two will shortly be withdrawn and replaced with ISO 27001; in the longer term ISO/IEC 17799 will be withdrawn and will become ISO/IEC 27002. Meanwhile, BS7799 will continue to be developed to some degree, in that Part 3 has been issued in draft, dealing with risk management. It can be expected that in time these standards will all fall under the 27000 series.
Related standards
ISO/IEC 17799 is managed through Sub-Committee 27 of the Joint Technical Committee 1 (JTC1/SC27), which specifically deals with Information Security. SC27 is associated with some 52 published standards [External website] in this field. In the context of this document they are recommended as best practice rather than mandated.
In addition to the emerging 27000 series of standards developed from ISO/IEC 17799, the following are recommended as relevant to government:
The e–Government Interoperability Framework (eGIF) defines the technical policies and specifications governing information flows across government and the public sector.
Security is specifically covered by the Security Framework Documents, which encompass:
The National Computing Centre (NCC) [External website] offers a service whereby organisations can accredit their systems against the eGIF.
As the National Technical Authority in this area, CESG produce a number of HMG Infosec Standards and Memoranda which provide guidance and state policy. These are available on CD and from the CESG GSi website. The most frequently used are summarised below. As with all CESG Memoranda and Standards, these form part of the governance framework; they must be considered and their applicability assessed in all cases where Government information is being held and processed.
HMG Infosec Standard No 1 (IS1)
The current version of IS1 provides a method for determining the level of risk in a particular environment and the relative levels of reduction in that risk as a result of the implementation of technical security measures. It does so by calculating a residual risk factor taking into account issues of confidentiality, integrity and availability. The method considers the nature of the attackers and the environment, and points to a Common Criteria assurance level target for technical barriers. One of the main objectives of the current review of IS1 is to take into account the business imperatives of non-government users.
HMG Infosec Standard No 2 (IS2)
IS2 provides guidance on key accreditation concepts and proposes an accreditation process closely linked to the project and procurement processes. IS2 Part 1 and Part 2 define the Risk Management and Accreditation Process, whilst Part 3 sets out the content and a suggested format of an RMADS.
IS2 also sets out a security policy structure based on a corporate policy which then drives individual system policies. The standard also provides advice on delineating responsibilities for security approval of systems according to the business’ structure, and advises on the means by which shared responsibilities can be assigned in the case of system interconnections.
HMG Infosec Standard No 3 (IS3)
IS3 indicates the general type of threats which are likely to be faced when connecting two (or more) business domains together. It also suggests the type of countermeasures which may be appropriate. The conduct of an IS3 analysis is mandated as part of the RMADS where an accredited system has external connections. IS3 is currently under review.
HMG Infosec Standard No 4 (IS4)
IS4 deals with communications security and cryptography, and sets out system specific vulnerabilities in terms of communications interception. Most importantly it states HMG policy in terms of communications security risk assessment procedures and the handling of cryptographic materials and devices.
HMG Infosec Standard No 5 (IS5)
IS5 specifies the minimum standards which must be enforced when storage devices holding protectively marked information are released from their accredited environment into another (such as when they are released for repair or disposal).
CESG Infosec Memorandum No 24 (Memo24)
Memo 24 and its supporting standards (including Memo 26) provide advice on password and authentication token characteristics based on a consideration of the information to be protected and the nature of the threat. Their application is mandatory for HMG systems processing protectively marked information.
From time to time S(E)Ns are released by the Cabinet Office Security Policy Division (COSPD); these set out current policy on matters such as encryption and the use of emerging technologies (such as 3G broadband links). S(E)Ns are usually precursors to updates to existing policy documents.
The CPNI website (Technical notes) [External website] provides access to a number of security-related technical notes, including, for example, one on forensic readiness planning.
UNIRAS is operated by CPNI, and acts both as a central focus for reporting security incidents affecting government systems, and as a central point for the assessment of threats and the issuing of vulnerability warnings to government.
Accreditation of government systems will in all cases mandate the use of UNIRAS for both responding to alerts, and reporting incidents.
Further information on what constitutes an incident and how to report it is available from the CPNI website (Guidance for Reporting Electronic Attack Incidents) [External website].
The Communications and Cryptographic Incident Notification, Reporting and Alerting Scheme (CINRAS) is the corresponding scheme for the reporting of communications security incidents. It is managed by CESG as the National Authority for Communications Security. CINRAS provides a central focus for alerting departments to communications security weaknesses and problems. It carries out incident assessments, advises on damage limitation and may provide assistance with investigation and recovery, if required.
ISO/IEC 17799 requires a formal and agreed statement of security policy, agreed at Board level within the organisation. One way of meeting the remaining documentation requirement is through the production of a Security Manual or similar which communicates the way in which the policy is implemented.
For systems processing Government information, in almost all cases there will be a requirement for an RMADS. An RMADS consists of four parts: an introductory section which sets the context for the accreditation, consisting primarily of a system description; a second part setting out the threats and vulnerabilities and specifying the countermeasures linked to those risks; a third part setting out the procedural countermeasures in the form of instructions to specific posts; the fourth part is the accreditation certificate itself. A template for an RMADS is available from IS2 Part 3.
The RMADS for a system or network sets out the security requirements for a system. It documents the basis of the security agreement between the system owner and the Accreditor.
At a high level the apparent difference between ISO/IEC 17799 and an RMADS is that the RMADS refers to a system or network, and the ISO/IEC 17799 documentation refers to an organisation. However, the standard is sufficiently flexible to adapt to the RMADS approach, and it is government policy that each RMADS should be ISO/IEC 17799 compliant, in terms of:
Organisations should consider the use of an overarching security policy document where there are a number of systems to address. Common principles across all systems and environments can be laid down in that high level document. This can avoid the need to repeat policy statements, and will make the overall documentation set more manageable.
Where there is a requirement to connect to a centralised infrastructure such as NHSNet, the Criminal Justice Network, Airwave, GSi etc., there will be a corresponding documentation requirement.
Typically, in addition to the infrastructure being accredited in its own right, each networked community will be subject to a Code of Connection (CoCo) setting out the requirements that apply to connecting systems. Typically this will call for independent security approval of the connecting system, but may also mandate a technical baseline and supporting procedural measures.
Connection to one of the GSi communities requires that the terms of the CoCo be met, both in terms of an acceptable security architecture, and crucially, in terms of the supporting procedural measures (audit and accounting are key areas).
Documents relating to the GSi requirements are available from OGC Buying Solutions.
CESG is the National Technical Authority for Information Assurance. As such they operate schemes which set standards and promote the availability of trustworthy computing and communications devices.
The Common Criteria, one of the services managed by CESG in the UK, represent the result of many years of work, experience, rationalisation and standardisation in the field of computer software and hardware security evaluation.
The Common Criteria provide a means of specifying a security functionality profile for a product, which can then be associated with one of seven predefined levels of assurance, or confidence that the system or product meets its claims. The value in the Common Criteria lies in the facts that:
The Common Criteria assurance levels are those referenced in mainstream governance documents such as HMG Infosec Standard No 1, and the criteria therefore form part of the governance framework for government IS.
ITsec
The ITsec scheme provides a framework for the security evaluation of products and systems. The process works to one of a number of defined levels of rigour, in each case assessing the construction and operation of the product or system against an agreed target of functionality. Evaluation is carried out in the UK in licensed evaluation facilities whose work is checked by CESG. There is international recognition across a number of countries of products certified under the scheme against the Common Criteria.
Sys and FTA
CESG also operate two schemes aimed at providing assurance on a cost-effective basis where recognition of the certificate is not a requirement (the Fast Track service and SYS evaluations). These services are based on CC principles, but are tailored to the specific assurance requirements of the customer. There is currently a project in hand to merge and further streamline these schemes to provide a single tailored assurance service for systems.
CAPS
The CESG Assisted Product Scheme (CAPS) enables products to be cryptographically verified by CESG to HMG cryptographic standards and formally approved for use by HMG and other appropriate organisations. For HMG customers, CAPS provides assured solutions to cryptographic requirements: for companies that are CAPS subscribers it provides enhanced opportunities to market their products to government.
The range of CAPS approved products extends beyond encryption of data in transit (for communications security) and encryption of data at rest (e.g. for laptop protection) and includes those in which encryption is used to enable other mechanisms such as document verification and authentication of individuals.
IT Health Checks
The CHECK scheme relates to IT Health Checks (ITHCs) for protectively marked systems. ITHCs up to CONFIDENTIAL (but occasionally higher) are undertaken by CHECK companies. CESG undertakes ITHCs for particularly sensitive systems.
To operate under CHECK, companies must have at least one qualified CHECK Team Leader. To become registered as CHECK Team Leaders, individuals must pass an ‘assault course’ test to demonstrate a sufficient level of understanding and experience.
An ITHC provides evidence that the system under test has been configured in a secure manner and that no unnecessary vulnerabilities exist.
Potential customers of the CHECK Service should also note that if the information is not protectively marked then they do not need to specify membership of CHECK in their invitations to tender, and may be challenged if equally competent non-scheme members are prevented from bidding. Nonetheless, in all cases Departments should ensure that the scope and objectives of the work are agreed in advance, and that the results are formally presented and discussed in the context of the relevant procedural security support mechanisms.
CLAS
The CESG Listed Advisor Scheme (CLAS) provides a register of qualified IT security consultants. Potential customers should also note that if the information is not protectively marked then they do not need to specify membership of CLAS in their invitations to tender, and may be challenged if equally competent non-scheme members are prevented from bidding. Furthermore, advice should be sought from CESG where there are particular sensitivities.
In order to become CLAS-registered, individuals must provide evidence of experience of successfully applying government security practices, must attend an annual CESG training course to keep them updated on HMG policy in this area, and must operate within the terms of the scheme. Departments engaging CLAS-registered consultants can be confident that the individual is a competent practitioner and possesses up-to-date knowledge of HMG security standards and policies.
The CSIA Claims Tested Mark Scheme has been created under the auspices of the GIPSI (General Information Assurance Products and Services Initiative) and provides a basic level of assurance that a product meets its claimed security functionality.
The Scheme is intended to meet the needs of departments and other bodies in the wider public sector requiring an indication that a product can be relied upon, having been validated by an independent third party. Test laboratories wishing to operate under the scheme must be UKAS accredited against ISO 17025, and must be approved by the scheme management, in order to ensure an adequate level of quality.
The scheme has been constructed to meet the requirements of applications which do not require full evaluation (such as those outside Central Government) and it has avoided many of the commercial implications of evaluation.
The relevance of the scheme in the context of HMG Infosec Std No1 is explained in S(E)N 05/07.
Accreditation is the formal assessment of the IS against its IA requirements, resulting in the acceptance of residual risks in the context of the business requirement. It is a prerequisite to approval to operate.
Where accreditation is not required there may be an analogous process carried out by ISO/IEC 17799 auditors.
Accreditation should be seen as a process and not an event; the maintenance of accreditation is as important an issue as gaining accreditation in the first place.
The diagram below indicates the relationship between the schemes and documents identified in this section. There is no implied precedence or relative significance; the aim of the diagram is to show the relationships between the entities. The GSi documentation, being system-specific, is not shown.
