CESG ASSURED SERVICE CAS SERVICE REQUIREMENT TELECOMMUNICATIONS



Similar documents
UNCLASSIFIED CESG ASSURED SERVICE CAS SERVICE REQUIREMENT DESTRUCTION. Version 1.0. Crown Copyright 2012 All Rights Reserved.

CPA SECURITY CHARACTERISTIC DATA SANITISATION - FLASH BASED STORAGE

CPA SECURITY CHARACTERISTIC DATA AT REST ENCRYPTION: ALWAYS-ON MOBILE DEVICES

CESG ASSURED SERVICE CAS SERVICE REQUIREMENT PSN CA (IPSEC)

October 2014 Issue No: 2.0. Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services

OFFICIAL SECURITY CHARACTERISTIC MOBILE DEVICE MANAGEMENT

UNCLASSIFIED

April 2015 Issue No:1.0. Application Guidance - CCP Security and Information Risk Advisor Role, Practitioner Level

UNCLASSIFIED CPA SECURITY CHARACTERISTIC REMOTE DESKTOP. Version 1.0. Crown Copyright 2011 All Rights Reserved

CPA SECURITY CHARACTERISTIC SECURE VOIP CLIENT

Application Guidance CCP Penetration Tester Role, Practitioner Level

Oracle Business Intelligence Enterprise Edition (OBIEE) Version with Quick Fix running on Oracle Enterprise Linux 4 update 5 x86_64

IT Heath Check Scoping guidance ALPHA DRAFT

October 2015 Issue No: 1.1. Security Procedures Windows Server 2012 Hyper-V

CPA SECURITY CHARACTERISTIC MIKEY-SAKKE SECURE VOIP GATEWAY

January 2015 Issue No: 2.1. Guidance to CESG Certification for IA Professionals

GPG13 Protective Monitoring. Service Definition

UNCLASSIFIED CPA SECURITY CHARACTERISTIC SERVER VIRTUALISATION. Version Crown Copyright 2012 All Rights Reserved

Good Practice Guide Security Incident Management

UNCLASSIFIED CPA SECURITY CHARACTERISTIC SOFTWARE FULL DISK ENCRYPTION. Version 1.1. Crown Copyright 2011 All Rights Reserved

CPA SECURITY CHARACTERISTIC TLS VPN FOR REMOTE WORKING SOFTWARE CLIENT

Committees Date: Subject: Public Report of: For Information Summary

Corporate Information Security Policy

CPA SECURITY CHARACTERISTIC ENTERPRISE MANAGEMENT OF DATA AT REST ENCRYPTION

PSN Protective Monitoring. Service Definition

BT Assure DoS Mitigation UK

RISK MANAGEMENT AND ACCREDITATION OF INFORMATION SYSTEMS ALSO RELEASED AS HMG INFOSEC STANDARD NO. 2

Smart Meters Programme Schedule 2.5. (Security Management Plan) (CSP South version)

Practitioner Certificate in Information Assurance Architecture (PCiIAA)

UNCLASSIFIED CPA SECURITY CHARACTERISTIC WEB APPLICATION FIREWALLS. Version 1.3. Crown Copyright 2011 All Rights Reserved

AUDIT, SCRUTINY AND STANDARDS COMMITTEE 26 FEBRUARY Subject: ISO27001 INFORMATION SECURITY COMPLIANCE PROGRESS REPORT

A Guide to the Cyber Essentials Scheme

Citrix NetScaler Platinum Edition Load Balancer Version 10.5 running on MPX 9700-FIPS, MPX FIPS, MPX FIPS, MPX FIPS appliances

Good Practice Guide: the internal audit role in information assurance

February 2015 Issue No: 5.2. CESG Certification for IA Professionals

28400 POLICY IT SECURITY MANAGEMENT

Supplier Assurance Framework Good Practice Guide

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

CCTM IA CLAIMS DOCUMENT (ICD) Data Eliminate Ltd

HKCAS Supplementary Criteria No. 8

Preparing yourself for ISO/IEC

National Approach to Information Assurance

UNCLASSIFIED HMG IA Standard No. 1 Technical Risk Assessment

ISMS Implementation Guide

1E POWER AND PATCH MANAGEMENT PACK INCLUDING WAKEUP AND NIGHTWATCHMAN Version 5.6 running on multiple platforms

ISO 14001:2015 Client Transition Checklist

Software configuration management plans

The new Family of Standards & ISO/IEC 27001

University of Liverpool

Thales Service Definition for PSN Secure Gateway Service for Cloud Services

Oracle Identity and Access Management 10g Release running on Red Hat Enterprise Linux AS Release 4 Update 5

Service Definition Document

Wireless Network Security Position Paper. Overview for CEO s

CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH

Site to Site Virtual Private Networks (VPNs):

Cyber Essentials Scheme

DNV GL Assessment Checklist ISO 9001:2015

For the Design, Installation, Commissioning & Maintenance of Fixed Gaseous Fire Suppression Systems

06100 POLICY SECURITY AND INFORMATION ASSURANCE

Good Practice Guide Open Source Software Exploring the Risk

Certification of Integrated Master s Degrees in Computer Science and Cyber Security

Queensland recordkeeping metadata standard and guideline

ARTL PKI. Certificate Policy PKI Disclosure Statement

Compliance and Unified Communication

Quality Management Systems Foundation Training Course

Information Security Team

CERTIFICATION REPORT No. CRP253

CERTIFICATION REPORT No. CRP271

Contents QUALIFICATIONS PACK - OCCUPATIONAL STANDARDS FOR TELECOM INDUSTRY. Introduction. Qualifications Pack- Telecom Network Security Technician

Advanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech

Digital Continuity to Support Forensic Readiness

How To Manage An Wireless Network At A University

Cyber Essentials Scheme

MANAGE THIRD PARTY RISKS

How to gain accreditation for a G-Cloud Service

PTC 331 Telecom Network Interconnection using ITU-T No.7 Signalling Part A: Introduction

Guideline for department and agency implementation of the Information Security Penetration Testing standard SEC/STD/03.

ETSI EN V2.2.2 ( )

HSCIC Audit of Data Sharing Activities:

Protective Monitoring as a Service. Lot 4 - Specialist Cloud Services. Version: 2.1, Issue Date: 05/02/201405/02/2014. Classification: Open

Space Project Management

Cyber Essentials Scheme. Summary

Citrix Password Manager, Enterprise Edition Version 4.5

How To Protect School Data From Harm

Fire Protection Industry Scheme Reference SP205 Part 1

University of Brighton School and Departmental Information Security Policy

Central Sponsor for Information Assurance. A National Information Assurance Strategy

ISAE 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information

developing your potential Cyber Security Training

Practical Overview on responsibilities of Data Protection Officers. Security measures

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Transcription:

CESG ASSURED SERVICE CAS SERVICE REQUIREMENT TELECOMMUNICATIONS Issue 1.1 Crown Copyright 2015 All Rights Reserved 1 of 9

Document History Version Date Description 0.1 November 2012 Initial Draft Version 1.0 September 2013 Issued version 1.1 December 2015 Minor corrections; alignment with revised GPG 32 and Security Procedures Soft copy location DiscoverID 44993858 This document is authorised by: Technical Director External Capability Development, CESG This document is issued by CESG For queries about this document please contact: Service Assurance Administration Team CESG Hubble Road Cheltenham Gloucestershire GL51 0EX United Kingdom Tel: +44 (0)1242 221 491 Email: cas@cesg.gsi.gov.uk The CAS Authority may review, amend, update, replace or issue new Scheme Documents as may be required from time to time. 2 of 9

CONTENTS REFERENCES... 4 I. OVERVIEW... 5 A. Service Aims... 5 B. Variants... 5 C. Typical Use Case(s)... 5 D. Likely threats this Service will provide mitigations against... 5 E. Out of scope... 5 F. Future Enhancements... 6 II. SERVICE REQUIREMENT FORMAT... 7 III. REQUIREMENTS... 8 A. Mitigations... 8 IV. GLOSSARY... 9 3 of 9

REFERENCES [a] [b] [c] [d] The Process for Performing CAS Assessments, v1.2, October 2013, CESG Good Practice Guide No. 32- Audit Handbook for CESG Assured Service (Telecoms) latest issue available from the CESG website. Security Procedures Telecommunications Systems and Services latest issue available from the CESG website. Security Policy Framework (SPF), Cabinet Office 4 of 9

I. OVERVIEW 1. This document is a CAS Service Requirement it describes requirements for a particular type of assured Service for assessment and certification under CESG s CESG Assured Service (CAS) scheme. A. Service Aims 2. This service requirement aims to provide appropriately audited secure Telecommunications for HMG in line with relevant HMG IA policy [d] and guidance (as detailed in section III.A of this document). B. Variants 3. There are no variants for the CESG Assured Service for telecommunications services. 4. Scope of Service offering Telecommunications Services shall be assessed and certified against all clauses in CESG Security Procedures Telecommunications Systems and Services (see [c]). C. Typical Use Case(s) 5. Telecommunications across HMG networks using industry developed and supported systems with a high availability requirement. D. Likely threats this Service will provide mitigations against 6. The threats on this service come under four categories: Loss of service availability: A telecommunications network loses the high level of availability required by HMG customers either by systemic failure, accident or as a result of a denial of service attack. Insider attack: A member of the service provider team (or a third party used as part of the Telecommunications process) attempts to subvert the Telecommunications process and removes, replaces, or transfers data. Unauthorised access to Telecommunications: Attacker gains access to network (either the voice / data or management layers) which has been either incorrectly or incompletely security configured and is able to retrieve data from the network. Physical Attack: Intruder gains physical access and then attacks the network equipment. E. Out of scope 7. CAS does not cover security and availability of telecommunications that are outside the physical bounds of the declared service or service slice. 5 of 9

8. Certain interconnect and peering configurations between Communications Providers may be unsuitable for carrying assured services, because they cannot meet the minimum availability target for these Security Procedures. These interconnect options must be excluded from the scope of assured service. 9. Where a service is offered without managed Customer Premises Equipment (CPE), the CPE will normally be excluded from the scope of the assured service. F. Future Enhancements 10. CESG welcomes feedback and suggestions on possible enhancements to this Service Requirement. 6 of 9

II. SERVICE REQUIREMENT FORMAT 12. All CAS Security Requirements contain a list of mitigations which the Service must meet. 13. Each mitigation includes informational text in italics, describing the threat that it is expected to mitigate. It also lists at least one specific mitigation, which describes what must actually be done to achieve that requirement. In some cases there is additional explanatory text which expands upon these requirements. 14. In the requirements listed below, the following terminology can be used: Must, Mandatory and Required are used to express a mitigation that is essential. All mitigations and detailed mitigations are mandatory unless there is an explicit caveat, such as not applicable to this Service offering. Should and Strongly Recommended are used whenever a requirement is highly desirable, but is not essential. These are likely to become mandatory in future iterations of the Security Requirement. Could and Recommended are used to express a non-mandatory requirement that may enhance security or functionality. 15. For example: MITXXX - [A mitigation] This mitigation is required to counter [a threat] For a CAS Service [requirement]. For example [further explanatory comment]. 7 of 9

III. REQUIREMENTS A. Mitigations MIT001 Requirements for the Information Security Management System (ISMS) This mitigation is required to ensure the scope of the ISMS is relevant and complete. The Telecommunications Service Provider must adhere to the requirements and scope described in chapter 2 of HMG Security Procedures Telecommunications Systems and Services. MIT002 - HMG IA Standard Security Procedures Telecommunications Systems and Services [c] is followed This mitigation is required to ensure that confidence can be gained that the ISMS meets the security and availability required for a service or service slice. The Telecommunications Service Provider must adhere to the requirements and scope described in chapter 5 and the Appendix of HMG Security Procedures Telecommunications Systems and Services. MIT003 Continuous Audit and Improvement This mitigation is required to ensure that the service is consistently working as expected and that any security flaws are identified and fixed. Processes described in the CESG Good Practice Guide No. 32- Audit Handbook for CESG Assured Service (Telecoms) [b] must be in place for providing regular internal audits of the service being delivered, in order to ensure that all processes are being correctly followed and that the service conforms to industry good practice aligned to HMG standards and requirements. Audits should be conducted by a separate member of staff from the team providing the instance of the service being audited. Processes must be in place to identify and fix any issues identified where the service is not being delivered as expected. 8 of 9

IV. GLOSSARY 16. The following definitions are used in this document: Term CAS CPE CPNI ISMS Meaning CESG Assured Service Customer Premises Equipment Centre for the Protection of National Infrastructure Information Security Management System 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information