I am one of the longest-serving CLAS (CESG Listed Adviser Scheme) consultants, joining the Scheme in October 2001, soon after its inception. Membership of the scheme confirms that I have extensive experience and expertise in Information Security and Information Assurance, and have been approved to apply this expertise in advising the UK Government and Defence industries.
In addition, I run the popular mailing lists and other online services for the entire CLAS community.
The CLAS Consultant’s role in brief
UK Government bodies (including Central Departments, Non-Departmental Public Bodies, Local Government and Defence) are required to comply with the Cabinet Office’s Security Policy Framework and its supporting Policies, Standards and Guidance documents. In addition, those organisations wishing to connect to the Government Secure Intranet (GSi) – soon to become the Public Services Network (PSN) – or other similar networks are required to comply with the appropriate Code of Connection and any technical security controls dictated within it.
In many cases (if not all), the systems concerned need to be formally accredited, requiring production of a Risk Management and Accreditation Document Set (RMADS), detailing the assets, threats, vulnerabilities, countermeasures and controls (physical, procedural, personnel and technical) that apply to a system, and demonstrating that any residual risks are appropriately managed.
Together, all of this compliance, governance, accreditation and technical work needs input from someone with a breadth and depth of knowledge that is difficult to maintain internally on an ongoing basis in all but the largest of Departments. For this reason, the CESG Listed Adviser Scheme was created, providing UK Government with a pre-approved, vetted pool of industry specialists on whom it could call to advise in all of these areas. CLAS Consultants are verified (and trained) by CESG in order to have a thorough understanding of:
- Current UK Government Policy, Standards and guidance from CESG and other sources;
- The threat and risk to official systems (Government, Defence and others); and
- The approach to mitigating and managing these risks, whether technical or not.
[For a more detailed background, see my article What is a CLAS Consultant?]
A CLAS Consultant’s Work
As a CLAS Consultant I am, therefore, able to provide any UK Government client with expert and up-to-date advice on all the requirements and guidance that apply, as well as to undertake a lot of the hard work for you. I am also able to offer my services to consultancies, System Integrators and other suppliers who, in supplying systems or services to the UK Government, are also required to comply with the same set of requirements. Increasingly, the skills inherent in many (if not all) CLAS Consultants are also being recognised as valuable in other sectors, such as Financial Services, Retail Banking and Telecommunications.
Areas in which I can help include the following:
- Advice on the HMG accreditation process (in line with HMG Information Assurance Standard No. 2), collecting information, producing relevant documentation and advising on the change and implementation required to successfully achieve it;
- Technical Threat Assessment in line with current guidance and intelligence from relevant HMG sources;
- Review and analysis of Security Architecture and compliance with relevant CESG Guidance and notices;
- Technical Risk Assessment in line with HMG Information Assurance Standard No. 1;
- ISO/IEC 27001 compliance and/or certification (which forms a good basis for implementation of the HMG Baseline Countermeasure Set);
- Compliance with Joint Services Publication 440 (JSP440) and related Defence Standards and Notices;
- Personal data-handling requirements under the Data Handling Review and HMG Information Assurance Standard No. 6;
- Advice on the production of Privacy Impact Assessments (as dictated by HMG Information Assurance Standard No. 6, in support of Mandatory Requirement 14 in the Security Policy Framework);
- Interpretation and implementation of all current CESG Good Practice Guides; and
- Compliance with a wide variety of Codes of Connection, including GSi, GSE, GCSX, xGSi, the upcoming GCN and PSN requirements and equivalent community codes across Defence, Justice and Law Enforcement.
This list is by no means exhaustive, however, so if you have a related requirement that isn’t listed here, do please contact me and ask. I can provide excellent references on request, and as a CLAS consultant hold current SC Security Clearance.