As an Information Security consultant, I do varied security work in different sectors, but I am also a CLAS consultant, and am often asked what I actually do – and whom I work with – when I don that particular hat. This article gives an explanation of what a CLAS Consultant is, a brief history of how the concept came into being, and what kind of knowledge and experience you should expect to find in a typical CLAS Consultant.
Background: GCHQ and CESG
Although known by different names until 1946, GCHQ (Government Communications Headquarters) has existed since early in the 20th century, providing signals intelligence (SIGINT) to UK Government and military organisations. Within GCHQ, the technical aspects of Communications and Electronics are covered by the CESG branch. Originally, CESG was an abbreviation for Communications-Electronics Security Group, although this definition was dropped recently – “CESG” now stands for “The National Technical Authority for Information Assurance” (I’ve lost count of the number of glossaries and documents I’ve had to amend to reflect this change!).Prior to 1998, CESG was almost single-handedly responsible for providing technical security advice to HMG departments, although related work was undertaken by the Central Computer and Telecommunications Agency (CCTA) and other groups. CESG particularly concentrated on the areas of communications, signals, cryptography and other electronic matters. Over time, perhaps in an effort to keep their workload manageable, CESG created and published to HMG a series of Infosec Memos, Manuals and other guidance advising HMG on all manner of areas from cryptographic assurance to technical Threat Assessment, Risk Assessment and technical countermeasures. In the main, the guidance was deeply technical, and required the reader to be technically-minded to fully understand and implement the guidance.
This need for quite extensive depth and breadth of technical knowledge in the individuals and teams responsible for implementing and working with CESG’s guidance meant that there was an increasing demand for specialist skills, and this gap was inevitably filled by industry (retaining advanced skills in the Civil/Crown Services is an historic problem, but that’s another story!).
A Cunning Plan: CESG Listed Advisers
In 1998, due to this increasing demand and technical specialisation, as well as the anticipated surge in demand for direct advisers to organisations connecting to the shiny new “Government Secure intranet” (GSi), the CESG Listed Adviser Scheme (CLAS) was conceived. A small number of experienced security professionals from industry were chosen to see if advice of this nature could be formally outsourced. The pilot met with a positive response across key customers, and this early experiment in what became CESG’s wider “Partnerships with Industry” initiative was formalised and the application process was opened to all suitably-qualified professionals.
In the early days, given the low number of consultants applying to the Scheme, all applicants were scrutinised by CESG on a case-by-case basis, and approved or denied depending on such things as their CV, experience and references. My own application, for example, was based on customer feedback relating to some of the work I’d already done with the Cabinet Office and other departments, as well as my prior experience in assessing and dealing with technical security issues. As the Scheme expanded, however, the increased checking and assessment workload required the introduction of more formal (and transparent) approaches to selection – for example, all CESG Listed Advisers are now required to obtain (and maintain) the Infosec Training Paths and Competencies (ITPC) qualification, a competency-based framework allowing Information Assurance professionals to demonstrate our skills in 10 areas of importance to HMG, such as:
- Implementation of HMG baseline requirements and compliance with relevant legislation
- Using Technical Security Measures
- Business Focus
- Managing Resources & Value for Money (VFM)
- Dealing With Change
- Information Assurance Teamwork
The ITPC scheme, originally created by the Cabinet Office and administered by the Central Sponsor for Information Assurance (CSIA), is now run by the Institute of Information Security Professionals (IISP).
Enter the CLAS Consultant
So, then, a “CLAS Consultant”, or “CESG Listed Adviser”, is an Information Security/Assurance professional who has been vetted, assessed and approved by CESG to advise the UK Government (and its key suppliers, such as Defence contractors, System Integrators and the like) on such things as:
- HMG Policies (previously the Manual of Protective Security, now the Security Policy Framework and its supporting documents)
- HMG Standards (such as Information Assurance Standard No. 1 on Risk Assessment, No. 2 on Accreditation, No. 4 on Cryptography, etc.)
- CESG Guidance (including Good Practice Guides, Developers’ Notes, Security Procedures, etc.)
- Risk Assessment and Management (including production of Risk Management and Accreditation Documents Sets, or RMADSs, which provide evidence of adequate risk management to accreditors)
- Interconnections and Compliance (in particular the GSi Code of Connection)
All CESG Listed Advisers are guaranteed to hold at least SC clearance, enabling us to advise HMG and industry clients on all but the most highly-sensitive of projects (SC infers sufficient trust for regular access to “SECRET” material, the second-highest level of Protective Marking). Many of us hold higher levels of clearance, but SC is the guaranteed minimum level for Scheme members.
The CESG Listed Adviser Scheme is shortly due a facelift, featuring a new assessment approach based on detailed “skill areas”, and with each consultant demonstrating a defined level of expertise using an IA Specialist skills framework designed to cover all relevant areas of HMG Information Assurance. This should allow customers to select a consultant they know can perform the job as required – not every consultant has skills identical to every other – one piece of work may need someone with strong management experience of the accreditation process and less technical knowledge, whereas another may require in-depth technical Threat/Risk Assessment to support a department already managing the accreditation side.
Essentially, a CLAS Consultant is a pre-approved, security-cleared, trusted adviser any HMG department or supplier can select from a published list to advise them on security requirements, good practice and other guidance. Frequently operating as independent consultants, or else retained as in-house advisers to large consultancy organisations or suppliers to HMG and Defence, we are intended to be expert sources of up-to-date Information Security/Assurance advice as it applies to UK Government and Defence.
It is important to note that there is frequently much more to a CLAS consultant than HMG security/assurance – since we have come from industry, our prior experience is frequently more varied. For more discussion on this topic, please watch out for a future article, where I will expand on the work a CLAS consultant typically undertakes, as well as the other sectors to which CLAS consultants can generally turn their attention.
Do you have any questions about being a CLAS consultant that I haven’t covered here? Contact me or leave a comment below.
Good enough to Share?
Please feel free to leave a response below. Pinging is currently not available . If you are interested in tracking blog comments too, please subscribe to one of my comment feeds.
Any questions or suggestions regarding this article?
Respond to “What is a CLAS Consultant?”
To leave a comment, please log in below. Not yet registered? It's quick and easy - just fill in my five-second registration form and a password will be emailed to you.
Blog Article Feeds
You can subscribe to my articles (blog posts) in several ways:
- All posts [RSS]
(you'll receive an update whenever I post a new article to my blog)
- All posts [Email]
(as above, but you subscribe to my list server, which sends you an email every time there is a new article to view)
The above subscriptions do not apply to comments - if you'd like to receive those, see the feeds to the right.
If mention of RSS and list servers has you scratching your head, just take a look at my Help page and I'll talk you through it.
Would you like to subscribe to a feed so you are notified when someone has commented on this article? Please select a feed to control the types of comments you receive:
- All comments on all posts [RSS]
(you'll receive an update whenever a new comment appears anywhere on my blog)
- Comments on this post only [RSS]
(i.e. receive updates when someone comments on this page only)
I do not currently offer an email-based subscription option for following comments, but please contact me if you would prefer to receive discusson updates via email, and I will put it in place if there is enough interest. There are also separate feed and email subscription options for blog posts to the left.