CESG Claims Tested Mark
Encyclopedia
The CESG Claims Tested Mark (abbreviated as CCT Mark or CCTM), formerly CSIA Claims Tested Mark, is a UK Government Standard for computer security
.
The CCT Mark is based upon framework where vendors can make claims about the security attributes of their products and/or services, and independent testing laboratories can evaluate the products/services to determine if they actually meet the claims. In other words, the CCT Mark provides quality assurance approach to validate whether the implementation of a computer security product or services has been performed in an appropriate manner.
Intelligence, Security and Resilience (ISR) function. The role of providing specialist input to the CCT Mark fell to CESG as the UK National Technical Authority (NTA) for Information Security, who assumed responsibility for the scheme as a whole on 7 April 2008.
(CC), which is simultaneously both correct and incorrect:
(CPA) approach. It is unclear as yet whether CCT Mark will remain in existence for assurance of Information Security
services.
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
.
The CCT Mark is based upon framework where vendors can make claims about the security attributes of their products and/or services, and independent testing laboratories can evaluate the products/services to determine if they actually meet the claims. In other words, the CCT Mark provides quality assurance approach to validate whether the implementation of a computer security product or services has been performed in an appropriate manner.
History
The CCT Mark was developed under the auspices of the UK Government's Central Sponsor for Information Assurance (CSIA), which is part of the Cabinet Office'sCabinet Office
The Cabinet Office is a department of the Government of the United Kingdom responsible for supporting the Prime Minister and Cabinet of the United Kingdom....
Intelligence, Security and Resilience (ISR) function. The role of providing specialist input to the CCT Mark fell to CESG as the UK National Technical Authority (NTA) for Information Security, who assumed responsibility for the scheme as a whole on 7 April 2008.
Operation
All Testing Laboratories must comply with ISO 17025, with the United Kingdom Accreditation Service (UKAS) carrying out the accreditation.Comparisons
The CCT Mark is often compared to the international Common CriteriaCommon Criteria
The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification...
(CC), which is simultaneously both correct and incorrect:
- Both provide methods for achieving a measure of assurance of computer security products and systems
- Neither can provide a guarantee that approval means that no exploitable flaws exist, but rather reduce the likelihood of such flaw being present
- The Common Criteria is constructured in a layered manner, with multiple Evaluation Assurance LevelEvaluation Assurance LevelThe Evaluation Assurance Level of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to...
(EAL) specifications being available with increasing complexity, timescale and costs as the EAL number rises - Common Criteria is supported by a Mutual Recognition Agreement (MRA), which, at the lower EAL numbers at least, means that products tested in one country will normally be accepted in other markets
- The CCT Mark is aimed at the same market as the lower CC EAL numbers (currently EAL1/2), and has been specifically designed for timescale and cost efficiency
Future
As of September 2010, CESG have announced that the product assurance element of CCT Mark will be overtaken by the new Commercial Product AssuranceCommercial Product Assurance
Commercial Product Assurance is an emergent UK Government Standard for computer security.It is intended to supplant other approaches such as Common Criteria and CCT Mark for UK government use....
(CPA) approach. It is unclear as yet whether CCT Mark will remain in existence for assurance of Information Security
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
services.