At GRC Solutions, we’re proud to have become the first company to successfully complete a CRT (Cyber Resilience Testing) evaluation under the newly launched NCSC (National Cyber Security Centre) Cyber Resilience Testing framework.
Under our new designation as an NCSC CRTF (Cyber Resilience Test Facility), we’ve worked with a major security product manufacturer to take it through the principles-based assurance methodology. It now has a report, created in accordance with the methodology approved by the NCSC, which its customers can rely on to understand how well it meets the CRT principles.
The report is designed to give technology users more confidence when choosing security products, to be more responsive to the evolving threat landscape, and to empower risk owners to make more informed decisions about the security of their data and networks. Several key government agencies and public sector bodies are starting to ask about CRT evaluations as part of their procurement processes, and we expect that engagement to continue to increase.
The process
The GRC Solutions team have been working with the NCSC to deliver pilot evaluations and help shape the product assurance landscape, so we knew what activities would be needed to complete the first actual evaluation.
The project was split into three phases:
Phase 1 – Preparation
One of the aims of PBA (principles-based assurance) is to remove the inflexible, prescriptive requirements which create barriers for new technology and innovative solutions. To enable this, the NCSC has defined high-level principles and a set of ‘claims’ that describe how the technology meets the principles.
The core work done in the first phase was to check that the claims accurately describe the product and to modify them where they did not.
This is important because it allows flexibility in the standard. As long as the changes don’t weaken the overall principle, modifications are a useful way to describe the system design to anyone purchasing and using it.
GRC Solutions also worked with the manufacturer in this phase to fully document the product scope and to define the types of evidence we expect for each of the claims.
Phase 2 – Evidence review
This phase accounted for the majority of the time spent on the evaluation. We worked with the manufacturer to gather evidence against the agreed claims through:
- Documentation review
- Auditing and sampling of records
- Interviews and workshops
- Demonstrations of the system functions
Once the evidence was gathered, it was analysed to confirm that it demonstrated the claims were met.
We worked collaboratively with the manufacturer to ensure the system was accurately represented, which involved an ongoing discussion about the system and the claims.
Phase 3 – Reporting
The final phase is the most important, as it produces the output used by the manufacturer, which they can provide to procurement teams, risk owners, data owners and any other interested parties.
The report structure allows these groups to understand the capabilities and risks of a system. It contains a description of the system, key risks and a colour-coded summary against each principle.
The NCSC designed this structure to encourage a full understanding of the system and its associated risks, rather than reliance on a certificate which may not be suitable for the reader's own local risks and requirements.
Summary
Despite having done several pilots, this evaluation felt like a new challenge, one we met with enthusiasm and excitement.
We were working to shorter timeframes to ensure the evaluation was cost-effective and efficient. This was only possible because the manufacturer was well prepared and had thoroughly understood both the methodology and the principles themselves as they apply to their system.
As expected, the biggest discussion point was about the report content, as the approach deviates significantly from the old schemes, which produced certificates. This will continue to be an ongoing education for all stakeholders, including the labs, and the NCSC has committed to support this.
The overall process is something I am very pleased to have been a part of, along with the evaluation teams at GRC Solutions and the manufacturers. I am hopeful that this scheme will develop a strong national and international profile, which can be used by system and product owners, procurement teams and risk owners to increase the overall resilience within the UK and beyond.
How GRC Solutions can help you
Are you interested in cyber resilience testing, principles-based assurance or other types of product assessment?
Talk to one of our experts today to find the perfect solution for your security, privacy and compliance needs.
About the author
Isabel Forkin is a ChCSP (Chartered Cyber Security Professional), CISA (Certified Information Systems Auditor) and CISSP (Certified Information Systems Security Professional) with almost twenty years’ professional experience in IT security, including strong auditing experience, particularly against the CAS and ISO 27001 standards, and a diverse background, including penetration testing and business continuity management.