IT trust scheme goes live

The government has introduced the first phase of an accreditation plan designed to build trust in IT security and ensure products and services meet basic quality standards.

The Cabinet Office's Central Sponsor for Information Assurance (CSIA) group, which co-ordinates information security projects across government, has started certifying internet security products frequently used by public sector organisations.

It plans a full launch of the CSIA Claims Tested Mark (CCT) scheme by June 2006 (Computing, 7 October 2004).

Initial trials will prioritise products and services used by local authorities, the NHS and criminal justice organisations.

But the CSIA says the scheme will ultimately provide an independent kitemark for all public and private organisations, and for consumers purchasing IT security services.

'The scheme underwent technical trials at the end of last year, where we identified the best way to certify three products and three test centres,' said Harvey Mattinson, head of accreditation at the CSIA, in an exclusive interview with Computing.

'Since then six companies have already signed up to the scheme, and we're now welcoming vendors who sell popular web security products.'

Registration for CCT accreditation will cost vendors between £10,000 and £20,000 per application, with testing and approval of products, such as anti-virus software, firewalls and disk encryption, expected to take up to 20 working days.

For vendors to gain accreditation, test centres must substantiate their claims about the reliability and functionality of products and their compatibility with other operating systems.

IT services companies EDS, IBM and LogicaCMG have been chosen to act as the scheme's first independent test laboratories to certify IT security products, after being approved by the United Kingdom Accreditation Service.

Further companies will receive test centre status following completion of the trials, and the CSIA expects the scheme to eventually become a fully independently-managed service.

CCT will complement other security accreditation schemes, such as Common Criteria. This scheme is run by CESG, GCHQ's national information security technical authority, and approves security products and services used in IT systems of national importance.

'This trial will help us finalise and formalise the final accreditation scheme,' said Mattinson.