CDS Certification
The CDS certification and validation process is relatively simple; most of the steps are undertaken by the applying organization:
1. The subject organization reviews the CDS levels and decides which 'target level' is best suited to its business requirements, risk appetite and funding.
2. The subject organization performs its own gap analysis to identify the effort to meet the requirements of the target level.
3. The subject organization contacts CDS or a CDS Auditing body and registers for an audit.
4. The subject organization submits some information about its system so that CDS can determine:
--> Whether the target level the organization is aiming for is appropriate for its system.
--> Whether the security controls it plans to implement are appropriate for that level (neither too few nor too many).
--> How long an audit is likely to take and when it can be scheduled.
5. The subject organization implements the requirements of its target level (and of all lower levels).
6. Once the subject organization believes it has met the requirements, it contacts its CDS Auditor, discusses the audit and agrees the dates and details.
7. The subject organization finalizes the audit evidence and arranges the audit room in accordance with the "Audit Requirements" of its level. The audit requirements detail:
--> The space and ventilation requirements.
--> The order in which the evidence is to be laid out, so that an initial check can verify that all the required evidence is present (even if not yet complete).
--> The level of detail and currency required of the information/evidence (e.g. how recent the antivirus status report must be).
8. On the day(s) of the audit the CDS Auditor assesses the evidence and produces a report on how the organization has performed against the criteria.
9. Where some items are slightly deficient, and the Auditor deems it appropriate, the organization may be able to provide additional evidence to the Auditor before the end of the audit.
10. At the end of the audit the Auditor forwards the report to CDS for external verification that the CDS level was achieved, with appropriate detail regarding the requirements outlined in the guidance document.
11. If, in the opinion of the CDS Validator, the audit report confirms that the subject organization has demonstrated compliance with the target CDS level, CDS issues it a unique CDS verification number.
Note:
Before leaving, the Auditor seals all the submitted evidence in a tamper-evident bag and returns it to the subject organization. This allows spot checks on Auditors to be conducted and allows the subject organization's improvements over time to be seen. Most importantly, it prevents either the Auditor or CDS from accessing or compromising the security-related evidence about the subject site after the audit.
The subject organization is required to store the tamper-evident bag securely, in such a manner that subsequent auditors can access the information (and, having checked the seals, can be confident the subject organization has not altered it).