
Summary of Certified Digital Security Levels
Level 1
A fundamental intent to embrace information assurance and security. This entry level requires demonstration of an organisation’s commitment to digital security by the production of policies, guidance and instructions.
Level 2
Implementation of security measures. Building on the organisation’s security policies and procedures, Level 2 requires initial implementation of user training, background checking, server and workstation patching, and the implementation of asset management.
Level 3
Audit and Control. With security measures implemented, this level requires the organisation to demonstrate clear control of all information assets, including software, from purchase to disposal, the employment of formally trained administrators and the use of network perimeter protection.
Level 4
This level represents the shift to the second standards group within the CDS model. To achieve this level the organisation needs to demonstrate a working configuration control strategy for all information assets, in addition to restriction of internet-facing services and internal servers, control of USB devices, and control of remote access and wireless connections.
Level 5
Gaining Level 5 requires more formal establishment of IT security roles within the workforce, with reviews of all security measures undertaken at set intervals by formal audit. USB facilities require tighter control and management, and portable IT assets must be encrypted.
Level 6
Formally established IT security roles are dedicated solely to the organisation (although outsourcing is permissible). Regular sub-contractor staff should undergo background checks. All regular and permanent communications links beyond company premises are to be encrypted, and application-layer firewalls are employed across the enterprise.
Level 7
The first step in the Advanced standard group requires the organisation to have multi-skilled IT security staff able to audit and review barriers through testing them, the deployment of Intrusion Detection/Prevention Systems, and the creation of an Incident Response Team.
Level 8
Support of the underlying security systems must be provided by the addition of encryption for both data at rest and across enterprise communications. Administrators must hold formally recognised high-level qualifications, and normal users must undergo approved training. Test and reference systems must be kept to permit the testing of patches and improvements.
Level 9
This ultimate level of CDS requires the organisation to subject all key systems to code review, or to use components and applications that have been formally evaluated (e.g. under Common Criteria). System configuration must be secured against alteration.