CPASoftwareVPNrequirements-vdocdoc.docVIP

unclassified  PAGE 8 of  NUMPAGES 8 This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email infoleg@gchq.gsi.gov.uk unclassified Commercial Product Assurance pilot - selection criteria IPsec Software Client and Gateway (remote working) – Vendor self assessment To all vendors, please complete the following self assessment form, including as much information as possible. Completed forms should be returned via E-Mail to  HYPERLINK mailto:iacs@cesg.gsi.gov.uk iacs@cesg.gsi.gov.uk. Background on the Pilot: The purpose of this pilot is primarily to validate that the Security Characteristics CESG have developed for IPsec remote working products (including the gateways to which they communicate) can be used in practice to evaluate commercial security products. The Security Characteristics describe a range of mitigations which need to be validated in a product. These mitigations can be: Design - things which the product developer needs to have implemented within the product Verify - things which the evaluation team will need to do to independently validate the products robustness Deploy - activities which users or administrators will need to do to maintain the products security throughout its deployed life As examples - for a disk encryption product, there could be the following requirements: Design: The user must be able to change their password / passphrase on-demand. Verify: The evaluation team must independently check that the whole of the drive is encrypted. Deploy: The administrator must fit tamper stickers on the protected machine to ensure that unauthorised entry to its internals is detectable. The evaluation team will need to examine information from the product developer and perform necessary independent testing to ensure that each requirement is properly satisfied by the product. Their work