SCC has become one of only five organisations in the UK that has been awarded the CAS (S) certification by the UK government. It’s a notable achievement, highlighting our capabilities in handling highly sensitive information by giving SCC the authority to handle and process classified government data.
SCC’s Barry Mitchell (Supply Chain Sales Manager) and Phil Wright (Lead Solutions Architect) explain what the certification means and why it’s critical for the safe removal and disposal of data.
What is CAS (S)?
CAS (S) — or CESG Assured Service (Sanitisation) — is a certification scheme from the National Cyber Security Centre (NCSC). It’s awarded to organisations that can prove their sanitisation and destruction services meet the strict guidelines that have been put in place by the government on how data should be erased and destroyed.
Organisations like SCC that are awarded the CAS (S) certification have demonstrated they offer complete security of information, with a rigorous end-to-end process for the sanitisation and destruction of end-of-life data.
Why is this certification so important?
Concerns around data protection are at an all-time high, particularly with the imminent GDPR go-live date on the 25th May, which is set to strengthen the way organisations currently hold, process and use personal data. CAS (S) provides complete assurance in SCC’s ability to address all GDPR considerations regarding the processing of end of life data.
What are the requirements to become certified?
The UK government has set out specific requirements for CAS (S) compliance, which are detailed in the HMG IA5 policy. These include a wide range of requirements that not only cover the technical detail of erasing or destroying data, but also the policies and processes that organisations should have in place to manage risk.
What does this mean for SCC clients?
By meeting this standard, organisations can be confident in SCC’s ability to handle and process data in an auditable and secure fashion as part of a comprehensive, end-to-end process. We use verified methods to securely sanitise data on devices such as desktops and laptops, so they can be safely re-used.
Our scope is also wider than other providers, being the only UK CAS (S)-certified organisation to have the re-use of flash media included in our capabilities, which covers Solid State Drivers. We are also the only CAS (S) service provider to operate on the Public Sector Framework, enabling public sector organisations to access our services with the confidence that we meet requirements on price and quality.
Is the CAS (S) certification relevant to me?
CAS (S) is designed for highly-sensitive government information and is directly relevant to any organisation that deals with HMG data or has adopted the HMG IA5 standard for its security policies.
What did achieving the certification entail?
SCC has been audited against nine mitigations of risk and compliance to ensure full compliance with an end-to-end process. This includes verifying correct and version-controlled procedures, the simulation and demonstration of service against the SCC process, including handling, transportation, sanitisation and destruction, employee sign-off processes and training plans, and the physical inspection of equipment, vehicle and facility security features.
How does CAS (S) fit with SCC’s solutions and services?
CAS (S) completes the SCC security accreditation portfolio for Recycling Services, with other credentials including:
• DIPCOG – approval from MOD for the destruction of all data classifications including top secret data at customer site
• CPNI Approval – for secure transportation and physical destruction at both customer and fixed premises
• LIST N – specific to the nuclear industry, enabling SCC to process sensitive nuclear information classified as OFFICIAL / OFFICIAL-SENSITIVE
• ISO 27001
SCC is also the only certified CAS (S) provider with the ability to offer these capabilities alongside a much greater scope of services and accreditations, for complete reassurance in data management, protection and security.
As Europe’s largest independent technology solutions company, SCC is ideally placed to help your organisation plan, manage and deliver IT services across your business. Find out more about our industry accreditations and partnerships or explore our wide range of IT services, which include data centre & cloud, security, network & connectivity and professional services.