CREST has a strong relationship with government bodies such as CESG, the National Technical Sponsor for Information Assurance. The CREST Certified Tester (Infrastructure) examination was the first penetration testing certification scheme to be granted equivalence with the CHECK Service Assault Course. Since then, candidates passing the CREST examination have been able to apply for CHECK Team Leader status under the CESG CHECK Scheme.
CESG have commented: “The welcome emergence of the CREST scheme has allowed us to consider different ways of operating the scheme and presents an opportunity for CHECK to focus on that for which it was established: the provision of appropriately skilled staff to conduct IT Health Checks for Government.”
CHECK Team Members
CREST has also worked very closely with CESG to further develop the way in which CHECK Team Members are selected. The process for obtaining CHECK Team Member status has in the past been to obtain clearances, prove nationality and provide evidence, via a CV, of one year’s experience of penetration testing. It has been widely recognised that this did not provide sufficient confidence in the abilities of the individuals responsible for carrying out this important work. It also meant that the transition from Team Member to Team Leader was significant, and it restricted the way in which teams could be constructed for lower impact level systems.
The only way of having any confidence in the team was to have a Team Leader actively involved in all aspects of the review. On occasion this made the cost of reviewing low impact systems prohibitive.
CESG and CREST recognised these issues and have worked in collaboration to provide an examination that would be acceptable to industry and meet the requirements of industry and government.
Based on this collaboration CESG has now changed the process for the selection of CHECK Team Members. CESG now requires all existing and future CHECK Team members to have passed an approved professional examination designed to test for a basic grounding in the discipline.
The CREST Registered Tester examination is the first examination approved by CESG as providing evidence of competence for CHECK Team Members. In order to carry out Government work there will still be a requirement to obtain clearances and prove nationality.
CREST believes that this is a major step forward in professionalising the industry. It will improve the level of service offered to Government and also send a clear message to the private sector regarding the need to utilise individuals who can demonstrate competence. CESG has stated ‘In order to retain CHECK Member status, existing CHECK Team Members must have sat an approved examination by 31 March 2011 and passed it by 31 March 2012.
With immediate effect, anybody wishing to become a CHECK Team Member who, according to CESG’s records does not currently enjoy this status, must first pass an approved examination. In line with the CHECK Team Member process any candidate failing the examination must wait for 3 months before re-sitting it.’
CHECK Team Leader Web Applications
All areas of business and government have seen web based applications and shared services platforms become prevalent. There have, for example, been more than 10,000 websites established for the 2012 Olympics, not all of which are legitimate. This change has introduced new threats and vulnerabilities, and real, damaging attacks. To obtain the required levels of information assurance for web applications, there is a requirement to have access to technically competent professionals who specialise in the testing of web applications.
CREST established the CREST Certified Tester (web applications) examination to meet this requirement and this qualification has been very well received. CESG has now stated ‘In response to these requirements CESG now intends to differentiate between and endorse the specific skills of a CHECK Team Leader by discipline.
A new qualification, CHECK Team Leader (Web Applications) will be introduced to complement the existing qualification, now known as CHECK Team Leader (Infrastructure). Team Leader status will be attained by passing an examination endorsed by CESG as well as meeting other criteria, including those relating to clearance, nationality and evidence of two years’ penetration testing in the relevant discipline.’
The CREST Certified Tester (web applications) examination has been assessed by CESG and has now been approved to provide the competence requirements for the new CHECK Team Leader (Web Applications) role. There is still a requirement to obtain clearance, prove nationality and provide evidence of experience.
Change in Rules for CHECK Team Leaders
The introduction of the new CHECK Team Leader category and assessment for CHECK Team Members has necessitated some slight revisions in the rules associated with the scheme. In summary these are:
- Any existing CHECK Team Leader candidate failing the CHECK Team Leader examination must wait for 3 months before re-sitting it. During that time (i.e. for 3 months after the first failure) they may operate as a CHECK Team Member. However, should they fail for a second time, or fail to re-take the examination, they lose any official status within the CHECK scheme and must pass either a CHECK Team Member examination or a CHECK Team Leader examination in order to continue to participate in tasks conducted under CHECK terms and conditions.
- Any new CHECK Team Leader candidate failing the CHECK Team Leader examination must wait for 3 months before re-sitting it. During that time they may not operate as a CHECK Team Member.
- Any candidate failing a CHECK Team Leader examination who is in possession of a valid CHECK Team Member qualification will retain Team Member status for the duration of that qualification.
- These rules are fully compatible with those already in place within CREST.
In order to ensure that there is an appropriate match between supply and demand for the new CHECK Team Leader (Web Applications) qualified personnel, CESG will, in the medium term, recommend as desirable the use of specialised practitioners that are most relevant to the system being tested. Thereafter, and if necessary, the guidance will more explicitly reference the need to use CHECK Team Leaders from the appropriate discipline. The changes to the CHECK Team Member selection process have a year to be applied; provided that individuals plan their examination early, there will be sufficient time to implement this in a controlled manner.
The CHECK Scheme remains extant for organisations and consultants wishing to work with UK Government. If you have any questions regarding the relationship between CREST and CESG please contact ian.glover@crest-approved.org.
More information on the CHECK scheme can be found at www.cesg.gov.uk.