CREST is committed to supporting all sectors of the technical information security industry by providing guidance material and commissioning research projects. The CREST material currently available is listed below. If you have an idea for a subject that CREST could consider conducting research into, please let us know by emailing [email protected]
CREST have completed research projects into both Penetration Testing and Cyber Security Incident Response and guides to assist organisations procuring these services have been published.
Penetration Testing Procurement Guides
The CREST Penetration Testing Services Procurement Guide is aimed at the buying community, ie. organisations that need penetration testing services, and provides practical advice on the purchase and management of penetration testing services, helping you to conduct effective, value for money penetration testing. It is designed to enable your organisation to plan for a penetration test, select an appropriate third party provider and manage all the important related activities.
An Introduction to this Guide aimed at helping suppliers of Penetration Testing services assist their potential clients when determining the essential criteria to be applied when choosing an appropriate supplier is also available and details can be found here.
Cyber Security Incident Response Guides
The CREST Cyber Security Incident Response (CSIR) Procurement Guide provides details on how to handle cyber security incidents in an appropriate manner and offers practical advice on how to prepare for, respond to and follow up an incident in a fast and effective manner. The purpose of the Guide is to help improve the buying process for current and potential buyers of CSIR services and to help the buying community meet the range of different requirements for responding to a cyber security incident, based on their type of organisation. This Guide will help you achieve the best response for your circumstances.
The CREST Cyber Security Incident Response (CSIR) Supplier Selection Guide helps the buying community understand the benefits of using external suppliers, determine which activities should be outsourced, define criteria upon which to base selection of a suitable supplier and provides guidance on appointing suitable third party experts. It provides practical advice on the procurement of CSIR services and investigates the primary considerations for a buyer when weighing up the benefits of outsourcing their CSIR capabilities.
In support of the work on cyber security incident response, a maturity assessment tool has been developed to enable assessment of the status of an organisation’s cyber security incident response capability. The tool helps to measure the maturity of a cyber security incident response capability on a scale of 1 (least effective) to 5 (most effective). The tool is powerful, yet easy to use and consists of two different spreadsheets, enabling assessments to be made at either a summary or detailed level. Further details are available here.
Cyber Security Monitoring and Logging
The CREST Cyber Security Monitoring and Logging Guide explains what organisations need to do when monitoring and logging cyber security events. The Guide focuses on proactive measures that will make organisations more difficult to attack and help them to reduce the frequency and impact of cyber security incidents, including sophisticated cyber security attacks. Further details are available here.
COMING SOON – Industrial Control Systems: Technical Security Assurance Requirements
CREST has recently initiated a new research project to produce a Guide that will provide organisations with a pragmatic approach to identifying and meeting their Industrial Control System (ICS) technical security assurance requirements. This project, which is supported by CPNI / CESG, will focus on the testing of controls and other measures that are needed to provide assurance over the security of ICS. It will help organisations determine what they need to do, the best approach to take, and where to go for the right kind of help.
Whilst there is a proliferation of best practice frameworks and technology standards for securing ICS, there is very little to bring it all together easily and effectively for the Buying Community. The main objective for this project is to provide organisations with a pragmatic way of determining their own industrial control security requirements and procuring any required assurance services from third party experts.
Other research projects are planned in the near future and information will be made available on this page in due course.
If you have any questions or require further information, please email [email protected]