CESG Cyber Incident Response (CIR) Scheme

The National Cyber Security Strategy sets a strategic objective of enhancing national prosperity and national security by making the UK more resilient to cyber attacks. Such attacks vary in persistence, sophistication and impact.

There is a range of guidance to help organisations maintain their cyber defences, such as CESG's Good Practice Guides and '10 Steps to Cyber Security', and the information published on the CPNI website. Nevertheless, attackers continue to breach the corporate networks of organisations based in the UK. In some cases this is because basic defences have not been maintained adequately; in others it is because determined, well-resourced attackers have specifically targeted the organisation and used sophisticated techniques against it.

Where an organisation has been attacked, its most immediate concerns are likely to be:

A twin track approach is being taken for certified Cyber Incident Response services:

Further details are available on the CESG website at http://www.cesg.gov.uk

CREST CSIR COMPANY APPLICATION PROCESS

Organisations wishing to join the CREST CSIR Scheme will need to sign a Non-Disclosure Agreement (NDA) with CREST. On receipt of the signed NDA, CREST will issue an application form. The organisation will be required to complete all parts of the application and submit it to CREST. The application will be reviewed in detail and, where necessary, areas of concern will be highlighted in a formal letter to the applicant company. Once the paper application has been completed to a satisfactory standard, a site visit will be required to validate the claims made in the application and to remind the organisation of its obligations under the code of conduct. Once this has been completed and the membership payment has been received, the company will be entered onto the CREST register under the Cyber-Security category.

For existing CREST penetration testing member companies, many of the questions regarding the quality of the service and the policies, processes and procedures for the protection of client-based information will already have been completed and assessed. Existing CREST Penetration Testing Member companies will also have already signed up to the CREST Code of Conduct and signed an NDA. An existing member company should therefore request an application form and will be required to complete only the sections relating to the Cyber-Security Incident Response service. Once completed, these sections will be reviewed and assessed in line with the process for new members outlined above. There have been some updates to the existing CREST application form. All existing CREST member organisations will be required to complete the new application form as part of their three-year renewal cycle. The new questions reflect 'recognised best practice', and organisations should therefore consider completing all parts of the new form.

CREST fully recognises the sensitivity of the material provided as part of the company assessment process. All applications submitted to CREST are seen only by staff employed by CREST. No information regarding the submission of an application, or any correspondence relating to the application process, is passed to the member company representatives on the CREST Executive or to any other party. The member company representatives on the CREST Executive have no part in the decision to award or not award CREST membership.

For existing CREST member companies there is no additional membership charge, although an administration fee of £500 plus VAT will be charged to existing CREST members seeking assessment under the additional CSIR category. For companies that are not current CREST members but would like to become CSIR members, the annual fees payable after passing the company assessment are outlined on the following page – Applying for Company Membership. Membership will provide the company with all the CREST member benefits.

After the initial assessment there will be an annual renewal. This is designed to be relatively easy to complete: it validates certain essential elements of the membership process, confirms the agreements between the company and CREST, and records any updates where existing policies, processes and procedures have been amended or improved. There is no charge for this annual review. Every three years the company will be subject to a full assessment requiring a full resubmission of all documents, for which there will be an assessment fee of £750 plus VAT.

CREST announced the first wave of memberships for the CSIR scheme in November 2013, and applications are now received regularly. CREST accepts applications for company membership, and for inclusion in the CSIR scheme, throughout the year.

Please review the Frequently Asked Questions relating to the CESG CIR and CREST CSIR schemes and the relationship between them.