CESG (Penetration Testing)

The UK National Technical Authority for Information Assurance, CESG, is part of GCHQ and has traditionally provided IT health check services to HMG and the wider public sector for systems handling protectively marked information. These checks identify vulnerabilities in IT systems and networks that may compromise the confidentiality, integrity or availability of the information held on them. The IT Health Check Service (CHECK) was devised to supplement the information assurance services provided by CESG, and demand for these services has grown.

In line with similar CESG initiatives, a special partnership with industry was deemed the most appropriate way of meeting this demand. The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services provided to Government in line with HMG policy. Companies belonging to CHECK are measured against high standards set by CESG.

The welcome emergence of the CREST Scheme, with its company membership and professional qualifications, has allowed consideration of different ways of operating the scheme and presents an opportunity for CHECK to focus on that for which it was established: the provision of appropriately skilled staff to conduct IT Health Checks for Government.

CESG and CREST have worked in collaboration to provide a set of examinations that would be acceptable to industry and meet the requirements of private and public sectors.  CESG now requires all existing and future CHECK Team Leaders and Members to have passed an approved professional examination designed to test for a basic grounding in the discipline.

CESG will accept a pass from one of the following examinations when approving CHECK Team Leader and Team Member status:

CHECK Team Leader (Infrastructure):     CREST Infrastructure Certification Examination
CHECK Team Leader (Web applications):   CREST Certified Web Application Tester
CHECK Team Member:                      CREST Registered Tester Examination

A pass in any one of these examinations merely demonstrates technical competence and does not replace the other requirements to attain CHECK Team Leader/Member status.

The CESG CIAN 2009/08, in referring to IS6 paragraph, mandates that “All Departments whose delivery chain involves the handling of information relating to 100,000 or more identifiable individuals MUST engage independent experts to carry out penetration testing of their ICT systems.”

The table reproduced below maps system security test recommendations to typical ILs (Impact Levels):

Segmentation Model Level | Business Impact Level | System Configuration Test
-------------------------|-----------------------|---------------------------------------------------------------
Deter                    | 2                     | Commercial Pen Test (this includes any CREST member company)
Deter                    | 3                     | CHECK Pen Test
Deter & Resist           | 4                     | CHECK Pen Test + Vulnerability Test
Defend                   | 5                     | CHECK Pen Test + Vulnerability Test, or HMG Pen Test
Defend                   | 6                     | HMG Pen Test

Any ITHC must be led by a Team Leader who is present on site for the duration of the testing. For systems handling protectively marked material at SECRET, it is highly recommended that customers employ a minimum of two CHECK Team Leaders for an ITHC.

In line with the CHECK process, any candidate failing an examination must wait three months before re-sitting it.

More information on the CHECK scheme can be found at www.cesg.gov.uk.