CHECK
All CHECK companies are required to submit copies of CHECK IT Health
Check reports to the CHECK Scheme Administrator for quality checking
by the CHECK Assessment Panel within 4 weeks of the report having
been issued to the customer, subject to the delivery requirements set
out in the following paragraph.

Government policy allows unclassified information to be sent over the
internet, but information marked up to Restricted (a classification
within the government Protective Marking scheme) may only be sent
within the gsi (Government Secure Intranet). Much of the work done by
CHECK companies is sensitive and could, if disclosed to unauthorised
persons, result in compromise of the system(s) concerned or cause
great embarrassment to the system owner. As such, CHECK reports must
not be sent to us via email but must be sent by post or courier. If
you use the latter option, please ensure it is addressed to an
individual and that the room number 'A2h' is included in the mailing
address.
The following provides the reporting requirements laid down by CHECK that have been formulated to ensure that IT Health Check reports contain the information necessary for HMG customers to understand and respond to the findings of a Health Check.
- Report authors should ensure that the report is readable and
  accessible to the customer:
  - the content of the report should be clear, concise and unambiguous;
  - an executive summary of the Health Check findings should be
    included that is directed at a non-technical audience (thereafter
    the report can be exclusively directed at a technical audience
    if desired).
- The report should provide details of the individuals involved
  in the Health Check:
  - the report author should be identified;
  - the CHECK Team Leader for the Health Check should be identified;
  - any other individuals who worked on the Health Check should
    be identified;
  - a point of contact for the CHECK customer organisation should
    be provided, along with contact details.
- The report should be Protectively Marked as appropriate. The
  Protective Marking (PM) used should be agreed with the customer,
  but as a general rule it should be classified according to the
  PM of the system or of any data on that system. However, because
  of the sensitivities contained in a report, it is recommended
  that reports for HMG, the CNI and the wider public sector should
  carry as a minimum a PM of Restricted.
- The report should communicate the background, scope and context
  of the Health Check:
  - the report should document the aim of the Health Check (as
    agreed with the customer during scoping);
  - the report should identify the hosts and devices or address
    ranges agreed with the customer as the scope of the Health
    Check;
  - the report should contain an explanation of any strategy used
    to reduce the ideal scope of the Health Check testing (e.g.
    representative sampling or prioritisation);
  - any hosts and devices that are specifically out of scope
    should be identified;
  - any other customer-imposed restrictions that affected Health
    Check testing should be made clear.
- Vulnerabilities should be accurately identified:
  - false positives should be avoided by positively confirming
    the presence of a vulnerability whenever possible;
  - vulnerabilities should be described as well as identified;
  - a vulnerability description should include an indication
    of its impact on the customer.
- Each identified vulnerability should be associated with a remedial
  solution:
  - each solution should be as accurate as possible;
  - solutions should generally refer to technical controls and
    should be provided in procedural form where possible;
  - recommendations should be impartial as far as possible and
    should not favour the products of any particular vendor without
    justification;
  - solutions should be provided with reference to the customer's
    environment, context and any relevant restrictions rather
    than as blanket recommendations, wherever possible.