CHECK
|
|
| |
 |
|
as at 15 September 2008
The CHECK Service was devised to supplement IA services provided by
CESG. CHECK companies are currently permitted to work on systems processing
protectively marked information up to, and including, CONFIDENTIAL
(and also SECRET with CESG approval – see CIAN 2009/08 for details).
CHECK companies, and all members of their CHECK team, shall at all
times comply with the performance criteria (as amended from time to
time) so as not to bring the service and CESG into disrepute.
The principles below are not intended to be a comprehensive list of
the principles of CHECK. Although they form the basis of the CHECK
Service, the CHECK contract and Service Provision Guidelines should
be consulted for greater detail. The CHECK contract shall take precedence
over this document if any issue of conflict occurs.
CHECK Membership
- All CHECK companies must be able to sign-up to English law.
- Any company accepted into CHECK must have performed IT Health
Checks (ITHCs) under the company name for a minimum of 12 months.
- If an application to join CHECK is rejected it cannot be resubmitted
within a 12 month period. The decision of the assessment panel
is final and there is no appeal process for new applicants.
- All team members must be British nationals (or as a minimum
hold dual British nationality) and be able to obtain and hold
an SC clearance.
- CESG will sponsor an SC clearance, if required. Security forms
must be returned by the requested deadline. GCHQ Personnel Security
section will not pursue clearances where security forms have not
been returned following two reminders to do so. Failure to comply
will therefore result in a clearance application being stopped.
Their decision is final.
- To be accepted as a CHECK team member each individual will have
worked FULL TIME on ITHCs for the previous 12 months. Updated
information on all members of a CHECK team is required annually
as part of a company’s renewal process.
- If a member of a CHECK team transfers, it is the responsibility
of the importing CHECK company to verify the status of the individual’s
clearance.
- Membership is valid for a period of 1 year at a time. CHECK
companies must renew their membership by the required date, otherwise
membership will lapse. If membership lapses the company will no
longer be able to provide ITHC services under CHECK and will be
removed from the CESG web site.
- In order to undertake work under the terms and conditions of
CHECK, a Company must hold ‘Green Light’ status, which
is achieved by at least one individual of the CHECK team having
passed the standard Network and Operating Systems Assault Course
and thus having gained Team Leader status.
CHECK Assignments
- Any ITHC must be led by a Team Leader who is present on site
for the duration of the testing. For systems handling protectively
marked material at SECRET, it is highly recommended that customers
employ a minimum of 2 CHECK Team Leaders for an ITHC.
- The CHECK company should endeavour to notify CESG at least 5
working days before the commencement of each ITHC.
- A copy of the report, in line with the published reporting guidelines,
must be sent to CESG within 4 weeks of it being issued to the
customer.
|
Fundamental
Principles of the CHECK Service
as at 15 September 2008