|
|||||||||
|
| You are here: CESG > Products and Services >IACS >CHECK > | ||||
 CHECKWhat is CHECK? IT health checks identify vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. CESG has traditionally provided IT health check services for HMG and the wider public sector of systems handling protectively marked information. Demand for these services has grown. Therefore, in line with similar CESG initiatives, a special partnership with industry is the most appropriate way of meeting this demand. The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to government in line with HMG policy. Companies belonging to CHECK are measured against high standards set by CESG. Therefore, HMG and CNI customers can be assured that they will receive a high quality service if the work is carried out under the Terms & Conditions of CHECK. CHECK Service Providers are currently permitted to work on systems processing protectively marked information up to, and including, CONFIDENTIAL (and also SECRET with CESG approval – see S(E)N 2006/04 for details). For the more sensitive HMG or CNI systems, and occasionally other agreed requirements, the IT Health Check service will continue to be provided by CESG personnel. However, there may be occasions where it would be permissible for CHECK Service Providers to undertake tests on such systems. Potential customers of the CHECK Service should also note that if the information is not protectively marked then they do not need to specify membership of CHECK in their invitations to tender, and may be challenged if equally competent non-scheme members are prevented from bidding. In order to have access to protectively marked information, all members of a CHECK team hold at least Security Check (SC) clearance. However, you should be aware that CESG does not sponsor all of them. CESG endeavours to check all claims of a clearance, however, we are not able to do this on a regular basis. Therefore, it is most strongly advised that the customer confirms the security clearance status and review date with the issuing authority which the individual claims to have a clearance with. CESG cannot be held responsible for the clearance of those it does nor sponsor. 13th February 2008 Update on the CHECK Scheme for existing and prospective CHECK Companies The welcome emergence of CREST, TIGERScheme and other professional bodies has allowed us to consider different ways of operating the scheme and presents an opportunity for CHECK to focus on that for which it was established: the provision of appropriately skilled staff to conduct IT Health Checks for Government. CESG has recognised the CREST Infrastructure Certification Examination as being technically equivalent to the CHECK Service Assault Course. This means that, with immediate effect, CESG will accept a pass from either of the CREST Infrastructure Certification Examination or CHECK Service Assault Course when approving CHECK Team Leader status. The assault course merely demonstrates technical competency and does not replace the other requirements to attain CHECK Team Leader status. Only CESG may confer CHECK Team Leader status. Where CREST is the examination of choice, CREST will pass all relevant information to CESG in order to progress the application. It is the responsibility of the CHECK Company to ensure that CESG are notified, but this notification will only be accepted if it is received via CREST. Failure to do so before the expiry date will result in the individual losing Team Leader status. In due course, contracts will be amended to reflect this change. However, we are also taking the opportunity to make other changes to the contract, largely to codify existing CESG business processes. For example we intend to be much clearer about ’Red Light’ and ‘Green Light’ status. It is also our intention to move to a position where those companies not conducting Government work are removed from the scheme. This will allow us, in due course, to open up the scheme to those companies who would like to join, but have been prevented from doing so by resource constraints within CESG. It is our intention to phase the entry of new companies into the scheme and current thinking – which may change completely - is that this phasing will be managed via some kind of application process, after which applicant companies will be ranked based on the extent to which they have met published criteria. The highest-ranking companies will have their applications considered in the first phase. Those companies in receipt of this letter who are not currently members of CHECK will be contacted when we know more about the way in which we expect to handle the entry process, but should not expect to hear anything for the next several months and are kindly requested not to make any enquiries. |
||||
 |
|||
|