The National Technical Authority for Information Assurance
Reports

We consider reporting to be an essential part of the Health Check process. HMG customers require penetration testing reports to provide them with a full understanding of vulnerabilities within their network as well as specific advice on how to eliminate or mitigate those vulnerabilities.

In order to ensure that our review procedure is comprehensive and consistent, we require that the reports that you supply to support your application cover a Health Check (network penetration test) of a non-trivial heterogeneous network. The report itself should include the following information:
  • A non-technical summary of the Health Check findings.
  • An objective or aim for the Health Check.
  • The Scope of the Health Check as agreed with the customer.
  • The vulnerability findings.
  • Recommendations/solutions.
  • Basic logs.

More specifically, we will be looking for the following items within the report:

  • Individuals involved in the test are identified.
  • The summary is a good high-level description of the main findings and aimed at a non-technical audience.
  • All findings are positively identified (where possible) and described.
  • Each finding is accompanied by a solution that is relevant to the customer's environment.
  • Automated vulnerability scanning tools do not appear to have been heavily relied upon (including "cut-and-paste" output from vulnerability scanners).
  • The tests and attacks performed have been as comprehensive as possible, technically sound and within the bounds of the customer-agreed scope.
  • The logs should contain full port scans for each live system within scope and show how each live system was identified.

Copies of customer reports will be treated as confidential documents and, if requested, returned after review. We understand that there may be issues concerning disclosure and will accept sanitised documents. However, the sanitisation should not affect the readability of the report nor alter its technical premises. Please contact us if you would like guidance on report sanitisation.

We supply further reporting requirements for CHECK reports to companies that enter the CHECK scheme.

© Crown copyright, 2008. This CESG Website is maintained for your personal use and viewing. Access and use by you of this site constitutes acceptance of our terms and conditions which take effect from the date of first use. CESGweb@cesg.gsi.gov.uk