How Do I Use a CHECK Service Provider?
CHECK Service Providers are currently permitted to work on systems processing protectively marked information up to, and including, CONFIDENTIAL (and also SECRET with CESG approval – see CIAN 2009/08 for details). For the more sensitive HMG or CNI systems and occasionally other agreed requirements, the IT Health Check service will continue to be provided by CESG personnel. However, there may be occasions where it would be permissible for CHECK Service Providers to undertake tests on such systems. Potential customers of the CHECK Service should also note that if the information is not protectively marked then they do not need to specify membership of CHECK in their invitations to tender, and may be challenged if equally competent non-scheme members are prevented from bidding.
The list of CHECK Service Providers contains up-to-date contact details for all of the companies that are currently approved members of the CHECK Service. It gives the point of contact for each organisation and a contact address and telephone number.
All of the companies listed have been accredited by CESG and are considered capable of providing high quality IT health check work at or above the minimum standard set out by CESG and in line with CESG’s recommended methodology. However, only those that are classified as ‘Green Light’ are allowed to conduct work under the full Terms and Conditions of the CHECK Service. The following definition refers:
CHECK definitions:

‘Green Light’: The company has at least one full CHECK Team Leader and is able to conduct work under the Terms and Conditions of CHECK.

‘Red Light’: The company cannot conduct work under the Terms and Conditions of CHECK due to any of the following reasons: the company does not have anyone holding a valid SC clearance, the company is new to the scheme and is still being processed, the company does not have a Team Leader with a valid exam pass.
All members of a CHECK team hold at least Security Check (SC) clearance. However, you should be aware that CESG does not sponsor all of them. CESG endeavours to check all claims of a clearance; however, we are not able to do this on a regular basis. Therefore, it is most strongly advised that the customer confirms the security clearance status and review date with the issuing authority with which the individual claims to hold a clearance. CESG cannot be held responsible for the clearance of those it does not sponsor.
You should contact your chosen CHECK Service Provider directly and arrange to conduct a scoping meeting for the work to be carried out. For details of the service you should expect, please refer to the "Service Provision Guidelines (PDF 43KB - January 2012)". The contract to perform testing of your system is between yourself and the CHECK Service Provider. CESG is not a party to these contracts. However, to ensure that the work is carried out under the Terms and Conditions of CHECK it may be prudent to stipulate this in the contract.
Please note that although CHECK Service Providers hold the necessary clearances to work on systems containing information up to, and including, CONFIDENTIAL, not all of them have premises that have been granted List X status. It is imperative that information obtained during an IT health check is properly protected at all times. In the majority of cases this will involve prohibiting the removal of equipment used for the IT health check off-site unless all storage media have been removed and taken into your custody for local storage. Where the network tested processes information at up to CONFIDENTIAL, then at the end of the CHECK test you should ensure that you take ownership of all storage media used by the company during that test. The only exception to this is if the storage media are securely erased after completion of the IT Health Check, which should be carried out under your supervision, using an approved overwriting product to the Enhanced standard (HMG Infosec Standard 5 refers). If there are any doubts please consult your Departmental Security Officer, who will be able to advise on security standards and requirements.
You are also reminded that IPR conditions should be included in your contracts with the CHECK Service Provider, which ensure that all information collected or generated during the IT Health Check remains the intellectual property of your organisation.