IT health checks identify vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system.
CESG has traditionally provided IT health check services to HMG and the wider public sector for systems handling protectively marked information. Demand for these services has grown. Therefore, in line with similar CESG initiatives, a special partnership with industry is the most appropriate way of meeting this demand. The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to Government in line with HMG policy. Companies belonging to CHECK are measured against high standards set by CESG. Therefore, HMG and CNI customers can be assured that they will receive a high quality service if the work is carried out under the Terms & Conditions of CHECK.
CHECK Service Providers are currently permitted to work on systems processing protectively marked information up to, and including, CONFIDENTIAL (and also SECRET with CESG approval – see CIAN 2009/08 for details). For the more sensitive HMG or CNI systems, and occasionally other agreed requirements, the IT Health Check service will continue to be provided by CESG personnel. However, there may be occasions where it would be permissible for CHECK Service Providers to undertake tests on such systems. Potential customers of the CHECK Service should also note that if the information is not protectively marked then they do not need to specify membership of CHECK in their invitations to tender, and may be challenged if equally competent non-scheme members are prevented from bidding.
In order to have access to protectively marked information, all members of a CHECK team hold at least Security Check (SC) clearance. However, you should be aware that CESG does not sponsor all of them. CESG endeavours to check all claims of a clearance; however, we are not able to do this on a regular basis. Therefore, it is most strongly advised that the customer confirms the security clearance status and review date with the issuing authority with which the individual claims to hold a clearance. CESG cannot be held responsible for the clearance of those it does not sponsor.
The welcome emergence of the CREST and TIGER Schemes has allowed us to consider different ways of operating the scheme and presents an opportunity for CHECK to focus on that for which it was established: the provision of appropriately skilled staff to conduct IT Health Checks for Government.
CESG will accept a pass from one of the following examinations when approving CHECK Team Leader and Team Member status.
| Status | Role | Accepted examinations |
|---|---|---|
| CHECK Team Leader | CHECK Team Leader (Infrastructure) | CREST Infrastructure Certification Examination (www.crest-approved.org); Tiger Scheme Senior Security Tester (www.tigerscheme.org) |
| CHECK Team Leader | CHECK Team Leader (Web applications) | CREST Certified Web Application Tester (www.crest-approved.org); Tiger Scheme Web Application Tester (www.tigerscheme.org) |
| CHECK Team Member | CHECK Team Member | CREST Registered Tester Examination (www.crest-approved.org); Tiger Scheme Qualified Security Tester Examination (www.tigerscheme.org) |
A pass in any one of these examinations merely demonstrates technical competence and does not replace the other requirements to attain CHECK Team Leader/Member status. Only CESG may confer CHECK Team Leader/Member status. The examining organisation, CREST or Tiger Scheme, will pass all relevant information to CESG.