The National Technical Authority
for Information Assurance

What is CHECK?

IT health checks identify vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system.
CESG has traditionally provided IT health check services to HMG and the wider public sector for systems handling protectively marked information. Demand for these services has grown. Therefore, in line with similar CESG initiatives, a special partnership with industry is the most appropriate way of meeting this demand. The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to Government in line with HMG policy. Companies belonging to CHECK are measured against high standards set by CESG. Therefore, HMG and CNI customers can be assured that they will receive a high-quality service if the work is carried out under the Terms & Conditions of CHECK.
Under the new classification policy, the CHECK scheme enables penetration testing by CESG-approved companies, employing penetration testing personnel qualified to assess HMG and other public sector bodies. The interim guidelines below are subject to change:
HMG Central Government Departments and their associated agencies:
  • When performing penetration tests, all systems processing data protectively marked OFFICIAL will be assessed under CHECK.
  • When performing penetration tests, all systems processing data protectively marked SECRET will be assessed under CHECK and subject to prior approval by CESG.
Other public sector bodies:
  • Where a system processes data protectively marked OFFICIAL with the handling caveat SENSITIVE, CESG strongly recommends and advises it be assessed under CHECK unless the System Accreditor explicitly advises otherwise.
  • Where a system processes data protectively marked OFFICIAL with no handling caveat, the preferred assurance mechanism will be a CESG-approved industry-led scheme; however, CHECK may be mandated at the discretion of the Accreditor.
In all cases, where the most appropriate penetration testing scheme is ambiguous or not determined, the System Accreditor's decision must be sought and will be final.
In order to have access to protectively marked information, all members of a CHECK team hold at least Security Check (SC) clearance. However, you should be aware that CESG does not sponsor all of them. CESG endeavours to check all claims of a clearance; however, we are not able to do this on a regular basis. Therefore, it is most strongly advised that the customer confirm the security clearance status and review date with the issuing authority with which the individual claims to hold a clearance. CESG cannot be held responsible for the clearance of those it does not sponsor.
CESG will accept a pass from one of the following examinations when approving CHECK Team Leader and Team Member status.
CHECK Team Leader:
  • CHECK Team Leader (Infrastructure): CREST Infrastructure Certification Examination; Tiger Scheme Senior Security Tester
  • CHECK Team Leader (Web applications): CREST Certified Web Application Tester; Tiger Scheme Web Application Tester
CHECK Team Member:
  • CHECK Team Member: CREST Registered Tester Examination; Tiger Scheme Qualified Security Tester Examination; Cyber Scheme Team Member Examination
A pass in any one of these examinations merely demonstrates technical competence and does not replace the other requirements to attain CHECK Team Leader/Member status. Only CESG may confer CHECK Team Leader/Member status. The examining organisation, CREST, Cyber or Tiger Scheme, will pass all relevant information to CESG.