CHECK Penetration Testing
As a CESG CHECK Service Provider and CHECK green light company, ReactionIS are authorised to carry out penetration testing on HMG systems protectively marked up to CONFIDENTIAL and, with CESG approval, up to SECRET. All our CHECK tests are led by Joseph Sheridan, Director and Owner of Reaction. Reaction's CHECK status can be found on CESG's website.
CHECK penetration testing is performed under specific terms and conditions defined by CESG. CHECK penetration tests are often referred to as 'IT Health Checks'. IT Health Checks or CHECK penetration tests can only be undertaken by 'green light' companies authorised by CESG with at least one CHECK Team Leader in the testing team. Green light CHECK service companies/providers are required to agree to various conditions of service including rules on reporting, staff clearance, staff qualifications, sub-contracting, green light status and data handling and protection.
CHECK Penetration Testing Engagements
CHECK penetration tests must be led at all times by a CHECK Team Leader. The CHECK Team Leader must be present on-site for the length of the penetration test. The CHECK Team Leader can be assisted during the testing and report generation phases by CHECK Team Members (but CHECK Team Members cannot carry out CHECK work on their own). Within four weeks of completion, CESG must receive a copy of the IT Health CHECK report, as per the reporting guidelines below. The CHECK member company should notify CESG at least five days before commencement of the CHECK test.
CHECK Team Leaders
CHECK Team Leaders must have considerable experience and expertise in the field of penetration testing. To qualify, a CHECK Team Leader must hold current security clearance at a minimum of SC level and must have passed an authorised CHECK assault course such as the CREST Infrastructure/CREST Web Applications or TigerScheme Senior Tester qualification. These exams usually require the equivalent of five years' hands-on experience in penetration testing. The CHECK Team Leader must also operate through a CHECK scheme member company. CHECK Team Leaders are authorised to perform CHECK work without additional staff present.
CHECK Team Members
CHECK Team Members under the old scheme were required to have at least one year's experience working as a full-time penetration tester at a CHECK member company. The new scheme requires the prospective CHECK Team Member to pass a CESG-authorised CHECK assault course by CREST or TigerScheme. They must also hold current security clearance at a minimum of SC level. CHECK Team Members can assist in delivering CHECK work but require at least one CHECK Team Leader to be present for the duration of the test.
CHECK Service Provider Reporting Requirements
- CHECK service providers must ensure that the classification of the report is clearly shown and that the marking is appropriate for the sensitivity of the data/network and is agreed with the customer.
- The scope of testing and overall aims should be clearly identified in the report.
- Identified security issues should indicate the severity and impact of the vulnerability.
- Remedial actions should always be given for each identified vulnerability.
- CHECK penetration testing companies must ensure that reports are readable to technical and non-technical audiences alike.
- CHECK penetration testing companies must ensure that the report author, the CHECK Team Leader and any other staff working on the project are clearly identified.
- The CESG CHECK logo must be displayed on all CHECK engagements.
Reaction currently work with local and central government departments to help secure their information assets and comply with regulations.
Please get in touch for more details.