
NCSC (Penetration Testing)

The UK National Technical Authority for Information Assurance (CESG), which is now part of the National Cyber Security Centre, traditionally provided IT health check services to HM Government and the wider public sector for systems handling protectively marked information. These services identify vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on those systems.

In line with similar NCSC initiatives, a special partnership with industry was deemed the most appropriate way of meeting this demand. The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to Government in line with HMG policy. Companies belonging to CHECK are measured against high standards set by the NCSC.

The NCSC and CREST work in collaboration to provide a set of examinations that are acceptable to industry and meet the requirements of private and public sectors. The NCSC now requires all existing and future CHECK Team Leaders and Members to have passed an approved professional examination designed to test for a basic grounding in the discipline.

NCSC will accept a pass from one of the following examinations when approving CHECK Team Leader and Team Member status.

A pass in any one of these examinations merely demonstrates technical competence and does not replace the other requirements to attain CHECK Team Leader/Member status.

The NCSC CIAN 2009/08, in referring to IS6 paragraph, mandates that “All Departments whose delivery chain involves the handling of information relating to 100,000 or more identifiable individuals MUST engage independent experts to carry out penetration testing of their ICT systems.”

The table reproduced below maps system security test recommendations to typical ILs (Impact Levels):

Any ITHC must be led by a Team Leader who is present on site for the duration of the testing. For systems handling protectively marked material at SECRET, it is highly recommended that customers employ a minimum of 2 CHECK Team Leaders for an ITHC.

In line with the CHECK process, any candidate failing an examination must wait for three months before re-sitting it.

Re-Certification
CHECK Team Member and CHECK Team Leader certifications are valid for three-year periods. If candidates seek to re-certify before the expiry of their current certification period (for example after two years) and fail, their existing certification will be null and void immediately. This applies to CHECK Team Member and within individual CHECK Team Leader specialisms. For example, if a CHECK Team Leader Infrastructure candidate sits and fails an Assessment two years after previously qualifying, they will cease to be a CHECK Team Leader Infrastructure specialist with immediate effect, whilst any existing CHECK Team Leader Web Application specialism will remain unaffected.

More information on the CHECK scheme can be found at www.ncsc.gov.uk.