Licencing of IT security consultants revisited

Brewis, Mark mark.brewis at edl.uk.eds.com
Thu, 10 May 2001 18:03:08 +0100


> -----Original Message-----
> From: Jonathan Care [mailto:jonc@lacunae.org]
> Sent: Thursday, May 10, 2001 5:16 PM
> To: ukcrypto@chiark.greenend.org.uk
> Subject: RE: Licencing of IT security consultants revisited

> 
> In fact, nearly all of them do. My concern was not over the training aspect,
> more over the fact that a competitor in the marketplace is certifying its
> fellow competitors. Despite all the good intentions, Chinese walls, that are
> certainly present in DERA/QinetiQ, I see this as a situation introducing
> commercial risk and pressure.
> 
DERA were never solely responsible for this - it was always in partnership
with CESG.  I believe CESG have taken full control, now that DERA/QinetiQ is
commercialised.

Owen Lewis wrote:

>Two things seemed to be muddled up here. CESG, as the responsible department
>of HMG, licences a small and select band of IT companies to undertake for
>HMG the evaluation of IT security products that are voluntarily submitted
>for that purpose. 

Different Scheme.  Evaluation to ITSEC or Common Criteria isn't CHECK.  It
may be the same organisations, although there are more CHECK providers than
CLEFs (CommerciaL Evaluation Facility).

>This is analogous to the Ministry of Transport licensing
>certain motor repair companies to operate govt's (compulsory) MOT checks on
>motor vehicles. 

This analogy isn't correct.  Evaluation is voluntary.  CHECK only applies to
those organisations which are Govt., where it is mandatory under certain
criteria, or who choose to undergo CHECK e.g. CNI.

>Conversely, it is perhaps inevitable that IT security consultants will at
>some point be required to evidence qualification and/or competence to
>practice the trade -  as garage mechanics, doctors, lawyers and others are
>already required so to do in their trades.

Quite possibly; but the CHECK scheme is a Government scheme which exists to
"licence" those who do Government work.  You don't have to join the club if
you don't want to be a member.

Mark

Private Opinion expressed may not represent the Views of the Company.