FW: RE: Licencing of IT security consultants revisited

Brewis, Mark mark.brewis at edl.uk.eds.com
Thu, 10 May 2001 18:15:08 +0100


This appears to have got lost originally...

> -----Original Message-----
> From:	Brewis, Mark 
> Sent:	Thursday, May 10, 2001 3:13 PM
> To:	'ukcrypto@chiark.greenend.org.uk'
> Subject:	 RE: Licencing of IT security consultants revisited
> 
> > -----Original Message-----
> > From: Nexus [mailto:nexus@patrol.i-way.co.uk]
> > 
> > ----- Original Message -----
> > >From: "Q G Campbell" <Q.G.Campbell@newcastle.ac.uk>
> > 
> > >I was wondering about how such vetting and approval might be carried out
> > >but it appears that CESG already operates an accreditation service for
> > >companies who carry out security reviews of other organisations' IT
> > >systems.
> > 
> > This is the CESG/DERA check scheme for accrediting security companies who
> > want to perform IT Security Health Checks on Government networks. ITSHCs
> > are a mixture of penetration test, vulnerability assessment and
> > configuration audit that was created by CESG/DERA in-house.
> 
> CHECK covers Government, Military and CNI organisations.
> 
> > 
> > >Could it be that Straw has it in mind to make it compulsory for all IT
> > >security consultants to be accredited by CESG before they can work in
> > >this field? If so, how might this affect academic research, practice and
> > >publication in this area?
> > 
> > The Check scheme itself would be impractical for this as it targets a
> > specific skillset - ITSHCs and does not train people in general security
> > administration.
> 
> 
> CHECK was designed to cope with a highly specialised area of security
> work, not as the model for something sinister.  I doubt CESG would want
> the job, or have the resources to manage such a task.
> 
> > The Check accreditation is for companies - not individuals
> > as stated by the PSI Bill.
> 
> However, it is based upon the technical skills of individuals employed by
> those companies, who are examined for competency by CESG/DERA.
> 
> 
> > Also there are no background checks undertaken
> > as part of the Check accreditation - it is purely a technical certification.
> >
> 
> Not quite true - CHECK requires individuals to be eligible to work on
> Gov/Mil systems.
> 
> 
> Mark
> 
> Mark Brewis 
> EDS CLEF 
> Information Assurance Group 
> Wavendon Tower, Milton Keynes, MK17 8LX. 
> Tel: 01908 284234 
> e@: mark.brewis@edl.uk.eds.com 
> PGP Key ID: 
> BA44 0B30 74DB EB02 D545 90FE 1BBC E1F6 0F58 F12A 
> 
> Private Opinion expressed may not represent the Views of the Company.
> 
>