Licencing of IT security consultants revisited
Brewis, Mark
mark.brewis at edl.uk.eds.com
Thu, 10 May 2001 15:13:20 +0100
> -----Original Message-----
> From: Nexus [mailto:nexus@patrol.i-way.co.uk]
>
> ----- Original Message -----
> >From: "Q G Campbell" <Q.G.Campbell@newcastle.ac.uk>
>
> >I was wondering about how such vetting and approval might be carried out
> >but it appears that CESG already operates an accreditation service for
> >companies who carry out security reviews of other organisations' IT
> >systems.
>
> This is the CESG/DERA check scheme for accrediting security companies who
> want to perform IT Security Health Checks on Government networks. ITSHCs
> are a mixture of penetration test, vulnerability assessment and
> configuration audit that was created by CESG/DERA in-house.
CHECK covers Government, Military and CNI organisations.
>
> >Could it be that Straw has it in mind to make it compulsory for all IT
> >security consultants to be accredited by CESG before they can work in
> >this field? If so, how might this affect academic research, practice and
> >publication in this area?
>
> The Check scheme itself would be impractical for this as it targets a
> specific skillset - ITSHCs and does not train people in general security
> administration.
CHECK was designed to cope with a highly specialised area of security work,
not as the model for something sinister. I doubt CESG would want the job,
or have the resources to manage such a task.
> The Check accreditation is for companies - not individuals
> as stated by the PSI Bill.
However, it is based upon the technical skills of individuals employed by
those companies, who are examined for competency by CESG/DERA.
> Also there are no background checks undertaken
> as part of the Check accreditation - it is purely a technical
> certification.
>
Not quite true - CHECK requires individuals to be eligible to work on
Gov/Mil systems.
Mark
Mark Brewis
EDS CLEF
Information Assurance Group
Wavendon Tower, Milton Keynes, MK17 8LX.
Tel: 01908 284234
e@: mark.brewis@edl.uk.eds.com
PGP Key ID:
BA44 0B30 74DB EB02 D545 90FE 1BBC E1F6 0F58 F12A
Private Opinion expressed may not represent the Views of the Company.