From: Carrick, Brian A (brian.carrick@eds.com)
Date: Mon Jan 26 2004 - 09:36:10 EST
Andy
The easy way would be to go here and choose one or more 'green light' CHECK providers:
http://www.cesg.gov.uk/site/check/index.cfm?menuSelected=11&displayPage=111
UK Government has already done some of the work for you in that all are considered to be reputable companies and all the green light ones have at least one person that has passed the CHECK assault course. BTW it's difficult. At least I thought so. Historically, I think that only about a third or so pass it.
The list includes contact details to get you on your way.
If geography is an issue, and you can't tell where the company is from the address, you could plug the postcode into multimap. This is where I am, for example:
http://www.multimap.com/map/browse.cgi?client=public&db=pc&addr1=&client=public&addr2=&advanced=&addr3=&pc=MK178LX&quicksearch=mk17+8lx&cidr_client=none
In case you need it, here's some background info on CHECK that I tend to use in proposals:
CHECK is a formal Scheme for penetration testing run by the Communications - Electronics Security Group (CESG - part of GCHQ Cheltenham) on behalf of UK Government. Fundamentally, it provides confidence that penetration tests of UK Government and Critical National Infrastructure (CNI) are performed to an appropriate and exacting standard. Targets that are not part of UK Government nor considered part of the UK's CNI do not qualify for CHECK but will be tested to the same exacting standards.
A penetration test run under the CHECK Scheme is known as an IT Security Health Check (ITSHC).
>From a customer perspective, CHECK provides the following benefits:
* An assurance that the organisation and the individuals performing the ITSHC are sufficiently competent and qualified to perform the ITSHC.
* Oversight of the ITSHC to ensure the test is correctly planned, performed, and reported.
Each organisation proving an ITSHC must be registered with CESG as a CHECK Service provider. Each individual performing an ITSHC must be approved by CESG, which mostly involves checking the individual's clearance and vetting their CV. Each ITSHC must be led by a CHECK Team Leader, a coveted status, obtained by passing an extremely rigorous examination and hacking "assault course" at CESG. Moreover, to attain the status of a 'Green Light' CHECK Provider, the organisation must have at least one CHECK Team Leader. At the time of writing (December 2003), there were 71 CHECK Team Leaders.
Running a penetration test under the CHECK scheme benefits from CESG oversight. As a minimum, CESG will read the final report to ensure that the test has been properly conducted and recorded to an acceptable standard for a CHECK ITSHC. CESG may also choose to witness some or all of the testing. It is CESG's policy to periodically witness an ITSHC to ensure the CHECK provider (EDS Information Assurance in this case) is properly conducting ITSHCs.
Further information on CHECK, including a qualifications checker, may be found on CESG's website:
http://www.cesg.gov.uk/site/check/index.cfm
HTH
Brian Carrick
Penetration Testing Manager
EDS information Assurance
Wavendon Tower
Milton Keynes, MK17 8LX
Phone: +44 1908 284253
Fax: +44 1908 284393
-----Original Message-----
From: Andy Paton [mailto:aoyt78@dsl.pipex.com]
Sent: 25 January 2004 21:54
To: pen-test@securityfocus.com
Subject: How to pick the right company for penetration testing?
Hi Guys & Girls
I have a customer who would like to engage with a security partner for penetration testing service in the UK.
I'm in a position to recommend a company and would like to know, what credentials/information/references should I ask for from a company who offers such services.
Regards
AP
P.S. I don't mind obvious touting for business (I will only pick a UK company)
---------------------------------------------------------------------------
----------------------------------------------------------------------------
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:46 EDT