Mike, This is the official explanation I got about CHECK:

Protective Marking: UNCLASSIFIED

Further to your request, I am pleased to enclose some background information about the CESG IT Health CHECK Service.



The CHECK Service



CHECK is an initiative designed to meet the increasing demand for IT health check services within HMG and the wider public sector. In a world which relies increasingly on IT systems, security breaches are becoming commonplace. CHECK aims to combat this by linking the unique Infosec knowledge of CESG with the expertise and resources of the private sector, thus creating a pool of private sector companies who are qualified to provide IT security health check services to government in line with HMG policy.



Membership of the Service is open to all private sector companies who meet the qualifying requirements and agree to the membership conditions. Service costs are recovered through an annual subscription fee.



Membership



Membership of CHECK entitles your company to a range of services including the following:



• Promotion of the CHECK Service to a wide customer base;
• Listing of your company on our web site;
• The opportunity to take the highly regarded CHECK Service Assault Course, a rigorous test of penetration testing skills in which experts from CESG assess a candidate's ability. Access to this test is limited to CHECK Service members only;
• Access to a range of support material, including relevant HMG policy and guidance and UK government CERT (UNIRAS) reports;
• Specialist briefings on topics of interest to the IT Health check community;
• Advice on respected vulnerabilities sources;
• Access to advice and assistance on the application of CHECK Service Guidelines;
• Sponsorship and maintenance of security clearances where required;
• Updates on new developments through newsletters and e-mails.



The cost for membership (Firm Non-Refundable Price) is £7000.00 (VATEX). This covers a twelve month period commencing on the date that we receive confirmation of your acceptance of the contract terms and conditions and includes one free place on the CHECK Service Assault Course (subject to normal booking conditions).



Application



E-mail [EMAIL PROTECTED] for an application pack. In completing the application you will be required to provide the following information:



Company Background



In support of your application you will be requested to provide details of relevant company background to include:

• Details of your company methodology. This should be a detailed description of how your company conducts IT Security Health Check work and should include information on initial scoping and the tools and techniques you employ.
• The number of health checks undertaken by your company in the last 12 months. Any company applying for CHECK membership must have conducted IT Security Health Checks in that company name for a minimum of twelve months;
• Copies of at least two reports of IT Health Check work conducted by your company, covering scope, findings, results, etc. (copies of customer reports will be treated as confidential and, if required, returned after selection. We understand that there may be issues concerning disclosure and are happy to accept sanitised documents omitting company names, IP addresses etc). The reports submitted should demonstrate the company's experience in testing complex, heterogeneous networks. Tests should not be overly dependent on automatic scanning tools. Results from such tools should be backed up by manual tests. The submitted reports will also be assessed for the quality of the recommendations provided to the customer based on the test results.
• We will also require two independent references from companies/organisations for which your company has conducted IT Security Health Check work;





You will also be requested to supply details of current and proposed company quality procedures (eg ISO accreditation) and how these will be applied to work undertaken as a CHECK Service Provider.



Staff Resources



You will need to identify all employees who will conduct IT health checks under the terms of CHECK. You may include as many of your staff as you wish, although each one must be able to demonstrate a sound background in IT health check work. You will need to include:



• Full name;
• Date of birth;
• Nationality (All members of an IT Health CHECK team must be British nationals).



We will require a CV outlining relevant qualifications and relevant IT health check experience for each individual.



At least one member of the Health Check team will be required to attend and pass the CHECK Service Assault Course before the team will be eligible to conduct unsupervised work under the CHECK Service. All other team members should expect to work towards successful completion of the Assault Course in the future. The Assault Course is a rigorous half-day assessment designed to test the competence of individuals wishing to lead and supervise IT health checks. Attendance on this course costs £750.00. Places are only available to current scheme members.



Selection



A panel of CESG personnel will review the candidates identified for conducting IT health check work under CHECK and confirm their suitability. We will also confirm their current security clearance level and initiate clearance procedures where necessary.



The Contract



You will receive a copy of the Terms and Conditions of Contract and Service Provision Guidelines as part of the Application Pack. Once we have received your application and can confirm you meet all of our qualifying requirements, we will send a Contract Acceptance Form. This should be signed by an appropriately authorised member of your organisation. Your contract year will begin when CESG receives the signed Contract Acceptance Form.



Further Information



If you have any questions about the application process or any other aspect of the CHECK Service, please contact me or any member of the CHECK support team.





Wendy Taylor

CHECK Service Administrator




