For more sensitive HMG or CNI systems and occasionally other agreed requirements, the penetration testing service will continue to be provided by experts from the NCSC. However, there may be occasions where it would be permissible for CHECK Service Providers to undertake tests on such systems. Potential customers of the CHECK Service should also note that if the information is not protectively marked then they do not need to specify membership of CHECK in their invitations to tender, and may be challenged if equally competent non-scheme members are prevented from bidding.
All of the CHECK service providers listed have been accredited by the NCSC and are considered capable of providing high quality penetration testing work at or above the minimum standard we set out and in line with our recommended methodology. However, only those that are classified as ‘Green Light’ are allowed to conduct work under the full Terms and Conditions of the CHECK Service. The following definitions apply:
Green Light: The company has at least one full CHECK Team Leader and is able to conduct work under the Terms and Conditions of CHECK
Red Light: The company cannot conduct work under the Terms and Conditions of CHECK due to any of the following reasons:
- The company does not have anyone holding a valid SC clearance
- The company does not have a Team Leader with a valid exam pass
Whilst all members of a CHECK team hold at least Security Check (SC) clearance, we do not sponsor them all. The customer should confirm the individual's claim of security clearance status, and the review date, with the issuing authority. The NCSC is only responsible for the clearances it sponsors.
You should contact your chosen CHECK Service Provider directly and arrange a scoping meeting for the work to be carried out. For details of the service you should expect, please refer to the Service Provision Guidelines. The contract to perform testing of your system is between you and the CHECK Service Provider; the NCSC is not a party to these contracts. To ensure that the work is carried out under the Terms and Conditions of CHECK, it is prudent to stipulate this explicitly in your contract with the company.
Please note that although CHECK Service Providers hold the necessary clearances to work on systems containing information up to, and including, OFFICIAL or OFFICIAL SENSITIVE, not all of them have premises that have been granted List X status. It is imperative that information obtained during testing is properly protected at all times. In the majority of cases this will involve prohibiting the removal of equipment used for the testing off-site unless all storage media have been removed and taken into your custody for local storage.
Where the network tested processes information at up to OFFICIAL or OFFICIAL SENSITIVE, at the end of the test you should ensure that you take ownership of all storage media used by the company during that test. The only exception to this is if the storage media are securely erased after completion of the testing; this should be carried out under your supervision, using an approved overwriting product to the correct standard. If there are any doubts, please consult your Departmental Security Officer, who will be able to advise on the applicable security standards and requirements.
You are also reminded that IPR conditions should be included in your contract with the CHECK Service Provider, ensuring that all information collected or generated during the testing remains the intellectual property of your organisation.