CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS


General

Q: What is the Cyber Security Incident Response (CSIR) Scheme?
A: A broadly based scheme led by CREST and endorsed by GCHQ and CPNI, which focuses on appropriate standards for incident response aligned to demand from all sectors of industry, the wider public sector and academia.

Q: What is the Cyber Incident Response (CIR) scheme?
A: A small and focused Government-run Cyber Incident Response scheme certified by GCHQ and CPNI, responding to sophisticated, targeted attacks against networks of national significance.

Q: Why have these schemes been launched?
A: All indications are that the level, sophistication and frequency of cyber security attacks are increasing. It has been accepted that the national security authorities do not have the capacity to directly support private sector organisations or government departments where the nature of the attack does not suggest a risk to national security. It was therefore decided that a much more collaborative approach would be required, with strong, well-defined links between industry and government. The schemes, CIR and CSIR, have therefore been launched to enable all those organisations that may be victims of cyber-attack (SMEs, national and multinational industry, the CNI, the wider public sector and central government) to source an appropriate incident response service tailored to their particular needs. CREST Cyber Security Incident Response Members with access to qualified personnel will provide recovery and clean-up services to the majority of organisations and government departments, allowing GCHQ and CPNI to focus on the attacks that have a potential impact on national security.

It is also the case that organisations suffering a cyber security attack do not know where to go for help, have no way of assessing the quality of those helping them, nor the security arrangements and support provided by the organisations they work for. The CREST register of cyber security incident response organisations, the CREST qualifications and the CIR scheme will provide a much greater level of confidence to the buying community.

Q: Why have government and industry collaborated in this initiative?
A: Government and industry have worked closely on a number of schemes and initiatives related to cyber security. It is recognised that lessons learnt from one type of attack will be of great value to a wide range of organisations. Working collaboratively provides both scale and quality to combat cyber security attacks.

Q: What is the relationship between CESG/CPNI and CREST?
A: CESG and CPNI have reviewed CREST's Cyber Security Incident Response (CSIR) scheme and endorsed it as setting appropriate processes, procedures, governance, qualifications, skills and experience to provide effective incident response for a significant proportion of cyber incidents. They have discussed the standard used for the scheme with CREST and endorsed the scheme as providing an appropriate standard for effective incident response.

Q: Will there be any other bodies apart from CREST endorsed by CESG and CPNI?
A: CESG has conducted a review of the market and there are not currently any other organisations that could provide these types of services today, namely technical examinations in Cyber Incident Response and company assessment. CESG has worked closely with CREST in the past on penetration testing and security architecture examinations, and the CREST and CHECK schemes are well aligned. Whilst CREST is the only scheme currently endorsed, there is no restriction on other such bodies gaining endorsement in this important area, both locally and internationally.

Q: Who can join the CSIR Scheme?
A: Any quality organisation providing cyber security incident response services. There is no restriction on size, where the organisation is domiciled or what specific industry sectors they work in. Becoming a member of the Scheme is not trivial: organisations will be required to pass a comprehensive assessment process demonstrating their knowledge and application in this area, their ability to protect client-based information and their willingness to sign up to a comprehensive code of conduct.

Q: Who can join the CIR Scheme?
A: In addition to requirements similar to those of the CSIR Scheme, an organisation will be required to provide additional contractual information, demonstrate its ability to work on projects with a national security bias and have access to staff capable of meeting national security requirements.

Q: Is it a two tier scheme?
A: No, it is not a two-tiered scheme. There is no implied indication that one scheme is more comprehensive, nor that the companies or individuals are more capable or better qualified. The difference is that those in the CIR scheme have the necessary attributes to deal with a very specific set of threats in a particular context. It is not implied that the cyber security incidents experienced by private sector organisations or government departments require any less capability.

Q: Is membership of the CSIR Scheme a prerequisite for joining the CIR Scheme?
A: There are no prerequisites for membership of the CIR Scheme; however, organisations that have met the stringent CREST requirements will be in a much stronger position to demonstrate their capability during the selection process.

Company Application Process

Q: What is the process for applying for the CSIR scheme?
A: Organisations wishing to join the CSIR Scheme will need to sign a Non-Disclosure Agreement (NDA) with CREST. On receipt of the signed NDA, CREST will issue an application form. The organisation will be required to complete all parts of the application and submit it to CREST. The application will be reviewed in detail and, where necessary, areas of concern will be highlighted in a formal letter to the applicant company. Once the paper application has been completed to a satisfactory standard, a site visit will be required to validate the claims made on the application and to remind the organisation of its obligations under the code of conduct. Once this has been completed and the membership payment received, the company will be entered onto the CREST register under the Cyber Security category.

Q: Is the process the same for existing CREST penetration testing member companies?
A: Many of the questions regarding the quality of the service and the policies, processes and procedures for the protection of client-based information will already have been completed and assessed. Existing CREST Penetration Testing Member companies will also have already signed up to the CREST code of conduct and signed an NDA. An existing member company should therefore request an application form and will be required to complete the sections relating to the Cyber Security Incident Response service. Once completed, this section will be reviewed and assessed in line with the process for new members as outlined above.

Q: Is the process the same for existing CREST penetration testing member companies? [cont'd.]
A: There have been some updates to the existing CREST application form. All existing CREST organisations will be required to complete the new application form as part of their three-year renewal cycle. The new questions reflect recognised best practice and therefore organisations should consider completing all parts of the new form. Details of the process are described on the CREST website or from new

Q: Who will conduct the CREST company assessments?
A: CREST fully recognises the sensitivity of the material provided as part of the company assessment process. All applications submitted to CREST are seen only by CREST-employed staff. No information regarding the submission of an application, nor any correspondence relating to the application process, is passed to the member company representatives on the CREST Executive or to any other parties. The member company representatives on the CREST Executive have no part in the decision to award or not to award CREST membership.

Q: What is the process for joining the CIR scheme?
A: See the CESG website.

Q: Is membership of the CSIR scheme a mandatory requirement for the CIR scheme?
A: There is no prerequisite for a CIR company to have first passed the CSIR assessment; however, organisations that have met the stringent CREST requirements will be in a much stronger position to demonstrate their capability during the selection process.

Q: What are the costs for the CIR Scheme?
A: Potential Scheme Members: for companies that can demonstrate that they meet the CIR requirements and are existing CHECK companies there will be a minimal charge of £1 plus VAT for companies certified during FY 2013/14. Whilst future fees will be kept to a minimum, CESG reserves the right to increase the cost of CIR membership in subsequent years.

For companies that can demonstrate that they meet the CIR requirements and are not existing CHECK companies there will be an initial charge of £7,500 plus VAT. These companies will derive the same benefits as existing CHECK companies. In subsequent years the cost will be kept in line with the CHECK scheme. CESG reserves the right to levy an additional cost for ongoing CIR membership.

Q: What are the costs for the CSIR Scheme?
A: CREST company membership is £7,000 plus VAT per annum. For existing CREST member companies there will be no additional membership charge, although an administration fee of £250 plus VAT will be levied against existing CREST members seeking assessment under the additional CSIR category. For companies that are not current CREST members but would like to be CSIR members, the annual fee after passing the company assessment will be £7,000 per annum. This will provide the company with all the existing CREST member benefits.

Q: What is the renewals process for the CIR Scheme?
A: Annual renewal is detailed in the contract document.

Q: What is the renewals process for the CSIR Scheme?
A: After the initial assessment there will be an annual renewal. This is designed to be relatively easy to complete and looks to validate certain essential elements of the membership process, confirm agreements between the company and CREST and provide an update where existing policies, processes and procedures have been amended or improved. Given that this is a new scheme, there may be some additional questions to answer over and above the initial assessment. These will be based on experience of operating the scheme. There is no charge for this annual review. Every three years the company will be subject to a full assessment requiring a full resubmission. There will be an assessment fee of £400 plus VAT for this.

Q: When will the CSIR scheme have company members?
A: CREST has been publicising the scheme to existing CREST members, the companies that were part of the CIR trial and others who it is believed have a capability in this area. A number of submissions have already been received and the process of reviewing them has commenced. It is our intention to be in a position to formally announce the first wave of memberships at the end of September. This cannot be guaranteed, as we do not currently know who, if any, will be able to pass the CREST assessment. We would prefer to do it this way as it will create more of an announcement, but more importantly it will not allow any one organisation to say that they were first to market.

Q: When will the new CIR scheme announce members and will the existing four companies continue to be included?
A: CIR was announced on 13 August. The original four pilot companies are all required to reapply under the new CIR requirements.

Q: Will the application process be continual or will there be set times for companies to apply for CSIR membership?
A: CREST accepts applications for company membership, and membership applications to be included in the CSIR Scheme, throughout the year.

Q: Will the application process be continual or will there be set times for companies to apply for CIR membership?
A: Continual.

Q: What qualifications are currently available that are recognised under the new schemes?
A: There are four qualifications available from CREST that relate to this area of business.

The first is the CREST Registered Intrusion Analyst (CRIA). The CRIA examination tests a candidate's knowledge across host- and network-based malware analysis and reverse engineering of a malware attack. This examination has been designed for individuals with in the region of 6,000 hours of relevant and frequent experience in this area. It will expect candidates to have an in-depth understanding of certain parts of the intrusion analyst role and a good broad understanding of all aspects. It will expect the candidate to be able to work in this area independently of support.

The next is the CREST Certified Host Intrusion Analyst (CCHIA). The CCHIA examination has been designed for individuals with in the region of 10,000 hours of practical and relevant experience. It tests candidates' knowledge of analysing Windows hosts for evidence of potential compromise.

The CREST Certified Malware Reverse Engineer (CCMRE) identifies at a high level a candidate's ability to reverse engineer malware, particularly remote access Trojans. It also includes a core skills exam covering network and host intrusion. The candidate will be expected to possess not only the technical ability to find security weaknesses and vulnerabilities, but also the skills to ensure findings are presented in a clear, concise and understandable manner. The CCMRE examination has been designed for individuals with in the region of 10,000 hours of practical and relevant experience.

Q: What qualifications are currently available that are recognised under the new schemes? [cont'd.]
A: The last is the CREST Certified Network Intrusion Analyst (CCNIA). The CCNIA examination tests candidates' knowledge and expertise in analysing data sources for evidence relating to potential network compromise. It has been designed for individuals with in the region of 10,000 hours of practical and relevant experience. Details of all of these examinations can be found on the CREST website.

CREST is also working with industry and government on another examination, for a Senior Cyber Security Incident Response Manager role. It is planned to have this examination formally launched before the end of the year.

Q: Are there any specific roles that relate to the schemes and will they be mandatory?
A: All of the intrusion analyst and malware reverse engineering roles described above are relevant to the schemes. There will be other qualifications in areas such as forensics and business continuity management that may well be required in order to form an effective team to facilitate certain types of recovery. Having direct access to individuals holding these types of qualifications will be viewed as beneficial but will not currently be mandatory. Once the Senior Cyber Security Incident Response Manager examination has been formally launched, the intention is to make this a mandatory role within the CIR Scheme within a year of the launch. It is likely that the CREST CSIR Scheme will follow a similar route but may allow an individual to contract to an organisation. If this approach is adopted, an individual will only be allowed to be associated with one member organisation. They will be responsible for the conduct of all members of the team that they are responsible for. It will be clear from the CREST website which qualifications member companies have within their organisation.

Q: When will the Senior Cyber Security Incident Manager examination be available?
A: By the end of the year. Alpha and beta testing will have been conducted prior to this date.

Individual Consultants

Q: What will be the criteria for sitting the Senior Cyber Security Incident Response Manager examination?
A: There are no plans for any prerequisites for sitting the new Senior Cyber Security Incident Response Manager examination. It is, however, being designed for individuals with 10,000 hours' experience in the management of significant technical incidents. Individuals will have to be technically competent, understand technical risks and be able to assemble and manage teams to deal with a wide range of technical attacks. It is also likely that there will be soft skills requirements that not only allow them to manage the team effectively but also to deal with senior management and the media.

Q: Will any other qualifications be recognised by the two schemes?
A: Specific qualifications in other related areas are being considered, particularly in related disciplines; however, currently no other qualifications are recognised under the CSIR Scheme. Further analysis will be carried out within the UK and internationally.

Q: Who will set and administer the Senior Cyber Security Incident Response Manager role examinations? How are the Assessors selected?
A: As a certification organisation, CREST operates a small network of Assessors drawn from CREST Member Companies to manage the examination process. This includes collectively devising syllabus content, invigilating, marking and generally operating the exam environment on behalf of CREST. The Assessors jointly comprise the CREST Assessors Panel. When new Assessors are required, either as replacements for previous incumbents or as an additional resource, the CREST member company main points of contact and previous successful candidates from within member companies are contacted in writing seeking CVs with letters of application from individuals with current CREST Certified Tester (CCT) qualifications who are interested in taking on the role.

Potential Assessors are invited to explain:
- Their experience within the industry and examples of team leadership;
- Their technical skills and how these could help the progression of the CREST assessments and rigs;
- Details of other technical areas that could be championed within the Assessors group (e.g. mobile, code review, wireless, architecture, etc.);

Q: Who will set and administer the Senior Cyber Security Incident Response Manager role examinations? How are the Assessors selected? [cont'd.]
A: Potential Assessors are also invited to explain:
- A confirmation of their ability to commit the requisite resource to the CREST Assessors group.

There is a limit of two Assessors per CREST Member Company. Once applications have been received, the Chair and Vice-Chair of the Assessors Panel will review and score them using a predefined weighting scheme. CREST pays for the services of the Assessors and requires them to sign a specific NDA relating to the services required.

Q: How much are the existing CREST intrusion analysis and malware reverse engineering examinations?
A: The CREST Registered Intrusion Analyst examination costs + VAT. CREST Certified Tester examinations (NIA, HIA, MRE) cost £1,600 + VAT.

Q: How much will the Senior Cyber Security Incident Manager examination cost to sit?
A: This has not been formally agreed but is likely to be aligned with existing CREST Certified level examinations.

Q: How do I book for the examinations?
A: Bookings for the existing examinations can be made by email to admin@crest-approved.org. CREST would be willing to take pre-bookings for the Senior Cyber Incident Response Manager examination, although it will obviously not be possible to confirm a date. There may also be opportunities for participating in the alpha or beta testing of the examinations. Successes in the alpha and beta testing will be recognised under the scheme; there may, however, be a requirement to provide structured feedback on the examination content, detail and timings.

Q: Is there an annual membership for individuals?
A: There is no requirement for an annual fee for individuals who have passed the CREST examinations. All those who have passed the examination do, however, receive CREST benefits including attendance at CRESTCon, access to CREST workshops, access to CREST research material, etc. As with all other CREST qualifications there is a requirement to re-sit the examination every three years to ensure the currency of knowledge and application.

Q: Is there a requirement for CPDs?
A: Under the CREST scheme there are currently no requirements to provide evidence of CPDs. Currency of knowledge, skill and competence is assessed by retaking the examination after three years.

Q: How can I prepare staff to be in a position to sit the existing cyber security incident response examinations?
A: Whilst the need to manage technical security incidents has existed for a relatively long time, some of the knowledge and skill required to manage some cyber security attacks is still evolving. There is not currently a recognised body of knowledge from which potential candidates can draw. The CREST syllabus will provide a basis for an individual to assess whether they have knowledge, skill and competence in the required areas. CREST is working to provide access to state of the art research and case study material. It is also hoped that access to information provided by UK CERT will also be available.

In penetration testing, CREST is working with e-skills to establish agreed development pathways. These pathways will be used to help an individual create a professional development plan based on training, personal research and experience. This will also be used to assess training courses and to try to stimulate training activity in the market. The same approach will be adopted for the intrusion analysis, malware reverse engineering and incident management roles. CREST will also be willing to provide access to Assessors who will talk through the requirements of the examinations, without providing any hints, tips or guidance on examination questions.

Q: Are there any requirements to employ staff with specific qualifications?
A: The position is as described under "Are there any specific roles that relate to the schemes and will they be mandatory?" above. All of the intrusion analyst and malware reverse engineering roles are relevant to the schemes. Other qualifications, in areas such as forensics and business continuity management, may well be required to form an effective team for certain types of recovery; direct access to individuals holding them will be viewed as beneficial but is not currently mandatory. Once the Senior Cyber Security Incident Response Manager examination has been formally launched, the intention is to make this a mandatory role within the CIR Scheme within a year of the launch. The CREST CSIR Scheme is likely to follow a similar route but may allow an individual to contract to an organisation; if this approach is adopted, an individual will only be allowed to be associated with one member organisation.

Q: Are there any requirements to employ staff with specific qualifications? [cont'd.]
A: It will be clear from the CREST website which qualifications member companies have within their organisation.

Q: When will it become mandatory to employ a cyber security incident manager to be part of the CIR scheme?
A: One year after the formal introduction of the examination.

Q: Is there a requirement to carry a national security clearance?
A: There is no requirement to hold a national security clearance to take any CREST examinations. There is no requirement for a CREST member company to be able to issue government security clearances under the CSIR scheme. As part of the audit there is a requirement to demonstrate effective personnel vetting in line with standards such as BS 7858. For the vast majority of work in the private sector there is no requirement for an individual to carry a national security clearance. Where the incident investigation and clean-up services are being provided to a government department operating at IL3 or below there is no requirement for a national security clearance. For government departments operating above IL3 there will be specific clearance requirements. Given the nature of the information handled, companies certified for the CESG/CPNI CIR scheme require at least one member of staff to be DV cleared. Where a company meets all requirements except DV clearance, a suitable candidate from the company will be sponsored for DV clearance.

Q: Will it be mandatory to employ a Senior Cyber-Security Incident Manager under the CSIR scheme?
A: Not currently; the position is as described under "Are there any specific roles that relate to the schemes and will they be mandatory?" above. Intrusion analyst and malware reverse engineering roles are relevant to the schemes, and qualifications in areas such as forensics and business continuity management may be required to form an effective team; direct access to such individuals is beneficial but not yet mandatory. Once the Senior Cyber Security Incident Response Manager examination has been formally launched, the intention is to make this a mandatory role within the CIR Scheme within a year of the launch. The CREST CSIR Scheme is likely to follow a similar route but may allow an individual to contract to an organisation; if this approach is adopted, an individual will only be allowed to be associated with one member organisation.

Q: Will it be mandatory to employ a Senior Cyber-Security Incident Manager under the CSIR scheme? [cont'd.]
A: It will be clear from the CREST website which qualifications member companies have within their organisation.

Q: Will CSIR Scheme members be able to provide cyber incident response and clean-up services to UK Government Departments?
A: Yes. The scheme has been designed by a group representing the supply industry and the government and private sector buying communities. It has then been reviewed and endorsed by CESG and CPNI. At IL3 and below any CREST Cyber Security member company can provide services. Above IL3 there will be other specific requirements laid down by CESG.

Q: What are the costs of joining the CIR scheme?
A: CREST company membership is £7,000 plus VAT per annum. There is a £400 plus VAT assessment fee for company membership. This includes all support and liaison with CREST regarding the application. The fee will cover both Cyber Incident Response membership and Penetration Testing membership; there is no discount for applying for only one of the membership categories. For existing CREST member companies there will be no additional membership charge, although an administration fee of £250 plus VAT will be levied against existing CREST members seeking assessment under the additional CSIR category. On successful completion of the assessment there is an annual charge of £7,000 plus VAT; this provides the organisation with all the benefits associated with CREST membership. Every three years the company will be subject to a full assessment requiring a full resubmission. There will be an assessment fee of £400 plus VAT for this re-assessment. There is an annual fee associated with award of a certification mark, along similar lines to other CESG certified services. This will be reviewed annually. For companies certified during FY 2013/14 this will be £1 plus VAT.

Companies Looking For Cyber Security Incident Response Service

Q: Under the CSIR scheme will there be any requirement to provide information on incidents to GovCert or any other security bodies?
A: No, there will be no requirements, with the exception of where there is a legal requirement to report certain types of information. No information will be provided to any government authority of the fact that an incident is being investigated or of any details of the incident. CREST does, however, work closely with GovCertUK and other similar organisations and would, where possible, recommend that some anonymised information is provided for the common good of enhancing cyber security, taking account of confidentiality.

Q: Will it be possible to contract cyber incident response services under existing government procurement frameworks?
A: CREST, CESG and CPNI are discussing this and will keep members of both schemes informed of progress.

Q: Will the companies within the CSIR Scheme be allowed to use contractors?
A: Under the CSIR Scheme it will be possible to utilise contracted staff to help make up the recovery and clean-up teams. The organisation should look to contract CREST-qualified contractors, as these will be bound by the CREST individual code of conduct and therefore will have to adhere to the policies, processes and procedures of the member company. In the same way there will be an obligation on the CREST member company to inform the contractor of the company's policies, processes and procedures and to ensure compliance. As this type of contract is often procured very quickly, it is recommended that a CREST member company has pre-trained potential contracting staff or has a process for a quick-start induction. There may in the future be a requirement to employ or have direct access to a Senior Cyber Security Incident Response Manager.

Q: Can more than one CREST company work in consortia to deliver these types of services?
A: There would be no problem with this, and the Scheme has been designed to recognise that very few companies will have the full range of services required to deal with a major cyber attack. Working with other CREST registered companies would generally work better than working with others outside of the Scheme, as the common code of conduct will apply and assurances on important aspects such as contractual arrangements, scope and protection of client information will already have been assessed. It will be possible from the CREST website to see the capabilities of other CREST member companies.

Q: Under the CIR scheme will there be any mandatory requirements to report incidents to any other regulatory bodies?
A: In the interests of enhancing cyber security and enabling CESG and CPNI to support incident response companies, service providers and organisations affected by cyber incidents are encouraged to share technical information with CESG about incidents. This exchange of information will take into account any confidentiality agreements between organisations and service providers. Direct engagement of a Service Provider by an organisation does not require CESG or CPNI to be notified, although organisations and service providers are encouraged to do so.

Q: Can more than one CIR Scheme member work in consortia to deliver the required services?
A: Yes, providing the component consortium companies meet the criteria.

Q: Can a CIR Member Company work in consortia with a CREST member company to deliver the required services?
A: Depending on the level or severity of the incident and the clearances that may be required, and provided also that the CREST Member Company is a CSIR Scheme member, it would be acceptable.

Q: How will it be possible to differentiate between incidents that are appropriate for the CSIR scheme and those that should be passed to the CIR scheme?
A: In essence, the CREST CSIR scheme encompasses SMEs, national and multinational industry, the CNI, the wider public sector and central government. The CESG CIR scheme will respond to sophisticated, targeted attacks against networks of national significance. Therefore, for the majority, if an incident has a potential impact on any element of national security, including critical infrastructure or national prosperity, it will be handled under the CIR Scheme. That does not mean that CREST member companies will not be involved, if they possess the necessary credentials.

Q: I am a private sector company and have experienced a cyber-attack. What scheme should I utilise?
A: In the first instance, approach a CREST Cyber Security Incident Response Member Company. Their integrity should be trusted: if it is an incident outside of their sphere of expertise or qualification, they will refer you.

Q: I am part of the critical national infrastructure and have experienced a cyber-attack. What scheme should I utilise?
A: Companies who run Critical National Infrastructure networks are recommended to use the CIR service in order to benefit from the assured procurement that it offers.

Q: I am a government department and have experienced a cyber-attack. What scheme should I utilise?
A: In the first instance, approach a CREST Cyber Security Incident Response Member Company. Their integrity should be trusted: if it is an incident outside of their sphere of expertise or qualification, they will refer you. In the selection of a suitable company, national security requirements should be considered where the information is at IL3 and above.

15 I am a government department and have experienced a cyber-attack. What scheme should I utilise? [cont d.] Does the CSIR scheme operate on an international basis? If GCHQ finds evidence of a Cyber incident in a Government or CNI organisation, depending on the severity the affected organisation may be informed by GovCERTUK or CPNI. It is then be up to that organisation to identify and undertake any remediation activity, which may or may not include engaging the technical assistance of a security provider. CESG/GovCertUK/CPNI expect to receive feedback on the remedial action taken. Some CREST Member Companies have international operations. This requirement should be stated during initial contact with a service provider in the event of an incident. CREST Member Companies that are CSIR Scheme members should state this capability. CREST international chapters and overseas affiliates will be fully informed of the schemes. How do I identify what company I should use to help me recover from a cyber-security incident? Consumer organisations should look for the following from a reputable commercial supplier: People who are trained and proficient (experienced) Clear, repeatable methodology Appropriate tools for the technology Cyber insurance and liability insurance Relevant understanding of current environments may be sector specific Ability to contract in additional cyber specialisms if required Accreditations aligned to industry standards Necessary qualifications/ability (eg. 
clearances) to work within client s environment A clear, shared understanding of the scope regarding skills, output - and a matched breadth of business An upfront service delivery schedule with the necessary detail (which should be transparent whether there is a managed service in place or not) - and include a minimum/baseline standard (or common framework) to ensure expectations are met Transparency and independence of service offering a distinction between a managed service and an incident response service.

16 How do I identify what company I should use to help me recover from a cyber-security incident? [cont d.] All organisations should put a mutual NDA in place from the outset to cover initial conversations. The Guide needs to highlight this as an essential prerequisite. A CREST Guide to procuring cyber security incident response services will be published by the end of If you would like to pre-reserve a copy of this guide please admin@crest-approved.org What does the CSIR code of conduct provide? Is there any guidance on how to select a suitable supplier from the CSIR register? The CREST Code of Conduct describes the standards of practice expected of CREST Member Companies providing technical information security services and offers assurance of the qualifications and integrity of member companies and their CREST Qualified employees. It also contains the guarantee of a robust complaints handling process in the unlikely event of any problems. Consumer organisations should look for the following from a reputable commercial supplier: People who are trained and proficient (experienced) Clear, repeatable methodology Appropriate tools for the technology Cyber insurance and liability insurance Relevant understanding of current environments may be sector specific Ability to contract in additional cyber specialisms if required Accreditations aligned to industry standards Necessary qualifications/ability (eg. clearances) to work within client s environment A clear, shared understanding of the scope regarding skills, output - and a matched breadth of business An upfront service delivery schedule with the necessary detail (which should be transparent whether there is a managed service in place or not) - and include a minimum/baseline standard (or common framework) to ensure expectations are met Transparency and independence of service offering a distinction between a managed service and an incident response service. 
All organisations should put a mutual NDA in place from the outset to cover initial conversations. The Guide needs to highlight this as an essential prerequisite.

17 Is there any guidance on how to select a suitable supplier from the CSIR register? [cont d.] Is there any guidance available to help me to prepare for managing a cyberattack? A CREST Guide to procuring cyber security incident response services will be published by the end of To be effectively prepared, you should be able to determine the criticality of your key assets; analyse threats to them; and implement a set of complimentary controls to provide an appropriate level of protection. Considering the implications of people, process, technology and information; you can then update your cyber security response capability and review your state of readiness in cyber security response. A CREST Cyber Security Incident Response Guide will be published by the end of Are the existing roles part of the CESG Certified Professional (CCP) Scheme? Will the new Cyber Security Incident Response Manager Role be part of the CCP scheme? Who derived the requirements for company membership of the CSIR scheme? Who derived the requirements for the company membership of the CIR scheme? Who derived the requirements for the company membership of the CIR scheme? [cont d.] The current CCP scheme does not include the roles described in this FAQ. There is however a plan to include all IA roles under the scheme in some form so as the roles mature it is likely that they will be included. It is likely that some of the existing participants under the CCP scheme would be capable of applying for the roles described. The current CCP scheme does not include the Senior Cyber Security Incident Response role. There is however a plan to include all IA roles under the scheme in some form so as the roles mature it is likely that they will be included. It is likely that some of the existing participants under the CCP scheme would be capable of applying for this role. 
A team drawn from industry and government experts in the CSIR field devised the questions and identified the optimum answers against which applicants are assessed. The selected team had to provide evidence of their expertise in this area prior to being allowed to participate. Determination of requirements for the CESG/CPNI scheme was led by CESG in its role as National Technical Authority for IA, drawing on the experience and contribution of GovCERTUK and CPNI.

18 Who developed the syllabus and examination for the existing examinations? A team drawn from industry and government experts in the various fields devised the questions. The team had to provide written evidence of their expertise in this area. All participates had to sign an NDA regarding the information provided for the examinations. Separate teams where utilised so that no members had access to all information. Where short or long form written questions were devised, the team also identified the optimum answers against which candidates are assessed. A series of alpha and beta examinations with volunteer candidates were also held and any appropriate observations were fed back into the syllabus. The syllabus and detail was also assessed by CESG. Who is developing the syllabus and examination for the Senior Cyber Security Incident Response Manager examination? A team drawn from industry experts in the CSIR field devised the questions. The team had to provide written evidence of their expertise in this area. All participates had to sign an NDA regarding the information being provided for the examination. Where short or long form written questions are required the team will also identify the optimum answers against which candidates are assessed. A series of alpha and beta examinations with volunteer candidates will also be held and any appropriate observations will be fed back into the syllabus. CESG, CPNI and GovCert are participating in the development of the syllabus and detailed questions. I need more information where can I go? CREST Tel: admin@crest-approved.org Web: CESG Tel: enquiries@cesg.gsi.gov.uk Web:


More information

CP14 ISSUE 5 DATED 1 st OCTOBER 2015 BINDT Audit Procedure Conformity Assessment and Certification/Verification of Management Systems

CP14 ISSUE 5 DATED 1 st OCTOBER 2015 BINDT Audit Procedure Conformity Assessment and Certification/Verification of Management Systems Certification Services Division Newton Building, St George s Avenue Northampton, NN2 6JB United Kingdom Tel: +44(0)1604-893-811. Fax: +44(0)1604-893-868. E-mail: pcn@bindt.org CP14 ISSUE 5 DATED 1 st OCTOBER

More information

1. Why did MICPA and ACCA enter into this agreement?

1. Why did MICPA and ACCA enter into this agreement? ACCA to MICPA FAQs 1. Why did MICPA and ACCA enter into this agreement? This Mutual Recognition Agreement (MRA) strengthens the already excellent relationship between the two bodies. It provides a route

More information

SCC Information Assurance Practice, CLAS Consulting, Check Testing and Accreditation Services

SCC Information Assurance Practice, CLAS Consulting, Check Testing and Accreditation Services SCC Information Assurance Practice, CLAS Consulting, Check Testing and Accreditation Services Contents 1 Introduction...2 2 IA, CLAS Consulting and CHECK Testing...3 3 Information Assurance...4 4 Accreditation...5

More information

ICT and Information Security Resources

ICT and Information Security Resources Methods GCloud Service Definition ICT and Information Security Resources HEAD OFFICE: 125 Shaftesbury Avenue, London WC2H 8AD Scottish Office: Exchange Place 2, 5 Semple Street, Edinburgh, EH3 8BL t: +44

More information

MANAGE THIRD PARTY RISKS

MANAGE THIRD PARTY RISKS SECURITY FOR INDUSTRIAL CONTROL SYSTEMS MANAGE THIRD PARTY RISKS A GOOD PRACTICE GUIDE Disclaimer Reference to any specific commercial product, process or service by trade name, trademark, manufacturer,

More information

Digital Industries Apprenticeship: Assessment Plan. Cyber Security Technologist. April 2016

Digital Industries Apprenticeship: Assessment Plan. Cyber Security Technologist. April 2016 Digital Industries Apprenticeship: Assessment Plan Cyber Security Technologist April 2016 1 Digital Industries Apprenticeships: Assessment Plan 1. General Introduction and Overview The apprenticeship Standard

More information

Awarding body monitoring report for: English Speaking Board (International) Ltd (ESB) May 2009. Ofqual/09/4637

Awarding body monitoring report for: English Speaking Board (International) Ltd (ESB) May 2009. Ofqual/09/4637 Awarding body monitoring report for: English Speaking Board (International) Ltd (ESB) May 2009 Ofqual/09/4637 2009 Office of the Qualifications and Examinations Regulator 2 Contents Introduction...4 Regulating

More information

erisks Policyholder s Guide to Privacy & Security Breach Response Planning

erisks Policyholder s Guide to Privacy & Security Breach Response Planning erisks Policyholder s Guide to Privacy & Security Breach Response Planning Professional Indemnity Financial Institutions Directors & Officers Management Liability Medical Malpractice Media Liability Level

More information

BYOD Guidance: Architectural Approaches

BYOD Guidance: Architectural Approaches GOV.UK Guidance BYOD Guidance: Architectural Approaches Published Contents 1. Service separation 2. Scenario 1: Exposing internal web applications 3. Scenario 2: Exposing email, calendar and contacts This

More information

Business Continuity Policy and Business Continuity Management System

Business Continuity Policy and Business Continuity Management System Business Continuity Policy and Business Continuity Management System Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain

More information

Programme Specification for MSc Applied Sports Performance Analysis

Programme Specification for MSc Applied Sports Performance Analysis PROGRAMME SPECIFICATION Postgraduate Courses Programme Specification for MSc Applied 1. Awarding institution/body University of Worcester 2. Teaching institution University of Worcester 3. Programme accredited

More information

Audit and Performance Committee Report

Audit and Performance Committee Report Audit and Performance Committee Report Date: 3 February 2016 Classification: Title: Wards Affected: Financial Summary: Report of: Author: General Release Maintaining High Ethical Standards at the City

More information

The Audit Committee self-assessment checklist

The Audit Committee self-assessment checklist GOOD PRACTICE The Audit Committee self-assessment checklist 2nd edition January 2012 Financial Management and Reporting 2 The Audit Committee self-assessment checklist Our vision is to help the nation

More information

The Next Generation of Security Leaders

The Next Generation of Security Leaders The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish

More information

Internal Audit Quality Assessment Framework

Internal Audit Quality Assessment Framework Internal Audit Quality Assessment Framework May 2013 Internal Audit Quality Assessment Framework May 2013 Crown copyright 2013 You may re-use this information (excluding logos) free of charge in any format

More information

Procurement guidance Prequalifying suppliers

Procurement guidance Prequalifying suppliers Procurement guidance Prequalifying suppliers Procurement guidance: Prequalifying suppliers Page 2 of 21 Table of contents Table of contents... 2 Purpose of this Guide... 4 Who should read this Guide?...

More information

foundation programs and Explanatory Guide

foundation programs and Explanatory Guide National Standards FOR foundation programs and Explanatory Guide national standards for foundation programs Contents National Standards for Foundation Programs Preamble...1 Requirements: Standard 1...3

More information

Level 2 Certificate in Understanding the Safe Handling of Medicines (QCF)

Level 2 Certificate in Understanding the Safe Handling of Medicines (QCF) Skillsfirst Awards Handbook Level 2 Certificate in Understanding the Safe Handling of Medicines (QCF) SHMC2 Suite 215 Fort Dunlop Fort Parkway Birmingham B24 9FD www.skillsfirst.co.uk Contents Page Section

More information

06100 POLICY SECURITY AND INFORMATION ASSURANCE

06100 POLICY SECURITY AND INFORMATION ASSURANCE Version: 5.4 Last Updated: 30/01/14 Review Date: 27/01/17 ECHR Potential Equality Impact Assessment: Low Management of Police Information (MoPI) The Hampshire Constabulary recognises that any information

More information

DAQ Guide 9 December 2008. A Good Practice Guide to Accreditation of Prior Achievement (APA)

DAQ Guide 9 December 2008. A Good Practice Guide to Accreditation of Prior Achievement (APA) DAQ Guide 9 December 2008 A Good Practice Guide to Accreditation of Prior Achievement (APA) This guide is for De Montfort University staff who want to introduce Accreditation of Prior Achievement (APA),

More information

Sorrento Group. Sorrento Group Caters for four main services: Sorrento Electrical Contracting, Sorrento Data Centre Consultancy

Sorrento Group. Sorrento Group Caters for four main services: Sorrento Electrical Contracting, Sorrento Data Centre Consultancy Company Profile Table of Contents About Sorrento Group 3 Sorrento Educational Consultancy 4 About Educational Consulting 5 Mission, Vision and Our Aims 6 Our services 7 Services 8 Specialised Services

More information

DCA metrics for the approval of Auditing Firms for Certifications Scheme VERSION 1.0

DCA metrics for the approval of Auditing Firms for Certifications Scheme VERSION 1.0 DCA metrics for the approval of Auditing Firms for Certifications Scheme VERSION 1.0 2013, Data Centre Alliance Limited (www.datacentrealliance.org). All rights reserved. This publication may not be reproduced

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Qualification details

Qualification details Qualification details Title New Zealand Diploma in Organisational Risk and Compliance (Level 6) Version 1 Qualification type Diploma Level 6 Credits 120 NZSCED 080317 Quality Management DAS classification

More information

A. Reference information. A0. G-Cloud Programme unique ID number for the service and version number of this scoping template

A. Reference information. A0. G-Cloud Programme unique ID number for the service and version number of this scoping template G-Cloud Service Pan Government Security Accreditation Scope This form is intended for Suppliers of services on the G-Cloud to complete. Upon receipt, the G-Cloud Programme will check Section A, Reference

More information

UNCLASSIFIED CESG ASSURED SERVICE CAS SERVICE REQUIREMENT DESTRUCTION. Version 1.0. Crown Copyright 2012 All Rights Reserved.

UNCLASSIFIED CESG ASSURED SERVICE CAS SERVICE REQUIREMENT DESTRUCTION. Version 1.0. Crown Copyright 2012 All Rights Reserved. CESG ASSURED SERVICE CAS SERVICE REQUIREMENT DESTRUCTION Version 1.0 Crown Copyright 2012 All Rights Reserved Page 1 Document History Version Date Description 0.1 June 2012 Initial Draft Version 1.0 July

More information