CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS

General

What is the Cyber Security Incident Response (CSIR) Scheme?
A broadly based scheme led by CREST and endorsed by GCHQ and CPNI, which focuses on appropriate standards for incident response aligned to demand from all sectors of industry, the wider public sector and academia.

What is the Cyber Incident Response (CIR) scheme?
A small and focussed Government-run Cyber Incident Response scheme certified by GCHQ and CPNI, responding to sophisticated, targeted attacks against networks of national significance.

Why have these schemes been launched?
All indications are that the level, sophistication and frequency of cyber security attacks are increasing. It has been accepted that the national security authorities do not have the capacity to directly support private sector organisations or government departments where the nature of the attack does not suggest a risk to national security. It was therefore decided that a much more collaborative approach would be required, with strong, well defined links between industry and government. The schemes, CIR and CSIR, have therefore been launched to enable all those organisations that may be victims of cyber-attack (SMEs, national and multinational industry, the CNI, the wider public sector and central government) to source an appropriate incident response service tailored to their particular needs. CREST Cyber Security Incident Response Members, with access to qualified personnel, will provide recovery and clean-up services to the majority of organisations and government departments, allowing GCHQ and CPNI to focus on the attacks that have a potential impact on national security. It is also the case that organisations suffering a cyber-security attack do not know where to go for help; have no way of assessing the quality of those helping them; nor the security arrangements and support provided by the organisations they work for. The CREST register of cyber security incident response organisations, the CREST qualifications and the CNI scheme will provide a much greater level of confidence to the buying community.
Why have government and industry collaborated in this initiative?
Government and industry have worked closely on a number of schemes and initiatives related to cyber security. It is recognised that lessons learnt from one type of attack will be of great value to a wide range of organisations. Working collaboratively provides both scale and quality to combat cyber security attacks.

What is the relationship between CESG/CPNI and CREST?
CESG and CPNI have reviewed CREST's Cyber Security Incident Response (CSIR) scheme and endorsed it as setting appropriate processes, procedures, governance, qualifications, skills and experience to provide effective incident response for a significant proportion of cyber incidents. They have discussed the standard used for the scheme with CREST and endorsed the scheme as providing an appropriate standard for effective incident response.

Will there be any other bodies apart from CREST endorsed by CESG and CPNI?
CESG has conducted a review of the market and there are not currently any other organisations that could provide these types of services today: technical examinations in Cyber Incident Response and company assessment. CESG has worked closely with CREST in the past on penetration testing and security architecture examinations, and the CREST and CHECK schemes are well aligned. Whilst CREST is the only scheme currently endorsed, there is no restriction on other such bodies gaining endorsement in this important area, both locally and internationally.

Who can join the CSIR Scheme?
Any quality organisation providing cyber security incident response services. There is no restriction on size, where the organisation is domiciled or what specific industry sectors they work in. To become a member of the Scheme is not trivial. They will be required to pass a comprehensive assessment process demonstrating their knowledge and application in this area, their ability to protect client-based information and their willingness to sign up to a comprehensive code of conduct.

Who can join the CIR Scheme?
In addition to similar requirements to the CSIR Scheme, an organisation will be required to provide additional contractual information, demonstrate their ability to work on projects with a national security bias and have access to staff capable of meeting national security requirements.
Is it a two tier scheme?
No, it is not a two tiered scheme. There is no implied indication that one scheme is more comprehensive, nor that the companies or individuals are more capable or better qualified. The difference is that those in the CIR scheme have the necessary attributes to deal with a very specific set of threats in a particular context. It is not implied that the cyber security incidents experienced by private sector organisations or government departments require any less capability.

Is membership of the CSIR Scheme a prerequisite for joining the CIR Scheme?
There are no prerequisites for membership of the CIR Scheme; however, organisations that have met the stringent CREST requirements will be in a much stronger position to demonstrate their capability during the selection process.

Company Application Process

What is the process for applying for the CSIR scheme?
Organisations wishing to join the CSIR Scheme will need to sign a Non-Disclosure Agreement (NDA) with CREST. On receipt of the signed NDA, CREST will issue an application form. The organisation will be required to complete all parts of the application and submit it to CREST. The application will be reviewed in detail and, where necessary, areas of concern will be highlighted in a formal letter to the applicant company. Once the paper application has been completed to a satisfactory standard, a site visit will be required to validate the claims made on the application and to remind the organisation of its obligations under the code of conduct. Once this has been completed and the membership payment received, the company will be entered onto the CREST register under the Cyber-Security category.

Is the process the same for existing CREST penetration testing member companies?
Many of the questions regarding the quality of the service and the policies, processes and procedures for the protection of client-based information will already have been completed and will have been assessed. Existing CREST Penetration Testing Member companies will also have already signed up to the CREST code of conduct and signed an NDA. An existing member company should therefore request an application form and will be required to complete the sections relating to the Cyber-Security Incident Response service. Once completed, this section will be reviewed and assessed in line with the process for new members as outlined above. There have been some updates to the existing CREST application form. All existing CREST organisations will be required to complete the new application form as part of their three year renewal cycle. The new questions reflect recognised best practice and therefore organisations should consider completing all parts of the new form. Details of the process are described on the CREST website www.crestapproved.org or from new members@crest-approved.org

Who will conduct the CREST company assessments?
CREST fully recognises the sensitivity of the material provided as part of the company assessment process. All applications submitted to CREST are only seen by CREST employed staff. No information is passed to the member company representatives of either the CREST Executive or any other parties regarding the submission of an application, nor any correspondence relating to the application process. The member company representatives on the CREST Executive have no part in the decision to award or not to award CREST membership.

What is the process for joining the CIR scheme?
See CESG website (www.cesg.gsi.gov.uk)

Is membership of the CSIR scheme a mandatory requirement for the CIR scheme?
There is no prerequisite for a CIR company to have first passed the CSIR assessment; however, organisations that have met the stringent CREST requirements will be in a much stronger position to demonstrate their capability during the selection process.

What are the costs for the CIR Scheme?
Potential Scheme Members: For companies that can demonstrate that they meet the CIR requirements and are existing CHECK companies there will be a minimal charge of £1 plus VAT for companies certified during FY 2013/14. Whilst future fees will be kept to a minimum, CESG will reserve the right to increase the cost of CIR membership in subsequent years. For companies that can demonstrate that they meet the CIR requirements and are not existing CHECK companies there will be an initial charge of £7,500 plus VAT. These companies will derive the same benefits as existing CHECK companies. In subsequent years the cost will be kept in line with the CHECK scheme. CESG reserves the right to levy an additional cost for ongoing CIR membership.
What are the costs for the CSIR Scheme?
CREST company membership is £7,000 plus VAT per annum. For existing CREST member companies there will be no additional membership charge, although an administration fee of £250 plus VAT will be levied against existing CREST members seeking assessment under the additional CSIR category. For companies that are not current CREST members but would like to be CSIR members, the annual fee after passing the company assessment will be £7,000 per annum. This will provide the company with all the existing CREST member benefits.

What is the renewals process for the CIR Scheme?
Annual renewal is detailed in the contract document.

What is the renewals process for the CSIR Scheme?
After the initial assessment there will be an annual renewal. This is designed to be relatively easy to complete and looks to validate certain essential elements of the membership process, confirm agreements between the company and CREST and provide an update where existing policies, processes and procedures have been amended or improved. Given that this is a new scheme, there may be some additional questions to answer over and above the initial assessment. These will be based on experience of operating the scheme. There is no charge for this annual review. Every three years the company will be subject to a full assessment requiring a full resubmission. There will be an assessment fee of £400 plus VAT for this.

When will the CSIR scheme have company members?
CREST has been publicising the scheme to existing CREST members, the companies that were part of the CIR trial and others who it is believed have a capability in this area. A number of submissions have already been received and the process of reviewing them has commenced. It is our intention to be in a position to formally announce the first wave of memberships at the end of September 2013. This cannot be guaranteed as we do not currently know who, if any, will be able to pass the CREST assessment. We would prefer to do it this way as it will create more of an announcement but, more importantly, it will not allow any one organisation to say that they were first to market.
When will the new CIR scheme announce members and will the existing four companies continue to be included?
CIR was announced on 13 August 2013. The original 4 pilot companies are all required to reapply under the new CIR requirements.

Will the application process be continual or will there be set times for companies to apply for CSIR membership?
CREST accepts applications for company membership and membership applications to be included in the CSIR throughout the year.

Will the application process be continual or will there be set times for companies to apply for CIR membership?
Continual.

What qualifications are currently available that are recognised under the new schemes?
There are four qualifications available from CREST that relate to this area of business. The first is the CREST Registered Intrusion Analyst (CRIA). The CRIA examination tests a candidate's knowledge across host and network based malware analysis and reverse engineering of a malware attack. This examination has been designed for individuals with in the region of 6,000 hours of relevant and frequent experience in this area. It will expect candidates to have an in-depth understanding of certain parts of the intrusion analyst role and a good broad understanding of all aspects. It will expect the candidate to be able to work in this area independently of support. The next is the CREST Certified Host Intrusion Analyst (CCHIA). The CCHIA examination has been designed for individuals with in the region of 10,000 hours of practical and relevant experience. It tests candidates' knowledge of analysing Windows hosts for evidence of potential compromise. The CREST Certified Malware Reverse Engineer (CCMRE) identifies at a high level a candidate's ability to reverse engineer malware, particularly remote access Trojans. It also includes a core skills exam covering network and host intrusion. The candidate will be expected to possess not only the technical ability to find security weaknesses and vulnerabilities, but also the skills to ensure findings are presented in a clear, concise and understandable manner. The CCMRE examination has been designed for individuals with in the region of 10,000 hours of practical and relevant experience. The last is the CREST Certified Network Intrusion Analyst (CCNIA). The CCNIA examination tests candidates' knowledge and expertise in analysing data sources for evidence relating to potential network compromise. It has been designed for individuals with in the region of 10,000 hours of practical and relevant experience. Details of all of these examinations can be found on the CREST website http://www.crest-approved.org/information-security-testers/index.html CREST is also working with industry and government on another examination for a Senior Cyber Security Incident Response Manager role. It is planned to have this examination formally launched before the end of the year.

Are there any specific roles that relate to the schemes and will they be mandatory?
All of the intrusion analyst and malware reverse engineering roles described above are relevant to the schemes. There will be other qualifications in areas such as forensics and business continuity management that may well be required in order to form an effective team to facilitate certain types of recovery. Having direct access to individuals holding these types of qualifications will be viewed as beneficial but will not currently be mandatory. Once the Senior Cyber Security Incident Response Manager examination has been formally launched, the intention is to make this a mandatory role within the CIR Scheme within a year of the launch. It is likely that the CREST CSIR Scheme will follow a similar route but may allow an individual to contract to an organisation. If this approach is adopted, an individual will only be allowed to be associated with one member organisation. They will be responsible for the conduct of all members of the team that they are responsible for. It will be clear from the CREST website which qualifications they have within their organisation.

When will the Senior Cyber Security Incident Manager examination be available?
By the end of 2013. Alpha and beta testing will have been conducted prior to this date.
Individual Consultants

What will be the criteria for sitting the Senior Cyber Security Incident Response Manager examination?
There are no plans for any prerequisites for sitting the new Senior Cyber Security Incident Response Manager examination. It is, however, being designed for individuals with 10,000 hours' experience in the management of significant technical incidents. Individuals will have to be technically competent, understand technical risks and be able to assemble and manage teams to deal with a wide range of technical attacks. It is also likely that there will be soft skills requirements that not only allow them to manage the team effectively but also deal with senior management and the media.

Will any other qualifications be recognised by the two schemes?
Specific qualifications in other related areas are being considered, particularly in related disciplines; however, currently no other qualifications are recognised under the CSIR Scheme. Further analysis will be carried out within the UK and internationally.

Who will set and administer the Senior Cyber Security Incident Response Manager role examinations?
As a certification organisation, CREST operates a small network of Assessors drawn from CREST Member Companies to manage the examination process. This includes collectively devising syllabus content, invigilating, marking and generally operating the exam environment on behalf of CREST. The Assessors, jointly, comprise the CREST Assessors Panel.

How are the Assessors selected?
When new Assessors are required, either as replacements for previous incumbents or as an additional resource, the CREST member company main points of contact and previous successful candidates from within member companies are contacted in writing seeking CVs with letters of application from individuals with current CREST Certified Tester (CCT) qualifications interested in taking on the role. Potential Assessors are invited to explain:
- Their experience within the industry and examples of team leadership;
- Their technical skills and how these could help the progression of the CREST assessments and rigs;
- Details of other technical areas that could be championed within the Assessors group (eg. mobile, code review, wireless, architecture, etc.);
- A confirmation of their ability to commit the requisite resource to the CREST Assessors group.
There is a limit of two assessors per CREST Member Company. Once applications have been received, the Chair and Vice-Chair of the Assessors Panel will review and score them using a predefined weighting scheme. CREST pays for the services of the assessors and requires them to sign a specific NDA relating to the services required.

How much are the existing CREST intrusion analysis and malware reverse engineering examinations?
The CREST Registered Intrusion Analyst examination costs £395 + VAT. CREST Certified Tester examinations (NIA, HIA, MRE) cost £1,600 + VAT.

How much will the Senior Cyber Security Incident Manager examination cost to sit?
This has not been formally agreed but is likely to be aligned with existing CREST Certified level examinations.

How do I book for the examinations?
Bookings for the existing examinations can be made by email to admin@crest-approved.org. CREST would be willing to take pre-bookings for the Senior Cyber Incident Response Manager examination. It will obviously not be possible to confirm a date. There may also be opportunities for participating in the alpha or beta testing of the examinations. Successes in the alpha and beta testing will be recognised under the scheme; there may, however, be a requirement to provide structured feedback on the examination content, detail and timings.

Is there an annual membership for individuals?
There is no requirement for an annual fee for individuals who have passed the CREST examinations. All those who have passed the examination do, however, receive CREST benefits including attendance at CRESTCon, access to CREST workshops, access to CREST research material etc. As with all other CREST qualifications there is a requirement to re-sit the examination every three years to ensure the currency of knowledge and application.
Is there a requirement for CPDs?
Under the CREST scheme there are currently no requirements to provide evidence of CPDs. Currency of knowledge, skill and competence is assessed by the retaking of the examination after three years.

How can I prepare staff to be in a position to sit the existing cyber-security incident response examinations?
Whilst the need to manage technical security incidents has existed for a relatively long period of time, some of the knowledge and skill required to manage some cyber security attacks is still evolving. There is not currently a recognised body of knowledge from which potential candidates can draw. The CREST syllabus will provide a basis for an individual to assess whether they have knowledge, skill and competence in the required areas. CREST is working to provide access to state of the art research and case study material. It is also hoped that access to information provided by the UK Cert will also be available. In penetration testing, CREST is working with e-skills to establish agreed development pathways. These pathways will be used to help an individual create a professional development plan based on training, personal research and experience. This will also be used to assess training courses and to try and stimulate training activity in the market. The same approach will be adopted for the intrusion analysis, malware reverse engineering and incident management roles. CREST will also be willing to provide access to assessors who will talk through the requirements of the examinations, without providing any hints, tips or guidance on examination questions.

Are there any requirements to employ staff with specific qualifications?
All of the intrusion analyst and malware reverse engineering roles are relevant to the schemes. There will be other qualifications in areas such as forensics and business continuity management that may well be required in order to form an effective team to facilitate certain types of recovery. Having direct access to individuals holding these types of qualifications will be viewed as beneficial but will not currently be mandatory. Once the Senior Cyber Security Incident Response Manager examination has been formally launched, the intention is to make this a mandatory role within the CIR Scheme within a year of the launch. It is likely that the CREST CSIR Scheme will follow a similar route but may allow an individual to contract to an organisation. If this approach is adopted, an individual will only be allowed to be associated with one member organisation. It will be clear from the CREST website which qualifications they have within their organisation.

When will it become mandatory to employ a cyber-security incident manager to be part of the CIR scheme?
One year after the formal introduction of the examination.

Is there a requirement to carry a national security clearance?
There is no requirement to hold a national security clearance to take any CREST examinations. There is no requirement for a CREST member company to be able to issue government security clearances under the CSIR scheme. As part of the audit there is a requirement to demonstrate effective personnel vetting in line with standards such as BS7858. For the vast majority of work in the private sector there is no requirement for an individual to carry a national security clearance. Where the incident investigation and clean-up services are being provided to a government department operating at IL3 or below there is no requirement for a national security clearance. For government departments operating above IL3 there will be specific clearance requirements. Given the nature of the information handled, companies certified for the CESG/CPNI CIR scheme require at least one member of staff to be DV cleared. Where a company meets all requirements excepting DV clearance, a suitable candidate from the company will be sponsored for DV clearance.

Will it be mandatory to employ a Senior Cyber-Security Incident Manager under the CSIR scheme?
All of the intrusion analyst and malware reverse engineering roles are relevant to the schemes. There will be other qualifications in areas such as forensics and business continuity management that may well be required in order to form an effective team to facilitate certain types of recovery. Having direct access to individuals holding these types of qualifications will be viewed as beneficial but will not currently be mandatory. Once the Senior Cyber Security Incident Response Manager examination has been formally launched, the intention is to make this a mandatory role within the CIR Scheme within a year of the launch. It is likely that the CREST CSIR Scheme will follow a similar route but may allow an individual to contract to an organisation. If this approach is adopted, an individual will only be allowed to be associated with one member organisation. It will be clear from the CREST website which qualifications they have within their organisation.

Will CSIR Scheme members be able to provide cyber incident response and clean up services to UK Government Departments?
Yes, the scheme has been designed by a group representing the supply industry and the government and private sector buying communities. It has then been reviewed and endorsed by CESG and CPNI. At IL3 and below any CREST Cyber Security member company can provide services. Above IL3 there will be other specific requirements laid down by CESG.

What are the costs of joining the CIR scheme?
CREST company membership is £7,000 plus VAT per annum. There is a £400 plus VAT assessment fee for company membership. This includes all support and liaison with CREST regarding the application. The fee will cover both Cyber Incident Response membership and Penetration Testing membership. There is no discount for applying for only one of the membership categories. For existing CREST member companies there will be no additional membership charge, although an administration fee of £250 plus VAT will be levied against existing CREST members seeking assessment under the additional CSIR category. On successful completion of the assessment there is an annual charge of £7,000 plus VAT: this provides the organisation with all the benefits associated with CREST membership. Every three years, the company will be subject to a full assessment requiring a full resubmission. There will be an assessment fee of £400 plus VAT for this re-assessment. There is an annual fee associated with award of a certification mark, along similar lines to other CESG certified services. This will be reviewed annually. For companies certified during FY 2013/14 this will be £1 plus VAT.
Companies Looking For Cyber Security Incident Response Service

Under the CSIR scheme will there be any requirement to provide information on incidents to GovCert or any other security bodies?
No, there will be no requirements, with the exception of where there is a legal requirement to report certain types of information. No information will be provided to any government authority of the fact that an incident is being investigated or any details of the incident. CREST does, however, work closely with GovCertUK and other similar organisations and would, where possible, recommend that some anonymous information is provided for the common good of enhancing cyber security, taking account of confidentiality.

Will it be possible to contract cyber incident response services under existing government procurement frameworks?
CREST, CESG and CPNI are discussing this and will keep members of both schemes informed of progress.

Will the companies within the CSIR Scheme be allowed to use contractors?
Under the CSIR Scheme it will be possible to utilise contracted staff to help make up the recovery and clean-up teams. The organisation should look to contract CREST qualified contractors, as these will be bound by the CREST individuals' code of conduct and therefore will have to adhere to the policies, processes and procedures of the member company. In the same way there will be an obligation on the CREST member company to inform the contractor of the company's policies, processes and procedures and to ensure compliance. As this type of contract is often procured very quickly, it is recommended that a CREST member company has pre-trained potential contracting staff or has a process for a quick start induction. There may in the future be a requirement to employ or have direct access to a Senior Cyber Security Incident Response Manager.

Can more than one CREST company work in consortia to deliver these types of services?
There would be no problem with this, and the Scheme has been designed to recognise that very few companies will have the full range of services required to deal with a major Cyber Attack. Working with other CREST registered companies would generally work better than working with others outside of the Scheme, as the common code of conduct will apply and assurances on important aspects such as contractual arrangements, scope and protection of client information will already have been assessed. It will be possible from the CREST website to see the capabilities of other CREST member companies.
Under the CIR scheme will there be any mandatory requirements to report incidents to any other regulatory bodies?
In the interests of enhancing cyber security and enabling CESG and CPNI to support incident response companies, service providers and organisations affected by cyber incidents are encouraged to share technical information with CESG about incidents. This exchange of information will take into account any confidentiality agreements between organisations and service providers. Direct engagement of a Service Provider by an organisation does not require CESG or CPNI to be notified, although organisations and service providers are encouraged to do so.

Can more than one CIR Scheme member work in consortia to deliver the required services?
Yes, providing the component consortia companies meet the criteria.

Can a CIR Member Company contract work in consortia with a CREST member company to deliver the required services?
Depending on the level or severity of the incident and the clearances that may be required, and provided also that the CREST Member Company is a CSIR scheme member, it would be acceptable.

How will it be possible to differentiate between incidents that are appropriate for the CSIR scheme and those that should be passed to the CIR scheme?
In essence, the CREST CSIR scheme encompasses SMEs, national and multinational industry, the CNI, the wider public sector and central government. The CESG CIR scheme will respond to sophisticated, targeted attacks against networks of national significance. Therefore, for the majority, if an incident has a potential impact on any element of national security, including critical infrastructure or national prosperity, it will be handled under the CIR Scheme. That does not mean to say that CREST Member Companies will not be involved if they possess the necessary credentials.

I am a private sector company and have experienced a cyber-attack. What scheme should I utilise?
In the first instance, approach a CREST Cyber Security Incident Response Member Company. Their integrity should be trusted: if it is an incident outside of their sphere of expertise or qualification, they will refer you.

I am part of the critical national infrastructure and have experienced a cyber-attack. What scheme should I utilise?
Companies who run Critical National Infrastructure networks are recommended to use the CIR service in order to benefit from the assured procurement that it offers.

I am a government department and have experienced a cyber-attack. What scheme should I utilise?
In the first instance, approach a CREST Cyber Security Incident Response Member Company. Their integrity should be trusted: if it is an incident outside of their sphere of expertise or qualification, they will refer you. In the selection of a suitable company, national security requirements should be considered where the information is at IL3 and above. If GCHQ finds evidence of a cyber incident in a Government or CNI organisation, depending on the severity the affected organisation may be informed by GovCERTUK or CPNI. It is then up to that organisation to identify and undertake any remediation activity, which may or may not include engaging the technical assistance of a security provider. CESG/GovCertUK/CPNI expect to receive feedback on the remedial action taken.

Does the CSIR scheme operate on an international basis?
Some CREST Member Companies have international operations. This requirement should be stated during initial contact with a service provider in the event of an incident. CREST Member Companies that are CSIR Scheme members should state this capability. CREST international chapters and overseas affiliates will be fully informed of the schemes.

How do I identify what company I should use to help me recover from a cyber-security incident?
Consumer organisations should look for the following from a reputable commercial supplier:
- People who are trained and proficient (experienced)
- Clear, repeatable methodology
- Appropriate tools for the technology
- Cyber insurance and liability insurance
- Relevant understanding of current environments (may be sector specific)
- Ability to contract in additional cyber specialisms if required
- Accreditations aligned to industry standards
- Necessary qualifications/ability (eg. clearances) to work within the client's environment
- A clear, shared understanding of the scope regarding skills and output, and a matched breadth of business
- An upfront service delivery schedule with the necessary detail (which should be transparent whether there is a managed service in place or not), including a minimum/baseline standard (or common framework) to ensure expectations are met
- Transparency and independence of service offering: a distinction between a managed service and an incident response service.
How do I identify what company I should use to help me recover from a cyber-security incident? [cont d.] All organisations should put a mutual NDA in place from the outset to cover initial conversations. The Guide needs to highlight this as an essential prerequisite. A CREST Guide to procuring cyber security incident response services will be published by the end of 2013. If you would like to pre-reserve a copy of this guide please email admin@crest-approved.org What does the CSIR code of conduct provide? Is there any guidance on how to select a suitable supplier from the CSIR register? The CREST Code of Conduct describes the standards of practice expected of CREST Member Companies providing technical information security services and offers assurance of the qualifications and integrity of member companies and their CREST Qualified employees. It also contains the guarantee of a robust complaints handling process in the unlikely event of any problems. Consumer organisations should look for the following from a reputable commercial supplier: People who are trained and proficient (experienced) Clear, repeatable methodology Appropriate tools for the technology Cyber insurance and liability insurance Relevant understanding of current environments may be sector specific Ability to contract in additional cyber specialisms if required Accreditations aligned to industry standards Necessary qualifications/ability (eg. clearances) to work within client s environment A clear, shared understanding of the scope regarding skills, output - and a matched breadth of business An upfront service delivery schedule with the necessary detail (which should be transparent whether there is a managed service in place or not) - and include a minimum/baseline standard (or common framework) to ensure expectations are met Transparency and independence of service offering a distinction between a managed service and an incident response service. 
All organisations should put a mutual NDA in place from the outset to cover initial conversations. The Guide needs to highlight this as an essential prerequisite.
Is there any guidance on how to select a suitable supplier from the CSIR register? [cont d.] Is there any guidance available to help me to prepare for managing a cyberattack? A CREST Guide to procuring cyber security incident response services will be published by the end of 2013. To be effectively prepared, you should be able to determine the criticality of your key assets; analyse threats to them; and implement a set of complimentary controls to provide an appropriate level of protection. Considering the implications of people, process, technology and information; you can then update your cyber security response capability and review your state of readiness in cyber security response. A CREST Cyber Security Incident Response Guide will be published by the end of 2013. Are the existing roles part of the CESG Certified Professional (CCP) Scheme? Will the new Cyber Security Incident Response Manager Role be part of the CCP scheme? Who derived the requirements for company membership of the CSIR scheme? Who derived the requirements for the company membership of the CIR scheme? Who derived the requirements for the company membership of the CIR scheme? [cont d.] The current CCP scheme does not include the roles described in this FAQ. There is however a plan to include all IA roles under the scheme in some form so as the roles mature it is likely that they will be included. It is likely that some of the existing participants under the CCP scheme would be capable of applying for the roles described. The current CCP scheme does not include the Senior Cyber Security Incident Response role. There is however a plan to include all IA roles under the scheme in some form so as the roles mature it is likely that they will be included. It is likely that some of the existing participants under the CCP scheme would be capable of applying for this role. 
A team drawn from industry and government experts in the CSIR field devised the questions and identified the optimum answers against which applicants are assessed. The selected team had to provide evidence of their expertise in this area prior to being allowed to participate. Determination of requirements for the CESG/CPNI scheme was led by CESG in its role as National Technical Authority for IA, drawing on the experience and contribution of GovCERTUK and CPNI.
Who developed the syllabus and examination for the existing examinations? A team drawn from industry and government experts in the various fields devised the questions. The team had to provide written evidence of their expertise in this area. All participates had to sign an NDA regarding the information provided for the examinations. Separate teams where utilised so that no members had access to all information. Where short or long form written questions were devised, the team also identified the optimum answers against which candidates are assessed. A series of alpha and beta examinations with volunteer candidates were also held and any appropriate observations were fed back into the syllabus. The syllabus and detail was also assessed by CESG. Who is developing the syllabus and examination for the Senior Cyber Security Incident Response Manager examination? A team drawn from industry experts in the CSIR field devised the questions. The team had to provide written evidence of their expertise in this area. All participates had to sign an NDA regarding the information being provided for the examination. Where short or long form written questions are required the team will also identify the optimum answers against which candidates are assessed. A series of alpha and beta examinations with volunteer candidates will also be held and any appropriate observations will be fed back into the syllabus. CESG, CPNI and GovCert are participating in the development of the syllabus and detailed questions. I need more information where can I go? CREST Tel: 0845 686 5542 Email: admin@crest-approved.org Web: http://www.crest-approved.org CESG Tel: 01242 709141 Email: enquiries@cesg.gsi.gov.uk Web: www.cesg.gsi.gov.uk