OFFICIAL

Application Guidance CCP Penetration Tester Role, Practitioner Level

August 2014 Issue No: 1.0

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or email [email protected]

This document is for the purposes of issuing advice to UK Government, public and private sector organisations and/or related organisations. The copying and use of this document for any other purpose, such as for training purposes, is not permitted without the prior approval of CESG.

The copyright of this document is reserved and vested in the Crown.

Document History

Version   Date          Comment
1.0       August 2014   First issue

Purpose & Intended Readership

This document is intended as a guide on how to structure evidence when applying for certification as a CESG Certified Professional (CCP) Penetration Tester at Practitioner level and includes suggestions of what you need to learn and know before applying. It complements the ‘CESG Certification for IA Specialists’ Standard (reference [a]) and the CESG ‘Guidance to Certification for IA Specialists’ document (reference [b]), to be found at http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx

Executive Summary

CESG has developed a framework for certifying IA Professionals who meet competency and skill requirements for specified IA roles. The purpose of certification is to enable better matching between requirements for IA Professionals and the competence and skills of those undertaking common IA roles. The framework was developed in consultation with Government departments, academia, industry, the certification bodies and members of the CESG Listed Adviser Scheme (CLAS). The framework includes a set of IA role definitions and a certification process. This document provides guidance for applicants for certification as a CCP Penetration Tester at Practitioner level.

Feedback

CESG Information Assurance Guidance and Standards welcomes feedback and encourages readers to inform CESG of their opinions, positive or otherwise, in respect to this document. Please email: [email protected]

Contents:

Purpose & Intended Readership
Executive Summary
Feedback
Overall Requirements for the Penetration Tester Role, Practitioner Level
Key Principles
Penetration Testing
Practitioner Penetration Tester Role Headline Statement – SFIA Responsibility Level 3
Applying for CCP Scheme Certification
Knowledge
Skills
Experience
The Certification Process – next steps
The CCP Scheme Certification Learning Cycle
References
Glossary

Overall Requirements for the Penetration Tester Role, Practitioner Level

Key Principles

This document is intended as a guide on how to structure evidence when applying for certification as a CESG Certified Professional (CCP) Penetration Tester at Practitioner level and includes suggestions of what you need to learn and know before applying. It complements the ‘CESG Certification for IA Specialists’ Standard (reference [a]) and the CESG ‘Guidance to Certification for IA Specialists’ document (reference [b]). Learning comes through acquiring skills and knowledge (from training, experience and seeing how others work) and putting these into practice. Some Penetration Testers will have carried out other roles previously, e.g. Systems Administration or working in a Security or Network Operations Centre. Most Practitioner Penetration Tester candidates will need at least 6-12 months of penetration testing experience before applying, although some will gain the required skills in a longer or shorter period. This document outlines the basic knowledge, skills and experience you need. You are encouraged to follow the advice in each section when completing your written submission of evidence.

Penetration Testing

Penetration testing is an independent assessment of the different elements that comprise an information system or product, with the goal of finding and documenting the vulnerabilities present. The resultant report is considered with threat reports and other information sources in order to derive a risk assessment that can be used to drive security improvements.

The role of a penetration tester is to:

Ensure that any testing activity is lawful, compliant with all relevant regulations and within the agreed scope

Conduct technical security tests against the information system or product, with the aim of identifying vulnerabilities

Communicate the results of the tests at a level tailored to the audience

Provide technical consultancy and recommendations to customers as to how any reported vulnerabilities could be mitigated

Practitioner Penetration Tester Role Headline Statement – SFIA Responsibility Level 3

Applies knowledge and contributes to the successful delivery of penetration testing services

Applying for CCP Scheme Certification

No specific qualifications are mandated but you must have appropriate practical experience, either through employment as a penetration tester, or in another technical or information security role, such as a system administrator, security administrator or SOC/NOC analyst. You need to show that you have the skills, knowledge and experience listed in the following pages and you should check the website of the Certification Body (CB) you wish to use for any additional requirements they may have. If you consider that there are gaps in your skills, knowledge and experience, agree a plan with your manager to address these (e.g. through placements, projects, training, coaching) before you apply for CCP certification.

Your written submission must show that you:

meet the Role Headline Statement for the Penetration Tester role (‘Applies knowledge and contributes to the successful delivery of penetration testing services’ – see above)

work under general supervision and on discrete tasks when performing penetration tests

demonstrate an analytical and systematic approach to penetration testing, and are able to apply your own initiative and discretion

understand and are able to apply appropriate tools and techniques during a penetration test, and work in accordance with relevant legislation and standards

perform penetration tests in a variety of environments

work as part of a larger team and assist senior colleagues in delivering successful penetration tests

demonstrate effective communication skills with colleagues, and when providing input to written reports and presentations

have regular working-level contact with customers

actively develop your understanding of penetration testing, and understand how penetration testing is to be applied and delivered to a customer

demonstrate the required skill levels from the Institute of Information Security Professionals (IISP) Skills Framework

demonstrate all of the attributes of responsibility (autonomy, influence, complexity and business skills) from the Skills Framework for the Information Age (SFIA) [1] at level 3. Alternatively you can show evidence of at least level 2 for the IISP J skills

[1] SFIA Foundation at www.sfia.org.uk

The key to good penetration testing is combining technical, business and people skills to provide information on security system vulnerabilities which is accessible to and understood by the people who need to take action on the advice you give. You need to understand the business objectives, strategy and risk appetite, as well as the system and applications you work on. You need people skills to ensure that you explain your findings and secure all the information you need, for example when considering security incidents. You also need to ensure that all your testing operates within the appropriate legal frameworks.

In no priority order, you need:

Skills:

Negotiating

Influencing

Information-gathering

Communication – able to talk to non-techies and techies alike

Vulnerability assessment and management

Business writing (all the information needed for a decision, on 1 side of A4)

Presentation

Stakeholder management

And familiarity with the following:

Penetration testing methodologies

Penetration testing standards and policies

The CESG Certification for IA Professionals and Guidance to CESG Certification for IA Professionals documents

Technical IA controls

Knowledge

Your evidence should show that you:

know that at least the following statutes apply to the penetration testing process: Computer Misuse Act 1990; Data Protection Act 1998; Human Rights Act 1998; Police and Justice Act 2006; Police and Criminal Evidence Act 1984; Regulation of Investigatory Powers Act 2000

and understand:

the ethical issues associated with penetration testing

CHECK standards and methodology, local standards and regulations for information security

risk assessment tools, techniques and methodologies

vulnerability detection tools

current research trends

what risk appetite and risk tolerance are

basic information systems engineering and development

what good and bad security look like and how to test for vulnerabilities, including in the development lifecycle

common causes of security vulnerabilities

common sources of information to support penetration testing

Skills

When presenting your skills evidence, use the ‘STAR’ format: ‘Situation, Task, Action, Result’

Use a narrative form, e.g. ‘... I produced ...My decision was...’

Explain what accreditation decision you made and how the measures you required were proportionate and effective

You must meet the required levels at all 4 core skills - (A2 Policy and Standards, D2 Security Testing, E3 Vulnerability Assessment, I3 Applied Research)

You must meet 75% of the remaining skills

A single piece of work may be used for several skills, but a variety of examples gives better evidence of being able to work in more than one situation

The following table provides suggestions for starting points in evidence.

Technical Skills

SKILL: A2 – Policy & Standards, Level 1 - Core Skill. Understands the need for policy and standards to achieve Information Security (IS)
EVIDENCE OF SKILL: Give examples of your experience of IS policies and standards. How does penetration testing fit within your company’s information security policy?

SKILL: A6 – Legal & Regulatory Environment, Level 1. Is aware of major pieces of legislation relevant to Information Security and of regulatory bodies relevant to the sector in which they work
EVIDENCE OF SKILL: Give examples from different work environments of how you ensured that your work didn’t contravene relevant statute/regulations and how you explained this to your customer(s). For example, the Computer Misuse Act prohibits breaking into a system but the contract you were employed on might require or permit this.

SKILL: A7 – Third Party Management [2], Level 1. Is aware of the need for organisations to manage the information security of third parties
EVIDENCE OF SKILL: Give examples of how you advised a customer’s supplier about the vulnerabilities in their information systems.

SKILL: B1 – Risk Assessment, Level 1. Demonstrates awareness of the causes of information risk and their implication
EVIDENCE OF SKILL: Give examples of how you identified vulnerabilities and risks in a number of different systems.

SKILL: B2 – Risk Management, Level 1. Demonstrates awareness of techniques to manage information risk
EVIDENCE OF SKILL: Give examples of how IT systems’ risk and vulnerabilities are managed and advice you have given to mitigate these.

[2] Skill only required if information systems or services are provided by a third party

SKILL: C1 – Security Architecture, Level 1. Is aware of the concept of architecture to reduce information risk
EVIDENCE OF SKILL: Describe how you have advised on modifications to IA architecture to mitigate potential information risk. What was the outcome?

SKILL: C2 – Secure Development, Level 1. Is aware of the benefits of addressing security during system development
EVIDENCE OF SKILL: Explain how security and secure development of products and systems are improved by penetration testing.

SKILL: D1 – IA Methodologies, Level 1. Is aware of the existence of methodologies, processes and standards for providing Information Assurance
EVIDENCE OF SKILL: How is appropriate and proportionate penetration testing carried out in your organisation?

SKILL: D2 – Security Testing, Level 1 - Core Skill. Is aware of the role of testing to support IA
EVIDENCE OF SKILL: Give examples over a range of environments of different ways in which you have tested the security of systems. Which frameworks did you use? Explain what level of security was achieved and what system vulnerabilities remained. What was the outcome of your work?

SKILL: E1 – Secure Operations Management, Level 1. Is aware of the need for secure management of information systems
EVIDENCE OF SKILL: Give examples of tests you have carried out to detect vulnerabilities – how did you do this? What changes to corporate security processes or systems could you recommend to mitigate vulnerabilities?

SKILL: E2 – Secure Ops & Service Delivery, Level 1. Is aware of the need for information systems and services to be operated securely
EVIDENCE OF SKILL: Give examples of how you have influenced a customer to mitigate security risks.

SKILL: E3 – Vulnerability Assessment, Level 2 - Core Skill. Obtains and acts on vulnerability information in accordance with Security Operating Procedures
EVIDENCE OF SKILL: Give examples from different work environments of occasions when you identified vulnerabilities in a system or application. What tools and methodologies did you use and how did you make colleagues and/or customers aware of the vulnerabilities? What did you do to mitigate the vulnerabilities and what was the outcome?

SKILL: F1 – Incident Management, Level 1. Is aware of the benefits of managing security incidents
EVIDENCE OF SKILL: Provide examples of how security incidents are managed in the organisation(s) you work in. How does this improve cyber security?

SKILL: F2 – Investigation, Level 1. Is aware of basic principles of investigations
EVIDENCE OF SKILL: Give examples of how information is collected in order to investigate a security incident. What sources can be used and why?

SKILL: F3 – Forensics, Level 1. Is aware of the capability of forensics to support investigations
EVIDENCE OF SKILL: What information can be recovered through the use of forensic tools?

SKILL: G1 – Audit and Review, Level 2. Audits compliance with security criteria in accordance with an appropriate methodology
EVIDENCE OF SKILL: Give examples of auditing a system to test for vulnerabilities. How did this improve the scope of the vulnerability testing? How did you communicate the results to information risk owners and what was the outcome of this?

SKILL: H1 – Business Continuity Planning and H2 – Business Continuity Management, Level 1. Understands how Business Continuity Planning & Management contributes to information security
EVIDENCE OF SKILL: Describe how you incorporated business continuity management into your vulnerability testing and your advice on vulnerability mitigations.

SKILL: I3 – Applied Research, Level 1 – Core Skill. Understands the fundamental concepts of applied research but does not yet have the knowledge needed to apply this skill in an operational context
EVIDENCE OF SKILL: Give examples from different work environments of:
- how you have used your research as part of penetration testing. How did that research support the overall security assessment process?
- areas you have found where further research is needed. How could that research be used to enhance levels of security?
- research you have used when considering how vulnerability testing tools or techniques could be improved

PEOPLE SKILLS ‘J skills’ (instead of SFIA level 3 – see p4)

SKILL: J1 - Teamwork and Leadership - Level 2. Is encouraging and supportive and provides a lead within the local area. Task-based team working
EVIDENCE OF SKILL: Give examples of sharing information and knowledge with others to promote team objectives.

SKILL: J2 - Delivering – Level 2. Responsibility for an element of delivery against one or more business objectives, balancing priorities to achieve this
EVIDENCE OF SKILL: Give examples of tasks which you delivered to deadlines.

SKILL: J3 – Managing Customer Relationships – Level 2. Negotiates with customers to improve the service to them and to manage their expectations
EVIDENCE OF SKILL: Describe ways in which you have worked with customers to agree solutions.

SKILL: J4 - Corporate Behaviour – Level 2. Understands the aims of own and related areas across an organisation
EVIDENCE OF SKILL: Give examples of proposals you have made to mitigate security vulnerabilities.

SKILL: J5 – Change and Innovation – Level 2. Generates creative ideas and demonstrates sensitivity in implementing local change
EVIDENCE OF SKILL: What changes have you introduced – what did you do, what techniques did you use and why? How did you consider the impact on other people and processes?

SKILL: J6 - Analysis and Decision Making – Level 2. Makes effective decisions in consultation with others and/or solves complex problems in immediate area
EVIDENCE OF SKILL: Give examples of recommendations and solutions you have suggested. What was the outcome in these cases?

SKILL: J7 – Communication and Knowledge Sharing – Level 2. Encourages and contributes to discussion. Is proactive in sharing information in own work area
EVIDENCE OF SKILL: Give examples of how you have adapted your communication to suit different media, including face to face, over the phone, emails, presentations and meetings, e.g.:
- contributing to reports
- stand up briefings
What outcomes have you achieved?

Experience

Agree a plan with your manager to ensure that you cover the necessary ground, as suggested below.

Your evidence should show that you have:

Assisted in, or carried out penetration testing under supervision or in a team, in a variety of environments and ensured that the testing was consistent with risk appetite and tolerance, as well as conforming to all legal requirements and regulations

Or

Have experience in a technical/information security role (such as a System Administrator) or SOC/NOC analyst

You must show that you:

Do penetration testing and that your testing follows a systematic and appropriately analytic process

Have some experience of using penetration testing tools and techniques

Effectively communicate the outcomes and implications of penetration tests to colleagues and/or customers and ensure that they understand them

Can recognise when a decision must be escalated because of implications beyond your level of responsibility or experience

Are developing your understanding of penetration testing and associated research

The Certification Process – next steps

This Application Guidance contains material designed to help individuals applying for Practitioner Penetration Tester. The certification processes for the different CBs follow below.

1. If you are considering applying for the Senior or Principal level, you will need to show wider experience of more complex systems and satisfy the requirement for higher skill levels and the appropriate technical qualification(s). Supervisory experience to show evidence of coaching and developing other Penetration Testers would also be helpful for the Senior level and consultancy experience would be appropriate for the Principal level.

2. If you are applying for the Lead level, you will need to show that you influence and direct the penetration testing function at an organisational or inter-organisational level and satisfy the requirement for higher skill levels. For example, you directly and regularly brief or advise a Directors’ Board in this regard.

There are 3 CBs: the APM Group (www.apmg-ia.com), BCS, the Chartered Institute for IT (www.bcs.org) and the IISP, RHUL and CREST Consortium (www.iisp.org). Certification is for 3 years and requires evidence of continuing professional development throughout the period of certification.

The CCP Scheme Certification Learning Cycle

References

[a] ‘CESG Certification for IA Specialists’ Standard

[b] CESG Guidance to Certification for IA Specialists

Glossary

CHECK   IT Health Check Service
NOC     Network Operations Centre
SOC     Security Operations Centre

IA CESG A2i Hubble Road Cheltenham Gloucestershire GL51 0EX

Tel: +44 (0)1242 709141 Fax: +44 (0)1242 709193 Email: [email protected]

© Crown Copyright 2014. Communications on CESG telecommunications systems may be monitored or recorded to secure the effective operation of the system and for other lawful purposes. This information is exempt under the Freedom of Information Act 2000 and may be exempt under other UK Information legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or email [email protected].