CHECK

We have included information about CHECK because we have done many assessments in the United Kingdom over the years; it is an important part of doing assessments there, especially when you are carrying out security assessments for the government or the Ministry of Defence.

So, you are probably wondering what CHECK is. Before we can define it, we will provide some background on the group that was part of the establishment of CHECK. This group is the National Technical Authority for Information Assurance, or as they are more often known, the Communications-Electronics Security Group (CESG). CESG is a provider of IT health checks for the assessment of systems that handle protectively marked information.

When a company belongs to CHECK, it gives clients the assurance that the company will provide a high level of service as long as the CHECK guidelines are adhered to. CHECK can be used with systems that contain confidential information, but for systems that contain secret information, additional permission is required from CESG. One of the challenges for a company becoming a CHECK member is the requirement that, to have access to protectively marked information, the tester or team member must hold at least a Security Check (SC) clearance. Additional information can be found at the following link:

https://www.cesg.gov.uk/scheme/penetration-testing.

Additionally, a team member can meet the requirements by passing an examination. The details of the examinations will not be discussed here, but an example with additional reference information is shown in the following screenshot:

[Screenshot: CHECK examination details]

Now that we have briefly looked at what CHECK is, we can look at what it provides for us when it comes to carrying out our pen testing or assessments. CHECK consists of fundamental principles that identify the basic requirements of the CHECK system.

An example of the two components of membership and assignments is shown in the following screenshot:

[Screenshot: CHECK membership and assignment components]

The last thing we want to look at from CHECK is the reporting requirements. One of the most important things we do as professional security testers is develop a report. Unfortunately, it is also one of the things that usually gets the least attention. When it comes to testing, most classes will show you the showboat skills of exploitation and the like. The reality, however, is that the more time you spend learning how to draft and create a report, the better you will be at delivering what the client wants: a report on your findings and, moreover, a complete list of your recommendations for improving their security posture based on those findings. Throughout this chapter and the remainder of the book, we will continue to focus on the deliverable for the client, and that is the report.

An example of the report submission requirements in CHECK is shown in the following screenshot:

[Screenshot: CHECK report submission requirements]