GCHQ?
If someone selected by GCHQ had just checked my computers for malware, I would be confident that malware was installed, working properly and well hidden. It would be time to throw out the lot and replace it all.
The UK has launched two cyber incident response schemes geared towards helping businesses cope better with the aftermath of malware outbreaks and other hacking attacks. The schemes were launched on Tuesday by the Communications Electronics Security Group (known as CESG), the information security arm of GCHQ, and the Centre for …
I wouldn't let anybody who had been within a whiff of GCHQ anywhere near my servers, even people I suspected of being ex-employees. It's just asking for trouble now they've proven they and the government can't be trusted around innocent people/businesses.
If the government tried to force this crap on the tech industry I'd go abroad too.
"In the same way that SMEs look for a CORGI-certified gas fitter when they are seeking to install a gas boiler, the idea is that the CREST certifications will keep the cowboys out and help to ensure good standards in the tricky world of computer security incident response."
<pedant>Corgi is no longer the register for certified gas and heating engineers; that is now under the auspices of Gas Safe.</pedant>
This does not indemnify the engineer from being held responsible should he not notice a leak (though he should) and a subsequent explosion takes out your dwelling. I wonder if having this certification will mean anything other than "They look like they know what they are doing". Which is something, I suppose.
Plus, you may as well put a great big sign saying "Please Hack Me", in a suitably animated gif, on the corporate website of whoever is either providing the service or has received the service. Plus, I would put money on the service providers in question hiring decent people in the first place, so this is little more than a PR exercise. Plus, the amount of small shops who provide services for other small shops - will this really get taken on board?
My money is on this disappearing into obscurity.
Unless I have completely misunderstood the article.
All certification is "They look like they know what they are doing".
Even accreditation is, to some extent; it's just a question of how much paperwork/evidence you can stack up to show that you do meet the specification.
Even then, accrediting bodies are at pains to point out that there may be faults with your (e.g.) quality system in areas that they haven't assessed.
I don't expect anyone to advertise that they have taken up the CREST response service. No-one wants to advertise "We got hacked, but we used government-approved people to investigate it".
To address your point about take-up of the service. It will work something like this:
1. All companies who process Government material MUST report any breaches to HMG.
2. To ensure confidentiality, those companies must use a CREST-approved supplier to perform the investigation / cleanup.
3. CREST suppliers must pay CESG to have their personnel certified and renewed (as they currently do with CLAS and CHECK).
So, in short, I do not expect the scheme to flounder, I expect it to thrive. The additional costs that the company receiving the CREST service will no doubt incur will be passed on to the Government department for which they are subcontracted which, in turn, will come out of our tax pounds. It's just another way to feed our tax money into the OBN.