Full Report
First, some background on CREST in the form of blatant plagiarism… CREST – The Council for Registered Ethical Security Testers – exists to serve the needs of a global information security marketplace that increasingly requires the services of a regulated and professional security testing capability. They provide globally recognised, up to date certifications for organisations and individuals providing penetration testing services. For organisations, CREST provides a provable validation of security testing methodologies and practices, aiding with client engagement and procurement processes, and proving that your company is committed to providing testing services to the highest standard.
Analysis Summary
Based on the provided article, the content is introductory and promotional, focusing on the *existence*, *purpose*, and *upcoming organizational activities* related to CREST (The Council for Registered Ethical Security Testers) in the context of South Africa.
**Crucially, the article does not contain specific, technical, or actionable security recommendations, implementation guidance, configuration best practices, or step-by-step instructions.** It primarily advocates for the *adoption and validation* of professional security testing standards.
Therefore, this summary focuses on the recommendations implied by participating in or adopting a professional standard such as CREST, rather than on specific technical controls, since the article mentions none.
# Best Practices: Adopting Professional Security Testing Standards (CREST Alignment)
## Overview
These practices address the governance and quality assurance of external security testing services. By adhering to recognized professional standards like those promoted by CREST, organizations ensure that penetration testing and security assessments are conducted using validated methodologies, leading to higher quality findings and improved risk management.
## Key Recommendations
### Immediate Actions
1. **Acknowledge the Need for Regulated Testing:** Immediately recognize that relying on unregulated, ad-hoc testing exposes the organization to inconsistent quality and methodology risks.
2. **Identify Key Stakeholders for Quality Assurance:** Determine which internal teams (Procurement, Risk, IT Security) need to be involved in vetting and selecting external security testing providers.
### Short-term Improvements (1-3 months)
1. **Establish Procurement Criteria for Testing:** Update Request for Proposal (RFP) documentation to require evidence of recognized, up-to-date security testing certifications (e.g., CREST organizational membership or individual certifications) for all prospective vendors.
2. **Evaluate Current Vendor Capabilities:** Review contracts and recent test reports from existing penetration testing vendors to assess their adherence to globally recognized, professional methodologies.
### Long-term Strategy (3+ months)
1. **Pursue Formal Compliance Validation:** For internal testing teams or external partners, begin the process of achieving organizational accreditation or certification with recognized bodies (like CREST) to provide provable validation of security testing methodologies.
2. **Integrate Standards into Governance:** Formally integrate the standards and demonstrable commitment required by professional bodies into the organization's overall Information Security Governance framework.
## Implementation Guidance
### For Small Organizations
- **Focus on Individual Credibility:** Prioritize procuring services where key personnel hold globally recognized individual certifications, even if organizational accreditation is not immediately feasible.
- **Mandate Thorough Reporting:** Require that all procured tests include detailed methodology descriptions proving adherence to recognized frameworks.
### For Medium Organizations
- **Develop Formal Vetting Checklists:** Create specific checklists based on recognized standards to score prospective security testing vendors during procurement reviews.
- **Budget for Certified Training:** Allocate funds for staff involved in managing security assurance programs to understand the expectations of professional testing standards.
### For Large Enterprises
- **Establish Organizational Validation:** Make achieving and maintaining organizational accreditation (like CREST validation) a mandatory requirement for all third-party penetration testing contracts.
- **Drive Industry Discussion:** Participate in local security community forums or standards workshops to influence the adoption of high standards within the national security marketplace.
## Configuration Examples
*The source article does not provide technical configuration details.*
## Compliance Alignment
The adoption of professional testing standards aligns indirectly with requirements for robust governance and third-party risk management found in:
- **ISO/IEC 27001:** Specifically related to supplier relationships (A.15) and competence/awareness (A.7).
- **NIST SP 800-53 (SA series):** Requirements for security assessment and testing procedures.
- **CIS Critical Security Controls (Control 17):** Focusing on third-party governance and oversight.
## Common Pitfalls to Avoid
- **Assuming Certification Equals Quality:** Do not assume a provider is qualified simply because it claims to perform testing; verify its adherence to standardized, validated methodologies.
- **Focusing Solely on Price:** Prioritizing the lowest cost vendor over one that provides provable validation of their security testing practices will likely result in overlooked critical vulnerabilities.
- **Ignoring Professional Development:** Failing to require ongoing professional development and certification renewal for security testers leads to outdated testing practices that miss modern threats.
## Resources
- **Standards Bodies:** Investigate the official documentation provided by The Council for Registered Ethical Security Testers (CREST) or equivalent recognized bodies to understand their required methodologies.
- **Local Security Summits:** Attend local industry events organized by groups such as ITWeb Cybersecurity Summits to engage directly with standards bodies and subject matter experts regarding local adoption pathways.