For clients using commercially available vulnerability testing services, the TIGER Scheme provides a means of validating the credentials and ability of security testers.
The TigerScheme SST qualification is recognized as appropriate for testing the security of systems and networks with a Business Impact Level of 1 or 2 for Confidentiality (HMG IA Standard Number 1, Part 1)
The TigerScheme SST qualification is recognized by CESG (the UK National Technical Authority for IA) as equivalent to the CHECK Team Leader Assault Course. It is accepted by CESG as a qualification for CHECK Team Leaders employed by CHECK Scheme companies
The Operating Authority will maintain a web-accessible database of successfully qualified testers, together with their qualifications and the date of their examinations. Each qualified practitioner will be allocated a unique ID and a registration card, which can be used to locate their credentials on the web site.
The TIGER Scheme is aimed at individuals, and provides a yardstick for personal abilities. However, it is recognised that users of commercial services sometimes require more than a demonstration of personal ability, for example:
- Does the company employing the individual implement secure handling procedures for my vulnerability information?
- Does the company carry out reliability checks on the individuals they send out on assignment?
- Are there any references that I can see before using the service?
TigerScheme recommends that companies wishing to offer an independently validated service should use the CESG Claims Tested Mark Scheme.
Overall, the TIGER Scheme will lead to a market with variations in services, from singleton operators with baseline skills, to larger companies with verified supporting services and a range of practitioner skills. The TIGER Scheme is heavily driven by the needs of end users of vulnerability testing services, and aims to ensure that the range of requirements in this area is met with an equally diverse range of offerings.
