Known and unknown
Much detail of what the fledgling Australia and New Zealand chapters of CREST will do is unknown because both are in formative stages. They are eager to declare that final decisions ultimately rest with board members and are several months away, if not more. What is known is that the CREST bodies will require pen testers and their organisations to pass – and pay for – rigorous audits and examinations on a recurring basis. And chapter members have independently flagged their ambition to preserve uniformity where possible with the CREST model in Britain.
If the British structures are maintained, it will likely mean CREST-certified pen testers could be recognised and find easy work within Australia, New Zealand, Britain and Canada, where a CREST chapter is also forming. McKitrick and others are also considering setting up buffers to prevent large Australian firms from “cannibalising” the smaller New Zealand market, and a trans-Tasman auditing model, under which Australian CREST companies will be audited by Kiwi pen testing firms and vice-versa.
CREST examinations, audits and fee structures will need to be tweaked to suit local laws and regulations, even if chapters on both sides of the Tasman agree to implement them as uniformly as possible. In Britain, CREST charges £7000 ($A10,355) a year for company membership, £1600 ($A2367) plus tax for the senior CREST Certified Tester exam, and £395 ($A584) plus tax for its entry-level CREST Registered Tester exam. CREST certifications are valid for three years.
While CREST Australia will receive government funding, the New Zealand Government has yet to offer monetary support. But McKitrick says it has substantial industry support and has established a budget, though he did not reveal the figure. “We planned it early as a two-year project because we did not want to later make a knee-jerk reaction,” he said.
McKitrick, MacGibbon and others involved in the CREST initiatives say the certification was chosen by consensus after other security certifications were considered, including Britain’s TIGER certification, which rivals CREST.
By the year’s end, CREST New Zealand hopes to set up a grandfathering program, under which pen testing firms will be encouraged to become CREST-certified. It is now drafting criteria for the program. McKitrick says the formation of CREST New Zealand has been predominantly led by pen testing customers, with a smaller representation from suppliers. “We wanted to start this from the buyers’ community because we wanted to make sure it is objective, unbiased, and that no one could say we had colluded with pen testing firms to set the bar too high for others.”
The CREST Australia board includes MacGibbon, colleague Nigel Phair, Datacom TSS general manager Richard Byfield, Telstra CISO Glenn Chisholm, AusCERT general manager Graham Ingram, StratSec CEO Tim Scully, and NGS Secure Asia Pacific general manager Wade Alcorn. The CREST NZ working group, established from the taskforce in late 2010 but not yet a registered company, is composed of representatives from the Bank of New Zealand, Kiwibank, the Department of Internal Affairs, the National Cyber Security Centre, and pen testing firms Insomnia Security and Lateral Security.