ITHC


An ITHC, or IT Health Check, is an IT security assessment required, as part of an accreditation process, for many government computer systems in the UK. [1] [2]

An ITHC is generally performed by an external service provider, although NCSC personnel may perform ITHCs on especially sensitive systems. It can touch on both applications and infrastructure, and involves an element of penetration testing. [3] [4]

CHECK is a scheme for ITHC providers, run by NCSC.

Related Research Articles

A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

BrowseAloud is assistive technology software that adds text-to-speech functionality to websites. It is designed by Texthelp Ltd, a Northern Ireland-based company that specialises in the design of assistive technology. BrowseAloud adds speech and reading support tools to online content to extend the reach of websites for people who require reading support. The JavaScript-based tool adds a floating toolbar to the web page being visited. The service is paid for by the website's publisher and is free to website visitors.

IT security standards: technology standards and techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization

IT security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

Metasploit Project: computer security testing tool

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7.

Security testing: the process of finding flaws in the security of information systems

Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing the security testing process is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

Centre for the Protection of National Infrastructure (CPNI) is the United Kingdom government authority which provides protective security advice to businesses and organisations across the national infrastructure.

The International Council of Electronic Commerce Consultants (EC-Council) is an American organization that offers cybersecurity certification, education, training, and services in various cybersecurity skills. EC-Council is headquartered in Albuquerque, New Mexico, and has certified over 237,000 professionals from 145 countries.

Offensive Security Certified Professional (OSCP) is an ethical hacking certification offered by Offensive Security that teaches penetration testing methodologies and the use of the tools included with the Kali Linux distribution. The OSCP is a hands-on penetration testing certification, requiring holders to successfully attack and penetrate various live machines in a safe lab environment. It is considered more technical than other ethical hacking certifications, and is one of the few certifications that requires evidence of practical penetration testing skills.

Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Core Security by HelpSystems is an American computer and network security company that provides cyber threat prevention and identity access management software products and services, including penetration testing, network traffic analysis, threat detection, privileged access management, and identity governance. The company's research arm, CoreLabs, identifies new IT security vulnerabilities, publishes public vulnerability advisories, and works with vendors to assist in eliminating the exposures they find.

IASME

IASME Governance is an Information Assurance standard that is designed to be simple and affordable to help improve the cyber security of small and medium-sized enterprises (SMEs).

The cyber security community in the United Kingdom is diverse, with many stakeholder groups contributing to support the UK Cyber Security Strategy. The following is a list of some of these stakeholders.

Cyber Essentials is a United Kingdom certification scheme designed to show an organisation has a minimum level of protection in cyber security through annual assessments.

Founded in 2010, ADISA Certification Limited is a certification body for companies that provide IT Asset Disposal services and for manufacturers and developers of software and hardware data sanitisation solutions.

Parrot OS

Parrot OS is a Linux distribution based on Debian with a focus on security, privacy, and development.

National Cyber Security Centre (Ireland)

The National Cyber Security Centre (NCSC) is a government computer security organisation in Ireland, an operational arm of the Department of the Environment, Climate and Communications. The NCSC was developed in 2013 and formally established by the Irish government in July 2015. It is responsible for Ireland's cyber security, with primary focus on securing government networks, protecting critical national infrastructure, and assisting businesses and citizens in protecting their own systems. The NCSC incorporates the Computer Security Incident Response Team (CSIRT-IE).

The National Cyber Security Centre (NCSC) is an organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats. Based in London, it became operational in October 2016, and its parent organisation is GCHQ.

The zero trust security model, sometimes known as perimeterless security, describes an approach to the design and implementation of IT systems. The main concept behind zero trust is “never trust, always verify,” which means that devices should not be trusted by default, even if they are connected to a managed corporate network such as the corporate LAN and even if they were previously verified. In most modern enterprise environments, corporate networks consist of many interconnected segments, cloud-based services and infrastructure, connections to remote and mobile environments, and increasingly connections to non-conventional IT, such as IoT devices. The once traditional approach of trusting devices within a notional corporate perimeter, or devices connected to it via a VPN, makes less sense in such highly diverse and distributed environments. Instead, the zero trust approach advocates mutual authentication, including checking the identity and integrity of devices without respect to location, and providing access to applications and services based on the confidence of device identity and device health in combination with user authentication.

On 14 May 2021, the Health Service Executive (HSE) of Ireland suffered a major ransomware cyberattack which caused all of its IT systems nationwide to be shut down.

References

  1. "CHECK - Fundamental Principles of the CHECK Service". Retrieved 2017-06-02.
  2. "IT Health Check (ITHC): supporting guidance". Retrieved 2017-06-02.
  3. "About Tigerscheme". Retrieved 2010-10-13.
  4. "About CREST Penetration Testing". Archived 2011-08-02 at the Wayback Machine.