Decisions taken by TEC in the meeting dated 21/01/2009

  • CERT-In would like to ensure that the empanelled auditors have the capability to detect 100% of vulnerabilities. Since this is the first attempt at empanelling auditors on the basis of a practical skill test, CERT-In has taken a lenient approach for the time being. However, from the next round onwards, auditors will have to acquire expertise and create resources in their organizations to ensure the capability to detect vulnerabilities, as well as to penetrate, at a level of more than 95%. CERT-In would like to work with the empanelled auditors and all aspirants to create facilities where they can depute their personnel to undergo training in vulnerability detection and penetration. CERT-In, DIT would facilitate this training, with participation from all of them, at a nominal cost.
  • In the present circumstances, the cut-off percentage for the recently conducted practical skill tests has been kept at 60% and above. The list of qualified organizations will be put up on the CERT-In web site after completion of the approval formalities within DIT, in a couple of days. If the cut-off level were raised beyond 60%, it would result in a panel of only two organizations, neither of which could detect more than 70% of the vulnerabilities. Such a situation is not desirable and would have a negative impact.
  • Since the results are not on expected lines, TEC recommends a phased approach to lift the level of test reporting. The organizations that qualify in the recently concluded tests will be provisionally empanelled for the time being. These organizations will be given a set of DVDs that contain the vulnerabilities built for the recent practical tests, which they can test, and they should report at least 90% of the known set of vulnerabilities within a time frame of 2 months. After the two-month period, the provisionally qualified organizations will have to take a re-test, either online or through DVDs as decided by CERT-In, on a new set of known vulnerabilities. In this re-test, the organizations are required to report at least 75% of the known set of vulnerabilities to qualify for re-empanelment. Failure to report 90% of the vulnerabilities within the two-month period, failure to take the re-test within the third month, or failure in the re-test will result in cancellation of their provisional empanelment.
  • Organizations that have not qualified in this round of tests will be given a set of DVDs that contain the vulnerabilities built for the recent practical tests. These organizations are required to test the DVDs and report at least 90% of the known set of vulnerabilities within a time frame of 2 months. If, as per CERT-In's evaluation, the reported vulnerabilities are 90% or more of the master list, CERT-In will empanel the respective organisation provisionally up to April 30, 2009, after completion of the necessary approvals and other formalities. After the two-month period, that is during April 2009, these organizations will have to take a re-test, either online or through DVDs as decided by CERT-In, on a new set of known vulnerabilities. In this re-test, the organizations are required to report at least 75% of the known set of vulnerabilities to qualify for re-empanelment. Failure to report 90% of the vulnerabilities within the two-month period, failure to take the re-test within the third month, or failure in the re-test will result in disqualification from empanelment.
  • The empanelment term will be three years, with review tests each year. The conditions will remain the same as mentioned above.
  • Due weightage will be given to penetration tests in future empanelment. At present, CERT-In has not given any negative weightage for reporting false positives. In future, this will also be taken into account appropriately.
  • Provisions will be made for online access to the test bed from locations such as CERT-In, IISc and a few other places.
  • After an unsuccessful attempt at the practical tests, there will be a cooling period of 3 months. After 3 unsuccessful attempts, organizations will be barred from empanelment unless suitable justification is provided.
  • Future empanelment will have a three step process:
    • Step 1 – empanelment application and document verification
    • Step 2 – DVD-based trials, with a requirement to report at least 90% of the known set of vulnerabilities within a time frame of 2 months.
    • Step 3 – After the two-month period, the organizations will have to take a practical test, either online or through DVDs as decided by CERT-In, on a new set of known vulnerabilities. In this practical test, the organizations are required to report at least 75% of the known set of vulnerabilities to qualify for empanelment. Failure to report 90% of the vulnerabilities within the two-month period, failure to take the practical test within the third month, or failure in the practical test will result in disqualification from empanelment.
  • For all future empanelments, Rs.5000/- will be charged at the time of application and at each renewal thereafter.