Penetration Testing Security Clearance

Many penetration testing assignments are related to highly secure and sensitive environments and so require that the pentesting team holds an appropriate level of security clearance. This clearance ensures that the individual is suitable and can be trusted to access classified or protectively marked materials.

Security Clearance For Pen Testing

Security clearances are defined at different levels depending on the nature of the work and the sensitivity of the target. In the UK, a pentester will often need a Security Check (SC), which involves checking that their criminal record is clear and that they don’t have a dossier in the intelligence services. It is a formal requirement when working for central government, law enforcement (police or forensic science services) or the military.

Security Clearance in the UK

In the UK, security clearance checks are performed by the United Kingdom Security Vetting (UKSV) upon request from a government department, organisation or a List-X company. Here, we’ll mainly discuss the UK, but the principles are similar in the US, EU and NATO.

Regardless of the clearance level, protectively marked material should only be available to personnel with a ‘need-to-know clearance’. For example, Developed Vetting (DV) will not give you access to everything that is TOP SECRET, just what is relevant to your role. Some of the main principles of allowing security clearance include:

• The level of clearance issued should be appropriate to a person’s position and need
• Security clearances should be reviewed regularly – the frequency of the reviews increases, the higher the clearance level

Levels of Security Clearance

There are different levels and types of security clearance that you might need.

Basic Personnel Security Standard (BPSS, formerly Basic Check)

• Provides a basic level of assurance about the trustworthiness and integrity of an individual
• Reviews official identity documents, verifying:
  • Identity
  • Signature
  • Address
  • Employment history
  • Education
• Allows access to CONFIDENTIAL assets and information
• Does not give access to protectively-marked assets and information

Counter-Terrorist Check (CTC)

• Required for personnel working on places close to public or sensitive figures
• Gives access to information/material vulnerable to terrorist attack
• Gives unrestricted access to certain government or commercial establishments
• Does not give access to protectively-marked assets and information

Security Check (SC)

• Involves all the checks carried out for BC, plus:
  • UK criminal and security checks
  • A credit check to ensure that you have good control over your finances and aren’t vulnerable to financial incentives
• Requires you to have been a UK resident for a minimum of five years, but is actually usually given only to British citizens (or citizens of their close allies)
• Must be renewed when you change employer or every 10 years
• Allows uncontrolled access to SECRET and controlled access to TOP SECRET assets and information

Developed Vetting (DV)

This is the highest official level of security clearance. It is required for people who have regular access to TOP SECRET assets/information or work for the intelligence or security services.

• Involves:
  • All the checks carried out for an SC
  • Completion of a DV questionnaire
  • A detailed financial check
  • Checking of references
  • A detailed interview with a vetting officer, which may involve your family members and some probing questions
• Requires a minimum of 10 years’ residence in the UK, though virtually given only to British citizens
• Given only on a project-by-project, need-to-know basis

Your task

Find out the equivalent security clearance levels and requirements in your country. If you’re from the UK, choose another country to explore.

How do they compare to the UK?

Further reading

United Kingdom Security Vetting