Jisc is a CREST-accredited provider of penetration testing.
CREST membership is an internationally-recognised badge of excellence in information security.
In research and education, there is an increasing need for cost-effective penetration testing, which tests systems and networks against real-world cyber attack scenarios.
That’s not just so you can satisfy your own organisation that you’re mitigating cyber security risks – giving increased peace of mind – but also so you can comply with third-party standards, for example when you connect to public-sector networks, for GDPR, Cyber Essentials compliance or processing credit card payments (PCI-DSS).
For these reasons, we offer a penetration testing service, which helps you identify vulnerabilities, assess risks, and take corrective action, all at a cost-effective daily rate.
All work is carried out by our in-house cyber security experts, who are experienced, trained and certified.
We offer this service on a time-bound or scope-bound basis – so you only pay for the days you need. This means it’s cost-effective for you, and can be adapted to your needs and budget.
How does the penetration testing service help my organisation?
This service helps you to:
Evaluate your readiness against real-world attacks
During penetration testing, our experts mimic real-world attacks – looking for ways to circumvent your security systems and data, using tools and techniques commonly used by attackers.
We then provide a comprehensive report, helping you to determine:
Where your vulnerabilities lie – including how well your systems tolerate real-world attacks, and how successfully you detect and respond to them
What impact these vulnerabilities may have – and how likely they are to be exploited
What actions you can take to improve your security posture
Diagram - how the service works
The penetration testing service process:
Creating pivot points
Conduct varying tests according to your needs and budget
Because this is a flexible service, we offer varying scope and depth of penetration testing – making the service cost-effective for you.
Our service could range from a straightforward evaluation of your external networks, to many hours of involved on-campus manual testing.
Alternatively, you may simply be looking to have the security of an individual system or application tested before it is deployed – or you may be interested in the wider security of your network.
Either way, we can adapt our testing schedules to suit you.
Before testing begins, we can advise you on the level of service you are likely to need.
Why use Jisc?
We offer a very competitive member-only rate compared to commercial equivalents
Our expertise lies in testing the applications and systems our members use consistently such as VLEs and student and parent portals; the platforms and services only found in education and research
We feed back our threat findings to the sector, for the benefit of the whole community
We also feed back our findings to software vendors so remediation can take place quickly and fixes can be rolled out across the whole sector
In collaboration with the SOC and CSIRT teams who manage security across the Janet Network, our sector specific threat intelligence is always current and industry leading
We understand the security challenges facing education and research, from the annual influx of new students, to networks across different campuses, devolved IT departments and legacy systems and software
Our security experts can offer workshops as part of an engagement upskill your internal staff to and enhance your testing and security capability for the future
What information would you need to provide?
Different forms of penetration testing mean you need to provide different levels of information about your systems. These include:
White box testing – where you provide full network information
Grey box testing – where you allow the attacker user-level privileges
Black box testing – where you provide no privileged information
Typically you will be required to provide information such as IP ranges; domains; URLs of applications; which systems and applications you consider key; and what IP addresses and systems should be avoided.