Security News > 2021 > August > Slap on wrist for NCC Group over CREST exam-cheating scandal as infosec org agrees to rewrite NDAs and more
British infosec firm NCC Group has been rapped over the knuckles after infosec accreditation body CREST found it was "Vicariously responsible" for employees who helped staff cheat certification exams.
"On two occasions between 2012 and 2014, the examination-related activities of one of more NCC Group employees and candidates breached the CREST Code of Conduct and NCC Group was, as their employer, vicariously responsible for those individuals at the time," said CREST. The certification body added that NCC Group's actions also breached its non-disclosure agreements, signed by exam candidates to confirm they won't reveal the exams' contents to anyone.
CREST had some of its exam assessors look at the NCC Group material leaked online.
CREST said there was no evidence that NCC exam candidates' pass rates were higher than its competitors, also pointing out that NCC has never been the top firm for passes as a percentage of candidates entered; though the company is many times bigger than most of the UK infosec sector and enters many more candidates as a result.
That seems to have been successful from NCC's point of view; CREST accepted that its NDAs created "a level of confusion" over "What is unacceptable" for companies and exam candidates alike to do when preparing for CREST exams, and the documents will be rewritten accordingly.
A UK infosec bod who asked for anonymity in case of reprisals told El Reg that he was happy the CREST statement was published, saying that no matter what CREST found he couldn't imagine it would ever eject NCC, one of its biggest backers, from membership.