Difference between revisions of "Cyber Essentials"

From Hornbill
Revision as of 10:07, 30 May 2018

Cyber Essentials

Cyber Essentials is a government-backed scheme that hopes to promote good cyber security. However, its scope and depth are so limited that in reality it offers little protection from all but the most casual of attacks. We believe that our existing ISO policies and accreditation offer far more resilient cover and have therefore chosen not to undertake Cyber Essentials certification at this time.

Nonetheless, we understand that some customers may require this, and to this end we have completed the Cyber Essentials questionnaire below to provide you with the answers you may require. (Note that we would strongly recommend that you refer to our ISO policies, which outline full details for each control, rather than the simple yes/no answers required by this scheme.)


Remote Vulnerability Scan (Stage 1 - Cyber Essentials) | Available on request. Full VAS scan conducted every month.

Workstation Assessment (Stage 2 - Cyber Essentials PLUS only) | Available on request. Full VAS scan conducted every month.

Cloud / Shared Services Assessment | N/A

Security Controls Questionnaire

Boundary firewalls and Internet Gateways
Question | Response Options
1. Have one or more firewalls (or similar network device) been installed on the boundary of the organisation's internal network(s)? | Yes
2. Has the default administrative password of the firewall (or equivalent network device) been changed to an alternative, difficult-to-guess password? | Yes
3. Has each open connection (i.e. allowed ports and services) on the firewall been subject to approval by an authorised business representative and documented (including an explanation of business need)? | Yes always
4. Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default, and do those that are allowed have a business justification? | Yes always
5. Have firewall rules that are no longer required been removed or disabled? | Yes / No / No firewall present
6. Are firewall rules subject to regular review? | Yes / No / No firewall present
7. Have computers that do not need to connect to the Internet been prevented from initiating connections to the Internet (default deny)? | Yes / No
8. Has the administrative interface used to manage the boundary firewall been configured such that it is not accessible from the Internet? 8a. Does the administrative interface require second-factor authentication, or is access limited to a specific address? | Yes / No + Yes to 8a / No

Secure configuration
Question | Response Options
9. Are unnecessary user accounts on internal workstations (or equivalent Active Directory domain) (e.g. Guest, previous employees) removed or disabled? | Yes always / In most cases / Sometimes / Rarely / Never
10. Have default passwords for any user accounts been changed to a suitably strong password? | Yes always / In most cases / Sometimes / Rarely / Never
CREST © 2017, All Rights Reserved. Page 5 Version 3.1 Commercial in Confidence 07/09/2017
11. Are difficult-to-guess passwords defined in policy and enforced technically for all users and administrators? | Yes always / In most cases / Sometimes / Rarely / Never
12. Has the auto-run feature been disabled (to prevent software programs running automatically when removable storage media is connected to a computer or network folders are mounted)? | Yes always / In most cases / Sometimes / Rarely / Never
13. Has unnecessary (frequently vendor-bundled) software been removed or disabled, and do systems only have software on them that is required to meet business requirements? | Yes always / In most cases / Sometimes / Rarely / Never
14. Is all additional software added to workstations approved by IT or management staff prior to installation, and are standard users prevented from installing software? | Yes always / In most cases / Sometimes / Rarely / Never
15. Has a personal firewall (or equivalent) been enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default? | Yes always / In most cases / Sometimes / Rarely / Never
16. Are all user workstations built from a fully hardened base platform to ensure consistency and security across the estate? | Yes always / In most cases / Sometimes / Rarely / Never
17. Are Active Directory (or equivalent directory services tools) controls used to centralise the management and deployment of hardening and lockdown policies? | Yes always / In most cases / Sometimes / Rarely / Never
18. Are proxy servers used to provide controlled access to the Internet for relevant machines and users? | Yes always / In most cases / Sometimes / Rarely / Never
19. Is an offline backup or file journaling policy and solution in place to provide protection against malware that encrypts user data files? | Yes always / No
20. Is there a corporate policy on log retention and the centralised storage and management of log information? | Yes always / In most cases / No
21. Are log files retained for operating systems on both servers and workstations? | Yes always / In most cases / Sometimes / Rarely / Never
22. Are log files retained for relevant applications on both servers (including DHCP logs) and workstations for a period of at least three months? | Yes always / In most cases / Sometimes / Rarely / Never
23. Are Internet access (for both web and mail) log files retained for a period of at least three months? | Yes always / In most cases / Sometimes / Rarely / Never
24. Are mobile devices and tablets managed centrally to provide remote wiping and locking in the event of loss or theft? | Yes always / For most devices / Sometimes / Rarely / Never / N/A
25. Is a Mobile Device Management solution in place for hardening and controlling all mobile platforms in use within the organisation? | Yes always / For most devices / Sometimes / Rarely / Never / N/A
26. Remote (Internet) access to commercially or personally sensitive data and critical information requires authentication. | Yes / No

Access control
Question | Response Options
27. Is user account creation subject to a full provisioning and approval process? | Yes always / In most cases / Sometimes / Rarely / Never
28. Are system administrative access privileges restricted to a limited number of authorised individuals? | Yes always / In most cases / Sometimes / Rarely / Never
29. Are user accounts assigned to specific individuals, and are staff trained not to disclose their password to anyone? | Yes always / In most cases / Sometimes / Rarely / Never
30. Are all administrative accounts (including service accounts) only used to perform legitimate administrative activities, with no access granted to external email or the Internet? | Yes always / In most cases / Sometimes / Rarely / Never
31. Are system administrative accounts (including service accounts) configured to lock out after a number of unsuccessful attempts? | 3 Failures / 6 Failures / 10 Failures / >10 Failures / Never
32. Is there a password policy covering the following points: a. How to avoid choosing obvious passwords (such as those based on easily-discoverable information). b. Not to choose common passwords (use of technical means, such as a password blacklist, recommended). c. No password reuse. d. Where and how they may record passwords to store and retrieve them securely. e. Whether password management software is allowed and, if so, which. f. Which passwords they really must memorise and not record anywhere. | All 6 items / >4 items / >2 items / 1 item / None
33. Are users authenticated using suitably strong passwords, as a minimum, before being granted access to applications and computers? | Yes always / In most cases / Sometimes / Rarely / Never
34. Are user accounts removed or disabled when no longer required (e.g. when an individual changes role or leaves the organisation) or after a predefined period of inactivity (e.g. 3 months)? | Yes always / In most cases / Sometimes / Rarely / Never
35. Are data shares (shared drives) configured to provide access strictly linked to job function, in order to maintain the security of information held within sensitive business functions such as HR and Finance? | Yes always / In most cases / Sometimes / Rarely / Never

Malware protection
Question | Response Options
36. Which of the following is in use within the organisation: a. Anti-virus or malware protection (continue to Q37-40) b. Application whitelisting (continue to Q41-43) c. Application sandboxing (continue to Q44) | a. / b. / c.
37. Has anti-virus or malware protection software been installed on all computers that are connected to or capable of connecting to the Internet? | Yes always / In most cases / Sometimes / Rarely / Never
38. Has anti-virus or malware protection software (including program/engine code and malware signature files) been kept up to date (either by configuring it to update automatically or through the use of a centrally managed service)? | Yes always / In most cases / Sometimes / Rarely / Never
39. Has anti-virus or malware protection software been configured to scan files automatically upon access (including when downloading and opening files, or accessing files on removable storage media or a network folder) and to scan web pages when accessed (via a web browser)? | Yes always / In most cases / Sometimes / Rarely / Never
40. Has malware protection software been configured to perform regular periodic scans (e.g. daily)? | Yes always / In most cases / Sometimes / Rarely / Never
41. Are all applications which execute on devices approved by the business and restricted by code signing or other protection mechanisms? | Yes always / In most cases / Sometimes / Rarely / Never
42. Does the organisation maintain a list of approved applications? | Yes / No
43. Are users prevented from installing any other applications, and by what means? | Yes / No
44. Is any unknown code limited to executing within a sandbox, unable to access other resources unless the user grants explicit permission? | Yes / No

Patch management
Question | Response Options
45. Do you apply security patches to software running on computers and network devices? | Yes always / In most cases / Sometimes / Rarely / Never
46. Has software running on computers that are connected to or capable of connecting to the Internet been licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available? | Yes always / In most cases / Sometimes / Rarely / Never
47. Has out-of-date or older software been removed from computers and network devices that are connected to or capable of connecting to the Internet? | Yes always / In most cases / Sometimes / Rarely / Never
48. Have all security patches for software running on computers and network devices that are connected to or capable of connecting to the Internet been installed within 14 days of release, or automatically when they become available from vendors? | Yes always / In most cases / Sometimes / Rarely / Never
49. Are all smart phones kept up to date with vendor updates and application updates? | Yes always / In most cases / Sometimes / Rarely / No updates available / N/A
50. Are all tablets kept up to date with vendor updates and application updates? | Yes always / In most cases / Sometimes / Rarely / No updates available / N/A
51. Do you perform regular vulnerability scans of your internal networks and workstations to identify possible problems and ensure they are addressed? | Yes always / In most cases / Sometimes / Rarely / No
52. Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed? | Yes always / In most cases / Sometimes / Rarely / No