Difference between revisions of "Cyber Essentials"

Cyber Essentials

Cyber Essentials is a government backed scheme that hopes to promote good Cyber security. However, its scope and depth is so limited that in reality offers little protection from all but the most casual of attacks. We believe that our existing ISO polices and accreditation offer far more resilient cover and have therefore chosen not to undertake cyber Essentials certification at this time.

Nonetheless, we understand that this some customers may require this and to this end we have completed the questionnaire for Cyber essentials below to provide you with the answers you may require (Note that we would strongly recommend that you refer to our ISO polices which outline full details for each control rather than the simple yes\no answers required by this scheme.)

Remote Vulnerability Scan (Stage 1 – Cyber Essentials) Available on request. Full VAS scan conducted every month

Workstation Assessment (Stage 2 - Cyber Essentials PLUS only) Available on request. Full VAS scan conducted every month Cloud / Shared Services Assessment N\A.

Security Controls Questionnaire Boundary firewalls and Internet Gateways Question Response Options 1. Have one or more firewalls (or similar network device) been installed on the boundary of the organisation’s internal network(s)? Yes

2. Has the default administrative password of the firewall (or equivalent network device) been changed to an alternative difficult to guess password? Yes

3. Has each open connection (i.e. allowed ports and services) on the firewall been subject to approval by an authorised business representative and documented (including an explanation of business need)? Yes always

4. Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification? Yes always

5. Have firewall rules that are no longer required been removed or disabled? Yes

6. Are firewall rules subject to regular review? Yes

7. Have computers that do not need to connect to the Internet been prevented from initiating connections to the Internet (Default deny)? Yes

8. Has the administrative interface used to manage the boundary firewall been configured such that it is not accessible from the Internet? Yes

8a. Does the administrative interface require second factor authentication or is access limited to a specific address? Yes

9. Are unnecessary user accounts on internal workstations (or equivalent Active Directory Domain) (eg. Guest, previous employees) removed or disabled? Yes always

10. Have default passwords for any user accounts been changed to a suitably strong password? Yes always

11. Are difficult to guess passwords defined in policy and enforced technically for all users and administrators? Yes always 12. Has the auto-run feature been disabled (to prevent software programs running automatically when removable storage media is connected to a computer or network folders are mounted)? Yes always

13. Has unnecessary (frequently vendor bundled) software been removed or disabled and do systems only have software on them that is required to meet business requirements? Yes always

14. Is all additional software added to workstations approved by IT or Management staff prior to installation and are standard users prevented from installing software? Yes always

15. Has a personal firewall (or equivalent) been enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default? Yes always

16. Are all user workstations built from a fully hardened base platform to ensure consistency and security across the estate? Yes always

17. Are Active Directory (or equivalent directory services tools) controls used to centralise the management and deployment of hardening and lockdown policies? Yes always

18. Are proxy servers used to provide controlled access to the Internet for relevant machines and users? Never

19. Is an offline backup or file journaling policy and solution in place to provide protection against malware that encrypts user data files? Yes always

20. Is there a corporate policy on log retention and the centralised storage and management of log information? Yes always

21. Are log files retained for operating systems on both servers and workstations? Yes always

22. Are log files retained for relevant applications on both servers (including DHCP logs) and workstations for a period of at least three months? Yes always

23. Are Internet access (for both web and mail) log files retained for a period of least three months? Yes always

24. Are mobile devices and tablets managed centrally to provide remote wiping and locking in the event of loss or theft? Yes always

25. Is a Mobile Device Management solution in place for hardening and controlling all mobile platforms in use within the organisation? Yes always

26. Remote (Internet) access to commercially or personal sensitive data and critical information requires authentication. Yes

27. Is user account creation subject to a full provisioning and approval process? Yes always

28. Are system administrative access privileges restricted to a limited number of authorised individuals? Yes always

29. Are user accounts assigned to specific individuals and are staff trained not to disclose their password to anyone? Yes always

30. Are all administrative accounts (including service accounts) only used to perform legitimate administrative activities, with no access granted to external email or the Internet? Yes always

31. Are system administrative accounts (including service accounts) configured to lock out after a number of unsuccessful attempts? 3 Failures

32. Is there a password policy covering the following points: - Yes All 6 Points a. How to avoid choosing obvious passwords (such as those based on easily-discoverable information). b. Not to choose common passwords (use of technical means, using a password blacklist recommended). c. No password reuse. d. Where and how they may record passwords to store and retrieve them securely. e. If password management software is allowed, if so, which. f. Which passwords they really must memorise and not record anywhere.

33. Are users authenticated using suitably strong passwords, as a minimum, before being granted access to applications and computers? Yes always

34. Are user accounts removed or disabled when no longer required (eg. when an individual changes role or leaves the organisation) or after a predefined period of inactivity (eg. 3 months)? Yes always

35. Are data shares (shared drives) configured to provide access strictly linked to job function in order to maintain the security of information held within sensitive business functions such as HR and Finance? Yes always

Malware protection

36. Which of the following is in use within the organisation: a. Anti-virus or Malware protection (continue to Q37-40) - Yes b. Application whitelisting (Continue to Q41-43) - Yes c. Application Sandboxing (Continue to Q44) - Yes

37. Has anti-virus or malware protection software been installed on all computers that are connected to or capable of connecting to the Internet? In most cases

38. Has anti-virus or malware protection software (including program/engine code and malware signature files) been kept up-to-date (either by configuring it to update automatically or through the use of centrally managed service)? Yes always

39. Has anti-virus or malware protection software been configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when accessed (via a web browser)? Yes always

40. Has malware protection software been configured to perform regular periodic scans (eg daily)? Yes always

41. Are all applications which execute on devices approved by the business and restricted by code signing or other protection mechanisms? Yes always

42. Does the organisation maintain a list of approved application? Yes

43. Are users prevented from installing any other applications and by what means? Yes

44. Is any unknown code limited to execute within a sandbox and cannot access other resources unless the user grants explicit permission? Yes

Patch management

45. Do you apply security patches to software running on computers and network devices? In most cases

46. Has software running on computers that are connected to or capable of connecting to the Internet been licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available? In most cases

47. Has out-date or older software been removed from computer and network devices that are connected to or capable of connecting to the Internet? In most cases

48. Have all security patches for software running on computers and network devices that are connected to or capable of connecting to the Internet been installed within 14 days of release or automatically when they become available from vendors? In most cases

49. Are all smart phones kept up to date with vendor updates and application updates? In most cases

50. Are all tablets kept up to date with vendor updates and application updates? In most cases

51. Do you perform regular vulnerability scans of your internal networks and workstations to identify possible problems and ensure they are addressed? Yes always

52. Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed? Yes always