Cyber Essentials Toolkit Implementation Guide
Cyber Essentials Toolkit: Version 3 ©CertiKit
Cyber Essentials Toolkit v3 Implementation Guide
Contents

1 Foreword ........ 3
1.1 Email support ........ 3
1.2 Regular update service ........ 3
1.3 Review of completed documents ........ 3
1.4 Exclusive access to customer discussion group ........ 3
1.5 Video library subscription ........ 3
1.6 Annual support extensions ........ 4
2 Introduction ........ 5
3 Cyber Essentials certification ........ 7
4 The Cyber Essentials Toolkit ........ 10
5 Implementation resources ........ 11
6 Implementing the five controls of Cyber Essentials ........ 12
6.1 Control 1: Office firewalls and internet gateways ........ 12
6.2 Control 2: Secure configuration ........ 13
6.3 Control 3: User and administrative accounts ........ 14
6.4 Control 4: Malware protection ........ 15
6.5 Control 5: Software patching ........ 16
7 Conclusion ........ 18
8 Frequently asked questions ........ 19
8.1 Why should our organisation be Cyber Essentials certified? ........ 19
8.2 Is Cyber Essentials certification mandatory? ........ 19
8.3 What does it cost? ........ 19
8.4 If we have multiple offices, can we certify just one? ........ 19
8.5 What else do I get for my money? ........ 19
8.6 How will people know we’re certified? ........ 20
8.7 Does Cyber Essentials Certification expire? ........ 20
8.8 We already have the ISO27001 standard – do we still need Cyber Essentials? ........ 20
8.9 What is Cyber Essentials Plus? ........ 20
9 Glossary of terms used ........ 21

Figures

Figure 1: Boundary of scope - ©NCSC ........ 9
www.certikit.com
Page 2 of 22
1 Foreword

Thank you for your interest in the Cyber Essentials toolkit from CertiKit. Before we look at what is inside, here is our commitment to everyone who buys a copy in terms of support.

1.1 Email support

We understand you may need some extra support and advice, which is why we offer unlimited email support for 12 months after buying this toolkit. This can be extended annually as required.

1.2 Regular update service

Cyber security is constantly changing, as is our toolkit product development, which is why we offer one year’s subscription to our Cyber Essentials toolkit update service. You will be notified via email as and when a new version of the toolkit becomes available.

1.3 Review of completed documents

If you need that extra peace of mind once you have completed your documentation, our experts will review up to three of your documents to check everything is in order and complies with the Cyber Essentials controls.

1.4 Exclusive access to customer discussion group

Complying with Cyber Essentials can be a daunting journey, which is why we offer a range of support channels to suit you. This includes our social media discussion group.

1.5 Video library subscription

Your toolkit purchase comes with a 12-month subscription to the CertiKit video library. This can be accessed via your online CertiKit account, which will be automatically created when you buy the toolkit.
1.6 Annual support extensions

We recommend renewing your support package annually to benefit from ongoing support and toolkit updates. If a new version of Cyber Essentials is produced while you are subscribed, you will get the new toolkit, too. To benefit from an extended support period, you can either add a subscription extension when purchasing your toolkit, or you can extend between ten and 14 months after your initial purchase, via your online account.
2 Introduction

This concise guide takes you through the process of implementing the five Cyber Essentials controls using the CertiKit Cyber Essentials Toolkit. Cyber Essentials is a UK government scheme designed to protect companies and organisations, whatever their size, against a range of the most common cyberattacks. Most of these attacks are basic and carried out by relatively unskilled people. They have been described as the digital equivalent of a thief trying a home’s front door to see if it is unlocked.

The Cyber Essentials certification scheme was launched in 2014 by the UK Department for Business, Innovation and Skills (now the Department for Business, Energy and Industrial Strategy) and from April 2020 is operated by the IASME Consortium as a partner to the National Cyber Security Centre (NCSC). The scheme is open to organisations in all countries, so it’s possible to become certified despite not being based in the UK.

Not everyone has the time or money needed to develop a comprehensive cyber security system, so Cyber Essentials has been designed to fit in with whatever level of commitment you are able to sustain. There are three main levels of engagement:

• The simplest is to familiarise yourself with cyber security terminology, gaining enough knowledge to begin securing your IT systems, without becoming certified.
• If you need more certainty in your cyber security (or you want to show others that you’re taking it seriously), you can apply for basic Cyber Essentials certification. The CertiKit toolkit aims to help you with that process and make it quicker and easier.
• For those who want to take cyber security a bit further, Cyber Essentials Plus certification is also available. The five controls are the same as for the basic level, but Plus also includes a more detailed vulnerability scan from inside your network (i.e. someone comes onsite), to check your devices are configured correctly.
The self-assessment option (i.e., without going for certification) still gives you protection against a wide variety of the most common cyberattacks, so we’d encourage you to do this as a minimum. This is important because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others. Certification gives you increased peace of mind that your defences will protect against the majority of common cyberattacks simply because these attacks are looking for “soft” targets which do not have the Cyber Essentials technical controls in place. If you would like to bid for central government contracts which involve handling sensitive and personal information, or the provision of certain technical products and services, you may need to have Cyber Essentials certification, at either the basic or Plus level.

Of course, every organisation is different, and there are many valid ways to embed the basic disciplines of information security. The best way for you may well depend upon a number of factors, including:

• The size of your organisation.
• The culture your organisation has adopted.
• The industry you operate within.
• The resources you have at your disposal.
• Your legal, regulatory and contractual environment.
So, view this guide simply as a pointer to where you could start and a broad indication of the order in which you could do things. There is no single “right way” to implement information security; the important thing is that you end up with a cyber security system which is relevant and appropriate for your specific organisation’s needs.
3 Cyber Essentials certification

The process of obtaining Cyber Essentials certification is relatively simple and generally costs between £300 and £600 plus VAT, depending on which certification body you choose (see below for some advice on this). Cyber Essentials shows you how to address the basics and prevent the most common attacks. So far about 80% of companies and organisations with Cyber Essentials certification have chosen the basic version. It is often larger organisations that choose Cyber Essentials Plus due to the additional cost, which can be several thousand pounds (although this varies – shop around for the most appropriate deal for you).

Cyber Essentials is also useful for those with an eye on the GDPR – the EU’s General Data Protection Regulation – which came into effect in May 2018. The GDPR is a far-reaching regulation, intended to protect the privacy of individuals and their personal data within the European Union. The regulation specifies that “controllers” must determine their own cyber security approaches based on the personal information they hold and process. While Cyber Essentials can help with this, it is not a complete solution for all GDPR obligations. But the Information Commissioner’s Office (ICO), whose job it is to uphold the GDPR in the UK, recommends Cyber Essentials as “a good starting point” for the cyber security of the IT systems and networks you rely on to hold and process personal data.

So, what does Cyber Essentials actually consist of? Well, there are five technical controls (a “control” is simply a way to address a risk) you will need to put in place, which are:

1. Office Firewalls and Internet Gateways: Secure your internet connection with boundary and host-based firewalls.
2. Secure Configuration: Device settings, passwords and two-factor authentication.
3. User and Administrative Accounts: Securing user and administrator accounts and limiting access to data and services.
4. Malware Protection: Viruses, whitelisting and sandboxing (described later).
5. Software Patching: Keep your devices and software up to date.

Cyber Essentials guidance from the UK National Cyber Security Centre and their partner IASME breaks these down into finer details. These controls have been chosen as the highest priority ones from other, more detailed, available guidance such as the ISO27001 standard for information security, the Standard of Good Practice (from the Information Security Forum) and the IASME Governance standard, although Cyber Essentials has a narrower focus, emphasising technical controls rather than more general governance and risk assessment. For those organisations considering ISO27001 certification (possibly in addition to Cyber Essentials), CertiKit has a separate toolkit here.

Cyber Essentials certification involves three simple steps:

1. Select a Certification Body or go directly to IASME themselves (see below).
2. Verify that your computer systems that are in scope are suitably secure and meet the standards set by Cyber Essentials.
3. Complete and submit the questionnaire – your certification body will provide this and verify your answers.
Your first step is to choose a certification body. These are accredited (accreditation is a kind of approval process) by the Cyber Essentials Partner, IASME. Previously, there were five accreditation bodies, but the scheme has recently been simplified to one. IASME has a directory of certification bodies that it has accredited. It is up to you to choose one which feels right for your organisation. It is the certification body which will perform your evaluation and award your Cyber Essentials certificate, but what factors come into play when making your decision? In our experience asking the following questions will help you to choose:

• Do they audit for both Basic and Plus? Check the certification body has the capability to audit the scheme you are going for and if so, how many customers they have for that level. How long have they been auditing for Cyber Essentials and how many qualified people do they have?
• How long will it take? What sort of availability do they have to process your application and how far in advance will you need to book to meet your own timescales for certification?
• How much will it cost? Charges can vary, particularly if you’re going for the advanced version of Cyber Essentials, so it’s best to understand this from the start.
• What is their reputation? Even amongst accredited certification bodies, there are more and less well-known names. Since a lot of the reason for going for certification is to gain credibility with your customers and perhaps regulators, consider which certification body would carry most weight with them.
• How good is their administration? A lot of the frustration we see with certification bodies is not due to the quality of their auditors but their administration processes. You need an auditing company that will arrange the audits professionally and issue your certificate promptly, providing additional materials to help you advertise your certification. When you contact them initially, do they return your call and sound knowledgeable?
• Do they have experience of your industry? Some certification bodies specialise in particular industries and build up a strong knowledge of the issues relevant to their customers. This can be helpful during the audit as basic industry concepts and terms will be understood and time will be saved. Check whether they have audited similar organisations in your industry.
Making a good choice based on the above factors can’t guarantee that the certification process will run smoothly, but by having a good understanding of the accreditation regime and by asking the right questions early on you will have given yourself the best chance possible to have a long and happy certification relationship. Cyber Essentials defines a set of requirements in the five control areas and you will need to make sure your systems and software meet these before you move on to the next stage of certification (see the guidance in the rest of this guide). You may be required to supply various forms of evidence before your chosen certification body can award certification at the level you seek, so it’s best to have this available in case it’s asked for.
You will also need to define the scope of your intended certification. This determines what is certified and, in the case of Cyber Essentials Plus, what is tested. Generally, the scope will be defined by a physical location, such as your main office, but you can choose whether or not to include other aspects, such as remote offices too.
Figure 1: Boundary of scope - ©NCSC
Having understood the requirements which Cyber Essentials puts on the installation, configuration and maintenance of your IT, you are ready to complete the certification questionnaire and submit this to your certification body. The certification body may come back to you with some clarification questions and, once you have answered these, a decision will be reached about whether or not your answers meet the requirements for certification. Once the certification body says you’ve passed, you will be awarded your Cyber Essentials certificate and can use the logo on your website and marketing materials, if you want to. Your certificate remains valid for one year, after which you will need to recertify if you want to stay on the list of certified organisations on the NCSC website. So, the process for Cyber Essentials certification is relatively straightforward. And the CertiKit Cyber Essentials Toolkit aims to make it even more so.
4 The Cyber Essentials Toolkit

The CertiKit Cyber Essentials Toolkit (referred to within this document simply as “the Toolkit”) provides an array of useful documents which provide a starting point for addressing the five controls covered by the scheme. The documents are in Microsoft Office format and consist of Word documents, Excel workbooks and PowerPoint presentations. To open and edit the documents you will need to use the relevant Microsoft application at version 2010 or later. The documents themselves have a common layout, look and feel, and adopt the same conventions for attributes such as page widths, fonts, headings, version information, headers and footers. Custom fields are used for the common items of information that need to be tailored.

The layout and headings of each document have been designed to guide you carefully towards meeting the requirements of Cyber Essentials, and example content has been provided to illustrate the type of information that should be given in the relevant place. This content is based upon an understanding of what a “typical” organisation might want to say, but it is likely that your situation will vary from this profile in some ways, so you will need to think carefully about what content to keep and what to change. The key to using the Toolkit successfully is to review and update each document in the context of your specific organisation. Don’t accept the contents without reading them and thinking about whether they meet your needs – does the document say what you want it to say, or do you need to change various aspects to make it match the way you do things? This is particularly relevant for policies and procedures where there is no “right” answer. The function of the document content is to help you assess what’s right for you, so use due care when considering it. Where the content is likely to need to be amended, we have highlighted these sections.
But please be aware that other non-highlighted sections may also make sense for you to update for your organisation. The remainder of this guide will take you through what you may need to do in each control area and show how the various items in the CertiKit Cyber Essentials Toolkit will help you to meet the requirements quickly and effectively. As we’ve said earlier, regard this guide as helpful advice rather than as a detailed set of instructions to be followed without thought; every organisation is different and the idea of the Toolkit is that it moulds itself over time to fit your specific needs and priorities. We also appreciate that you may be limited for time and so we have kept the guidance short and to the point, covering only what we think you might need to know to achieve certification to Cyber Essentials.
5 Implementation resources

Relevant Toolkit documents:

• Toolkit Completion Instructions
• Cyber Essentials Implementation Guide
• Cyber Essentials Overview
• Cyber Essentials Toolkit Index
• Cyber Essentials Evidence
• Documentation Log
• Project Definition
• Cyber Essentials Project Plan
• Information Security Policy
• Awareness Training Presentation
• Acceptable Use Policy
• Remote Working Policy
• Gap Assessment Tool
• Progress Report
We know from experience that better cyber security doesn’t happen by accident and adding a layer of basic project management to the exercise will make things run a lot more smoothly. So, within the Toolkit we have provided a number of resources that will help you to define your project, manage it and communicate effectively with the relevant people within your organisation. In addition to a project definition, progress report and documentation log, we have added a presentation to be used to raise awareness among your staff and a couple of useful policies which address information security at an overview level. We have also included an overall Information Security Policy which is intended to act as a high-level guide to how your organisation approaches information security. Although this is not explicitly required by Cyber Essentials, you may find that various parties such as big customers may want to see this document, so it can come in very useful. The policy lists the supporting policies within the toolkit (such as Mobile Device Policy and Access Control Policy) and it’s fine to keep it this way. Some organisations decide to combine these policies into a single document, and that’s fine too; there’s no right or wrong way to structure your approach to policies. The Gap Assessment Tool will help you judge how close you currently are to meeting the certification requirements of Cyber Essentials, identify specific actions to be carried out, and provide charts and reports to management on where things stand. Having defined what it is you’re trying to achieve and set the scene within your organisation, it’s time to start looking at the specific controls that Cyber Essentials requires to be in place.
6 Implementing the five controls of Cyber Essentials

6.1 Control 1: Office firewalls and internet gateways

Relevant Toolkit documents:

• Network Security Policy
• Firewall Rule Removal Process
• Firewall Configuration Standard
• Firewall Rule Change Log
• Firewall Review Form
• EXAMPLE Firewall Configuration Standard
• Network Diagram Example
Cyber Essentials certification requires that you configure and use one or more firewalls to protect all your devices from the Internet, including those that connect to public or other untrusted Wi-Fi networks. A firewall simply uses rules to block or allow traffic entering or leaving your network, and these rules can be changed according to what you need to achieve e.g. if you need to be able to log on to a work computer from home. A “Boundary Firewall” is a software or hardware device used to shield your internal network as a whole from the Internet. For a more complicated set-up with more than one location, you might require multiple boundary firewalls. Personal, or “host-based”, firewalls are usually included on desktop and laptop computers with operating systems, such as Windows, often at no extra charge, or they may be part of an anti-virus suite. Make sure these are enabled on every device that has one. Some internet routers (for example, broadband routers) also act as boundary firewalls. But a firewall can also be a stand-alone piece of hardware connected to the router (search for “SOHO firewall” to see some examples). If you’re not sure, it may be appropriate to ask your internet service provider if your router contains a boundary firewall. To configure the firewall rules on a typical Internet router, you will connect to it from within your internal network using a browser such as Google Chrome and log on to the admin panel. We recommend starting with a Network Security Policy that defines your approach to securing your network(s) and provides some context to the setup of your firewall(s). Once that’s defined, it’s a case of making sure that your firewall rules are appropriate for your organisation and that any changes to them are properly justified so that holes which unwanted network traffic can exploit are not introduced over time. 
In the Toolkit, we provide a template standard for your firewall configuration and a way of recording changes to, and reviews of, your firewall rulesets. We also provide a diagram of a small network to show how the different components may fit together. It’s a good idea to create a picture of your own network both to aid understanding and document how it is structured.
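The firewall review described above is easiest to keep honest when the check is mechanical: every rule that lets traffic in must carry a justification and an approver, and inbound rules open to the whole internet deserve a second look at each review. The script below is an added example and is not part of the CertiKit Toolkit; the CSV column layout, the sample rules and the severity levels are assumptions chosen for illustration, and the ruleset itself is constructed.

```python
"""Review a boundary firewall ruleset for undocumented or over-broad allow rules.

Added example, not part of the CertiKit Toolkit. The CSV layout, field names and
the review checks are assumptions chosen for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export of a small ruleset (assumed column layout).
SAMPLE_RULESET = """\
id,direction,source,destination,port,action,justification,approved_by
1,inbound,any,192.168.1.10,443,allow,Public web server,J Smith
2,inbound,any,192.168.1.20,3389,allow,,
3,inbound,203.0.113.5,192.168.1.20,3389,allow,Remote support from IT supplier,J Smith
4,outbound,192.168.1.0/24,any,any,allow,General internet access,J Smith
5,inbound,any,any,any,deny,Default deny,J Smith
"""


@dataclass
class Finding:
    rule_id: str
    severity: str  # "high", "medium" or "info"
    message: str


def load_rules(text: str) -> list[dict]:
    """Parse the CSV export into one dict per rule."""
    return list(csv.DictReader(io.StringIO(text)))


def review_rules(rules: list[dict]) -> list[Finding]:
    """Apply the review checks and return every finding, rule by rule."""
    findings: list[Finding] = []
    has_default_deny = False
    for rule in rules:
        is_inbound = rule["direction"] == "inbound"
        from_anywhere = rule["source"] == "any"
        if rule["action"] == "deny":
            if is_inbound and from_anywhere and rule["destination"] == "any" and rule["port"] == "any":
                has_default_deny = True
            continue  # deny rules close holes; only allow rules need a justification
        if not rule["justification"].strip():
            findings.append(Finding(rule["id"], "high", "allow rule has no documented business justification"))
        if not rule["approved_by"].strip():
            findings.append(Finding(rule["id"], "medium", "allow rule has no recorded approver"))
        if is_inbound and from_anywhere:
            if rule["port"] == "any":
                findings.append(Finding(rule["id"], "high", "inbound allow from any source on any port"))
            else:
                findings.append(Finding(rule["id"], "info",
                                        f"service on port {rule['port']} is reachable from the internet; "
                                        "confirm it is still needed at the next review"))
    if not has_default_deny:
        findings.append(Finding("-", "high", "ruleset has no explicit inbound default-deny rule"))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so the review form can record the totals."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = review_rules(load_rules(SAMPLE_RULESET))
    for f in results:
        print(f"rule {f.rule_id:>2} [{f.severity}] {f.message}")
    print(summarise(results))
```

Run against the constructed ruleset, rule 2 is the one that fails outright: it opens a service to the internet with no justification and no approver, which is exactly the kind of hole that creeps in between reviews. Rule 1 is only flagged for confirmation, because a justified, approved public service is a legitimate inbound rule.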
6.2 Control 2: Secure configuration

Relevant Toolkit documents:

• Logging and Monitoring Policy
• Software Policy
• Mobile Device Policy
• Backup Policy
• Cloud Computing Policy
• Password Policy
• Hardware Inventory
• Configuration Standard
• BYOD Policy
• Configuration Specification
• EXAMPLE Configuration Specification
• EXAMPLE Configuration Standard
• EXAMPLE Hardware Inventory
This control involves choosing the most secure settings for your devices and software. Cyber Essentials certification requires that only necessary software, accounts and apps are used. Most “out-of-the-box” hardware such as laptops is shipped with a set of added-value software and default settings that encourage you to use them, rather than to make them as secure as possible. Attackers often know this, and it makes new computers and devices particularly vulnerable. This means that a process often known as “hardening” is needed, to remove anything that is not required and bring the configuration to a secure starting point. This may involve uninstalling software, amending configuration settings and changing passwords. Those items that are permitted may be defined in a Configuration Standard, which is a document that sets out how a particular device should be set up. It’s important to know what hardware you have, so that you can verify that it is all configured correctly. The Toolkit includes a Hardware Inventory spreadsheet to record details of your devices, and you may be able to obtain some of this information from software tools you already use, such as Microsoft Intune (available as an add-on to Office365). When implemented correctly, passwords are an easy and effective way to prevent unauthorised users accessing your devices. Unfortunately, they can also represent the weakest link in your cyber defences. Passwords should be easy to remember and hard for someone else to guess. The default usernames and passwords which come with new devices, such as “admin” and “password” are the easiest of all for attackers to guess and lists of these may be freely available on the Internet. Change all default passwords before devices are made live (especially your Internet router). The use of other techniques such as PINs and fingerprint recognition (or more recently, facial recognition) can also help secure your devices, such as smartphones.
For higher-risk accounts, such as those with access to financial and administration functions, two-factor authentication, or “2FA” (also known as multi-factor authentication, or “MFA”) is a highly desirable addition. This usually involves a code being texted to your smartphone which must then be entered after your password. Various authentication apps are also available and widely used, such as Google Authenticator. This means that just knowing the password is not enough, and you must also be in possession of the smartphone (or other type of device, such as the calculator-like gadgets used with many banking websites) to be able to log on. So, someone on the other side of the world who has discovered or guessed your password will be frustrated. The National Cyber Security Centre has issued updated guidance on how to approach passwords, and the Password Policy in the Toolkit takes account of this. Within the Toolkit, we also provide a range of policy documents which help to define your approach to areas such as event logging (important for spotting when someone is trying to hack into your systems), backups (vital to recover from a ransomware attack), mobile devices (often a weak link in cyber security) and cloud computing (vulnerable as it is outside your internal network).
6.3 Control 3: User and administrative accounts

Relevant Toolkit documents:

• Access Control Policy
• Internet Acceptable Use Policy
• User Access Management Process
• Cryptographic Policy
• Physical Security Policy
• System Owners
• Admin User Accounts
• Cyber Essentials Poster - Passwords
• EXAMPLE System Owners
• EXAMPLE Admin User Accounts
Cyber Essentials certification requires that you control access to your data through user accounts, and that administrative privileges (e.g. the ability to create users and define who can access what) are only given to those who need them. An Access Control Policy and a User Access Management Process are included in the Toolkit to help you define how this will work within your organisation. To be able to control your user access, it’s important to know what systems your company uses and the user accounts that are registered within them. This can be more difficult than it sounds, especially if you make significant use of cloud services available via the Internet. The Toolkit provides spreadsheets that help to define your systems, establish who your system owners are (these are the people who will decide who should have access to the systems or not) and record users (especially admin users) and their current access levels. For a large number of users this information may be better produced from each application itself via reports. Check regularly that only the right users have access, and that no rogue accounts have been created without your knowledge. Cyber Essentials emphasises that admin accounts should only be used for admin work, and that separate standard user accounts should be in place for everyday computer use, including accessing the Internet. It’s a good idea to prevent users from installing software on their own computers or, if you find this too restrictive, to only allow software from recognised sources, such as the Microsoft Store, to be downloaded. We provide a number of other policies in the Toolkit that cover related areas such as use of encryption, physical security and what constitutes acceptable use of the Internet. We also provide an awareness-raising poster for you to print out (ideally A3 size) and place in user areas. The poster emphasises the need to choose strong passwords and how this may be done.
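The regular access check described above becomes a reconciliation: export the accounts from each system, compare them with the register of people authorised to hold accounts, and report anything that does not match. The script below is an added example, not part of the CertiKit Toolkit; the register, the account export and their column layouts are constructed for illustration. It covers the three conditions the text calls out: rogue accounts with no authorised owner, admin privilege held by someone not approved for it, and admin users who lack the separate standard account they should be using for everyday work.

```python
"""Reconcile a system's exported user accounts against the authorised-users register.

Added example, not part of the CertiKit Toolkit. The register and the export
below are constructed, and their column layouts are assumptions.
"""
import csv
import io

# Constructed register: who may hold an account on this system and whether
# they are approved to hold administrative privileges.
AUTHORISED_USERS = """\
person,role,admin_approved
alice,IT manager,yes
bob,Finance,no
carol,Sales,no
frank,IT support,yes
"""

# Constructed account export from one system (assumed columns). `owner`
# links each account back to a person in the register.
ACCOUNT_EXPORT = """\
username,owner,privilege
alice,alice,standard
alice-admin,alice,admin
bob,bob,standard
bob-admin,bob,admin
dave,dave,standard
erin-admin,erin,admin
frank-admin,frank,admin
"""


def load_csv(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(register_rows: list[dict], account_rows: list[dict]) -> dict[str, list[str]]:
    """Return findings keyed by check name, each a sorted list of usernames."""
    approved_admin = {r["person"]: r["admin_approved"].lower() == "yes" for r in register_rows}
    owners_with_standard = {a["owner"] for a in account_rows if a["privilege"] == "standard"}
    findings: dict[str, list[str]] = {
        "rogue_account": [],                  # owner is not in the register at all
        "admin_not_approved": [],             # admin privilege without approval
        "admin_without_standard_account": [], # admin user has no everyday account
    }
    for acct in account_rows:
        owner = acct["owner"]
        if owner not in approved_admin:
            findings["rogue_account"].append(acct["username"])
            continue  # nothing else to check until the account's existence is explained
        if acct["privilege"] == "admin":
            if not approved_admin[owner]:
                findings["admin_not_approved"].append(acct["username"])
            if owner not in owners_with_standard:
                findings["admin_without_standard_account"].append(acct["username"])
    return {check: sorted(names) for check, names in findings.items()}


if __name__ == "__main__":
    report = reconcile(load_csv(AUTHORISED_USERS), load_csv(ACCOUNT_EXPORT))
    for check, names in report.items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

Each non-empty list is an action for the system owner: remove or justify the rogue accounts, withdraw the unapproved admin privilege, and give frank a standard account so the admin one is only used for admin work.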
6.4 Control 4: Malware protection

Relevant Toolkit documents:

• Anti-Malware Policy
• Electronic Messaging Policy
• Incident Response Plan Ransomware
• Cyber Essentials Poster – Phishing
The term Malware comes from “malicious software”, a general term for computer programs that are designed to have some form of adverse impact on computers on which they run. This includes ransomware, which makes files unusable (because it has encrypted them) until the victim pays a ransom, often in a form of cryptocurrency such as Bitcoin, to obtain the key to decrypt the files. Malware, such as a virus, can be transmitted in an increasing variety of ways, including via an infected email attachment, a compromised website or a user inserting an infected USB stick into their computer. The Toolkit provides a policy covering the correct use of email and a poster to raise awareness of Phishing – the sending of fake emails with malicious intent. Cyber Essentials requires that you use one or more of three common techniques to address malware, namely anti-virus software, whitelisting and sandboxing. Anti-virus software is generally included on the main operating systems used on user computers e.g. Windows 10 and nowadays it does a reasonable job of identifying malware. However, this is very much an “arms-race” situation between the anti-virus software vendor
www.certikit.com
Page 15 of 22
Cyber Essentials Toolkit v3 Implementation Guide
and the writers of the malware, and you may decide that paid-for alternatives provide a better solution. These products are regularly reviewed in magazines and online, so it is worth searching for the technical community's current view of their relative merits. Whichever product you use, it must keep itself up to date automatically; out-of-date anti-virus gives little protection. Depending on how many computers you are managing, it may be important to have a central management console that shows the health of anti-virus controls across the organisation's computer population as a whole, so that a machine whose protection has stopped updating is noticed. Whitelisting requires that you create a list of programs that are allowed to run on the computer and prevent anything else from running. This is effective if the software you use is predictable, but can be unwieldy if you need to move quickly to install a new application for urgent business needs, because every new program (and usually every new version) must be approved before it will run. Sandboxing is a technique used in some software programs that involves segregating a program from everything else on the computer, so that if it is compromised the damage is contained; most current web browsers and many document viewers work this way. Look for software that uses this technique and use it in preference to equivalents that don't. In the Toolkit, we provide an anti-malware policy document which will supplement your malware protection approach.
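The whitelisting decision described above, as an added example that is not part of the CertiKit Toolkit: enforcement on real endpoints belongs in the operating system (Windows AppLocker or WDAC) or a third-party product, but the logic those tools apply is the same as this script shows. A program may run only if the SHA-256 hash of its file, not its name or location, is on the approved list. The demo builds its sample "programs" as constructed files in a temporary directory; the file names and contents are assumptions. It also shows the caveat from the text: a vendor update of an approved program is blocked until someone approves the new hash.

```python
"""Hash-based allow-list check: the decision a whitelisting tool makes before a program runs.

Added example, not CertiKit Toolkit code. Enforcement on real endpoints belongs in the
operating system (Windows AppLocker or WDAC) or a third-party product; this script shows
the underlying logic: a program may run only if the SHA-256 hash of its file, not its
name or location, is on the approved list. Sample files are constructed in a temp dir.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash the file in chunks so large installers do not need to be read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(paths):
    """Create the approved list from a known-good build of the machine."""
    return {sha256_of(p) for p in paths}


def check_program(path, allowlist):
    """Return (allowed, reason). The file name is deliberately ignored."""
    if not os.path.isfile(path):
        return False, "not a regular file"
    digest = sha256_of(path)
    if digest in allowlist:
        return True, "hash on allow-list"
    return False, "hash " + digest[:12] + "... not on allow-list"


def demo():
    """Constructed scenario: two approved programs, then a vendor update of one and
    malware dropped under the name of the other."""
    with tempfile.TemporaryDirectory() as workdir:
        def write(name, content):
            path = os.path.join(workdir, name)
            with open(path, "wb") as fh:
                fh.write(content)
            return path

        app = write("invoice.exe", b"approved application v1")
        tool = write("tool.exe", b"approved tool v1")
        allowlist = build_allowlist([app, tool])

        return {
            "known app": check_program(app, allowlist)[0],
            # Same name, new bytes: blocked until someone approves the update.
            "updated app": check_program(write("invoice.exe", b"approved application v2"), allowlist)[0],
            # Same trusted name, hostile bytes: blocked because the hash differs.
            "malware named tool.exe": check_program(write("tool.exe", b"not the approved tool"), allowlist)[0],
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'run' if allowed else 'BLOCKED'}")
```

Hashing rather than matching on path or file name is what makes the control worthwhile: malware that copies itself over a trusted name still has a different hash. The cost is the one the text warns about, since each legitimate update changes the hash and needs re-approval, which is why products that sign their binaries are easier to whitelist by publisher certificate than by hash.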
6.5 Control 5: Software patching
Relevant Toolkit documents:
• Patch Management Policy
• Software Inventory
• EXAMPLE Software Inventory
Cyber Essentials requires that patches (also known as updates) are applied promptly to the software in use within the organisation, so that the bugs they fix can't be exploited by an attacker; for updates that fix critical or high-risk vulnerabilities the scheme expects this within 14 days of release. There are several ways of doing this and, in the Toolkit, we provide a Patch Management Policy to define your organisation's approach to patching. Of course, it's difficult to know whether your software is being patched if you're not aware of what software you're using, so we also provide a Software Inventory to help you identify the programs that should be patched and whether they are still supported by the vendor. Unsupported software receives no patches at all and must be removed or replaced: for instance, Microsoft ended its support for Windows XP in 2014 and for Windows Vista in 2017. In many cases, it may be as simple as turning on the auto-update function within the software so that it identifies that a patch is available, downloads it and applies it without any human intervention. But sometimes patches go wrong (this has been the case with some Windows updates in the past) so it's a good idea to put some thought into your approach, for example by applying updates to a small group of machines before the rest. For a larger computer population, software inventory and patch management tools are very useful for identifying what is installed where, and the status of patching on specific computers. Two examples are Microsoft Intune (the cloud-based counterpart of Microsoft Configuration Manager, itself previously known as SMS and SCCM) and Desktop Central from ManageEngine.
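Once a software inventory exists, the two questions above (is it still supported, and is it patched in time) can be answered mechanically. The following is an added example, not part of the CertiKit Toolkit, run over a constructed inventory. The inventory columns are assumptions; the end-of-support dates for Windows XP (8 April 2014) and Windows Vista (11 April 2017) are Microsoft's published dates and match the years quoted above; the 14-day window is the Cyber Essentials requirement for updates fixing critical or high-risk vulnerabilities.

```python
"""Flag unsupported software and overdue patches in a software inventory.

Added example, not CertiKit Toolkit code. The inventory columns are assumed. The
end-of-support dates (Windows XP 8 April 2014, Windows Vista 11 April 2017) are
Microsoft's published dates and match the years quoted in the guide. The 14-day
window is the Cyber Essentials requirement for applying updates that fix critical
or high-risk vulnerabilities; a stricter internal policy can lower it.
"""
import csv
import io
from datetime import date, timedelta

END_OF_SUPPORT = {  # product name as it appears in the inventory -> last day of vendor support
    "Windows XP": date(2014, 4, 8),
    "Windows Vista": date(2017, 4, 11),
}
PATCH_WINDOW = timedelta(days=14)

# Constructed sample inventory; a real one would come from Intune, Configuration Manager,
# Desktop Central or the Toolkit's Software Inventory spreadsheet.
INVENTORY = """\
host,product,version,installed_patch_date,latest_patch_released
PC-01,Windows 10,22H2,2024-05-20,2024-05-14
PC-02,Windows 10,22H2,2024-03-12,2024-05-14
PC-03,Windows XP,SP3,2014-03-01,2014-04-08
PC-04,Windows Vista,SP2,2017-01-10,2017-04-11
PC-05,Acme Accounts,4.2,2024-04-30,2024-05-25
"""


def parse_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))


def assess(rows, today, window=PATCH_WINDOW, end_of_support=END_OF_SUPPORT):
    """Sort each inventory row into unsupported, overdue, pending or current."""
    report = {"unsupported": [], "overdue": [], "pending": [], "current": []}
    for row in rows:
        eos = end_of_support.get(row["product"])
        if eos is not None and today > eos:
            # No more patches will ever arrive: the fix is replacement or removal, not patching.
            report["unsupported"].append((row["host"], row["product"], eos.isoformat()))
            continue
        installed = date.fromisoformat(row["installed_patch_date"])
        released = date.fromisoformat(row["latest_patch_released"])
        if installed >= released:
            report["current"].append((row["host"], row["product"]))
            continue
        age = (today - released).days  # days the latest patch has been available but not applied
        bucket = "overdue" if age > window.days else "pending"
        report[bucket].append((row["host"], row["product"], age))
    return report


def run_sample(today_iso="2024-06-01"):
    """Assess the constructed inventory as of a fixed, constructed date."""
    return assess(parse_inventory(INVENTORY), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for bucket, items in run_sample().items():
        print(f"{bucket}: {items}")
```

As of the constructed date, PC-03 and PC-04 are reported as unsupported (and so out of scope for patching altogether), PC-02 is 18 days behind a released update and therefore outside the 14-day window, PC-05 is 7 days behind and still within it, and PC-01 is current. Feeding the same logic with a live export from the patch management tool turns the Software Inventory into a weekly compliance check rather than a one-off document.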
7 Conclusion This implementation guide has taken you through the process of helping your organisation to achieve Cyber Essentials certification, supported by the CertiKit Cyber Essentials Toolkit. Implementing the steps contained in the scheme is always a culture change towards becoming more proactive as an organisation and, with the day-to-day reactive pressures of running a business, it can sometimes seem daunting. However, we hope you will find that the Toolkit is of value in clarifying what needs to be done and speeding up the process of compliance. We wish you good luck in your work and, as always, we welcome any feedback you wish to give us via feedback@certikit.com.
8 Frequently asked questions 8.1 Why should our organisation be Cyber Essentials certified? A malware infection could result in your organisation losing company and client data, disrupting cashflow and taking up staff time. An attack could also put off customers, damage your reputation and even prevent you from trading. Loss of personal data could breach laws such as the GDPR or the Data Protection Act and lead to fines or prosecution. Implementing the controls needed for certification will protect your organisation against the most common cyber threats, show your customers you take cyber security seriously and enable you to bid for government contracts.
8.2 Is Cyber Essentials certification mandatory? Simply put, no it isn’t. But since October 2014, it has been mandatory for suppliers of more sensitive contracts with the British Government to be certified. If your organisation is not certified, you may not be entitled to bid for those lucrative public sector contracts.
8.3 What does it cost? Different certification bodies charge different amounts, but you should expect to pay between £300 and £600 for the basic Cyber Essentials certification.
8.4 If we have multiple offices, can we certify just one? Yes. The boundary of scope would then be limited to that one office, and the Cyber Essentials certificate would name the office that is certified, rather than the entire company.
8.5 What else do I get for my money? As well as peace of mind, you will get a numbered certificate, which lists your boundary of scope. You will also be given permission to display the Cyber Essentials logo on your stationery, website and email signature.
8.6 How will people know we're certified? The National Cyber Security Centre (NCSC) lists all certified organisations on its website; enter an organisation's name in the search box there to see whether or not it is certified to basic Cyber Essentials or Cyber Essentials Plus level.
8.7 Does Cyber Essentials Certification expire? Organisations must re-certify every year to ensure their equipment and processes are secure. The NCSC removes organisations from its certified list if they have not been certified in the past 12 months.
8.8 We already have the ISO27001 standard – do we still need Cyber Essentials? ISO 27001 is an information security standard published by the International Organization for Standardization. There is increasing demand for organisations to have both, especially if they want to be eligible to bid for large tenders, such as those with the Government.
8.9 What is Cyber Essentials Plus? As well as all the benefits of the basic scheme, Cyber Essentials Plus includes authenticated vulnerability scans of an organisation's workstations and mobile devices. This increases the validity of the certification considerably by providing evidence of compliance against the following scenarios:
• Can malicious files get through via internet traffic or email messages?
• Should such content infect a system, how effective is the antivirus and anti-malware software?
• Should the mechanisms fail, how likely is it that the organisation will be compromised due to a failure to patch workstations?
9 Glossary of terms used
Here is a list of some of the terms used in the CertiKit Cyber Essentials Toolkit.
• Applicant: the organisation seeking certification, or sometimes the individual acting as the main point of contact, depending on context.
• Boundary of scope: the whole of an applicant's IT infrastructure, or a sub-set of it. Either way, the boundary must be clearly defined in terms of the business unit managing it, the network boundary and the physical location.
• Devices: includes all types of hosts, networking equipment, servers, networks and end-user equipment such as desktop computers, laptop computers, tablets and mobile phones (smartphones), whether physical or virtual.
• Firewall: a device which restricts access to devices' network services to reduce exposure to a cyber-attack.
  o A boundary firewall is a network device which can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. This is usually, though not always, a piece of software on the router.
  o Alternatively, a personal, or host-based, firewall may be configured on a computer, tablet or smartphone. This works in the same way as a boundary firewall but only protects the single device on which it is configured. This approach can provide for more tailored rules and means that they apply to the device wherever it is used. However, it increases the administrative overhead of managing firewall rules.
• Malware: such as computer viruses, worms and spyware. This is software that has been written and distributed deliberately to perform malicious actions. Potential sources include email attachments, downloads and direct installation of unauthorised software.
• Multi-factor authentication: an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has) and inherence (something the user and only the user is). Two-factor authentication (aka 2FA) is a type, or subset, of multi-factor authentication.
• Patching: a set of changes to a computer program or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs.
• Ransomware: a form of malware which makes data or systems it has infected unusable until the victim makes a payment.
• Sandboxing: a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading.
• Software: includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firmware.
• Virus: a type of malicious software that, when executed, replicates itself by modifying other computer programs and inserting its own code.
• Whitelisting: the practice of specifying an index of approved software applications that are permitted to be present and active on a computer system. The goal of whitelisting is to protect computers and networks from potentially harmful applications.