Cyber Essentials Checklist

Preparing for Cyber Essentials: A Cyber Essentials Checklist

The Cyber Essentials Certification


A Cyber Essentials Checklist can help your business prepare its SAQ submission, and give you the best chance to remove any potential issues with your submission and achieve certification the first time.

Cyber Essentials is a UK government backed scheme to assess your business against a minimum set of security standards covering five main categories and protecting you from the most common cyber attacks carried out by cyber criminals.


    The five categories which are reviewed as part of the certification process are the following:

    • Firewalls
    • Secure Configuration
    • Security Update Management
    • User Access Control
    • Malware Protection

    The assessment process will involve your submission of a Cyber Essentials Self-Assessment Questionnaire (SAQ), which will then be independently reviewed.

    The SAQ may then be sent back to you, to further clarify areas that were not described in enough detail, or to change areas of your organisation that don’t meet the certification requirements.

    Provided you have met all of the requirements and answered every question with enough detail, you will be awarded the certification. You can then renew this certificate each year, or proceed to the Cyber Essentials Plus Certification.

    If you are looking into Cyber Essentials Plus Certification, there is a further checklist for you to review before that assessment, detailed in the post “Cyber Essentials Plus Checklist”.

    A Cyber Essentials Introduction

    Cyber Essentials Certification

    The SAQ is a series of questions that request information on how you manage and secure your organisation. If you haven’t already downloaded a copy of the questionnaire you can access it from the IASME Consortium, here.

    Regardless of the size of your company, whether a one-person business or a large enterprise, everyone must adhere to the same standards of security to ensure a minimum level of protection is applied against common cyber attacks.

    Whether you have never implemented security standards before, or are looking to modify existing standards, the following recommendations can hopefully provide some insight into the Cyber Essentials requirements.

    Conduct a Cyber Essentials Gap Analysis

    If you haven’t gone through the assessment before, it is recommended to briefly carry out a gap analysis.

    While an experienced consultant can help you carry out a gap analysis in more detail, the aim is to review the requirements for certification and identify where your organisation already meets them, and where you need to implement a new policy or procedure, or change your existing setup, to match them.

    After downloading the SAQ, read through each of the questions, and create a list of the policies and processes you are asked to provide information for as well as the configuration settings you are asked to adhere to.

    You may already adhere to many of these standards, but where you don’t currently have anything in place or need to update your current setup, this provides a concise to-do list for you to work on before you invest some time and money into your self-assessment submission.

    If you have never completed a Cyber Essentials assessment before and are unsure where to begin, you can also complete a readiness check using the IASME-developed quiz, which can highlight areas you may need to improve before you start completing the SAQ.

    Read the Requirements for IT Infrastructure

    Cyber Essentials Requirements for IT Infrastructure

    One of the questions for the SAQ is confirming you have read the Requirements for IT Infrastructure document, also available here.

    This is a crucial document to be familiar with because it outlines exactly how you should be managing your devices and users to ensure your compliance with the requirements.

    If you identify requirements from this document that you currently don’t adhere to, then updating your existing company policies and setup to ensure your compliance with the requirements is recommended before proceeding with the SAQ submission.

    Determine your in-scope devices and services

    The Requirements for IT Infrastructure document includes a detailed section called Scope.

    The Scope provides a specific list of conditions that determine whether devices are in scope or out of scope for Cyber Essentials. While there are multiple considerations, the three key criteria that determine if a device is in or out of scope are whether the device:

    • can accept incoming network connections from untrusted internet-connected hosts
    • can establish user-initiated outbound connections to devices via the internet
    • can control the flow of data between any of the above devices and the internet.

    Determining the correct Scope is particularly important, as out-of-scope devices do not need to be listed on the SAQ and do not need a practical assessment if you are planning on Cyber Essentials Plus. This can save you both time and money if devices are correctly defined as out of scope.

    The management of users, third parties with access to your systems, and cloud services is also covered within the Scope.

    It is important to review the details of how each of these should be managed as it can mean the difference between a pass and fail for your assessment.

    Prepare an Asset list for your Business

    Cyber Essentials Asset List

    The SAQ requires that you provide details of each device within your organisation. This includes the model of the device, the operating system of the device, and the license if applicable.

    Maintaining an asset list for your company that documents this information is recommended: the list can grow gradually as you purchase new equipment, which saves you from having to track down and document all of your equipment at submission time.

    The asset list can be used to log other useful information that may be relevant for your company, such as who the device has been issued to, when a maintenance check was last conducted, what software has been installed, and if the device has been decommissioned.

    An accurate asset list can also help you to track your installed operating systems, and to ensure updates are applied consistently across your devices.

    The Cyber Essentials submission process also allows you to upload a document when submitting details about your devices, so a well-maintained asset list can help to speed up this process.

    Prepare a User Account list for your Business

    In a similar fashion to your documented asset list, it is also recommended to keep track of each of your user accounts that have been issued.

    Part of the Cyber Essentials SAQ is focused on User Access Control, requesting you define how users are tracked, how admin accounts are issued, and how account permissions are managed.

    Maintaining a central list of users, including such information as when an account was created, who it has been issued to, and what permissions have been assigned to the user, allows you to secure your company accounts, as you can more closely manage your users and their permissions.

    A documented list of users also allows you to keep a record of each account assigned to your staff members, so that, if they leave the company, removing their accounts becomes a simple process.

    This allows you to adhere to multiple questions within the SAQ which request information on how you manage your users.

    A crucial part of this process should include having approval and authorization granted and documented whenever you set up an admin account to ensure you adhere to good practice security standards and the Cyber Essentials certification requirements.

    Implement IT Security Policies

    Cyber Essentials Security Policies

    As you work through your SAQ, you will encounter multiple questions that ask if you have implemented a process or policy to manage certain aspects of your organization.

    These processes can include the setup of new devices, issuing a new user account, or ensuring secure passwords are in use.

    Many different approaches and solutions could be used to manage the implementation of a process, but it is recommended to first define a documented policy that outlines what should be done to manage your accounts or devices.

    The policy can outline the standards you want to see in place to keep your devices up to date or to add or remove users.

    To align with the Cyber Essentials requirements defined in the self-assessment questionnaire, you may already have existing policies that only require a small update, or you may need to create and implement new policies.

    Once you have your policies in place, you can review different solutions to ensure there is a process in place that implements your policies.

    This can be as simple as a spreadsheet that lists all your devices and requires an authorized person to sign off on the spreadsheet when they make changes or updates to devices.

    Alternatively, you could invest time and resources into a software solution to track and manage your processes where you can automate your maintenance and tracking of devices and accounts.

    Implement a Device Management Policy

    Cyber Essentials requires you to manage and maintain all of the devices that are used to access your company accounts and data; this can even include personal devices if they are used to access your business systems.

    Your devices need to be configured to a secure standard, have the necessary software installed, user accounts issued, password policies set up, and firewalls configured, and you need to ensure the device is maintained and kept up to date throughout the year.

    It is recommended to have a standardised setup process that can be applied to all your devices and ensures every setting you need, and want, is in place before the device is provided to a user or installed into your organisation.

    Each of your devices can then be logged on an Asset List, and you can require monthly or quarterly checks of the device to be completed to ensure no issues have been introduced, the device is still running as intended, and everything has the latest available updates applied.

    Some of the requirements from the Cyber Essentials SAQ that can be included in your device management process include:

    • Software and Operating systems licensed and supported
    • Automatic updates applied or updates checked manually within 14 days
    • Unnecessary software removed from devices
    • Unsupported software removed from devices
    • Anti-malware software installed with automatic updates
    • Auto-run or Auto-play disabled on devices where applicable

    Implement a Firewall Management Policy

    Cyber Essentials Firewall Management

    The SAQ has a dedicated section for the management of firewalls within your company, which includes making sure it is configured correctly, accounts are set up securely, any changes that are made receive approval, and that you regularly review the set of access controls that are set up on the device.

    You may manage a dedicated firewall device, or may only use the software firewalls installed on laptops and desktops. In either situation, the Cyber Essentials firewall management requirements will need to be implemented.

    It is recommended to have a dedicated firewall management policy, which will detail the exact set of requirements for how you manage your firewall, how you ensure it is set up correctly, and how you ensure it is maintained over time.

    Refer back to the SAQ questions for firewall management and ensure your policies are meeting the requirements for certification, including the following:

    • Software Firewalls Enabled on devices
    • Only necessary services made Internet accessible
    • Every service accessible through your internet gateways is documented with a business case.
    • Regular check and review of internet-accessible services, removing any considered unnecessary

    Implement a Password Management Policy

    How you implement and manage secure passwords is a requirement for your firewalls, servers, user devices, mobiles, cloud services, and other systems your organisation makes use of.

    Maintaining a dedicated password policy document, which outlines the security standards that need to be implemented for each of your accounts is recommended to ensure your company maintains a high level of security, minimizes the potential of account compromise, and ensures that you align with the requirements for certification.

    With your defined policy in place, review the configuration settings for each of your systems and update them to ensure compliance with your new policy. Unfortunately, some solutions will not offer the option to change the password requirements.

    In this scenario it is important to conduct staff training, highlighting what your company policies are for passwords and security, and informing your staff on their importance and role in the company to ensure security is maintained.

    To comply with the certification requirements you can ensure your policies for secure passwords and accounts include the following configuration standards:

    • Default User Accounts and Passwords changed
    • Unnecessary user accounts removed from devices
    • Unique Usernames and Passwords created for each user
    • Admin accounts not used for day-to-day activities
    • Staff Training and Education in place for Security Policies and Password Policy
    • Process in place to change passwords if accounts are believed to be compromised.
    • Cloud Services setup with Multi-Factor Authentication
    • Password policy configured to meet one of the following standards:
      • Multi-factor authentication, with a minimum password length of 8 characters
      • Automatic blocking of common passwords, with a minimum password length of 8 characters
      • A minimum password length of 12 characters
    • Login restrictions in place when not using Multi-Factor Authentication:
      • Restrict the number of login attempts that can be made to no more than 10 in 5 minutes
      • Lockout accounts after 10 unsuccessful login attempts

    Before your Cyber Essentials SAQ Submission

    Cyber Essentials Self Assessment

    Review each Question, Guidance, and Answer Type

    Every question requires an answer, and every answer should provide as much detail as necessary. Some questions will only require a Yes or No, whereas others will require a description of how you manage a certain aspect of your company.

    If the question text asks you to describe a process, you should write a few sentences that describe what your process is, how it has been implemented, how it is reviewed, and how you ensure the process is being carried out.

    Your aim is for a Cyber Essentials assessor, with no prior knowledge of your company, to be clear on your business’s approach, and have no details that remain vague or unclear, as these answers can often be rejected and the assessor may ask for further information.

    Check your devices and software are up to date

    Your operating systems and software are all required to be kept licensed, supported, and updated within 14 days of a critical security update being released, as detailed under the Security Update Management requirements.

    The process of gathering all of the required information, preparing policies, and completing the SAQ can commonly take a few weeks or longer.

    It may be the case that updated versions of software have been released during this time, so a final check for updates before completing your submission is recommended to ensure no outdated software is highlighted as being in use.

    If you are unsure whether your device is outdated or unsupported, you can review the information at EndOfLife.date which provides a great resource for quickly looking up current supported versions.
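    As an added example (not code from the post), this Python reviews a constructed asset list against the two checks described above: critical updates applied within 14 days of release, and software still within vendor support. The asset-list fields, the device records, and the support-end dates are constructed for illustration; real support dates would come from the vendor or EndOfLife.date.

```python
"""Added example: flag asset-list entries that breach the 14-day update
rule or run unsupported software. All records and dates are constructed."""
from datetime import date, timedelta

PATCH_DEADLINE = timedelta(days=14)

# Constructed support table: product -> date support ends (placeholder values).
SUPPORT_ENDS = {
    "ExampleOS 10": date(2025, 1, 1),
    "ExampleOS 11": date(2027, 6, 30),
}

# Constructed asset-list records; in practice these come from your asset list.
ASSETS = [
    {"device": "LAPTOP-01", "os": "ExampleOS 11",
     "critical_update_released": date(2024, 3, 1), "update_applied": date(2024, 3, 10)},
    {"device": "LAPTOP-02", "os": "ExampleOS 11",
     "critical_update_released": date(2024, 3, 1), "update_applied": None},
    {"device": "DESKTOP-07", "os": "ExampleOS 10",
     "critical_update_released": date(2024, 3, 1), "update_applied": date(2024, 3, 2)},
]


def review_assets(assets, today):
    """Return {device: [findings]} for assets that would be non-compliant on `today`."""
    findings = {}
    for a in assets:
        issues = []
        # Check 1: operating system still supported by the vendor.
        end = SUPPORT_ENDS.get(a["os"])
        if end is None:
            issues.append(f"support status of {a['os']} unknown; verify before submission")
        elif end <= today:
            issues.append(f"{a['os']} unsupported since {end}")
        # Check 2: critical update applied within 14 days of release.
        released = a["critical_update_released"]
        applied = a["update_applied"]
        deadline = released + PATCH_DEADLINE
        if applied is None:
            if today > deadline:
                issues.append(f"critical update from {released} not applied; "
                              f"14-day deadline {deadline} has passed")
        elif applied > deadline:
            issues.append(f"critical update applied {(applied - released).days} "
                          f"days after release (limit 14)")
        if issues:
            findings[a["device"]] = issues
    return findings


if __name__ == "__main__":
    for device, issues in review_assets(ASSETS, date.today()).items():
        print(device, issues)
```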

    Review your Malware Protection Solution

    Cyber Essentials Malware Protection

    Your in-scope devices are required to have a Malware Protection solution in place. For many of your devices, you may have software installed to maintain protection, in which case ensure the latest updates are in place before the submission of your SAQ.

    However, it is common that where you have mobile phones in scope, these will not have anti-malware software installed.

    As your mobile devices will still need to maintain protection from Malware, ensure you have a solution in place that keeps them protected and is still compliant with the certification requirements.

    This may be to limit the applications that users can set up and install on their mobiles to a pre-approved and documented list, or you may have a Mobile Device Management System (MDM) already set up which can achieve a similar restriction.

    This can often be a difficult part of any assessment, especially if your staff use personal mobiles to sign in to work email and other accounts, as these personal devices are seen as in scope for Cyber Essentials.

    In this scenario, you may need to make some decisions about how people are using personal devices to access work accounts.

    The personal devices will either need to be incorporated into your company management practices as they are in scope for Cyber Essentials or they will need to be stopped from accessing your company accounts, to take them out of scope.

    Conclusion

    If you are new to implementing security standards, Cyber Essentials can be a great introduction for your company, ensuring your organisation as a whole conforms to a set of requirements that protect you from the most common cyber attacks.

    The Cyber Essentials standard is also filled with small details that can be easily overlooked if you are not familiar with the requirements.

    The Cyber Essentials Checklist can hopefully provide you with some useful information when navigating the compliance standards, preparing your business for assessment, and improving your overall cyber security.

    Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.

    When you submit your SAQ, it will be independently reviewed by a qualified assessor.

    For each question in the SAQ they will either award a Pass, request further information for answers they feel need additional clarification, or grade the answer as Non-Compliant.

    Where answers have been graded as Non-Compliant or requiring further information, you will have the opportunity to change your company policies and processes to meet the compliance requirements, update the questionnaire, and resubmit for further assessment.

    Where you have devices that access your company accounts and data, they are considered a point of risk and compromise for your organisation.

    If you apply no management and security controls over these devices, they may be compromised by common cyber attacks, resulting in access to your company accounts, data, and credentials.

    Personal devices that are used to access your company will need to meet the same security requirements as all other devices that are accessing your company, or their access removed.

    Some of the most common types of cyber attack that adherence to the certification standards aims to protect against include:

    • Account Compromise. Default credentials, weak passwords, leaked credentials and brute-force password attacks are some of the most common methods used to access user accounts. These attacks often target internet-accessible login services, which is why password security, account security, multi-factor authentication, and protected firewall services form a large part of the certification requirements.
    • Malware and Ransomware. The delivery of malicious software can be through several vectors such as a web download link, an email attachment, or sometimes a USB device. Where this occurs you need to ensure your devices have multiple levels of protection in place as safeguards and restrictions against the malicious software.
      • Up-to-date Malware Protection software can ideally identify the malicious files, and prevent their execution.
      • Up-to-date Software and Operating systems can ensure there are no known vulnerabilities that the malicious software can instantly exploit due to missing updates.
      • Your day-to-day account running with reduced permissions prevents the software from instantly gaining admin access to your device.

    Cyber Essentials provides a security review of your existing organisation including policies, processes, devices, software, and accounts. The assessment is an independently reviewed questionnaire and is more aligned with a security audit focusing on documentation and policies.

    Cyber Essentials Plus introduces a practical testing requirement for the certification. However, the Plus standard is more aligned with a vulnerability scan than a Penetration Test, although the checks included in a Plus assessment go beyond just a vulnerability scan.

    A Penetration test includes a combination of automated scans and manual vulnerability tests. This can be against your devices, web applications, and other services. Cyber Essentials doesn’t currently include vulnerability testing of web applications or extensive manual vulnerability tests.
