What is the Cyber Essentials scheme, and how do we comply?
21st August 2014
Alastair Stewart, IT Governance Ltd
www.itgovernance.co.uk

Description: Find out about the UK Government's new Cyber Essentials scheme: what it is, how you can comply and why it is good for your business.

Page 1: What is the UK Cyber Essentials scheme? (title slide)

Page 2: Introduction

© IT Governance Ltd 2014

• Alastair Stewart
• PCI DSS Consultant at IT Governance Ltd
• Cyber Essentials Consultant & Trainer
• Associate of (ISC)2 for CISSP

Page 3: Agenda

• Cyber breaches: key facts
• What sorts of breaches?
• An overview of Cyber Essentials
• The requirements of CES
• IT Governance: a CREST-accredited certification body
• Meeting the CES requirements at your own pace and within budget
• How documentation aids compliance
• Going beyond CES
• Using CES as part of your wider cyber resilience

Page 4: Cyber breaches: key facts

• In 2013, 81% of large organisations and 61% of small organisations suffered data breaches.
• The median number of breaches per company was:
  – Large organisations: 16
  – Small organisations: 6
• Average cost of the worst single breach:
  – Large organisations: £600k - £1.15m
  – Small organisations: £65k - £115k
• 59% of respondents expect more breaches this year than last.

Source: PwC and BIS, 2014 ISBS Survey

60% of breached small organisations close down within 6 months (National Cyber Security Alliance)

Page 5: What sorts of breaches?

Of large organisations:
• External attack – 55%
• Malware or viruses – 73%
• Denial of Service – 38%
• Network penetration (detected) – 24%
  – (if you don’t think you’ve been breached, you’re not looking hard enough)
• Know they’ve suffered IP theft – 16%
• Staff-related security breaches – 58%
• Breaches caused by inadvertent human error – 31%

Source: PwC and BIS, 2014 ISBS Survey

Page 6: Governance of Cyber Security

Cyber Risk: How Should Boards Respond?

[Diagram: the Board sits above Security Management (business and IT, activities and processes) and governs it through three activities: Evaluate (proposals), Direct (plans and policies) and Monitor (performance and conformance). The inputs to this cycle are the business objectives and the cyber risk environment.]

“Corporate governance consists of the set of processes, customs, policies, laws and institutions affecting the way people direct, administer or control a corporation.” (Wikipedia)

Management “is the act of getting people together to accomplish desired goals and objectives using available resources efficiently and effectively.” (Wikipedia)

Governance ≠ Management

Page 7: Cyber Security Framework

Effective cyber security depends on resilience: co-ordinated, integrated preparations for rebuffing, responding to and recovering from a wide range of possible attacks.

• A strategy is essential.
• A management system is fundamental.
• Defence, continuity and recovery must each be provided for.
• No single stand-alone solution is sufficient.
• Money will be required.
• 80% of breaches could be prevented through basic security ‘hygiene’.

Page 8: Why assess Cyber Security risk?

Demands for assurance

74% of respondents say their customers prefer dealing with suppliers with proven cyber security credentials, while 50% say their company has been asked about its information security measures by customers in the past 12 months.

The need for increased compliance

Given our findings, and the fact that the existence of the best-practice information security standard ISO/IEC 27001 is known to 87% of respondents, it is striking that only 35% of responding organisations are compliant with the standard.

Page 9: The Cyber Essentials Scheme

• A government scheme designed to make the UK a safer place for online business
• Part of the Government’s National Cyber Security Strategy
• Outlines requirements for mitigating the most common internet-based threats
• Designed not to exclude SMEs

Page 10: Background to CES

• Has evolved from other schemes and HMG guidance such as:
  – 10 Steps to Cyber Security
  – Small Businesses: What you need to know about cyber security
• Forms the next stage from these schemes
• Gives practical controls to implement
• Involves a level of independent testing to give assurance to other parties
• Designed as a security profile for all businesses to follow
• Addresses SME-specific challenges in implementing cyber security

Page 11: Certification Options

• Cyber Essentials
  – Self-assessed by completing a questionnaire
  – Certification Bodies will verify compliance
  – Different CBs will use different methods to verify compliance
• Cyber Essentials Plus
  – All of the previous option
  – Also includes independent vulnerability testing
• The different options don’t indicate the security stance, but the robustness of the check on the security stance

Page 12: Scoping Controls of CES

• The scope should be clearly defined at the start of a CES project
• It should include internal and external systems
• You should consider service providers such as cloud service or hosting providers
• Should exclude bespoke or highly complex IT systems (SCADA, POS etc.)
• A meaningless scope creates a useless implementation

Page 13: The CES Controls

1. Boundary firewalls and internet gateways
Objective: Information, applications and computers within the organisation’s internal networks should be protected against unauthorised access and disclosure from the internet, using boundary firewalls, internet gateways or equivalent network devices.

2. Secure Configuration
Objective: Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.

3. User Access Control
Objective: User accounts, particularly those with special access privileges (e.g. administrative accounts), should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.

Page 14: The CES Controls (continued)

4. Malware Protection
Objective: Computers that are exposed to the internet should be protected against malware infection through the use of malware protection software.

5. Patch Management
Objective: Software running on computers and network devices should be kept up to date and have the latest security patches installed.
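As an added illustration for the five control objectives on pages 13 and 14 (this is not code from the slides, nor IT Governance's toolkit or gap analysis tool), the script below turns each objective into a measurable check over an asset inventory and produces a per-control gap list. The inventory records, the field names, the authorised-administrator list, the role-to-service table and the 14-day patch and 1-day signature thresholds are all assumptions made for the example, not figures taken from the scheme.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One in-scope computer or network device (constructed record, not a real host)."""
    name: str
    internet_facing: bool
    firewall_default_deny: bool          # control 1: inbound traffic denied unless explicitly allowed
    listening_services: list             # control 2: services this host exposes
    admin_accounts: list                 # control 3: accounts holding administrative rights
    antimalware_installed: bool          # control 4
    antimalware_signature_age_days: int  # control 4
    days_since_last_security_patch: int  # control 5


# Assumed policy parameters for this illustration (placeholders, not the scheme's own figures).
ROLE_SERVICES = {"web": {"https"}, "mail": {"smtp", "imaps"}, "workstation": set()}
AUTHORISED_ADMINS = {"alice", "bob"}
MAX_PATCH_AGE_DAYS = 14
MAX_SIGNATURE_AGE_DAYS = 1

CONTROLS = (
    "1 Boundary firewalls and internet gateways",
    "2 Secure configuration",
    "3 User access control",
    "4 Malware protection",
    "5 Patch management",
)


def check_asset(asset, role):
    """Evaluate one asset against the five objectives; returns control -> list of findings."""
    findings = {control: [] for control in CONTROLS}
    c1, c2, c3, c4, c5 = CONTROLS

    # 1. Internet-facing hosts must sit behind a default-deny boundary.
    if asset.internet_facing and not asset.firewall_default_deny:
        findings[c1].append("no default-deny inbound rule at the boundary")

    # 2. Only the services needed for the host's role should be listening.
    extra = set(asset.listening_services) - ROLE_SERVICES[role]
    if extra:
        findings[c2].append(f"services not required for role '{role}': {sorted(extra)}")

    # 3. Administrative rights only for named, authorised individuals.
    unauthorised = set(asset.admin_accounts) - AUTHORISED_ADMINS
    if unauthorised:
        findings[c3].append(f"unauthorised admin accounts: {sorted(unauthorised)}")

    # 4. Internet-exposed computers need installed and current malware protection.
    if asset.internet_facing:
        if not asset.antimalware_installed:
            findings[c4].append("no malware protection installed")
        elif asset.antimalware_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
            findings[c4].append(f"signatures {asset.antimalware_signature_age_days} days old")

    # 5. Security patches applied within the assumed window.
    if asset.days_since_last_security_patch > MAX_PATCH_AGE_DAYS:
        findings[c5].append(f"last security patch {asset.days_since_last_security_patch} days ago")

    return findings


def gap_report(inventory):
    """Aggregate findings per control across (asset, role) pairs; an empty list means the control passes."""
    report = {control: [] for control in CONTROLS}
    for asset, role in inventory:
        for control, items in check_asset(asset, role).items():
            report[control].extend(f"{asset.name}: {item}" for item in items)
    return report


# Constructed sample inventory: one compliant web server, one with gaps, one internal workstation.
SAMPLE_INVENTORY = [
    (Asset("web01", True, True, ["https"], ["alice"], True, 0, 3), "web"),
    (Asset("web02", True, False, ["https", "telnet"], ["alice", "mallory"], False, 0, 40), "web"),
    (Asset("pc-07", False, True, [], ["bob"], True, 5, 2), "workstation"),
]

if __name__ == "__main__":
    for control, items in gap_report(SAMPLE_INVENTORY).items():
        status = "PASS" if not items else "GAP "
        print(f"{status} {control}")
        for item in items:
            print(f"      - {item}")
```

Run on the constructed inventory, web01 and pc-07 pass every check while web02 opens a finding under all five controls; the point of the structure is that each objective on the slides is expressed as a yes/no test on recorded evidence, which is the same shape a gap analysis or questionnaire answer needs to take.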

Page 15: Certification Bodies

• Accreditation bodies
  – Accredit or license organisations to be certification bodies
  – Ensure certification bodies are competent and able to implement the certification process
• Certification bodies
  – Must meet the requirements set out by the accreditation bodies
  – Must follow the accreditation body’s certification scheme
• Currently only two ABs: IASME & CREST
• IASME CBs can only certify to CE
• CREST CBs can certify to CE and CE+

Page 16: IT Governance Ltd: a CREST-approved CB

• We follow CREST’s certification scheme
• Allows certification at both levels
• CE is verified by external vulnerability scanning
  – Provides a more robust check than just the questionnaire
• CE+ uses internal vulnerability assessments
  – Assessments performed by CREST-approved penetration testers

Page 17: How to comply?

IT Governance can help.

Page 18

We are a CREST member and a CREST-accredited certification body for CES.

Page 19: Certification

We offer three solutions for certification.

DO-IT-YOURSELF: You implement the requirements yourself and we provide certification subject to compliance.

GET A LITTLE HELP: We give you the implementation tools and provide certification subject to compliance.

GET A LOT OF HELP: We show you how to implement the requirements and provide certification subject to compliance.

Package components shown on the slide: Training, Toolkit, Online help, Certification; On-site consultancy; Toolkit, Certification.

Page 20: Why us?

• CREST approved
• Able to offer both CE and CE+ certification
• Perform both the external and internal scanning in house
• Expertise surrounding Cyber Resilience
• Able to integrate CES into other information security standards

Page 21: The Toolkit

• Designed to aid in meeting the controls
• Includes policy and procedure templates
• Utilises record templates
• Includes a Gap Analysis tool

Page 22: The Gap Analysis Tool

• Easy and simple interface
• Lists all the controls and requirements
• Offers locations to find further guidance
• Clear and simple summary layout to show progress

Page 23: Why Policies and Procedures?

• Most effective way of implementing the controls and maintaining compliance
  – Allows you to set the accepted standard for the five control areas
  – Responsibility for the controls can be assigned through policies
  – Effectiveness of the controls can be monitored
  – Procedures for implementing the controls can be developed and standardised
• Writing policies requires a level of understanding of management systems

Page 24: Beyond CES

• CES is derived from ‘10 Steps to Cyber Security’
  – Only covers 5 of the 10
• Mapped to ISO/IEC 27001 & 27002
• Mapped to PCI DSS
• Compliance with another standard doesn’t automatically mean compliance with CES

Page 25: Next steps to consider

• Evolve your CES into an ISMS and create a robust and cyber-resilient system for your business processes.
• Consider the Cloud Controls Matrix (CCM) as well as protecting devices with BYOD policies and procedures.
• Make the right choice for a permanent solution.

Page 26: ISO27001, The Cyber Security Standard

ISO/IEC 27001, together with the international code of practice ISO/IEC 27002, provides a globally recognised standard and best-practice framework for addressing the entire range of cyber risks.

- CES could be a first step to ISO27001
- CES could add strength to an existing ISMS

Page 27: Benefits

Being Cyber Resilient:
• Reduce insurance costs
• Major cost saving
• Impress customers
• Protect reputation
• Avoid significant disruption
• Survival
• Protect jobs
• Win new business:
  - Existing markets
  - Supply Chain Assurance
  - Contracting with HMG
• Impress stakeholders

Page 28: Any Questions?

For more information on our products and services you can simply email us here:
[email protected]

Or call us on:
+44 (0)1353 771107

Cyber Essentials: A Pocket Guide – £3.49
Cyber Essentials Gap Analysis Tool – £19.95
Cyber Essentials Documentation Toolkit – £99.95
DIY Package – CE: £400, CE Plus: £1,150
‘Get a little help’ Package – CE: £885, CE Plus: £1,635
‘Get a lot of help’ Package – CE: £1,245, CE Plus: £1,995