
CYBER ESSENTIALS CLIENT WORKBOOK · unauthorised access to an organisation’s sensitive information, often with ease. ... Cyber Essentials Client Workbook 10 USER ACCESS CONTROL


Confidence, Assurance and Certainty

CYBER ESSENTIALS CLIENT WORKBOOK July 2016


Cyber Essentials Client Workbook 1

INTRODUCTION

This document has been produced as a printable and take-away guide to help write a concise response to each of the questions and therefore provide a good commentary for the controls in use prior to entering into the Cyber Essentials application process and completing the formal questionnaire.

Please note that it is a guide to help you understand what goes through a questionnaire assessors mind and their expectations when reading through the responses.

It is possible to achieve certification without following the suggestions and guidance prompts however this may result in more follow up calls from the Certification Body and may lead to unecessary delays or additional costs.

This document should also be used to assist with answering specific questions. Once you are satisfied that all questions have been answered and there is sufficient evidence collated you should login to the web portal, process payment and then submit your answers in the required format for assessment.

Please note that evidence needs to be collated and provided for each control where stated. Evidence should be up to date and ready to be submitted when you are ready to proceed to the formal questionnaire. The completed formal questionnaire must also be countersigned by a Director or Board level equivalent.


CYBER SECURITY ESSENTIALS OVERVIEW

A primary objective of the Cyber Essentials scheme is to make it a safer place to conduct business online. However, determining the benefits of cyber security and knowing where to start are a significant challenge for many organisations of all sizes.

This document presents requirements for mitigating the most common Internet based threats to cyber security. Deploying these controls will assist an organisation in defending against the most common forms of cyber attack emanating from the internet using widely accessible tools which require little skill from the attackers. Organisations implementing these controls can benefit by gaining confidence that basic technical security measures are in place and that important steps are being taken to protect its information and the information of its customers.

The Cyber Essentials scheme lists the requirements for basic technical protection from cyber attacks across five key areas:

1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management

To implement these requirements, organisations will need to determine the technology in scope, review each of the five categories and apply each control specified. Where a particular control cannot be implemented for a sound business reason (e.g. is not practical or possible) alternative controls should be identified and implemented.


Figure 1: Scope of the requirements for basic technical protection


BUSINESS SCOPE

With reference to Figure 1 (Scope), please identify the scope of the system(s) to be assessed under this questionnaire, including locations, network boundaries, management and ownership. Where possible, include IP addresses and/or ranges.

A system name should be provided that uniquely identifies the systems to be assessed, and which will be used on any certificate awarded. (Note: it is not permissible to provide the company name, unless all systems within the organisation are to be assessed.)

Details that should be included within the scope are:

How many sites are in scope, and their locations.

How many computers or servers there are, and how they are connected.

Have any out-of-scope areas been sufficiently segregated (NAT / firewall)?

Describe what cloud services are used (Dropbox, Office 365, Google Drive etc.).

Sample scope

The scope will be our whole office located at 1 Main Street, Smalltown. There are 6 computers running both Windows 8 and 10, connected directly to the internet through the firewall. Internet connectivity is provided through a well-known broadband provider. There is one firewall, supported by a contractor. Office 365 is used as the main back-office application and also for e-mail using Outlook. Dropbox is used for sharing non-sensitive documents. There is another user on site 2 days a week who is not in scope; they do not have access to our IT systems but do use our guest wireless, which is on a separate connection.


BOUNDARY FIREWALLS AND INTERNET GATEWAYS

Boundary firewalls, internet gateways or equivalent network devices are used to protect against unauthorised access and disclosure from the internet. If these devices are not configured correctly cyber attackers can often gain access to computers with ease and access the information they contain.

A boundary firewall can protect against commodity cyber threats – that is, attacks based on capabilities and techniques that are freely available on the internet – by restricting inbound and outbound network traffic to authorised connections. Such restrictions are achieved by applying configuration settings known as firewall rules.

Policies must be in place to administer and manage these rules. Evidence in the form of pictures, log files or screenshots must be supplied where practicable.

# Questions Answer Suggestions and Guidance

1.1 Give the details of any firewall or equivalent network devices

Reference or supply vendor and model details or specification of alternative or equivalent device or configuration settings.

1.2 Who is responsible for the administration of the devices?

Please supply details of the individual or provider who manages the firewall or perimeter security devices, for example: administered by technically proficient staff, a contractor or an outsourced IT provider.

1.3 Who is responsible for setting usernames and passwords on the devices?

As above


1.4 Have the default passwords of the network firewall or alternative device been changed to use alternative and strong passwords or passphrases?

A strong password is typically one that: comprises a minimum number of characters in length; differs from the associated username; contains no more than two identical characters in a row; is not a dictionary word; includes a mixture of numeric and alpha characters; has not been reused within a predetermined period of time (e.g. six months); and has not been used for another account.
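The rule list above is specific enough to be checked mechanically. The following is an added example (not code from the workbook or the Cyber Essentials scheme) that implements each of the listed criteria as a check and reports which ones a candidate password fails. The minimum length of 12, the six-month reuse period, the small dictionary word list and the account names are assumptions made for the example; the workbook gives no numeric minimum length.

```python
"""Password-policy checker for the criteria listed under question 1.4.

Added example: a self-contained Python implementation of the rule list in the
workbook, not code from the workbook or the Cyber Essentials scheme.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for a real dictionary word list (assumption: a deployment
# would load a full list, e.g. the system dictionary).
DICTIONARY_WORDS = {"password", "welcome", "letmein", "firewall", "summer", "smalltown"}


def _digest(password: str) -> str:
    """Hash used only so history can be compared without keeping plaintext.

    Illustration only: a production password store must use a slow, salted
    hash (bcrypt, scrypt or Argon2), not a bare SHA-256.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class PasswordPolicy:
    # The workbook says "a minimum number of characters" without giving one;
    # 12 is an assumed value for this example.
    min_length: int = 12
    # "has not been reused within a predetermined period (e.g. six months)"
    reuse_period: timedelta = timedelta(days=182)


def check_password(password, username, policy, history, other_account_digests, today):
    """Return the names of the rules the candidate password fails (empty = accepted).

    history: list of (digest, retired_on) for the user's previous passwords.
    other_account_digests: set of digests of passwords set on other accounts.
    """
    failures = []
    if len(password) < policy.min_length:
        failures.append("too_short")
    if password.lower() == username.lower():
        failures.append("same_as_username")
    # Three identical characters in a row breaches "no more than two ... in a row".
    if re.search(r"(.)\1\1", password):
        failures.append("repeated_characters")
    if password.lower() in DICTIONARY_WORDS:
        failures.append("dictionary_word")
    if not (re.search(r"[0-9]", password) and re.search(r"[A-Za-z]", password)):
        failures.append("no_alpha_numeric_mix")
    digest = _digest(password)
    if any(d == digest and today - retired_on < policy.reuse_period
           for d, retired_on in history):
        failures.append("reused_too_soon")
    if digest in other_account_digests:
        failures.append("used_on_another_account")
    return failures


def demo():
    """Run the checker over constructed candidates for user 'alice' and return the results."""
    policy = PasswordPolicy()
    today = date(2016, 7, 1)
    history = [(_digest("Rivers-Blue-2015"), date(2016, 5, 1))]   # retired two months ago
    others = {_digest("Shared-Admin-99")}                         # in use on another account
    candidates = ["Rivers-Blue-2016", "Rivers-Blue-2015", "Shared-Admin-99",
                  "password", "Greenhouse1!!!"]
    return {c: check_password(c, "alice", policy, history, others, today) for c in candidates}


if __name__ == "__main__":
    for candidate, result in demo().items():
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Returning the list of failed rules, rather than a single yes/no, is what makes the check useful as evidence: the assessor can see which criterion a rejected password breached, and the same list can be shown to the user at change time.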

1.5 What approval process is in place for authorising network traffic to pass through the boundary devices?

Each service on a computer that is accessible through the boundary firewall or device should be subject to approval by an authorised individual and documented (including an explanation of business need).

1.6 Have unapproved services, or services that are typically vulnerable to attack (such as Server Message Block (SMB), NetBIOS, tftp, RPC, rlogin, rsh or rexec), been disabled (blocked) at the boundary firewall or devices by default?

Services that are typically vulnerable to attack such as Server Message Block (SMB), NetBIOS, tftp, RPC, rlogin, rsh or rexec should be disabled by default at the boundary. Please confirm that they are disabled by default.

1.7 Do you have a corporate policy covering all firewall rules? If some rules are no longer required, are they removed or disabled in a timely manner? Is this policy adhered to (meaning that there are currently no open ports or services that are not essential for the business)?

State the name of the policy, if one exists, or supply details of or describe an alternative process.

1.8 In what circumstances is the administrative interface used to manage boundary firewall configuration accessible from the internet?

For example, are the firewall or equivalent devices ever configured remotely and if so in what circumstance and by whom?

1.9 Confirm that, where there is no requirement for a system to have internet access, a default deny policy is in effect and has been applied correctly, preventing the system from making connections to the internet.

State current device settings or policy requirements for any device that does not require internet access and reason(s) why.
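Questions 1.5, 1.6 and 1.9 all ask for evidence about the firewall rule base, and that evidence is easiest to produce by reviewing the rules rather than describing them from memory. The following is an added example, not code from the workbook or any firewall vendor: a small first-match rule model with three review checks (inbound exposure of the services named in 1.6, outbound default deny for hosts with no internet requirement as in 1.9, and allow rules lacking a documented business need as in 1.5). The rule format, host names and both rulesets are assumptions constructed for the example; a real firewall exports its rules in its own syntax, which would have to be parsed into this shape first. The service-to-port mapping uses the standard well-known ports.

```python
"""Boundary-firewall rule review for questions 1.5, 1.6 and 1.9.

Added example, not code from the workbook: a first-match rule model and the
checks an assessor would expect evidence for. Rule format and host names are
assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard well-known ports for the services named in question 1.6.
VULNERABLE_SERVICES = {
    "SMB":     [("tcp", 445)],
    "NetBIOS": [("udp", 137), ("udp", 138), ("tcp", 139)],
    "tftp":    [("udp", 69)],
    "RPC":     [("tcp", 135), ("tcp", 111), ("udp", 111)],  # MS-RPC endpoint mapper, portmapper
    "rlogin":  [("tcp", 513)],
    "rsh":     [("tcp", 514)],
    "rexec":   [("tcp", 512)],
}

# Outbound probes used to test whether a host can reach the internet at all.
INTERNET_PROBES = [("tcp", 80), ("tcp", 443), ("udp", 53)]


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in" (internet -> internal host) or "out"
    proto: Optional[str]        # "tcp", "udp" or None for any protocol
    port: Optional[int]         # destination port, None for any port
    host: Optional[str]         # internal host the rule applies to, None for all hosts
    justification: str = ""     # documented business need (question 1.5)


@dataclass
class Ruleset:
    rules: List[Rule]
    default_in: str = "deny"
    default_out: str = "deny"

    def decide(self, direction: str, proto: str, port: int, host: str) -> str:
        """First matching rule wins; otherwise the direction's default applies."""
        for r in self.rules:
            if (r.direction == direction and r.proto in (None, proto)
                    and r.port in (None, port) and r.host in (None, host)):
                return r.action
        return self.default_in if direction == "in" else self.default_out


def exposed_vulnerable_services(rs: Ruleset, host: str) -> List[Tuple[str, str, int]]:
    """Question 1.6: listed services reachable from the internet on this host."""
    return [(name, proto, port)
            for name, endpoints in VULNERABLE_SERVICES.items()
            for proto, port in endpoints
            if rs.decide("in", proto, port, host) == "allow"]


def hosts_without_outbound_deny(rs: Ruleset, no_internet_hosts: List[str]) -> List[str]:
    """Question 1.9: hosts that should have no internet access but can still reach it."""
    return [h for h in no_internet_hosts
            if any(rs.decide("out", proto, port, h) == "allow" for proto, port in INTERNET_PROBES)]


def unjustified_allow_rules(rs: Ruleset) -> List[Rule]:
    """Question 1.5: allow rules with no recorded business justification."""
    return [r for r in rs.rules if r.action == "allow" and not r.justification.strip()]


# Constructed ruleset with two typical review findings: an over-broad, undocumented
# inbound rule for the file server, and a host-specific outbound deny placed
# *after* a catch-all outbound allow, so it never matches.
SAMPLE_RULESET = Ruleset(rules=[
    Rule("allow", "in", "tcp", 443, "webserver", "Public website"),
    Rule("allow", "in", "tcp", None, "fileserver"),
    Rule("allow", "out", "tcp", 443, None, "HTTPS for all hosts"),
    Rule("deny", "out", None, None, "cctv-recorder", "CCTV has no internet requirement"),
])

# Same intent, corrected: the host-specific deny comes first and the inbound
# rule for the file server is removed, so nothing from the 1.6 list is exposed.
CORRECTED_RULESET = Ruleset(rules=[
    Rule("deny", "out", None, None, "cctv-recorder", "CCTV has no internet requirement"),
    Rule("allow", "in", "tcp", 443, "webserver", "Public website"),
    Rule("allow", "out", "tcp", 443, None, "HTTPS for all hosts"),
])


def review(rs: Ruleset) -> dict:
    """Collect the three checks into one report for the constructed hosts."""
    return {
        "exposed": {h: exposed_vulnerable_services(rs, h) for h in ("webserver", "fileserver")},
        "internet_reachable_but_should_not_be": hosts_without_outbound_deny(rs, ["cctv-recorder"]),
        "unjustified_allow_rules": len(unjustified_allow_rules(rs)),
    }


if __name__ == "__main__":
    for label, rs in (("as found", SAMPLE_RULESET), ("corrected", CORRECTED_RULESET)):
        print(label, review(rs))
```

The ordering fault in the sample ruleset is the kind of thing a written description of the policy will not reveal: the CCTV recorder is documented as having no internet requirement, yet the catch-all HTTPS rule above its deny rule lets it out. Evaluating the rules the way the device does (first match wins) is what turns the policy statement in 1.9 into evidence.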


SECURE CONFIGURATION

Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.

Computers and network devices (including wireless access points) cannot be considered secure upon default installation. A standard, ‘out-of-the-box’ configuration can often include an administrative account with a predetermined, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications (or services).

Default installations of computers and network devices can provide cyber attackers with a variety of opportunities to gain unauthorised access to an organisation’s sensitive information, often with ease. By applying some simple security controls when installing computers and network devices (a technique typically referred to as system hardening), inherent weaknesses can be minimised, providing increased protection against commodity cyber attacks.

# Questions Answer Suggestions and Guidance

2.1 Have all unnecessary or default user accounts been deleted or disabled in all computers and network devices?

How do you know this? Whose role is it to check this? Describe the process to ensure this is done.

2.2 Do all accounts have passwords? Please confirm that any default passwords have been changed to strong passwords.

Please describe how you know this was achieved and describe any technical controls in place to enforce complex passwords or, if there are none, state any alternative such as a paper-based policy or business requirement.

2.3 Have you ensured that any unnecessary software (including application, operating system utilities and network services) is removed or disabled?

Describe whose role it is to commission a computer or network device and how they ensure that only approved software and applications have been installed.


2.4 Has the auto-run feature been disabled?

The auto-run feature should be disabled to prevent software programs running automatically, for example when removable storage media is connected to a computer or when network folders are accessed. A screenshot of how the auto-run feature is disabled is required as evidence.

2.5 Has a personal/host based firewall (or equivalent) been enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default?

Provide evidence of how a personal firewall or an equivalent is installed on a computer and how it is configured to restrict inbound and outbound network connections to and from authorised applications, such as a web browser or email.

2.6 Is a standard build image used to configure new workstations? Does this image include the policies and controls and software required to protect the workstation? Is the image kept up to date with corporate policies?

Who created the image (provide internal role or outsourced provider details) and whose responsibility is it to keep it up to date? If a build image is not used – are build instructions or build best practice guidelines followed? If so, what are they?

2.7 Do you have a backup policy in place, and are backups conducted regularly?

A robust backup process is vital to ensuring data retrieval (and continuity of business) in the event of a ransomware or similar malware event. Describe the backup process (online / disk / tape etc., with scheduled or anticipated times and dates).


USER ACCESS CONTROL

User accounts, particularly those with special access privileges (e.g. administrative accounts) should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.

User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When privileged accounts are compromised, their level of access can be exploited, resulting in large-scale corruption of information, disruption of business processes and unauthorised access to other computers across an organisation.

To protect against misuse of special access privileges, the principle of least privilege should be applied to user accounts by limiting the privileges granted and restricting access.

# Questions Answer Suggestions and Guidance

3.1 Are user account requests subject to proper justification, provisioning and an approvals process, and assigned to named individuals?

Describe the process for activating new user accounts, or refer to any starters, movers and leavers procedure if you have one. When describing the process, ensure that it includes how a new account is requested, approved and added, and by whom.

3.2 Are users required to authenticate with a unique username and strong password before being granted access to computers and applications?

Best practice dictates that all users must have their own account and have a strong password assigned which should not be shared. Describe the process to ensure that no users share login accounts and how strong passwords are applied.

3.3 Are accounts removed or disabled when they are no longer required?

User accounts and special access privileges should be removed or disabled when no longer required (e.g. when an individual changes role or leaves the organisation) or after a pre-defined period of inactivity (e.g. 3 months). Describe the process to remove or disable an account when someone leaves or refer to any leavers’ process or policy.

3.4 Are elevated or special access privileges, such as system administrator accounts, restricted to a limited number of authorised individuals?

What is the role of the authorised individuals? And why do they require privileged or administrator access?

3.5 Are special access privileges documented and reviewed regularly (e.g. quarterly)?

How are they documented (spreadsheet, Word document, database etc.), and when did you last review the special access privileges?

3.6 Are all administrative accounts only permitted to perform administrator tasks, with no internet or external email permissions?

What controls are in place to prevent internet and email access for administrator accounts? Describe any account configuration settings, if applicable.

3.7 Do you have a password policy or process which requires or enforces changing administrator passwords (e.g. at least every 60 days) to a complex password?

How do you ensure that administrative accounts are configured to require a password change on a regular basis?


MALWARE PROTECTION

Computers connected or exposed to the internet should be protected against malware infection through the use of malware protection software.

Computers are often vulnerable to malicious software, particularly those that are exposed to the internet (e.g. desktop PCs, laptops and, where applicable, mobile devices). Where available, dedicated software is required that will monitor for, detect and disable malware. Computers can be infected with malware through various means, often involving a user who opens an infected email, browses a compromised website or opens an unknown file on removable storage media. The scope of malware protection in this document covers desktop PCs, laptops and servers that have access to or are accessible from the internet. Other computers used in the organisation, while out of scope, are likely to need protection against malware, as will some forms of tablets and smartphones.

# Questions Answer Suggestions and Guidance

4.1 Has malware protection software been installed on all computers within scope?

Name the vendor and version of the malware protection software (e.g. anti-virus or endpoint protection) that is used.

4.2 How often does malware protection software have all of its updates applied, and is this applied rigorously?

Malware protection software should be configured to update itself within a short period of an update becoming available. Describe how this is configured.

4.3 Have all anti malware signature files been kept up to date (through automatic updates or through centrally managed deployment)?

How is this done and how can you be sure that all files are up to date for all computers?


4.4 Has malware protection software been configured for on-access scanning, and does this include downloading or opening files, opening folders on removable or remote storage, and web page scanning?

How do you ensure that malware protection software is configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when being accessed (via a web browser)?

4.5 Has the malware protection software been configured to run regular (at least daily) scans?

Describe the malware scanning regime, for example whether it is a full scan, quick scan, deep system scan etc.

4.6 Apart from Anti-Virus Software, how are commonly accessed executables protected from being attacked by malicious files?

What mechanisms are in place to ensure that if a user clicks on a malicious link (within an e-mail for example), the executable file does not execute? For example, does the software notify you via a pop up?

4.7 Are users prevented from accessing known malicious web sites by your malware protection software through a blacklisting function?

Does your malware protection software do this or have you an alternative solution that prevents access to known or potentially malicious or disreputable web sites (e.g. a personal firewall setting or web filtering software)?


PATCH MANAGEMENT

Any computer and network device that runs software can contain weaknesses or flaws, typically referred to as technical vulnerabilities. Vulnerabilities are common in many types of popular software, are frequently being discovered (e.g. daily), and once known can quickly be deliberately misused (exploited) by malicious individuals or groups to attack an organisation’s computers and networks.

Vendors of software will typically try to provide fixes for identified vulnerabilities as soon as possible, in the form of software updates known as patches, and release them to their customers (sometimes using a formal release schedule such as weekly). To help avoid becoming a victim of cyber-attacks that exploit software vulnerabilities, an organisation needs to manage patches and the update of software effectively.

# Questions Answer Suggestions and Guidance

5.1 Is all software installed on computers and network devices in the scope licensed and supported?

How do you ensure that software running on computers and network devices that are connected to, or capable of connecting to, the internet is licensed and supported (by the software vendor or supplier of the software), so that security patches for known vulnerabilities are made available?

5.2 Are all operating system security patches applied within at least 14 days of release?

Describe the process to ensure that operating system (e.g. Microsoft Windows) patches are applied within the agreed timeframe.

5.3 Are all application security patches applied within at least 14 days of release?

Describe the process to ensure that application (e.g. Microsoft Office or Adobe etc.) patches are applied within the agreed timeframe.

5.4 Is out-of-date software (i.e. software that is no longer supported) removed from a computer or network device?

Describe the process to identify and remove out-of-date software.
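Questions 5.1 to 5.4 are answered from the same two records: what software is installed and whether the vendor still supports it, and when each patch was released versus when it was applied. The following is an added example, not code from the workbook: it checks a constructed inventory against the 14-day window from 5.2 and 5.3 and lists unsupported software for 5.4. Host names, product entries and the patch identifiers are made up for the example; the end-of-support date shown for Windows XP (8 April 2014) is the vendor's actual date, the rest of the data is constructed.

```python
"""Patch-management inventory check for questions 5.1 to 5.4.

Added example, not code from the workbook: a constructed software and patch
inventory is checked for vendor support (5.1, 5.4) and for the 14-day patch
window (5.2, 5.3). Host names and patch identifiers are made up.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW = timedelta(days=14)   # "within at least 14 days of release"


@dataclass
class Software:
    host: str
    name: str
    kind: str                       # "os" or "application"
    support_ends: Optional[date]    # None while the vendor still supports it


@dataclass
class Patch:
    host: str
    name: str                       # software the patch belongs to
    kind: str                       # "os" (5.2) or "application" (5.3)
    patch_id: str                   # constructed identifier
    released: date
    applied: Optional[date]         # None = not yet applied


def unsupported_software(inventory: List[Software], today: date) -> List[Software]:
    """5.1 / 5.4: software whose vendor support has ended and that should be removed."""
    return [s for s in inventory if s.support_ends is not None and s.support_ends < today]


def days_late(p: Patch, today: date) -> int:
    """Days beyond the 14-day window; 0 when applied in time or still inside the window."""
    deadline = p.released + PATCH_WINDOW
    effective = p.applied if p.applied is not None else today
    return max(0, (effective - deadline).days)


def overdue_patches(patches: List[Patch], today: date) -> List[Patch]:
    """5.2 / 5.3: patches applied late, or still missing after the window has passed."""
    return [p for p in patches if days_late(p, today) > 0]


def compliance_report(inventory: List[Software], patches: List[Patch], today: date) -> dict:
    """One summary an assessor can check against the answers to 5.1 to 5.4."""
    overdue = overdue_patches(patches, today)
    return {
        "unsupported": [(s.host, s.name) for s in unsupported_software(inventory, today)],
        "overdue": [(p.host, p.kind, p.patch_id, days_late(p, today)) for p in overdue],
        "compliant": len(patches) - len(overdue),
    }


# Constructed inventory as of the assessment date.
ASSESSMENT_DATE = date(2016, 7, 20)

INVENTORY = [
    Software("pc01", "Windows 10", "os", None),
    Software("pc02", "Windows 10", "os", None),
    Software("pc03", "Windows XP", "os", date(2014, 4, 8)),   # vendor support ended 8 April 2014
    Software("pc01", "Office 2016", "application", None),
    Software("pc03", "Adobe Reader", "application", None),
]

PATCHES = [
    Patch("pc01", "Windows 10", "os", "OS-2016-07-A", date(2016, 7, 1), date(2016, 7, 10)),
    Patch("pc02", "Windows 10", "os", "OS-2016-07-A", date(2016, 7, 1), None),
    Patch("pc01", "Office 2016", "application", "APP-2016-07-B", date(2016, 7, 12), None),
    Patch("pc03", "Adobe Reader", "application", "APP-2016-06-C", date(2016, 6, 1), date(2016, 6, 30)),
]


if __name__ == "__main__":
    print(compliance_report(INVENTORY, PATCHES, ASSESSMENT_DATE))
```

Treating a missing patch as "applied today" for the purpose of the deadline is what distinguishes a patch that is still inside its 14-day window (pc01's Office update) from one that has already breached it (pc02's OS update), which is the distinction the assessor is asking about in 5.2 and 5.3.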

5.5 Is there a mobile working policy in force that requires mobile devices (including BYOD, Bring Your Own Device) to be kept up to date with vendor updates and application patches?

Describe the use of non-company-supplied devices, if applicable, and whether they connect to the business network. Is there a "Guest" network that they can connect to? What sort of work is done via mobile devices? If there is no BYOD policy, how do you ensure that malicious software cannot get into the network through unprotected devices?


CLIENT NOTES
