Download - Cyber Essentials Self-Assessment - IT Wiser · All answers are assessed. Your answers must be approved by a Board level representative, business owner or the equivalent, otherwise

CONFIDENTIALWHENCOMPLETED

© The IASME Consortium Ltd 2017 All rights reserved

©TheIASMEConsortiumltd2017

Allrightsreserved.

ThecopyrightinthisdocumentisvestedinTheIASMEConsortiumltd.Thedocumentmustnotbereproduced,byanymeans,inwholeorinpartorusedformanufacturingpurposes,exceptwiththepriorwrittenpermissionofTheIASMEConsortiumltdandthenonlyon

conditionthatthisnoticeisincludedinanysuchreproduction.

InformationcontainedinthisdocumentisbelievedtobeaccurateatthetimeofpublicationbutnoliabilitywhatsoevercanbeacceptedbyanymemberofTheIASMEConsortiumltd

arisingoutofanyusemadeofthisinformation.

Compliancewiththisstandarddoesnotinferimmunityfromlegalproceedingnordoesitguaranteecompleteinformationsecurity.

CyberEssentialsSelf-Assessment

PreparationBooklet

For Inf

ormati

on O

nly



1

CyberEssentialsSelf-AssessmentVersion10.4

February2017

IntroductionThisquestionnaireasksaboutthetechnicalissuesoftheCyberEssentials.Thesearethequestionsyouwillbeaskedtocompletethroughtheonlineassessmentplatform.Allanswersareassessed.YouranswersmustbeapprovedbyaBoardlevelrepresentative,businessownerortheequivalent,otherwisecertificationcannotbeawarded.Pleaseanswerallthequestionstothebestofyourknowledgeandaddbriefnoteswithmostanswers.AchievingcompliancewiththeCyberEssentialsprofileortheIASMEgovernancestandardindicatesthatyourorganisationhastakenthestepssetoutintheHMGCyberEssentialsSchemedocumentsorthebroaderIASMEgovernancestandard.ItdoesnotamounttoanassurancethattheorganisationisfreefromcybervulnerabilitiesandneitherIASMEConsortiumLimited(asAccreditationBody)northeCertificationBodyacceptsanyliabilitytocertifiedorganisationsoranyotherpersonorbodyinrelationtoanyreliancetheymightplaceonthecertificate.Specificadviceshouldbesoughtonthecybersecuritycharacteristicsofanyorganisationortransaction.

Ifyouareawardedacertificateyouwillalsobesentabadgetouseincorrespondenceandpublicityandmustaccepttheconditionsofuse.

FurtherguidanceontheCyberEssentialsschemecanbefoundathttps://www.ncsc.gov.uk/information/requirements-it-infrastructure-cyber-essentials-scheme

YourCompany

Pleasetellusalittleabouthowyourcompanyissetupsowecanaskyouthemostappropriatequestions.

1. Whatisyourorganisation'sname(forcompanies:asregisteredwithCompaniesHouse)?

2. Whatisyourorganisation'sregistrationnumber(ifyouhaveone)?

[Notes]

[Notes]

For Inf

ormati

on O

nly



2

3. Whatisyourorganisation'saddress(forcompanies:asregisteredwithCompaniesHouse)?

4. Whatisyourmainbusiness?Agriculture,ForestryandFishingMiningandQuarryingManufacturingElectricity,Gas,SteamandAir-conditioningSupplyWatersupply,Sewerage,WastemanagementandRemediationConstructionWholesaleandRetailtradeRepairofmotorcarsandmotorcyclesTransportandstorageAccommodationandfoodservicesInformationandcommunicationFinancialandinsurance

RealestateProfessional,scientificandtechnicalAdministrationandsupportservicesPublicadministrationanddefenceCompulsorysocialsecurityEducationHumanHealthandSocialWorkArtsEntertainmentandRecreationOtherserviceactivitiesActivitiesofhouseholdsasemployers;undifferentiatedgoodsandservicesproducingforhouseholdsforownuseActivitiesofextraterritorialorganisationsandbodies

[Notes]

[Notes]

For Inf

ormati

on O

nly



3

5. Whatisyourwebsiteaddress?

6. Whatisthesizeofyourorganisation?BasedontheEUdefinitionsofMicro(<10employees,<€2mturnover),Small(<50employees,<€10mturnover),Medium(<250employees,<€50mturnover)orLarge.

7. Howmanystaffarehomeworkers?Homeworkersarestaffwhosemainworklocationistheirhomeaddressandwhoworkthereforthemajorityoftheirtime.Thisdoesnotincludeofficeworkerswhooccasionallyworkathomeorwhentravelling.

ScopeofAssessment

Pleasebrieflydescribetheelementsofyourorganisationwhichyouwanttocertifytothisaccreditation.Thescopeshouldbeeitherthewholeorganisationoranorganisationalsub-unit(forexample,theUKoperationofamultinationalcompany).Allcomputers,laptops,servers,mobilephones,tabletsandfirewalls/routersthatcanaccesstheinternetandareusedbythisorganisationorsub-unittoaccessbusinessinformationshouldbeconsidered"in-scope".Alllocationsthatareownedoroperatedbythisorganisationorsub-unit,whetherintheUKorinternationallyshouldbeconsidered"in-scope"8. Doesthescopeofthisassessmentcoveryourwholeorganisation?Pleasenote:YourorganisationisonlyeligibleforfreeCyberInsuranceifyourassessmentcoversyourwholecompany,ifyouanswer"No"tothisquestionyouwillnotbeinvitedtoapplyforinsurance.

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



4

9. Ifitisnotthewholeorganisation,thenwhatisthescopedescriptionyouwouldliketoappearonyourcertificateandwebsite?

10. Pleasedescribethegeographicallocationsofyourbusinesswhichareinthescopeofthisassessment.

11. Pleasedescribeallequipmentwhichisincludedinthescopeofthisassessment(pleaseincludedetailsoflaptops,computers,servers,mobilephonesandtablets).Alllaptops,computers,serversandmobiledevicesthatcanaccessbusinessdataandhaveaccesstotheinternetmustbeincludedinthescopeoftheassessment.

12. Pleasedescribethenetworksthatwillbeinthescopeforthisassessment(suchasofficenetwork,homeofficesandfirewalls).

13. Whoisresponsibleformanagingtheinformationsystemsinthescopeofthisassessment?

[Notes]

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



5

OfficeFirewallsandInternetGateways

Firewallisthegenericnameforsoftwareorhardwarewhichprovidestechnicalprotectionbetweenyoursystemsandtheoutsideworld.Therewillbeafirewallwithinyourinternetrouter.CommoninternetroutersareBTHomeHub,VirginMediaHuborSkyHub.Yourorganisationmayalsohavesetupaseparatehardwarefirewalldevicebetweenyournetworkandtheinternet.Firewallsarepowerfuldevicesandneedtobeconfiguredcorrectlytoprovideeffectivesecurity.Questionsinthissectionapplyto:HardwareFirewalldevices,Routers,ComputersandLaptopsonly.14. Doyouhavefirewallsattheboundarybetweenyourorganisationsinternalnetworksandtheinternet?Youshouldhavefirewallsinplacebetweenyourofficenetworkandtheinternet.Youshouldalsohavefirewallsinplaceforhome-basedworkers,ifthoseusersarenotusingaVirtualPrivateNetwork(VPN)connectedtoyourofficenetwork.Remembermostinternet-routerscontainafirewall.

15. Whenyoufirstreceiveaninternetrouterorhardwarefirewalldeviceitwillhavehadadefaultpasswordonit.Hasthisinitialpasswordbeenchangedonallsuchdevices?

16. Isthenewpasswordonallyourinternetroutersorhardwarefirewalldevicesatleast8charactersinlengthanddifficulttoguess?Apasswordthatisdifficulttoguesswillnotbemadeupofcommonorpredictablewordssuchas"password"or"admin",orincludepredictablenumbersequencessuchas"12345".

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



6

17. Doyouchangethepasswordwhenyoubelieveitmayhavebeencompromised?

18. Doyouhaveanyservicesenabledthatareaccessibleexternallyfromyourinternetroutersorhardwarefirewalldevicesforwhichyoudonothaveadocumentedbusinesscase?Attimesyourfirewallmaybeconfiguredtoallowasystemontheinsidetobecomeaccessiblefromtheinternet(suchasaserveroravideoconferencingunit).Thisissometimesreferredtoas"openingaport".Youneedtoshowabusinesscasefordoingthisbecauseitcanpresentsecurityrisks.Ifyouhavenotenabledanyservices,answer"No".

19. Ifyestoabove,doyouhaveaprocesstoensuretheyaredisabledinatimelymannerwhentheyarenolongerrequired?

20. Haveyouconfiguredyourinternetroutersorhardwarefirewalldevicessothattheyblockallotherservicesfrombeingadvertisedtotheinternet?

Bydefault,mostfirewallsblockallservicesfrominsidethenetworkfrombeingaccessedfromtheinternet,butyouneedtocheckyourfirewallsettings.

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



7

21. Areyourinternetroutersorhardwarefirewallsconfiguredtoallowaccesstotheirconfigurationsettingsovertheinternet?

Sometimesorganisationsconfiguretheirfirewalltoallowotherpeople(suchasanITsupportcompany)tochangethesettingsviatheinternet.IfyouhavenotsetupyourfirewallstobeaccessibletopeopleoutsideyourorganisationsoryourdeviceconfigurationsettingsareonlyaccessibleviaaVPNconnection,thenanswer"no"tothisquestion.

22. Ifyes,isthereadocumentedbusinessrequirementforthisaccess?

23. Ifyes,istheaccesstothesettingsprotectedbyeithertwo-factorauthenticationorbyonlyallowingtrustedIPaddressestoaccessthesettings?

24. Doyouhavesoftwarefirewallsenabledonallofyourcomputersandlaptops?YoucancheckthissettingonMaclaptopsintheSecurity&PrivacysectionofSystemPreferences.OnWindowslaptopsyoucancheckthisbygoingtoSettingsorControlPanelandsearchingfor"windowsfirewall".

25. Ifno,isthisbecausesoftwarefirewallsarenotcommonlyavailablefortheoperatingsystemyouareusing?

[Notes]

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



8

SecureConfiguration

Computersareoftennotsecureupondefaultinstallation.An‘out-of-the-box’set-upcanoftenincludeanadministrativeaccountwithastandard,publiclyknowndefaultpassword,one orormoreunnecessaryuseraccountsenabled(sometimeswithspecialaccessprivileges)andpre-installedbutunnecessaryapplicationsorservices.Allofthesepresentsecurityrisks.

Questionsinthissectionapplyoperatingsystemsandapplicationsrunningon:Servers,Computers,Laptops,TabletsandMobilePhones.

26. Whereyouareabletodoso,haveyouremovedordisabledallthesoftwarethatyoudonotuseonyourlaptops,computers,servers,tabletsandmobilephones?Thisincludesapplications,systemutilitiesandnetworkservices.

27. Haveyouensuredthatallyourlaptops,computers,servers,tabletsandmobiledevicesonlycontainnecessaryuseraccountsthatareregularlyusedinthecourseofyourbusiness?

28. Haveyouchangedthedefaultpasswordforalluserandadministratoraccountsonallyourlaptops,computers,servers,tabletsandsmartphonestoanon-guessablepasswordof8charactersormore?

29. Doallyourusersandadministratorsusepasswordsofatleast8characters?Astrongpasswordtypicallyisamixtureofatleast8characters,numbersandsymbols,thelongerthebetter.

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



9

30. Doyourunsoftwarethatprovidessensitiveorcriticalinformation(thatshouldn'tbemadepublic)tointernet-basedusers?

31. Ifyes,doyouensureallusersoftheseservicesuseapasswordofatleast8charactersandthatyoursystemsdonotrestrictthelengthofthepassword?

32. Ifyes,doyouensurethatyouchangepasswordsifyoubelievethattheyhavebeencompromised?

33. Ifyes,areyoursystemssettolockoutaftertenorfewerunsuccessfulloginattempts,orlimitthenumberofloginattemptstonomorethantenwithinfiveminutes?

34. Ifyes,doyouhaveapasswordpolicythatguidesallyourusers?Thepasswordpolicymustinclude:guidanceonhowtochoosenon-guessablepasswords,nottousethesamepasswordformultipleaccounts,whichpasswordsmaybewrittendownandwheretheycanbestored,andiftheymayuseapasswordmanager.

35. Is"auto-run"or"auto-play"disabledonallofyoursystems?ThisisasettingwhichautomaticallyrunssoftwareonaDVDormemorystick.Youcandisable"auto-run"or"auto-play"throughcontrolpanel/systempreferences.

[Notes]

[Notes]

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



10

SoftwarePatchingToprotectyourorganisation,youshouldensurethatyoursoftwareisalwaysup-to-datewiththelatestupdatesor“patches”.If,onanyofyourin-scopedevices,youareusinganoperatingsystemwhichisnolongersupported,e.g.MicrosoftWindowsXPormacOSMountainLion,andyouarenotbeingprovidedwithupdatesfromanotherreliablesource,thenyouwillnotbeawardedcertification.Mobilephonesandtabletsarein-scopeandmustalsouseanoperatingsystemthatisstillsupportedbythemanufacturer.Questionsinthissectionapplyto:Servers,Computers,Laptops,Tablets,MobilePhones,RoutersandFirewalls.36. Arealloperatingsystemsandfirmwareonyourdevicessupportedbyasupplierthatproducesregularfixesforanysecurityproblems?

37. Areallapplicationsonyourdevicessupportedbyasupplierthatproducesregularfixesforanysecurityproblems?

38. Isallsoftwarelicensedinaccordancewiththepublisher’srecommendations?

39. Areallhigh-riskorcriticalsecurityupdatesforoperatingsystemsandfirmwareinstalledwithin14daysofrelease?

40. Areallhigh-riskorcriticalsecurityupdatesforapplications(includinganyassociatedfilesandanypluginssuchasAdobeFlash)installedwithin14daysofrelease?

[Notes]

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



11

41. Haveyouremovedanyapplicationsonyourdevicesthatarenolongersupportedandnolongerreceivedregularfixesforsecurityproblems?

UserAccountsItisimportanttoonlygiveusersaccesstotheresourcesanddatanecessaryfortheirroles,andnomore.Allusersneedtohaveuniqueaccountsandshouldnotbecarryingoutday-to-daytaskssuchasinvoicingordealingwithe-mailwhilstloggedonasauserwithadministratorprivilegeswhichallowsignificantchangestothewayyourcomputersystemswork.Questionsinthissectionapplyto:Servers,Computers,Laptops,TabletsandMobilePhones.42. Areusersonlyprovidedwithuseraccountsafteraprocesshasbeenfollowedtoapprovetheircreation?

43. Canyouonlyaccesslaptops,computersandserversinyourorganisation(andtheapplicationstheycontain)byenteringauniqueusernameandpassword?

44. Haveyoudeleted,ordisabled,anyaccountsforstaffwhoarenolongerwithyourorganisation?Whenanindividualleavesyourorganisation,youneedtostopthemaccessinganyofyoursystems.

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



12

45. Doyouensurethatstaffonlyhavetheprivilegesthattheyneedtodotheircurrentjob?Whenastaffmemberchangesjobroleyoumayalsoneedtochangetheiraccessprivileges.

AdministrativeAccounts

Useraccountswithspecialaccessprivileges(e.g.administrativeaccounts)typicallyhavethegreatestlevelofaccesstoinformation,applicationsandcomputers.Whentheseprivilegedaccountsareaccessedbyattackerstheycancausethemostamountofdamagebecausetheycanusuallyperformactionssuchasinstallmalicioussoftwareandmakechanges.Specialaccessincludesprivilegesoverandabovethoseofnormalusers.Itisnotacceptabletoworkonday-to-daybasisinaprivileged“administrator”mode.Questionsinthissectionapplyto:Servers,Computers,Laptops,TabletsandMobilePhones.46. Doyouhaveaformalprocessforgivingsomeoneaccesstosystemsatan“administrator”level?

47. Doyouensurethatstaffonlyuseadministratoraccountstocarryoutadministrativeactivities(suchasinstallingsoftwareormakingconfigurationchanges)?

48. Doyouensurethatadministratoraccountsarenotusedforaccessingemailorwebbrowsing?’

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



13

49. Doyouformallytrackwhichusershaveadministratoraccountsinyourorganisation?

50. Doyoureviewwhoshouldhaveadministrativeaccessonaregularbasis?

51. Haveyouenabledtwo-factorauthenticationforaccesstoalladministrativeaccounts?

52. Ifno,isthisbecausetwo-factorauthenticationisnotavailableforsomeorallofyourdevicesorsystems?

MalwareprotectionMalware(suchascomputerviruses)isgenerallyusedtostealordamageinformation.Malwareareoftenusedinconjunctionwithotherkindsofattacksuchas‘phishing’(obtaininginformationbyconfidencetrickery)andsocialnetworksites(whichcanbeminedforinformationusefultoahacker)toprovideafocussedattackonanorganisation.Anti-malwaresolutions(includinganti-virus)areavailablefromcommercialsuppliers,somefree,butusuallyascompletesoftwareandsupportpackages.Malwarearecontinuallyevolving,soitisimportantthatthesupplierincludesbothmalwaresignaturesandheuristicdetectionfacilitieswhichareupdatedasfrequentlyaspossible.Anti-malwareproductscanalsohelpconfirmwhetherwebsitesyouvisitaremalicious.Questionsinthissectionapplyto:Computers,Laptops,TabletsandMobilePhones.

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



14

53. Areallofyourcomputers,laptops,tabletsandmobilephonesprotectedfrommalwarebyeither

A-havinganti-malwaresoftwareinstalled,B-limitinginstallationofapplicationstoanapprovedset(ieusinganAppStoreorapplicationwhitelisting)orC-applicationsandboxing(iebyusingavirtualmachine)?

ItisusuallyeasiesttoprotectcomputersandlaptopsfrommalwarebyusingA.TabletsandmobilephonesareusuallyprotectedusingB.Applicationsandboxing(optionC)isawayofrunninganapplicationinasecuremannerthatblockstheapplicationfromaccessingmanyoftheusualfunctionsofthecomputer,suchasitsdata,itsperipheralsandthenetwork.

54. IfOptionA:Whereyouhaveanti-malwaresoftwareinstalled,isitsettoupdatedailyandscanfilesautomaticallyuponaccess?Thisisusuallythedefaultsettingforanti-malwaresoftware.

55. IfOptionA:Whereyouhaveanti-malwaresoftwareinstalled,isitsettoscanwebpagesyouvisitandwarnyouaboutaccessingmaliciouswebsites?

56. IfOptionB:Whereyouuseanapp-storeorapplicationsigning,areusersrestrictedfrominstallingunsignedapplications?Bydefault,mostmobilephonesandtabletsdonotallowyoutoinstallunsignedapplications.Usuallyyouhaveto"root"or"jailbreak"adevicetoallowunsignedapplications.

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



15

57. IfOptionB:Whereyouuseanapp-storeorapplicationsigning,doyouensurethatusersonlyinstallapplicationsthathavebeenapprovedbyyourorganisationanddoyoudocumentthislistofapprovedapplications?

58. IfOptionC:Whereyouuseapplicationsandboxing,doyouensurethatapplicationswithinthesandboxareunabletoaccessdatastores,sensitiveperipheralsandyourlocalnetwork?Ifyouareusingavirtualmachinetosandboxapplications,youcanusuallysetthesesettingswithintheconfigurationoptionsofthevirtualmachinesoftware.

InsuranceAllorganisationswithaheadofficedomiciledintheUKthathavethewholecompanyinscopeandaturnoverof<£20mgetautomaticcyberinsuranceiftheyachieveCyberEssentialscertification.Thecostofthisisincludedintheassessmentpackagebutyoucanoptoutoftheinsuranceelementifyouchoose.Thiswillnotchangethepriceoftheassessmentpackage.Ifyouwanttheinsurancethenwedoneedtoasksomeadditionalquestionsandtheseanswerswillbeforwardedtothebroker.TheanswerstothesequestionswillnotaffecttheresultofyourCyberEssentialsassessment.59. IsyourheadofficedomiciledintheUKandisyourgrossannualturnoverlessthan£20m?Theanswertothisquestionisjustforinformationand,ifyouareeligiblefortheinsuranceandoptin,willbepassedtotheInsuranceBrokerinassociationwiththeCyberInsuranceyouwillreceiveatcertification.

[Notes]

[Notes]

[Notes]For

Inform

ation

Only



16

Ifyouhaveanswered"yes"tothelastquestion,thenyourcompanyiseligiblefortheincludedcyberinsuranceifyougaincertification.Thecostoftheinsuranceisincludedinthecostoftheassessment.60. Doyouwanttoacceptthiscyberinsurance?Theanswertothisquestionisjustforinformationand,ifyouareeligiblefortheinsuranceandoptin,willbepassedtotheInsuranceBrokerinassociationwiththeCyberInsuranceyouwillreceiveatcertification.

61. Whatisyourtotalgrossrevenue?Youonlyneedtoanswerthisquestionifyouaretakingtheinsurance.TheanswertothisquestionisjustforinformationandwillbepassedtotheInsuranceBrokerinassociationwiththeCyberInsuranceyouwillreceiveatcertification.

62. Isthecompanyoritssubsidiariesanyofthefollowing:medical,callcentre,telemarketing,dataprocessing(outsourcers),internetserviceprovider,telecommunicationsoranorganisationregulatedbytheFCA?Youonlyneedtoanswerthisquestionifyouaretakingtheinsurance.TheanswertothisquestionisjustforinformationandwillbepassedtotheInsuranceBrokerinassociationwiththeCyberInsuranceyouwillreceiveatcertification.

63. DoesthecompanyhaveanydomiciledoperationorderivedrevenuefromtheterritoryorjurisdictionofCanadaand/orUSA?Youonlyneedtoanswerthisquestionifyouaretakingtheinsurance.TheanswertothisquestionisjustforinformationandwillbepassedtotheInsuranceBrokerinassociationwiththeCyberInsuranceyouwillreceiveatcertification.

[Notes]

[Notes]

[Notes]

[Notes]

For Inf

ormati

on O

nly



17

64. Whatistheorganisationemailcontactfortheinsurancedocuments?Youonlyneedtoanswerthisquestionifyouaretakingtheinsurance.TheanswertothisquestionwillbepassedtotheInsuranceBrokerinassociationwiththeCyberInsuranceyouwillreceiveatcertificationandtheywillusethistocontactyouwithyourinsurancedocumentsandrenewalinformation.

[Notes]

For Inf

ormati

on O

nly