A guide to the Cyber Essentials Self-Assessment Questionnaire
- Phyllis Elliott
- 5 years ago
Introduction

Cyber Essentials and Cyber Essentials Plus. Information brought to you by APMG International.

Cyber Essentials was always intended to be a set of basic but fundamental security requirements which, if implemented effectively, would reduce the risk of a successful cyber-attack by about 80%. It was targeted principally at small and medium enterprises, whilst accepting that larger organisations should be applying these measures as well.

The five basic Cyber Essentials controls are taken from the advice issued by Government Communications Headquarters (GCHQ) and from the 10 Steps to Cyber Security. Those 10 steps are a rather more complex set of controls that larger organisations (usually with their own IT departments and good security advisers) should be taking.

The five areas for the basic Cyber Essentials controls are qualified by a set of questions that most business owners and managers should be able to answer, perhaps with some limited additional technical advice. This video series aims to help you answer those questions and directs you to other sources of information should the need arise.

General information

It is essential that the appropriate information is provided as part of the general application for certification. This will include the business name (together with any parent organisation), business size, a point of contact (usually the person completing the application form) and, most importantly, the scope of the system to be assessed and certified.

It is critical that the scope is properly defined, and usually the easiest and best way to do this is a simple block diagram. The accompanying diagram shows a simple system, and the red line highlights the extent of the assessment. Note that the certificate will show a brief description of the system certified. The organisation's name can only be used on the certificate if all the IT systems in use in the organisation are within the scope of the assessment.

The Five Controls

1. Boundary firewalls and internet gateways: devices designed to prevent unauthorised access to or from private networks. Whether in hardware or software form, they are only fully effective if set up correctly.
2. Secure configuration: ensuring that systems are configured in the most secure way for the needs of the organisation.
3. Access control: ensuring that only those who should have access to systems have it, and at the appropriate level.
4. Malware protection: ensuring that virus and malware protection is installed and kept up to date.
5. Patch management: ensuring that the latest supported version of each application is used and that all the necessary patches supplied by the vendor have been applied.
Questions to be answered for the APMG certification process

FIREWALLS

1. Are there firewalls in place which protect all your devices?

How to answer

What is a firewall? Where the firewall is located must be shown on the scope diagram mentioned above and described in the accompanying scope statement.

For very small organisations, access to the internet will be through a simple device, often provided by your internet service provider (ISP) such as BT, TalkTalk, Plusnet, Virgin Media or similar. A firewall and a router are incorporated into that device. The firewall acts as a filter: it stops attacks from the internet reaching your system, and it can also stop inappropriate traffic leaving your system. Usually the firewall will be configured by the service provider, and often you will have little or no ability (or need) to change anything on it away from the default settings. We will refer to this device as a firewall despite it being a combination of router and firewall.

It is possible that, in addition to the firewall at the point of access to the internet (or occasionally instead of it), you have firewalls installed as software on devices connected to your network. This is often done as part of the installation of antivirus and similar software. Including this in your description will be useful and will help the assessor.

If you have a more complex system, then you may have a separate firewall which you can set up yourself, and this will need explaining in your application. In particular, it is critical that the firewall is configured to prevent certain types of traffic coming into and leaving your network. Details of which protocols (types of internet traffic) and services should be blocked, together with other configuration requirements, are in the detailed technical specifications for Cyber Essentials.

2. Has the default administrative password on all firewalls (or equivalent devices) been changed to a password that is difficult to guess?

As mentioned previously, if your firewall has been provided by a commercial ISP then it is quite possible you will have no ability to change the administrator password set by the supplier. Such passwords are usually long and random, but if the password is printed on the device itself then anyone with physical access to the device can read it, so it should still be changed if you are able to. If you can change the administrator password you should always do so, and this is done through the control panel of the router. The control panel is usually accessed by opening a web browser and typing in the IP address of the firewall, which is normally printed on the device or given in its documentation. Note that this administrator password is not the same as the one you will have used to connect a device to the network, for example over Wi-Fi.

3a. Is it possible for a user to access the administrative interface of the firewall (or equivalent device) remotely?

Once again, if your firewall has been provided by an ISP then it is quite likely that they will have set it up so they can administer your firewall remotely across the internet, without having to visit your premises, should you have problems with it. It is quite possible that you cannot alter this. However, if you can change the setting in the control panel, it is required that the firewall is set not to allow remote access to its administrative interface.

3b. If the answer to the previous question (3a) is yes, have you implemented protection for the administrative interface in the form of a second authentication factor, such as a one-time token?

This will usually be how an ISP-supplied firewall is set up. When the ISP wants to connect to your firewall they send you a connection request and will then often ask you to type in a code to allow the connection to be made. This is a form of two-factor authentication.
3c. If the answer to the previous question (3b) is no, have you implemented protection for the administrative interface in the form of an IP whitelist, which limits access to a small range of trusted IP addresses?

This would need to be undertaken via the control panel (or equivalent) and is likely to need a security expert to ensure it is done correctly.

4. Are unauthenticated inbound connections blocked by default?

This should be the way a commercial firewall is set up, and you may be able to confirm it from the control panel. If you need to configure your firewall yourself, you will need to ensure that the configuration does not limit or prevent legitimate business activities.

5. For any configured inbound firewall rules, are they approved and documented by an authorised individual, including a description of why each rule is needed?

This is a documentation requirement. The decisions you have made for the setup of the firewall and other similar devices must be appropriately defined, based on a solid risk assessment and approved by an appropriately senior person in the organisation. This documentation, along with any other similar documentation, must be kept up to date and routinely reviewed to ensure the decisions made continue to be appropriate. If your firewall runs with its default configuration then you may not have control over this aspect of it; it is best to leave it to the ISP to ensure the device is maintained appropriately.

6. Are configured firewall rules removed or disabled when they are no longer needed?

If you have made any special settings on the firewall (to allow inbound access, for example), then they should be deleted when they are no longer required to meet a business need.

7. Do you have host-based (individual) firewalls on devices which are used on untrusted networks, such as public Wi-Fi hotspots?

If your organisation allows staff to use mobile phones, tablets, laptops and the like, then it is important that all those devices are as secure as the main devices in the office. Each will usually come with a firewall installed by default, and it is important that the setup of each device meets the security requirements of your main network (since it is likely you will be allowing them to connect to it). In particular, it is essential that any connection to a public Wi-Fi hotspot (for example in a railway station, hotel or coffee shop) is protected, and this can be achieved by a properly set up software firewall on the phone, tablet or laptop. Some makes of smartphone do this by default, and most modern phones can be set up to do this through the settings on the device.

SECURE CONFIGURATION

8. Have all unnecessary or default user accounts been deleted or disabled?

9. Have all passwords been changed from default or guessable to something non-obvious?

The accounts set up on a computer or other device connected to your network should only be those necessary for business use. There should not be a guest account (often set up by default on a computer) and there should be no unused accounts. A system administrator can do this through the control panel on the computer or other device.

Passwords are one of the most common weaknesses in the cyber world. It is critical that they are changed from the default setting (the password set on the device when it was bought new) and that strong passwords are set. A mixture of upper case, lower case, numbers and special characters adds to a password's strength, but current NCSC advice favours length (for example three random words) over forced complexity rules. It is also important that the password is not a dictionary word or any other recognisable sequence of letters and/or numbers such as ABC123. Passwords should not be information about yourself which is not too difficult to find or work out, such as a birthday, car registration or post code.

The way passwords are selected and stored is important, and it is acceptable to use a respected password manager application. Most browsers can now be used to store passwords securely. There are web sites and applications that will assess a password to determine how strong it is, and using these to help staff select strong passwords is advisable; do not, however, type a password you actually intend to use into a third-party web site, since that discloses it to the site's operator. For more advice on passwords see the NCSC advice here:

10. Has all software which is unnecessary for your organisation been removed or disabled?

11. Have all auto-run features which allow file execution without user authorisation (for example, when files are downloaded from the Internet) been disabled for all media types and network file shares?

Any software that is not required and used by the organisation should be removed by uninstalling it. This includes software that might have been used once but is no longer used and, where a new version has replaced an older version, the older version should be removed. Where it cannot be removed for some reason (perhaps due to licensing agreements), then it should be disabled such that only administrators could run it if necessary and appropriate. If you are unsure how to uninstall software or disable its use, you may need further technical advice from an expert.

Programs should not be able to run without someone approving them. This might on occasion be a user, but more correctly it should be an administrator. The facility to auto-run programs is normally set within the control panel or the equivalent.
12. Are external users authenticated before they are given Internet-based access to commercially or personally sensitive data, or data which is critical to the running of the organisation?

Anybody who can be given access to the network when not in the same physical location should have to provide some confirmation of who they are. This is done through methods such as two-factor authentication. This might mean that they have to carry a token or other device which they use to obtain an individual code or PIN to enter the system. It can sometimes mean sending a text message to their mobile phone (or some other similar method). The system must not allow anyone to log in without some form of separate identification and authentication. Setting this type of system up will often require some expert assistance in order to avoid over-complicated or inappropriate systems.

13. Are systems accessible from the Internet protected against brute-force password guessing by either:
1. locking accounts after no more than 10 unsuccessful attempts, or
2. limiting the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes?

When a system is set up to allow people to log in when away, there must be a mechanism in place to stop repeated attempts to gain access. This can be done in a number of ways, but it is commonly done by limiting the number of attempts at getting a password correct before the system locks the person out. Once accounts are locked, there needs to be an adequate way of re-enabling them such that the user is not overly inconvenienced but security is not compromised. This is best set up by an expert with appropriate technical knowledge in order to reach an appropriate compromise between usability, convenience and security.
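The throttling described for question 13, as an added example that is not part of the original guide: a small Python login guard implementing both permitted options, lockout after 10 consecutive failures and a limit of 10 guesses in any 5-minute window, either of which can be switched off, plus the administrator unlock path the answer calls for. Usernames, passwords and timings are constructed for the example; a real system would compare against salted password hashes rather than plaintext and would persist the counters so they survive a restart.

```python
import hmac
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked: bool = False
    guesses: deque = field(default_factory=deque)  # timestamps of recent guesses


class LoginGuard:
    """Per-account brute-force protection for Cyber Essentials question 13.

    Pass None for lockout_after or window_limit to use only one of the two
    permitted options; by default both are applied.
    """

    def __init__(self, credentials, lockout_after=10, window_limit=10, window_seconds=300):
        # credentials: username -> password (plaintext for this demo only;
        # a real system stores and compares salted hashes)
        self._creds = credentials
        self.lockout_after = lockout_after
        self.window_limit = window_limit
        self.window_seconds = window_seconds
        self._state = {}

    def _state_for(self, user):
        return self._state.setdefault(user, AccountState())

    def attempt(self, user, password, now):
        """Process one login attempt at time `now` (seconds).

        Returns "ok", "bad-password", "locked" or "rate-limited". A rate-limited
        attempt is refused before the password is checked, so it gives the
        attacker no information about whether the guess was right.
        """
        st = self._state_for(user)
        if st.locked:
            return "locked"
        if self.window_limit is not None:
            # forget guesses that have fallen out of the sliding window
            while st.guesses and now - st.guesses[0] >= self.window_seconds:
                st.guesses.popleft()
            if len(st.guesses) >= self.window_limit:
                return "rate-limited"
            st.guesses.append(now)
        expected = self._creds.get(user, "")
        # constant-time comparison for equal-length inputs; an unknown user
        # takes the same path as a wrong password
        if hmac.compare_digest(expected.encode(), password.encode()):
            st.consecutive_failures = 0
            return "ok"
        st.consecutive_failures += 1
        if self.lockout_after is not None and st.consecutive_failures >= self.lockout_after:
            st.locked = True
        return "bad-password"

    def unlock(self, user):
        """Administrator re-enables an account after confirming the user's identity out of band."""
        st = self._state_for(user)
        st.locked = False
        st.consecutive_failures = 0
        st.guesses.clear()

    def is_locked(self, user):
        return self._state_for(user).locked


def simulate_attack(guard, user, guesses):
    """Replay a constructed list of (time, password) guesses and return the outcomes."""
    return [guard.attempt(user, pw, t) for t, pw in guesses]


if __name__ == "__main__":
    guard = LoginGuard({"alice": "correct horse battery staple"})
    # constructed attack: twelve wrong guesses one second apart
    outcomes = simulate_attack(guard, "alice", [(float(i), f"guess{i}") for i in range(12)])
    print(outcomes)           # ten "bad-password" then two "locked"
    print(guard.is_locked("alice"))
```

The window option lets a legitimate user who mistypes a few times carry on after a short wait, whereas the lockout option needs the administrator unlock step; which of the two is less disruptive is the usability trade-off the answer refers to.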
14. Do you enforce a minimum password length of 8 characters?

This will normally be set up in the security settings for the system. The administrator will set this up, and a satisfactory compromise must be achieved between usability, convenience and security. Advice on good passwords issued by the National Cyber Security Centre should be followed.

15. Do you enforce a maximum password length?

Once again, this will normally be set up in the security settings for the system by the administrator. There should not be a maximum length limitation on passwords, although sometimes there are technical reasons for one. If a limit is set, this must be fully explained to the assessor. In general, longer is better. Advice on good passwords issued by the National Cyber Security Centre should be followed.

16. Are passwords changed when it is suspected they are compromised?

Users of the system must be told to change passwords when they believe, or suspect, that the account or password has been compromised. Advice on changing passwords has been issued by the National Cyber Security Centre in a number of different documents. They are available here:

17. Do you have a password policy that meets the requirements as set out in Cyber Essentials Requirements: Password Authentication?

You must have a password policy authorised by a senior member of staff that has been implemented effectively across the organisation. The password policy is a properly authorised document that must tell users:

- how to avoid choosing obvious passwords (such as those based on easily-discoverable information like the name of a favourite pet);
- not to choose common passwords (this could be implemented by technical means, using a password blacklist);
- not to use the same password in multiple places, at work or at home;
- where and how they may record passwords to store and retrieve them securely, for example in a sealed envelope in a secure cupboard;
- whether they may use password management software and, if so, which software and how;
- which passwords they really must memorise and not record anywhere.

ACCESS CONTROL

18. Are user accounts controlled through a creation and approval process?

For example: HR manager approval, line manager approval and IT department approval before a new starter is set up.

19. Are users required to authenticate before being granted access to devices and applications, using unique credentials?

20. Are accounts removed or disabled when no longer required?

Authentication is a second process to ensure that only authorised users gain access to the system. This can be done in a number of different ways. It could be through a combination of passwords and physical access controls such as staff passes: without a staff pass allowing them into the building, people cannot gain physical access to a system. Alternatively, a token is used to access the system in addition to a password. There are other ways this can be achieved and, in each case, it is critical that the authentication details are unique to individual users. There must not, for example, be a general "Temporary Staff" login or anything similar used by a number of different individuals. Further technical advice may be needed to set this up effectively.

When staff members leave, their account should be locked to prevent continued access. After any critical information required for record keeping, auditing or other use has been taken from the account, it should either be deleted or disabled. This should be done by a system administrator through the control panel.
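As an added illustration of questions 14 to 17 (not part of the original guide), the following Python function applies the policy points above as technical checks: a minimum of 8 characters, no maximum, a blacklist of common passwords, rejection of passwords built from the user's own easily-discoverable details, and rejection of trivial sequences and repeated characters. Following NCSC advice it does not demand particular character classes. The blacklist and the personal details used below are constructed for the example; a real deployment would load a large published list of breached passwords.

```python
import re

MIN_LENGTH = 8        # question 14
MAX_LENGTH = None     # question 15: no upper limit is enforced

# Constructed sample blacklist; a production list holds hundreds of thousands of entries.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "abc123",
    "letmein", "welcome", "welcome1", "admin", "iloveyou", "monkey",
}


def _simplify(text):
    """Lower-case and strip everything but letters and digits.

    'Rover-2019!' -> 'rover2019', so decoration around a weak password or a
    personal detail does not hide it from the checks below.
    """
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _is_sequence(s):
    """True for runs such as 'abcdefgh' or '87654321' (every step is +1 or -1)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password(password, personal_terms=(), blacklist=COMMON_PASSWORDS):
    """Return a list of policy violations; an empty list means the password is acceptable.

    personal_terms: details about the user that the policy says must not appear
    in their password (pet's name, birthday, postcode, ...). Terms shorter than
    four characters are ignored because they would match almost anything.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if MAX_LENGTH is not None and len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    simple = _simplify(password)
    if simple in {_simplify(p) for p in blacklist}:
        problems.append("a common password or a trivial variant of one")

    for term in personal_terms:
        t = _simplify(term)
        if len(t) >= 4 and t in simple:
            problems.append(f"contains personal information ({term!r})")

    if simple and len(set(simple)) <= 2:
        problems.append("too few distinct characters")
    if _is_sequence(simple):
        problems.append("an alphabetic or numeric sequence")
    return problems


def is_acceptable(password, personal_terms=()):
    return not check_password(password, personal_terms)


if __name__ == "__main__":
    # constructed user details of the kind the policy tells users to avoid
    details = ["Rover", "Bob Smith", "12/03/1985", "SW1A 1AA"]
    for candidate in ["Rover2019!", "Password1!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, details) or "acceptable")
```

Run at the point where a user sets a password, the function gives the user the reason for a rejection, which is what the policy's "how to avoid obvious passwords" guidance needs in practice; it is deliberately permissive about length and character mix so that long passphrases are accepted.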
21. Has two-factor authentication been implemented, where available?

Two-factor authentication has been discussed previously. It involves the use of two different means of identifying individuals to provide them with access to the system, or to different parts of it. It is not always appropriate or possible to use this method, but senior management should have made a deliberate decision as to where it should be implemented and where there is no need.

22. Are administrative accounts only used to perform administrative activities?

In practice, this means no emailing, web browsing or other standard user activities (which may expose administrative privileges to avoidable risks) should be undertaken on an administrator account. An administrator should have a separate, normal user account for everyday activity such as emailing and web browsing.

23. Are special access privileges removed or disabled when no longer required?

Administrative accounts should be limited to named individuals who need such highly privileged accounts to undertake special administrator functions such as creating and deleting users, resetting passwords, changing firewall settings, adding new devices, etc. There may be certain circumstances when people need special, additional administrative permissions in order to carry out specific tasks or activities. Those should also be regularly and frequently reviewed, and cancelled or removed as soon as they are no longer needed. This can all be done through the user account section of the control panel.

MALWARE PROTECTION

24. Do you have either anti-malware software, application whitelisting or application sandboxing on each of your devices?

Anti-malware software (also known as anti-virus or AV software) should be installed on all devices and endpoints, including mobile devices, where they connect to the internet and to the system in scope. This software will often include the facility to whitelist software applications: a process whereby any software that is approved to be used on the system in question is listed, and only that software can be run. An alternative approach, used by some AV software and by manufacturers such as Apple, is that when an application is run it runs in a separate area, quarantined from the rest of the system, a process called sandboxing. In either case the idea is to stop unauthorised software running on the system.

25. Please provide details of the software used.

This is simply a note of what AV (anti-virus) or other related software (scanners, whitelisting, etc.) is installed on the system.

26a. Is the software kept up to date, with signature files updated at least daily?

The AV or similar software should be set to update automatically, and this should normally happen at least daily.

26b. Does the software scan files automatically upon access?

On-access scanning means that every file is checked as it is opened, copied or run, rather than only during a scheduled scan. This includes files on an external storage device such as a USB thumb drive when it is inserted into a computer or other device. This is a setting in the AV or similar software. An alternative for removable media is to disable the USB ports so that nothing plugged into them will work.

26c. Are web pages automatically scanned on access through a web browser?

When a user goes to a web page on the internet or elsewhere, the page should be scanned for malware. This might be done as part of the AV software or may require an additional piece of anti-malware software such as a browser-based scanner.

26d. Are connections prevented to malicious websites on the Internet, unless there is a clear, documented business need and you understand and accept the associated risk?

Some web sites are deemed unsafe for a number of reasons. Anti-malware and similar software should stop a user going to those sites. This can also be achieved by the settings in the browser. Where there is a good, documented business need to access such a site, it can be added to the software or browser as an exception. The process of defining those web sites which can be accessed by users whilst preventing access to all others is called whitelisting. The same approach can be used to define which applications can be run and which cannot.

27a. Are only approved applications allowed to run on devices?

This is a further statement that only those applications approved to run on the system are allowed to do so. It should not be possible to install unauthorised software on the system, nor for any software that installs itself to be allowed to run. The measures above address this through anti-malware and scanning software and the security settings in the browser. Setting the browser security level can be part of the solution, but there are other methods too, including whitelisting as described above. This may require the assistance and advice of an appropriately experienced technical expert.

27b. Does the whitelisting process use code signing?

This is a way of setting up whitelisting (as described previously). Code signing allows software to be approved by recognising the signature of an approved publisher, rather than by listing individual files. This may require expert help to set up and maintain.

27c. Do you actively approve applications before deploying them to devices?

There should be a governance process in place that explains how new software is obtained, tested, approved for use, installed and maintained. This process should be explained to the assessor.
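One mechanism behind questions 27a, 27c and 27d, added here as an example and not taken from the guide or from any product: an approved-application register keyed by the SHA-256 hash of each approved file, and an audit that compares the files present on a device against it. Keying on the hash rather than the file name means a renamed copy of an approved build still passes while a modified one does not. The register entries, file names and file contents are constructed for the example; publisher-based whitelisting using code signing (27b) is done with the operating system's own tooling and is not shown.

```python
import hashlib
import os
import tempfile
from datetime import date


def sha256_file(path):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def approve(register, content, name, version, approved_by, approved_on):
    """Record an approval decision (question 27c) against the file's hash."""
    digest = hashlib.sha256(content).hexdigest()
    register[digest] = {
        "name": name,
        "version": version,
        "approved_by": approved_by,
        "approved_on": approved_on.isoformat(),
    }
    return digest


def audit_files(paths, register):
    """Map each file name to its approval status according to the register (27d)."""
    report = {}
    for path in paths:
        entry = register.get(sha256_file(path))
        if entry is None:
            report[os.path.basename(path)] = "NOT APPROVED"
        else:
            report[os.path.basename(path)] = f"approved: {entry['name']} {entry['version']}"
    return report


def demo():
    """Build a constructed register and device contents, then audit them."""
    register = {}
    editor_build = b"constructed bytes standing in for editor 4.2"
    approve(register, editor_build, "Editor", "4.2", "IT manager", date(2018, 6, 1))

    with tempfile.TemporaryDirectory() as device:
        files = {
            "editor.exe": editor_build,                       # the approved build
            "notes.exe": editor_build,                        # same build, renamed
            "editor.exe.bak": editor_build + b"\x90",         # modified copy
            "helper.exe": b"constructed unapproved program",  # never approved
        }
        paths = []
        for name, content in files.items():
            path = os.path.join(device, name)
            with open(path, "wb") as f:
                f.write(content)
            paths.append(path)
        return audit_files(paths, register)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:16} {status}")
```

The register is the "current list of approved applications" the assessor asks for; because every entry carries who approved it and when, the same file doubles as the evidence for the approval process in 27c.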
27d. Do you maintain a current list of approved applications?

As a result of the process just described, there should be an approved list of applications that are permitted to be installed and run on the system. That does not necessarily mean that all the applications should be available to and used by all users. If you are using whitelisting then there will be a common list.

28. Is all code of unknown origin run within a 'sandbox' that prevents access to other resources unless permission is explicitly granted by the user?

Sandboxing is used to put a new piece of software or application inside a secure, logical enclosure that prevents it from accessing or harming other parts of the system. If there is a need to run new, unauthorised or untested software, it should be sandboxed. If this is not practical for some reason, there must be a clearly documented business need, and all steps must be taken to ensure, as far as possible, that the software is prevented from damaging the system.

PATCH MANAGEMENT

29. Is all software installed on computers and network devices in the scope licensed and supported?

There must not be any pirated or other unauthorised software on the system. All software should be licensed and supported in some way by the supplier, even if there is a charge associated with that support. Freeware or open source software is quite acceptable provided it is still maintained: "supported" here means that its developers still issue security fixes for it, not that a paid contract exists. Software that no longer receives security fixes, free or not, does not meet this requirement.

30. Are all "critical" or "high risk" software patches applied within 14 days of release?

Patching or updating software is one of the most critical controls. It is essential that all software patches are installed as soon as practical. The advice of the National Cyber Security Centre should be followed, and this will usually mean patching as soon as the patch is received. Many software packages will patch automatically, and this should be enabled where possible for all software in use. Users should not be given the choice of whether to patch but should be required to patch as soon as possible. The NCSC advice can be found here:

Guidance on updating your operating system can be found here:

31. If a vendor releases a patch for multiple issues as a single update which includes any "critical" or "high risk" issues, is it installed within 14 days?

As for the previous question, the general policy for patching should be to implement every patch as soon as possible after receipt or notification. The definition of critical and high risk can be found at the end of the document found here:

More information on the Cyber Essentials scheme and the measures it requires organisations to take can be found online in a number of places, including:

Useful links

Apply for certification at https://ces.apmg-certified.com/
CyberEssentials@apmgroup.co.uk
Glossary:
NCSC Password advice:
The NCSC advice on patching or updating software can be found here:
Guidance on updating your operating system can be found here:
The definition of critical and high risk can be found at the end of the document found here:
More informationWye Valley NHS Trust. Data protection audit report. Executive summary June 2017
Wye Valley NHS Trust Data protection audit report Executive summary June 2017 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act
More informationPCI DSS and VNC Connect
VNC Connect security whitepaper PCI DSS and VNC Connect Version 1.2 VNC Connect security whitepaper Contents What is PCI DSS?... 3 How does VNC Connect enable PCI compliance?... 4 Build and maintain a
More informationPoint ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core
PCI PA - DSS Point ipos Implementation Guide Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core Version 1.02 POINT TRANSACTION SYSTEMS AB Box 92031,
More informationNETWORK ACCESS CONTROL OVERVIEW. CONVENIENCE. SECURITY.
NETWORK ACCESS CONTROL OVERVIEW. CONVENIENCE. SECURITY. MACMON MODULE & BUNDLES DEVELOPMENT It is macmon s mission to improve and further develop its products. Exciting extensions are currently being worked
More informationPCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide
PCI DSS VERSION 1.1 1 PCI DSS Table of contents 1. Understanding the Payment Card Industry Data Security Standard... 3 1.1. What is PCI DSS?... 3 2. Merchant Levels and Validation Requirements... 3 2.1.
More informationESET Mobile Security for Windows Mobile. Installation Manual and User Guide - Public Beta
ESET Mobile Security for Windows Mobile Installation Manual and User Guide - Public Beta Contents...3 1. Installation of ESET Mobile Security 1.1 Minimum...3 system requirements 1.2 Installation...3 1.2.1
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More informationCeedo Client Family Products Security
ABOUT THIS DOCUMENT Ceedo Client Family Products Security NOTE: This document DOES NOT apply to Ceedo Desktop family of products. ABOUT THIS DOCUMENT The purpose of this document is to define how a company
More informationClient Computing Security Standard (CCSS)
Client Computing Security Standard (CCSS) 1. Background The purpose of the Client Computing Security Standard (CCSS) is to (a) help protect each user s device from harm, (b) to protect other users devices
More informationIt s still very important that you take some steps to help keep up security when you re online:
PRIVACY & SECURITY The protection and privacy of your personal information is a priority to us. Privacy & Security The protection and privacy of your personal information is a priority to us. This means
More informationTOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION
INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017 INTRODUCTION The Top 10 Information Technology (IT) Security
More informationUniversity of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017
University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017 Related Policies, Procedures, and Resources UAB Acceptable Use Policy, UAB Protection and Security Policy, UAB
More informationBASELINE GENERAL PRACTICE SECURITY CHECKLIST Guide
BASELINE GENERAL PRACTICE SECURITY CHECKLIST Guide Last Updated 8 March 2016 Contents Introduction... 2 1 Key point of contact... 2 2 Third Part IT Specialists... 2 3 Acceptable use of Information...
More informationA Measurement Companion to the CIS Critical Security Controls (Version 6) October
A Measurement Companion to the CIS Critical Security Controls (Version 6) October 2015 1 A Measurement Companion to the CIS Critical Security Controls (Version 6) Introduction... 3 Description... 4 CIS
More informationMinimum Standards for Connecting to the UCLA Network
Minimum Standards for Connecting to the UCLA Network Last April, the CSG approved a set of minimum standards for connecting to the UCLA network that were based on a policy that had been developed by Berkeley.
More informationInformation Security BYOD Procedure
Information Security BYOD Procedure A. Procedure 1. Audience 1.1 This document sets out the terms of use for BYOD within the University of Newcastle. The procedure applies to all employees of the University,
More informationPolicy & Procedure. IT Password Policy. Policy Area. Version Number 2. Approving Committee SMT. Date of Approval 26 September 2017
Policy & Procedure Policy Area IT Password Policy IT Version Number 2 Approving Committee SMT Date of Approval 26 September 2017 Date of Equality Impact Assessment 03 August 2016 Date of Review 01 November
More informationGUIDANCE ON ELECTRONIC VOTING SYSTEM PREPARATION AND SECURITY
September, 2016 GUIDANCE ON ELECTRONIC VOTING SYSTEM PREPARATION AND SECURITY As a reminder for counties, and refresher on good cyber hygiene practices, DOS recommends the following procedures in the preparation
More informationEnsuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard
Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure
More informationWeb Cash Fraud Prevention Best Practices
Web Cash Fraud Prevention Best Practices Tips on what you can do to prevent Online fraud. This document provides best practices to avoid or reduce exposure to fraud. You can use it to educate your Web
More informationGDPR Draft: Data Access Control and Password Policy
wea.org.uk GDPR Draft: Data Access Control and Password Policy Version Number Date of Issue Department Owner 1.2 21/01/2018 ICT Mark Latham-Hall Version 1.2 last updated 27/04/2018 Page 1 Contents GDPR
More informationRemote Access (Supporting Document)
Remote Access (Supporting Document) April 2007 Version Control Sheet Title: Purpose: Owner: Approved by: Remote Access (Supporting Document The advise staff of the councils policy and procedures regarding
More informationBHIG - Mobile Devices Policy Version 1.0
Version 1.0 Authorised by: CEO Endorsed By: Chief Operations Officer 1 Document Control Version Date Amended by Changes Made 0.1 20/01/2017 Lars Cortsen Initial document 0.2 29/03/2017 Simon Hahnel Incorporate
More informationCyber Security Guidelines for Public Wi-Fi Networks
Cyber Security Guidelines for Public Wi-Fi Networks Version: 1.0 Author: Cyber Security Policy and Standards Document Classification: PUBLIC Published Date: April 2018 Document History: Version Description
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationCYBERSECURITY RISK LOWERING CHECKLIST
CYBERSECURITY RISK LOWERING CHECKLIST The risks from cybersecurity attacks, whether external or internal, continue to grow. Leaders must make thoughtful and informed decisions as to the level of risk they
More informationE-Security policy. Ormiston Academies Trust. James Miller OAT DPO. Approved by Exec, July Release date July Next release date July 2019
Ormiston Academies Trust E-Security policy Date adopted: Autumn Term 2018 Next review date: Autumn Term 2019 Policy type Author Statutory James Miller OAT DPO Approved by Exec, July 2018 Release date July
More informationCarbon Black PCI Compliance Mapping Checklist
Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and
More informationHIPAA Assessment. Prepared For: ABC Medical Center Prepared By: Compliance Department
HIPAA Assessment Prepared For: ABC Medical Center Prepared By: Compliance Department Agenda Environment Assessment Overview Risk and Issue Score Next Steps Environment NETWORK ASSESSMENT (changes) Domain
More informationProduct Guide. McAfee Web Gateway Cloud Service
Product Guide McAfee Web Gateway Cloud Service COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee
More informationComodo IT and Security Manager Software Version 5.4
Comodo IT and Security Manager Software Version 5.4 End User Guide Guide Version 5.4.090716 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1. Introduction to Comodo IT
More informationSTUDENT ACCEPTABLE USE OF IT SYSTEMS POLICY
STUDENT ACCEPTABLE USE OF IT SYSTEMS POLICY Introduction The college offer an extensive range of IT systems across campuses and online for course related activities and drop-in purposes. This policy applies
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationSecurity Principles for Stratos. Part no. 667/UE/31701/004
Mobility and Logistics, Traffic Solutions Security Principles for Stratos Part no. THIS DOCUMENT IS ELECTRONICALLY APPROVED AND HELD IN THE SIEMENS DOCUMENT CONTROL TOOL. All PAPER COPIES ARE DEEMED UNCONTROLLED
More informationPUPIL ICT ACCEPTABLE USE POLICY
PUPIL ICT ACCEPTABLE USE POLICY Document control This document has been approved for operation within: All Trust Schools Date of last review August 2018 Date of next review August 2020 Review period Status
More informationTrinity Multi Academy Trust
Trinity Multi Academy Trust Policy: Bring Your Own Device Date of review: October 2018 Date of next review: October 2020 Lead professional: Status: Director of ICT and Data Non-Statutory Page 1 of 5 Scope
More informationSDHS Security Policy v5.3, revised March 2015
SDHS Security Policy v5.3, revised March 2015 The SDHS Security Policy is reviewed annually by the Council of the School - the policy presented here was approved in March 2015. Interim revisions may be
More informationPOLICY 8200 NETWORK SECURITY
POLICY 8200 NETWORK SECURITY Policy Category: Information Technology Area of Administrative Responsibility: Information Technology Services Board of Trustees Approval Date: April 17, 2018 Effective Date:
More informationINFORMATION ASSET MANAGEMENT POLICY
INFORMATION ASSET MANAGEMENT POLICY Approved by Board of Directors Date: To be reviewed by Board of Directors March 2021 CONTENT PAGE 1. Introduction 3 2. Policy Statement 3 3. Purpose 4 4. Scope 4 5 Objectives
More informationClientNet. Portal Admin Guide
ClientNet Portal Admin Guide Document Revision Date: June 5, 2013 ClientNet Portal Admin Guide i Contents Introduction to the Portal... 1 About the Portal... 1 Logging On and Off the Portal... 1 Language
More informationBest Practices Guide to Electronic Banking
Best Practices Guide to Electronic Banking City Bank & Trust Company offers a variety of services to our customers. As these services have evolved over time, a much higher percentage of customers have
More informationECDL / ICDL IT Security. Syllabus Version 2.0
ECDL / ICDL IT Security Syllabus Version 2.0 Module Goals Purpose This document details the syllabus for the IT Security module. The syllabus describes, through learning outcomes, the knowledge and skills
More informationGeneral Data Protection Regulation policy (exams) 2017/18
General Data Protection Regulation policy () 2017/18 This policy is annually reviewed to ensure compliance with current regulations This policy can beviewed on the school website Approved/reviewed by Gail
More informationData Sharing Agreement. Between Integral Occupational Health Ltd and the Customer
Data Sharing Agreement Between Integral Occupational Health Ltd and the Customer 1. Definitions a. Customer means any person, organisation, group or entity accepted as a customer of IOH to access OH services
More informationData protection. 3 April 2018
Data protection 3 April 2018 Policy prepared by: Ltd Approved by the Directors on: 3rd April 2018 Next review date: 31st March 2019 Data Protection Registration Number (ico.): Z2184271 Introduction Ltd
More informationSECURE USE OF IT Syllabus Version 2.0
ICDL MODULE SECURE USE OF IT Syllabus Version 2.0 Purpose This document details the syllabus for the Secure Use of IT module. The syllabus describes, through learning outcomes, the knowledge and skills
More informationInformation Security Policy for Associates and Contractors
Information Security Policy for Associates and Contractors Version: 1.13 Date: 11 October 2016 Reference: 67972761 Location: Livelink Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...
More informationCyber security. Strategic delivery: Setting standards Increasing and. Details: Output:
Cyber security Strategic delivery: Setting standards Increasing and informing choice Demonstrating efficiency economy and value Details: Meeting Audit and Governance Committee Agenda item 8 Paper number
More informationCorporate Online. Introducing Corporate Online
Corporate Online. Introducing Corporate Online Effective as at April 2015 About this Guide About Corporate Online Westpac Corporate Online is an internet-based electronic platform, providing a single point
More informationBEST PRACTICES FOR PERSONAL Security
BEST PRACTICES FOR PERSONAL Email Security Sometimes it feels that the world of email and internet communication is fraught with dangers: malware, viruses, cyber attacks and so on. There are some simple
More informationSolution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites
Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC
More informationOutnumbered, but not outsmarted A 2-step solution to protect IoT and mobile devices
Outnumbered, but not outsmarted A 2-step solution to protect IoT and mobile devices How do you really know what s on your network? How do you really know what s on your network? For most organisations,
More informationHikCentral V1.3 for Windows Hardening Guide
HikCentral V1.3 for Windows Hardening Guide Contents Introduction... 1 1. The Operating System - Microsoft Windows Security Configuration... 2 1.1Strict Password Policy... 2 1.2Turn Off Windows Remote
More informationEnd User Device Strategy: Security Framework & Controls
End User Device Strategy: Security Framework & Controls This document presents the security framework for End User Devices working with OFFICIAL information, and defines the control for mobile laptops
More informationLOGmanager and PCI Data Security Standard v3.2 compliance
LOGmanager and PCI Data Security Standard v3.2 compliance Whitepaper how deploying LOGmanager helps to maintain PCI DSS regulation requirements Many organizations struggle to understand what and where
More informationCloud Security Standards Supplier Survey. Version 1
Cloud Security Standards Supplier Survey Version 1 Document History and Reviews Version Date Revision Author Summary of Changes 0.1 May 2018 Ali Mitchell New document 1 May 2018 Ali Mitchell Approved Version
More informationHow to Build a Culture of Security
How to Build a Culture of Security March 2016 Table of Contents You are the target... 3 Social Engineering & Phishing and Spear-Phishing... 4 Browsing the Internet & Social Networking... 5 Bringing Your
More informationRemote Working Policy
[Type text] [Type text] [Type text] Information Management & Policy Services (IMPS) Remote Working Policy 1 Scope and definitions 1.1 This policy applies to all staff who use or access University systems
More informationFAQ: Privacy, Security, and Data Protection at Libraries
FAQ: Privacy, Security, and Data Protection at Libraries This FAQ was developed out of workshops and meetings connected to the Digital Privacy and Data Literacy Project (DPDL) and Brooklyn Public Library
More informationHardware and Software Security
Hardware and Software Security Good Practice Guide Author: A Heathcote Date: 22/05/2017 Version: 1.0 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre
More informationHow to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis
White paper How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis AhnLab, Inc. Table of Contents Introduction... 1 Multidimensional Analysis... 1 Cloud-based Analysis...
More informationHealing School - A Science Academy GDPR Policy (Exams) 2018/19
Healing School - A Science Academy GDPR Policy (Exams) 2018/19 This policy is reviewed annually to ensure compliance with current regulations Author Date adopted by MAT Directors Mrs D Barnard Review Date
More informationThe purpose of this guidance is: To provide a comprehensive understanding to complying with the universities Acceptable Use Policy.
Policy Acceptable Use Guidance 1 Introduction This guidance compliments the University of East London s Acceptable Use Policy. It puts into perspective specific situations that will help you provide a
More informationUKIP needs to gather and use certain information about individuals.
UKIP Data Protection Policy Context and overview Key details Policy Update Prepared by: D. Dennemarck / S. Turner Update approved by Management on: November 6, 2015 Policy update became operational on:
More informationAre You Avoiding These Top 10 File Transfer Risks?
Are You Avoiding These Top 10 File Transfer Risks? 1. 2. 3. 4. Today s Agenda Introduction 10 Common File Transfer Risks Brief GoAnywhere MFT Overview Question & Answer HelpSystems Corporate Overview.
More informationApplication for connection to YJS CUG and Hub (v6.0)
Application for connection to YJS CUG and Hub (v6.0) Name of Local Authority / Applicant organisation Contact Name Position Address Telephone: E-Mail I/We wish to apply for connectivity to the Youth Justice
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationCloud Security Standards
Cloud Security Standards Classification: Standard Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January 2018 Next
More informationICT Systems Administrative Password Procedure
ICT Systems Administrative Password Procedure Related Policy Responsible Officer Approved by Approved and commenced July, 2014 Review by July, 2017 Responsible Organisational Unit ICT Security Policy ICT
More informationIT Remote Working Policy
IT Remote Working Policy 1. Purpose To ensure that all staff processing information remotely (i.e. not at a PC on campus) do so securely and in accordance with the Data Protection Act 1998. This policy
More informationPresenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.
Presenter Jakob Drescher Industry Cyber Security 1 Cyber Security? Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks. Malware or network traffic
More information