Cyber Essentials Questionnaire Guidance

Similar documents
Cyber Essentials - Requirements for IT Infrastructure Questionnaire

Information Security Controls Policy

CS 356 Operating System Security. Fall 2013

A guide to the Cyber Essentials Self-Assessment Questionnaire

A guide to the Cyber Essentials Self-Assessment Questionnaire

Requirements for IT Infrastructure

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Cyber Essentials. Requirements for IT Infrastructure. QG Adaption Publication 25 th July 17

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

AUTHORITY FOR ELECTRICITY REGULATION

Computer Security: Cyber Essentials KAMI VANIEA 1

University of Sunderland Business Assurance PCI Security Policy

SECURITY PRACTICES OVERVIEW

PCI Compliance Assessment Module with Inspector

Data Security Standard

CIS Controls Measures and Metrics for Version 7

Merchant Certificate of Compliance

CIS Controls Measures and Metrics for Version 7

Cyber security tips and self-assessment for business

Payment Card Industry (PCI) Data Security Standard

Rich Powell Director, CIP Compliance JEA

PCI DSS Compliance. White Paper Parallels Remote Application Server

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

NEN The Education Network

Client Computing Security Standard (CCSS)

UTM Firewall Registration & Activation Manual DFL-260/ 860. Ver 1.00 Network Security Solution

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Security Architecture

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

Cloud Security Whitepaper

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

ASD CERTIFICATION REPORT

HIPAA Compliance Assessment Module

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Getting over Ransomware - Plan your Strategy for more Advanced Threats

Juniper Vendor Security Requirements

Payment Card Industry (PCI) Data Security Standard

PCI Compliance Updates

Security Overview. Technical Whitepaper. Secure by design. End to end security. N-tier Application Architecture. Data encryption. User authentication

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

LOGmanager and PCI Data Security Standard v3.2 compliance

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

ClientNet. Portal Admin Guide

Easy-to-Use PCI Kit to Enable PCI Compliance Audits

ECDL / ICDL IT Security. Syllabus Version 2.0

Payment Card Industry (PCI) Data Security Standard

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

PCI COMPLIANCE IS NO LONGER OPTIONAL

Locking down a Hitachi ID Suite server

Carbon Black PCI Compliance Mapping Checklist

Comodo IT and Security Manager Software Version 5.4

IoT & SCADA Cyber Security Services

Simple and Powerful Security for PCI DSS

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Information Security Policy

Payment Card Industry (PCI) Data Security Standard

Comodo IT and Security Manager Software Version 6.4

Trinity Multi Academy Trust

State of Colorado Cyber Security Policies

Cloud Security Standards and Guidelines

Daxko s PCI DSS Responsibilities

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

Addressing PCI DSS 3.2

Cyber Insurance PROPOSAL FORM. ITOO is an Authorised Financial Services Provider. FSP No

KASPERSKY ENDPOINT SECURITY FOR BUSINESS

Security. Bob Shantz Director of Infrastructure & Cloud Services Computer Guidance Corporation. All Rights Reserved.

HIPAA Assessment. Prepared For: ABC Medical Center Prepared By: Compliance Department

Security. ITM Platform

Security Standards for Electric Market Participants

Cyber Insurance PROPOSAL FORM. ITOO is an Authorised Financial Services Provider. FSP No

SELF SERVICE INTERFACE CODE OF CONNECTION

SECURE USE OF IT Syllabus Version 2.0

ISSP Network Security Plan

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Server Hardening Title Author Contributors Date Reviewed By Document Version

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Launching a Highly-regulated Startup in the Cloud

Medical Sciences Division IT Services (MSD IT)

Cyber Security Requirements for Electronic Safety and Security

SECURITY POLICY FOR USER. 1.Purpose: The policy aims at providing secure and acceptable use of client systems.

Security Principles for Stratos. Part no. 667/UE/31701/004

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

InterCall Virtual Environments and Webcasting

HikCentral V1.3 for Windows Hardening Guide

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Transcription:

Cyber Essentials Questionnaire Guidance Introduction This document has been produced to help companies write a response to each of the questions and therefore provide a good commentary for the controls in use. Please note that it is just a guide to help you understand what goes through an assessors mind when reading through responses. It is possible to achieve certification without following the guidance prompts however, this may result in more follow up calls from the Certification Body. You must answer each of the 34 questions in the questionnaire which can be downloaded from http://www.indelibledata.co.uk/cyberessentials/

Organisation Identification Please provide details as follows: Organisation Name (legal entity): Sector: Parent Organisation name (if any): Size of organisation (Micro/SME/Large etc) of employees Point of Contact name: Job Title: Email address: Telephone Number: Certifying Body (CB): CB Reference number: Business Scope Please identify the scope of the system(s) to be assessed under this questionnaire, including locations, network boundaries, management and ownership. Where possible, include IP addresses and/or ranges. A system name should be provided that uniquely identifies the systems to be assessed, and which will be used on any certificate awarded. (te: it is not permissible to provide the company name, unless all systems within the organisation are to be assessed): How many sites are in scope? How are they connected? Have out-of-scope areas been sufficiently segregated (NAT / Firewall)? What Cloud Services are used (Dropbox, Office 365, Google Drive) Please provide a URL (or send supplemental documentation) that shows each cloud provider s security processes and certifications

Boundary Firewalls and Internet Gateways Question Answer Comment 1 Have you installed Firewalls or similar devices at the boundaries of the networks in the Scope? Make of Firewalls? Who administers them? Example: Our Head office is protected by a Cisco SA 500 This was installed and is maintained by our outsourced IT company XX Solutions. 2 Have the default usernames/passwords on all boundary firewalls (or similar devices) been changed to a strong password 3 Have all open ports and services on each firewall (or similar device) been subject to justification and approval by an appropriately qualified and authorised business representative, and has this approval been properly documented? When was this done and who by (which department or provider?) What are the complexity rules of passwords? Example: The outsourced IT company have declared that they changed the password to one that requires 15 characters mixture of upper and lower case, special char and a number. What is the approval process? Who administers this? Example: The Operations Manager issues a request ticket to the IT company stating the reason for the port to be open after considering security implications. The IT company then arrange a suitable time to perform the operation 4 Have all commonly attacked and vulnerable services (such as Server Message Block (SMB) NetBIOSm tftp, RPC, rlogin, rsh, rexec) been disabled or blocked by default at the boundary firewalls? How do you know this to be the case? Who (role) did this and when was it last checked?

Question Answer Comment 5 Confirm that there is a corporate policy requiring all firewall rules that are no longer required to be removed or disabled in a timely manner, and that this policy has been adhered to (meaning that there are currently no open ports or services that are not essential for the business)? Policy exists and has been implemented Policy exists but has not been implemented Policy does not exist What is the name of the corporate policy document? When was the last check performed to verify that the only ports open that are those essential for business? Who signs this off (name / role)? 6 Confirm that any remote administrative interface has been disabled on all firewall (or similar) devices? 7 Confirm that where there is no requirement for a system to have Internet access, a Default Deny policy is in effect and that it has been applied correctly, preventing the system from making connections to the Internet Checked by? When? If the firewall ever configured remotely by anyone (for example by IT Support) and if so how is this done? If the remote admin interface must be enabled, what other compensating controls are used? Do you have any machines that require this (i.e. you are keeping out of scope?) Does anyone browse the web on a server? Please provide any additional evidence to support your assertions above:

Secure Configuration Question Answer Comment 8 Have all unnecessary or default user accounts been deleted or disabled How do you know this? Whose role is it to check this? What is the process to ensure this is done? 9 Confirm that all accounts have passwords, and that any default passwords have been changed to strong passwords? 10 Has all unnecessary software, including OS utilities, services and applications, been removed or disabled 11 Has the Auto Run (or similar service) been disabled for all media types and network file shares? 12 Has a host based firewall been installed on all desktop PCs or laptops, and is this configured to block unapproved connections by default? Installed and configured Installed, but not configured t installed How was this achieved? Are technical controls in place to enforce complex passwords or is it paper based policy? Whose role is it to commission a machine and how do they ensure that only approved services and applications have been installed and enabled? Is it part of policy to remove all unnecessary bundled software? How did you disable this (a screen shot may be useful)? How do you know this (A screen grab to show this would be useful)?

13 Confirm that a standard build image is used to configure new workstations and that this image includes the policies and controls and software required to protect the workstation, and that the image is kept up to date with corporate policies? 14 Confirm that you have a backup policy in place, and that backups are regularly taken to protect against threats such as ransomware? 15 Confirm that security and event logs are maintained on servers, workstations and laptops? Who created the image (dept / role) and whose responsibility is it to keep it up to date? If a build image is not used are build instructions or build best practice guidelines followed? If so, what are they? Describe the backup process (online / Disk / Tape etc) and what makes you confident that malware that can encrypt everything the user can access will not affect the backups? What logs are enabled? Please provide any additional evidence to support your assertions above:

Access Control Question Answer Comment 16 Are user account requests subject to proper justification, provisioning and an approvals process, and assigned to named individuals? Mention the New starters procedure if you have one. Describe the following process: Requested by: Approved by: User added by: 17 Are users required to authenticate with a unique username and strong password before being granted access to computers and applications? Have you identified any users that share login accounts how are these managed? 18 Are accounts removed or disabled when no longer required? 19 Are elevated or special access privileges, such as system administrator accounts, restricted to a limited number of authorised individuals? Mention the Leavers procedure if you have one. When did you last check that only valid users are on the system? Are regular checks done to ensure out of date accounts have been identified and removed? What is the role of these individuals? 20 Are special access privileges documented and reviewed regularly (e.g. quarterly)? When did you last review the special access privileges? How are these documented (spreadsheet / database etc)

21 Are all administrative accounts only permitted to perform administrator activity, with no Internet or external email permissions? 22 Does your password policy enforce changing administrator passwords at least every 60 days to a complex password? Domain and Local Computer Admins are included in this what controls are in place to prevent this internet and email access for admins? How is this enforced? Would you like to justify more days? Use of password keepers? Please provide any additional evidence to support your assertions above:

Malware Protection Question Answer Comment 23 Please confirm that malware protection software has been installed on at least all computers with an ability to connect outside of the network in Scope 24 Does corporate policy require all malware protection software to have all engine updates applied, and is this applied rigorously? 25 Have all malware signature files been kept up to date (through automatic updates or through centrally managed deployment)? 26 Has malware protection software been configured for on-access scanning, and does this include downloading or opening files, opening folders on removable or remote storage, and web page scanning? 27 Has malware protection software been configured to run regular (at least daily) scans? What Malware protection software is used? How is it deployed? This should be within 90 days. Are samples done? How do you know each machine is up to date? Can users change this setting? Describe the scan regime Full scan / quick scan / etc 28 Apart from Anti Virus Software, are commonly accessed executables protected from being attacked by malicious files? How is this achieved? What mechanisms are in place to ensure that if a user clicks on a malicious link, the executable file does not execute? 29 Are users prevented from accessing known malicious web sites by your malware protection software through a blacklisting function? Does the AV do this or have you subscribed to a third party DNS service that filters such sites (name it)? Please provide any additional evidence to support your assertions above:

Patch Management Question Answer Comment 30 Is all software installed on computers and network devices in the Scope licensed and supported? 31 Are all Operating System security patches applied within 14 days of release? 32 Are all Application software security patches applied within 14 days of release? 33 Is all legacy or unsupported software isolated, disabled or removed from devices within the Scope? 34 Is a mobile working policy in force that requires mobile devices (including BYOD) to be kept up to date with vendor updates and app patches? If any software / OS is out of support, then how have you ensured that this is out of scope? How do you ensure this are patches centrally deployed or individual machines set to automatically update for example? How do you ensure this are patches centrally deployed or individual machines set to automatically update for example? What process is used to record software on devices? Do non-company owned devices connect to the business network? Is there a Guest partition where they connect? What sort of work is done via mobile devices? Please provide any additional evidence to support your assertions above: Approval

It is a requirement of the Scheme that a Board level (or equivalent) of the organisation has approved the information given. Please provide evidence of such approval: A Signature (scanned) or an email from the senior director s email account is sufficient in most cases.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback