Passing Cyber Essentials – get your submission right first time

Disclaimer: This guide has been written by a Cyber Essentials Lead Assessor and is only intended for those wishing to certify with Indelible Data Limited. The purpose is to help clients get the submission right at the first attempt and save time. This document is not intended to be a definitive Cyber Essentials guide and has not been issued by, or on behalf of, The National Cyber Security Centre (NCSC) or the NCSC’s sole Cyber Essentials Partner, IASME. Information in this guide is subject to change without prior notice.

Overview

Completing the Cyber Essentials question set can, at first, appear daunting. This guide aims to take away the uncertainty and guide the applicant through the Cyber Essentials Basic Level submission process and is split into 3 sections:

  1. Describing the journey from initial enquiry through to final submission and subsequent assessor feedback
  2. Detailing how to scope the assessment
  3. Addressing the requirements of the questions and explaining areas where most applicants either misunderstand or simply do not respond to the questions as comprehensively as expected.

The aim is to ensure submissions are not made until the applicant is confident all the questions have been completed correctly – hence increasing the chances of passing the submission first time!

Note: It is tempting to just jump to section 3 and address the questions, however if you have not defined the scope correctly, then the questions cannot be assessed properly.

Important update: An increasing number of companies (especially the larger organisations) are receiving an “overall fail” due to mobile devices that are unable to run supported operating systems. Currently this is Android 8 and above or iOS 14. The logistics involved in remediating such issues can be time consuming, especially as staff are working from home, so we recommend that assembling a mobile device inventory is one of the first things that a company does in order to meet contractual deadlines (then, of course, ensure the devices are patched up to date).

1. The journey

Your journey can begin without even getting in touch with us at all. There is a free-to-download spreadsheet version of the questions available on our website here: https://www.indelibledata.co.uk/free-cyber-essentials-questionaire-download/

Please feel free to use the spreadsheet however you wish – many customers use it as a planning and scheduling tool to identify areas of concern and address them accordingly.

All questions must ultimately be entered into an online portal to achieve certification. There is no way of importing the contents of the spreadsheet questionnaire into the portal, though we do offer a service to input this on your behalf when, after seeking further clarification where required, we are confident that the responses are sufficient to pass. This service can be found here: https://www.indelibledata.co.uk/product/pre-assessment-check-service-for-ce-level-1/

Just for clarity, you do not need to download the spreadsheet version of the questionnaire – it is there solely to help.

When applying for Cyber Essentials, pay in the shop here: https://www.indelibledata.co.uk/product/cyber-essentials-level-1assessment-against-the-cesg-minimum-standard-for-cyber-essentials/ to receive a login to the assessment portal.

A few details are taken and, once payment is made, a login to the portal is emailed and a password sent separately via SMS.

Simply log in to the portal and respond to the questions, but not until you have read the next section of this guide, where we describe the common mistakes made!

If your submission does fail, don’t worry – just take a look at the assessor feedback, implement the required changes and resubmit. If this is done within 10 working days, there is no resubmission charge.

It should be said that most failures are due to non-compliant answers – rather than non-compliant systems – and these can often be rectified within a few days of receipt of the assessor feedback.

We do, on occasion, fail companies outright when we find such things as unsupported computer or mobile device Operating Systems that are likely to take much longer than 10 days to rectify. If something like this occurs with your submission – we urge you to keep us informed and work with us.

Indelible Data Limited works with many independent Practitioners and Trusted Partners who help clients to achieve certification. Many Trusted Partners offer a turn-key solution to certification. This includes registering your company on the portal, completing the questionnaire on your behalf and working with us to clear-up any grey areas that might arise to ensure a smooth path to certification.

2. Scoping the submission.

So, here are the common issues we find with the scopes we receive. We urge you to read this section carefully before submission – it will reduce the time taken for your company to achieve certification.

2.1 Scoping Networks

This can be easy, or a very complex task. We recommend locating the part of this section that best fits your company’s scenario rather than reading the entire scoping section. For example, if your company meets the “Micro-companies where the head office is the home” description – it is highly likely that you just need to read this and then move on to section 4.

The larger the organisation, the more of sections 1-3 will likely apply.

We recommend you perform the following steps:

2.1.1 Identify all networks managed by the company

Networks can include:

  • Office networks
  • Virtual / Cloud infrastructure
  • Home offices where the company has provided the routers/firewalls and is therefore in charge of that network

For these networks, all devices that are connected are in scope if they contain company data and any of the following:

  • Have standard user accounts that connect to the internet interactively (such as web browsing or opening emails).
  • Can be seen from the internet (often due to a port forwarding rule on the firewall)
  • Are at the boundary of the network controlling the flow of information to the untrusted network (typically this is a boundary firewall connected to the internet)

2.2.2 Identify those networks not managed by the company. This includes:

  • Shared office facilities (such as WeWork etc)
  • Internet Cafes
  • Home users (using non-company managed equipment)

Shared office facilities

For those companies with multiple staff based in shared office facilities connecting to cloud services such as Office 365, G-Suite or Dropbox etc, we would really like to see a firewall installed in front of your company machines (so that you can then manage a “company” network), or that you ask the facility to provide a Virtual Local Area Network (VLAN) for you, but we appreciate that neither of these can always be achieved without issue. So:

  • For shared offices with a segregated network (where either a VLAN or a firewall has been implemented to separate your company from other companies), all devices on that network are in scope – it should be treated as a company managed network as described above.
  • For devices not on a company managed network (i.e. they just connect straight onto the shared office facility’s network along with other devices from other companies), your company’s devices are permitted to use a host-based firewall to separate each company device from other untrusted machines on the network. In such circumstances, it is only each company device that is in scope, rather than the whole untrusted network. You must ensure that the host-based/personal firewall is configured to not allow any unsolicited inbound connections (this is often achieved by setting the network environment to “public” – but check with your firewall vendor for the correct settings).

Shared office facilities connecting to head office resources

For those companies with multiple staff based in shared office facilities that remotely connect to resources owned by the company (say, for example, accessing company servers located at a data centre or on-premise at the head office), there is likely to be some form of VPN in use. This means staff are effectively tunnelling through the shared office facility’s infrastructure. We would still prefer these endpoints to be on a “company-managed” network (described earlier) within the facility but understand if this is not the case. All devices will still need to have a host-based firewall installed that does not permit any unsolicited inbound connections.

Companies applying for more than one legal entity to be certified.

We often assess companies that, for contractual reasons, require the certificate to cover more than one legal entity name. For example, ACME Wholesale Ltd may also require ACME Logistics Ltd to be Certified. If this is the case, the following options are available:

  • If there is more than one company name but it is effectively exactly the same company with only the name being different, then the customer just needs to write a letter, signed by a board member, to say everything except the name is the same. Then we issue extra certificates free of charge.
  • If the company is different in any other way – different staff or different IT equipment then they need a new assessment because the answers will be different.
  • If the two legal entities do not have a network boundary between them then they have to both be named on the certificate and the scope is both companies.

University, College and Training provider’s student networks.

If the student/training network is on a different network segment to the main business/ office administration network, then it can be excluded (on the assumption the training network will not have access to business information such as corporate email etc).

If the student/training devices are on the same network, then they must be in-scope for the assessment. We recommend separating student networks from corporate/business information for this reason.

Once separated, and de-scoped, the training facility can still certify as “Whole organisation” in these circumstances.

Working from hotels or internet cafes etc

For those devices that work in other non-company managed locations, such as staff working from Hotels / Starbucks etc, we prefer that the company uses a VPN to “tunnel through” the untrusted infrastructure, but again, we understand that this cannot always be achieved, so:

  • On an untrusted network (such as Starbucks, where the User/Company is not in charge of the network infrastructure) the devices are permitted to use a host-based-firewall to separate that device from other untrusted machines on the network. In such circumstances, it is only the device that is in scope rather than the whole untrusted network. We strongly advise the use of a VPN in such circumstances, but these are not required to achieve Cyber Essentials Certification.

Staff working from home

The only devices that require to be declared in scope are the devices accessing organisational data. The controls for firewalls would need to be applied to the home router, and software firewall turned on.

Ideally a different Wi-Fi such as a “guest network” should be in use by other devices around the house, but this is not essential to receive certification.

If endpoints are using VPNs, then the home router/firewall does not fall into scope. However, if the home user devices are configured so all of the internet traffic is going via a company-controlled proxy server, then the router/firewall is still in scope.

In other words, the only way to descope a home user’s firewall is to use a VPN which is “always-on” and “Full Tunnel” (not “Split Tunnel”).

Cloud Based VPNs

Cloud-based VPN services, such as Nord VPN and Pure VPN, have not been approved as being compliant with the scheme as the user cannot apply the controls at the VPN termination point (internet boundary).

The VPN must terminate on the network (or cloud infrastructure) that is in-scope of the assessment and the company/user must be able to apply the firewall controls where the user breaks out onto the internet.

Firewall as a Service (FWaaS) is permitted as long as the user is able to configure the cloud firewall to meet the requirements of section A4.

Working from home due to the pandemic

If users are forced to work from home during the pandemic, OR they have the option to work from home and this has constituted > 50% of their time, then they are designated “Home workers” and therefore must meet IASME’s existing Home worker requirements (above). Don’t forget:

  • Answer all relevant router/firewall questions (such as changing default passwords, no internet accessible configuration allowed, no ports open that aren’t required, etc).
  • We do not scan home routers for CE Plus
  • Within the home network, they do not need to segregate from the kids’ Xbox or other personal home computers with a physical firewall – but must have a properly configured Host-based Firewall.
  • All devices accessing company information are in scope (so must be declared on the questionnaire) – this even includes personal devices accessing web-based company email.
  • Home routers may only be removed from scope if a VPN terminates on the corporate network or cloud infrastructure to access the company data (so Nord VPN, for example, would not be sufficient to remove the routers from scope). Only a “full tunnel” VPN is sufficient to remove home routers/firewalls from scope.

Micro-companies where the head office is the home.

Even though, technically, the company is still in charge of the network if it has paid for the ISP/home router service – not every device on that network is deemed in-scope. Ideally a different Wi-Fi, such as a “guest network”, should be in use – but this is not essential for certification.

The only devices that require to be declared in scope are the devices accessing organisational data. The controls for firewalls would need to be applied to the home router, and software firewall turned on.

You must respond to all questions – none may be answered as N/A even if you are a sole trader – you must manage your access accounts and document accordingly (see section A7 of the question set below for guidance.)

Companies that use an outsourced IT company for support

It is the applicant’s responsibility to instruct the 3rd party of the CE requirements and make sure they are applied. We cannot accept responses that simply state “This is handled by our IT support provider”. For process questions (such as creating or removing accounts), the applicant must state who informs the IT company, and who checks the process has been carried out correctly etc – and this must be formally documented.

Technical requirements (for example, where the applicant must not use Administrative accounts for web access) must also be answered in relation to the IT provider when they are connected to the applicant’s network.

2.2.3. Reducing the scope if required

Removing Servers from scope

Servers are in scope if they

  • can be seen from the internet (i.e. have a port forwarded to a given service)
  • are used interactively with the web (such as a RDS/Citrix server or simply contain standard user accounts that can access the web/email)

There are no scenarios we can think of to allow you to descope servers on your network that can be “seen” from the internet, however those servers that can’t be “seen” but access the web interactively, can be descoped if they can only access a couple of trusted IPs for the purpose of downloading updates or uploading to a trusted site, for example. But the whitelisting must be done via the boundary firewall – not the device.

Removing End-User Devices from scope

By removing internet access, the device is automatically out of scope. Devices can have access to a few trusted IP addresses on the internet and still be counted as having “no internet access” (the technical definition is “able to connect to arbitrary devices on the internet”) – but the blocking must be done at the boundary firewall.

You may also isolate devices by segregating networks – but if this is performed, then you cannot go for the “whole company” scope. This would also mean that those “segregated” devices must not access company information (from the cloud or anywhere else over the internet or internally) that is associated in any way with the information contained within the in-scope network.

Networks containing endpoints that are non-compliant

If your company has networks that you wish to take out-of-scope, say a training network has legacy software on it (and has access to the internet), then this can be achieved, but you would not be able to certify as “whole company”. The out-of-scope network must be bound by a firewall, or other means of segregation, such as VLAN.

Guest Wifi within the organisation

Segregated Wifi “guest access” networks can be excluded from scope and still allow the company to choose “whole organisation” as long as no devices containing company data use the guest Wifi.

Multinational companies wanting to scope-down to UK operations only.

This can be achieved in Cyber Essentials. For example, even if the head office is in the US and the IT team there can remotely manage the devices in the UK, we can still scope just the UK Operations as long as they have a firewall or other packet level control (VLAN/ACL) and documented business reasons for that access. Effectively the overseas sites would be classed as “internet traffic”, with the UK company on the trusted side of the firewall.

Web-based Remote Desktop Services (virtual desktops)

Important note – this was updated in October 2020 to reflect recent guidance.

There are occasions where contractors/staff out in-the-field need to access company resources, and you can’t be sure if their devices comply with the requirements of Cyber Essentials.

On such occasions, layer 7 / web-based remote desktop services are deployed (RDS, Citrix etc). In such circumstances, though the endpoints are not actually connecting to the network, they are “accessing company data and services”, and are therefore brought into scope. This includes BYOD and Company supplied computers. The boundary firewall (even if ISP provided) will also be in scope in this scenario.

The firewall can only be taken out of scope in this scenario if there is a full tunnel VPN session “tunnelling” through it that terminates on the corporate network. This would obviously still leave the endpoint in scope.

Companies may require their Virtual Desktop environment to be certified as part of a contract. This is fine, and the company does not need to bring all other external companies accessing that environment into scope. However, if those external companies require certification themselves (even if they just want the scope to be the VDI environment they are using), they would need their own portal account and answer all the questions regarding their company – including those that access the Virtual Desktop services.

Non web-based Remote Desktop Services (virtual desktops)

All devices connecting to virtual desktops via the corporate network are in scope and must fulfil the requirements of the scheme. So, for example, even if a user just uses the RDS versions of Outlook, Microsoft Word, Chrome and Acrobat Reader every day, the machine will not be compliant if the installed versions on the device itself have not been patched accordingly – even if they are not used (so please remove unnecessary applications from the device).

Users of thin clients that can only attach to an RDP environment (i.e. we can class the terminals as dumb) are out of scope, as they cannot connect to the internet. Should the thin client have the built-in ability to connect to the internet (i.e. some have browser capability or built-in applications such as email), then it is in scope. To keep such a device out of scope, the corporate firewall must not allow internet traffic to or from the device.

De-scoping a home user’s router/firewall

Some companies prefer not to rely on home users to configure their router/firewalls correctly to comply with the requirements of Cyber Essentials.

The only way to remove the router from scope is to use a VPN from the endpoint to “tunnel through” the user’s router/firewall. Using any other method, such as forcing user devices to use a web proxy, is not sufficient. VPNs must be “Full Tunnel” and not “Split Tunnel” (with a split tunnel, the home router’s public IP is what is shown if the user types “What is my IP” into a Google search).

De-scoping mobile devices (smartphones and tablets)

If the mobile device can access the internet and it accesses company data that is either resident on the company network or via other hosted/cloud services (such as email in Office 365 or Gmail) then that device is in scope and must be included in the responses.

We are often asked if mobiles can be de-scoped if they do not connect to the in-scope network – or they access company data that is unrelated to that network.

The general rule is, if the data in the cloud is not related to the information contained in the in-scope network, then you could de-scope those mobiles that just access the cloud. It’s an unlikely scenario as, if the client is requiring a certificate to meet the requirements of a contract, it is likely that some email interaction would be required with that customer. If you scoped-down to a given network, and had an email server on that network for a specific contract, then it may be possible to de-scope the mobiles that just access the unrelated cloud emails.

2.2.4 Scope recap

Remember, all devices are in scope if they contain company data and either:

  • Have standard user accounts that connect to the internet interactively (such as web browsing or opening emails)
  • Can be seen from the internet (often due to a port forwarding rule on the firewall)

This includes mobile phones and even non-company devices that connect using 4G or via home or other untrusted networks.

If a device can only connect to one or two known, trusted IP addresses to download updates, for example, then this can be deemed not to have Internet access for the purposes of Cyber Essentials. This is a great way to descope servers.
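As an added illustration of the recap above (this is not part of the guide and is not an IASME, NCSC or Indelible Data tool), the following Python script encodes the stated scoping rules as a triage function over an asset list. The asset records, the 203.0.113.x addresses and the field names are assumptions constructed for the example; boundary firewalls are listed separately under A2.9 and are not modelled here.

```python
"""Scope triage for an asset list, following the scoping rules in this guide.

Rules encoded (from the scope recap):
  * an asset is in scope if it holds company data AND either
      - standard user accounts use the internet interactively, or
      - it can be seen from the internet (typically a port-forwarding rule);
  * an asset that can only reach one or two known, trusted IP addresses is
    deemed to have no internet access, but ONLY when that allow-list is
    enforced on the boundary firewall, not on the device itself.
The asset records below are constructed for the example (not real client data).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TRUSTED_DESTINATION_LIMIT = 2   # "one or two known, trusted IP addresses"


@dataclass
class Asset:
    name: str
    holds_company_data: bool
    interactive_internet: bool                      # standard accounts browse / open email
    visible_from_internet: bool = False             # e.g. a port forward on the boundary firewall
    egress_allow_list: Optional[List[str]] = None   # None = unrestricted outbound access
    allow_list_enforced_at: str = "boundary"        # "boundary" or "device" (assumed field)


def has_internet_access(a: Asset) -> bool:
    """Can the asset connect to arbitrary devices on the internet?"""
    if a.egress_allow_list is None:
        return True
    if a.allow_list_enforced_at != "boundary":
        return True   # host-level blocking does not count for descoping
    return len(a.egress_allow_list) > TRUSTED_DESTINATION_LIMIT


def scope_decision(a: Asset) -> Tuple[bool, str]:
    """Return (in_scope, reason) for one asset."""
    if not a.holds_company_data:
        return False, "holds no company data"
    if a.visible_from_internet:
        return True, "can be seen from the internet"
    if a.interactive_internet and has_internet_access(a):
        return True, "standard users reach the internet interactively"
    if a.interactive_internet:
        return False, "outbound limited to trusted IPs at the boundary firewall (no internet access)"
    return False, "no interactive internet use and not visible from the internet"


def triage(assets: List[Asset]) -> Dict[str, Tuple[bool, str]]:
    """Scope decision for every asset, keyed by asset name."""
    return {a.name: scope_decision(a) for a in assets}


SAMPLE_ASSETS = [  # constructed sample
    Asset("laptop-01", True, True),
    Asset("wsus-srv", True, True, egress_allow_list=["203.0.113.10", "203.0.113.11"]),
    Asset("build-srv", True, True, egress_allow_list=["203.0.113.10"],
          allow_list_enforced_at="device"),
    Asset("web-srv", True, False, visible_from_internet=True),
    Asset("db-srv", True, False),
    Asset("guest-tablet", False, True),
]

if __name__ == "__main__":
    for name, (in_scope, why) in triage(SAMPLE_ASSETS).items():
        print(f"{name:12} {'IN SCOPE' if in_scope else 'out     '}  {why}")
```

Note that `build-srv` stays in scope even though it only reaches one trusted address, because its allow-list lives on the device rather than on the boundary firewall, which is exactly the distinction the guide draws.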

3. Addressing the questions

The common areas of failure and clarification relate to the following questions:

  • A 2.6 (computers and associated Operating Systems),
  • A 2.7 (Mobile Devices and associated Operating Systems)
  • A 2.9 (Network equipment)
  • A 4.5 (Documented services)
  • A 6.1 (Supported operating systems)
  • A 6.2 (Supported applications)
  • A 7.7 (Use of Admin accounts and the internet)
  • A 8.1 (Malware protection methods)
  • Online declaration (this must be signed by a board level, or equivalent, individual).

So we highly recommend that you, at least, read the information below regarding those questions.

Other common areas are those questions that require a process to be described or a service to be documented. Please ensure you describe and document as appropriate. Saying that you have not implemented such things will result in a non-conformance.  Even if you are a sole trader, please document your processes where required and remember, you may not answer N/A to any question.

Here is a breakdown of the questions in full (it is not exhaustive, as we do not find issues with every question):


A2.1 Does the scope of this assessment cover your whole organisation? Please note: Your organisation is only eligible for free Cyber Insurance if your assessment covers your whole company, if you answer “No” to this question you will not be invited to apply for insurance.

As stated earlier, if your company has networks that you wish to take out-of-scope, say a training network that has legacy software on it, then this can be achieved, but you would not be able to certify as “whole company”. The out of scope network must have a boundary, such as a firewall or other means of segregation, like a VLAN. The scope on the certificate for this example would need to include the statement “ – excluding training network”

Segregated Wifi “guest access” networks can still be excluded from scope and still allow the company to choose “whole organisation” as long as no devices with company data use the guest Wifi.


A2.6 Please list the quantities of laptops, computers and servers within the scope of this assessment. You must include model and operating system versions for all devices.

Check that devices are selected correctly as described in the Scoping Networks section earlier.

The assessment cannot be marked if the operating system versions are not presented correctly. This is the degree of detail we require:

  • Windows 10 Pro (v.1909)
  • Windows Server 2012 R2
  • Mac Catalina 10.15.2
  • Linux Ubuntu 18.04

If you wish, you can provide an itemised list, or provide a sentence or two, for example:

“We have approximately 100 Windows 10 Pro machines running a mixture of versions 1903, 1909 and 2004. All 8 Macs run Catalina 10.15.2. Our 14 Windows servers run either Server 2012 R2 or Server 2016. Our 70 mobile devices are a mixture of Android 9.1, 10.1 and Apple iOS 14.0.1”.

Please check carefully, before submission, that the Operating Systems are supported.

Our assessors spend a lot of time familiarising themselves with current versions of Operating Systems and will not be able to identify unsupported or unpatched versions if they are not declared. The question will be unscored (therefore fail) if insufficient detail is given.

If an Operating System is currently unsupported at the time of application, please do not submit the responses. Our assessors cannot accept responses that state “…we are currently upgrading Windows XP devices to Windows 10 Pro 2004 over the next couple of weeks…” Please only submit the response once the upgrade has been completed.

Our assessors will only accept “End-of-Life” Operating Systems if you declare that you have purchased Extended Security Updates and state the “Valid Until” date.

You must also state if thin clients (designed to communicate with remote desktop services) are used together with the operating systems of these. Any Laptops/desktops connecting to the network that use Remote Desktop Services are also in scope – whether they use their own desktop to access the internet or not – and must meet the requirements of all the controls.


A2.7 Please list the quantities of tablets and mobile devices within the scope of this assessment. You must include model and operating system version for all devices.

Check that devices are selected correctly as described in the Scoping Networks section earlier.

Please ensure that all the devices that hold company data (including emails) have been included in the scope and have a supported Operating System.

The assessment cannot be marked if the Mobile device’s operating system versions are not presented correctly. This is the degree of detail we require:

  • Android 9.1
  • iOS 14.0.1

If you wish, you can provide an itemised list, or provide a sentence or two, for example:

“Our 70 mobile devices are a mixture of Android 9.1, 10.1 and Apple iOS 14.0.1”.

As with A2.6 (above), please check carefully before submission that the mobile operating systems are supported. Our assessors will not be able to identify unsupported or unpatched versions if they are not declared. The question will be unscored (therefore fail) if insufficient detail is given.

If a mobile Operating System is currently unsupported, please do not submit the responses yet. Our assessors cannot accept responses that state something along the lines of “…we are currently upgrading Android 6 devices to Android 10 over the next couple of weeks…” Please only submit the response once the upgrade has been completed.

Only the most current version of iOS is classed as supported (so if iOS 14.x is available, then iOS 13.5 will be classed as unsupported).

Also, for A2.6 and 2.7 above, we recommend consulting the following resources before submitting your responses:

Windows: https://support.microsoft.com/en-us/lifecycle/search/ and https://docs.microsoft.com/en-us/lifecycle/products/export

Macintosh: https://support.apple.com/en-gb/HT201222

https://everyi.com/by-capability/maximum-supported-ios-version-for-ipod-iphone-ipad.html

Android: https://www.lifewire.com/android-versions-4173277

Linux: Visit the relevant release eg. https://ubuntu.com/about/release-cycle
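To make the version check concrete, here is an added Python example (not part of this guide and not an assessor tool) that parses inventory entries written in the format requested in A2.6 and A2.7 and flags entries that are unsupported or lack the required detail. The support policy table is a constructed snapshot: “Android 8 and above” and “only the current iOS major” come from this guide, while the Windows, macOS and Ubuntu thresholds are placeholder assumptions that must be refreshed from the lifecycle pages listed above before the script is relied on.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Illustrative support policy. ASSUMPTION: a constructed snapshot for this
# example, not an authoritative lifecycle list. "Android 8 and above" and
# "only the current iOS major is supported" are the thresholds quoted in this
# guide; the remaining lines are placeholders to refresh from vendor pages.
POLICY: Dict[str, dict] = {
    "ios":            {"latest_major": 14},
    "android":        {"min": (8,)},
    "windows10":      {"min": (1909,)},                          # assumed
    "windows_server": {"allowed": {"2012 R2", "2016", "2019"}},  # assumed
    "macos":          {"min": (10, 14)},                         # assumed
    "ubuntu":         {"allowed": {"18.04", "20.04"}},           # assumed
}

# (family, regex) pairs; group 1 captures the version when one is stated.
PATTERNS = [
    ("ios",            re.compile(r"^(?:apple\s+)?ios\s+(\d[\d.]*)$", re.I)),
    ("android",        re.compile(r"^android\s+(\d[\d.]*)$", re.I)),
    ("windows_server", re.compile(r"^windows\s+server\s+(\d{4}(?:\s+r2)?)$", re.I)),
    ("windows10",      re.compile(r"^windows\s+10(?:\s+(?:pro|home|enterprise|education))?"
                                  r"(?:\s*\(v\.?\s*(\d{4})\))?$", re.I)),
    ("macos",          re.compile(r"^mac(?:os)?\s+[a-z ]*?\s*(\d+\.\d+(?:\.\d+)?)$", re.I)),
    ("ubuntu",         re.compile(r"^(?:linux\s+)?ubuntu\s+(\d+\.\d+)$", re.I)),
]


def parse_os(entry: str) -> Tuple[str, Optional[str]]:
    """Return (family, version) for one inventory entry; version is None if absent."""
    text = " ".join(entry.split())          # collapse stray whitespace
    for family, rx in PATTERNS:
        m = rx.match(text)
        if m:
            return family, m.group(1)
    return "unknown", None


def _as_version(v: str) -> Version:
    return tuple(int(p) for p in v.strip(".").split("."))


def assess(entry: str) -> Tuple[str, str]:
    """Classify an entry as 'ok', 'unsupported', 'insufficient detail' or 'review'."""
    family, version = parse_os(entry)
    if family == "unknown":
        return "review", f"{entry!r}: not recognised; check the vendor lifecycle page"
    if not version:
        return "insufficient detail", f"{entry!r}: state the exact release/build version"
    rule = POLICY[family]
    if "latest_major" in rule:                      # iOS: only the current major counts
        ok = _as_version(version)[0] == rule["latest_major"]
        why = f"only iOS {rule['latest_major']}.x counts as supported"
    elif "min" in rule:                             # numeric minimum version
        ok = _as_version(version) >= rule["min"]
        why = "minimum supported is " + ".".join(map(str, rule["min"]))
    else:                                           # explicit list of supported releases
        ok = version.upper() in rule["allowed"]
        why = "supported releases: " + ", ".join(sorted(rule["allowed"]))
    return ("ok" if ok else "unsupported"), f"{entry!r}: {why}"


def summarise(inventory: List[str]) -> Dict[str, List[str]]:
    """Group inventory entries by assessment status."""
    out: Dict[str, List[str]] = {}
    for entry in inventory:
        status, _ = assess(entry)
        out.setdefault(status, []).append(entry)
    return out


def submission_ready(inventory: List[str]) -> bool:
    """True only when every entry parses, carries a version and is supported."""
    return all(assess(e)[0] == "ok" for e in inventory)


SAMPLE_INVENTORY = [            # constructed sample, not real client data
    "Windows 10 Pro (v.1909)",
    "Windows 10 Pro",           # version missing: would be unscored
    "Windows Server 2012 R2",
    "Mac Catalina 10.15.2",
    "Linux Ubuntu 18.04",
    "Android 9.1",
    "Android 6.0",
    "iOS 14.0.1",
    "iOS 13.5",
    "Windows XP",
]

if __name__ == "__main__":
    for status, entries in summarise(SAMPLE_INVENTORY).items():
        print(f"{status}: {entries}")
    print("ready to submit:", submission_ready(SAMPLE_INVENTORY))
```

Running it on the sample shows the two situations the guide warns about: an entry with no version (“Windows 10 Pro”) is reported as insufficient detail rather than passed, and an unrecognised entry (“Windows XP”) is sent for manual review against the lifecycle pages rather than silently accepted.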


A2.8 Please provide a list of the networks that will be in the scope for this assessment

Please list all networks that are managed by the organisation. You don’t have to list the details of all home user networks (unless configured by your company) or those of Internet Cafes.

For those companies working in shared office facilities, we would really like to see a firewall installed in-front of your company machines (i.e. so that you can then manage a “company” network), but we appreciate that this cannot always be achieved.

If you are unable to segregate networks in a shared/multi office environment, please mention this and state that devices will be reliant upon each computer’s personal firewall.

A2.9 Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers).

Please don’t forget to also describe the home routers involved (such as “ISP provided”, or “company supplied” etc).

If home routers are company supplied, then we do need to know the make and model.

However, if any home devices access organisation data via a VPN application on the computer that “tunnels” through the router – then we do not need to know the make and model of the home router.

If the company has configured home users with a site-to-site VPN (where the home router itself is instigating the VPN connection) then the make and model would need to be given.

Other than that, simply state the make and model of all network boundary equipment (this should not include internal routers and switches etc).

Remember that home firewalls/routers require the same controls to be applied (such as changing default passwords, ensuring no unnecessary ports are open, etc).

So, just to recap: where you have stated there are home workers, we need to know if the organisation supplies them with network equipment, if they use a VPN to connect directly to the office, or if they use their normal ISP provided router to connect to cloud services. The VPN must be “Full Tunnel” and not “Split Tunnel”.

An example of a response could be “… The head office network is separated from the internet by a Cisco ASA 5505 firewall. Two of our Technical staff have been issued with Draytek 2760 firewalls. The rest of the home users use ISP supplied routers and their home devices are separated from other devices on the home network by personal firewalls. Two directors have been issued with VPN software to connect to our office network…”


A4.2 When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?

We need, first of all, to know that the password has been changed from whatever it was shipped with. Even if this is unique to the router/firewall it still counts as “default” in the eyes of Cyber Essentials and must be changed.

We then need to know how you changed it – this can be as simple as mentioning the router configuration page – or, for larger organisations, the process of who informs whom, then who changes it and then who signs off that it has been changed.

For smaller organisations and home users, you can generally change the default password by logging into the web interface for the device (often located at 192.168.1.1 or 192.168.1.254)


A4.4 Do you change the password when you believe it may have been compromised? How do you achieve this?

This question relates to Firewalls and Routers as well as Laptops and Desktops.

So, as well as describing the process to change any suspected end-user account password, also include the process for changing firewall and associated services credentials as these may be performed by different roles.

Please do not forget to include the process here. For example, “… we call our IT support team immediately” or “our security team follow the procedures covered by our incident response policy” is only half the story. We also need to know how such a need would be reported, who (role) would reset the password, and who (role) would check it had been done.

A4.5 Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?

This question is often misread because of the double negative. If you have fully documented all services that are advertised to the internet (from a network for which you are responsible), then answer “No”. Answering “Yes” would be informing us that the company is unsure which ports/services are open.

A5.1 Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this.

Please don’t forget to describe the process here. We not only need to know the process for ensuring any “bundled” software is removed before deployment, but also how you ensure unnecessary software is removed going forward, such as via system reviews, company policy, etc.

A5.3 Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?

Mobile device PINs must also be at least 8 characters. If using face/fingerprint recognition, the underlying PIN must be at least 8 characters.

A5.5 Do you run software that provides sensitive or critical information (that shouldn’t be made public) to External users across the internet?

We just need to know about the services that have been made available from networks that are under your company’s control. So, for example, Office 365 documents (via Sharepoint, Onedrive etc) or any other Software as a Service platform should not be included here.

An example where you would be expected to answer “yes” would be if your company’s on-premise Exchange Server 2016 is presented to the internet or you operate a VPN for staff to connect to resources on the office network.

Another example would be if you have implemented Infrastructure as a Service, and you are responsible for the software on that infrastructure providing sensitive data across the internet, then you should answer “yes” to this question.

 

A6.1 Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems?

Do not forget to answer “Yes” or “No” in the response. You can then refer to, or copy the responses from, A2.6 and A2.7 to support this statement.

We require a statement to show how you ensure firmware is updated when required (some computers have “agents” installed to alert the user to firmware updates).

Remember that Operating Systems for Firewalls/Routers are also in scope and you must let us know that the version of the Firmware is supported by the manufacturer or ISP. This is often handled by the ISP (especially for home user router/firewalls) – but Firewalls that have been purchased separately are likely to require some form of manual operation to update the OS/Firmware, and we need to know that this has been done where required.

Common assessor responses to applicants that have not fully answered this question include:

“Windows Server 2008 is no longer being supported – please confirm that Extended Security Updates (ESU) have been purchased if these servers connect to the internet – and let us know when the ESU expires.”

“Unsupported Operating Systems must be updated or removed from the in-scope network (or not have access to the internet). Please let us know when the Windows 7 Operating Systems have been upgraded to Windows 10.”

 “Please confirm that all mobile operating systems are also supported”.

 

A6.2 Are all applications on your devices supported by a supplier that produces regular fixes for any security problems?

Again, please do not forget to answer “Yes” or “No” to this question, then follow it up with a summary of applications to support this.

We are not expecting a comprehensive list containing the versions of every application on every machine. Instead, let us know the key applications, plugins and frameworks in place. For example, a response similar to:

“Yes, we ensure all applications are fully supported. All of our desktops/laptops have Microsoft Office 365 installed. Some machines require Adobe Acrobat Reader DC and Java 8. Some other file utilities, such as Winzip 8, are also deployed on certain devices. Our technical team also requires the .Net 4 framework to be installed. All applications on mobile devices are supported. They all have Outlook 2016 installed and some may have access to further Microsoft Office applications (such as Word and OneDrive).”

Common clarifications from our assessors include:

“Please also state Yes or No in the response given to declare whether these applications are supported and receive regular updates or not.”

“Please summarise the applications you use so the assessor can understand your setup and confirm that all applications are supported. This includes frameworks and plugins such as Java, Flash, Adobe Reader and .NET”

 “Please also summarise the applications in use on mobile devices that are used to access company data.”

 “You have declared that Acrobat Reader / Pro is in use. Please can you confirm that this is the DC version as it is the only version that is being supported”

 

A6.4 Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how you achieve this.

Again, please do not forget to answer “Yes” or “No” to this question, then follow it up with a description of how you ensure this is performed mentioning any corporate policies that users must follow or device policies issued by automated central management.

Also – we need to know how you ensure that router/firewall operating systems and services, and end user device firmware, are updated when required. ISP provided firewalls often have their firmware updated by the provider themselves and many laptops / desktops come with manufacturer bundled software to check for firmware updates – don’t forget to reflect the use of such update methods in your answer.

Typical responses by our assessors include:

“Please also state how you ensure mobile applications are updated where required (such as the use of mobile device management tools, or via company policy informing all users to set devices to auto-update)”

 “Your response appears to only describe how Windows applications are updated, please also include a summary of how the Macintosh and Linux devices are updated.”

“How do you ensure that the firmware on the firewall is kept up-to-date?”

 “We just need a little more information here to describe the process – is it a manual process, are the devices set to “auto-update”, or are updates “pushed” to each device from a central server?”

A6.5 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.

Don’t forget that answers must relate to Internet Connected Servers, Computers, Laptops, Tablets, Mobile Phones, and web applications and services on Routers and Firewalls, as all are in scope for this question.

A6.6 Have you removed any applications on your devices that are no longer supported and no longer receive regular fixes for security problems?

Note: this question relates to software that is no longer supported, rather than software that is no longer used – which should have been addressed in question A5.1.

When responding to this, please ensure mobile apps that access company data are also considered.
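To make the A6 questions concrete, here is an added example (not part of this guide, and not an NCSC or IASME tool) of a small inventory check that applies the guide's rules: the operating system and firmware must still be supported (or covered by ESU with a known expiry), high-risk updates must be installed within 14 days, and unsupported applications must be removed. The device names, the support table and the dates are constructed sample data; the support table is a deliberately simplified placeholder, not a vendor lifecycle source.

```python
"""Patch-window and support-status check over a constructed device inventory.

Added example illustrating the A6.1-A6.6 requirements; the inventory and
support table are constructed placeholders, not real lifecycle data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14  # the guide's window for high-risk/critical updates

# Constructed support table (illustrative only): True means the supplier still
# issues security fixes, False means end of support. Anything not listed is
# reported so it can be confirmed with the supplier.
OS_SUPPORTED = {
    "Windows 10": True,
    "Windows 11": True,
    "Windows 7": False,
    "Windows Server 2008": False,
    "Ubuntu 22.04": True,
    "iOS 16": True,
    "Android 13": True,
}


@dataclass
class Device:
    name: str
    os: str
    firmware_supported: bool                 # manufacturer/ISP still ships firmware
    pending_critical: list = field(default_factory=list)  # release dates not yet installed
    apps: dict = field(default_factory=dict)  # application name -> still supported?
    esu_expires: Optional[date] = None        # Extended Security Updates expiry, if bought


def check_device(dev: Device, as_of: date) -> list:
    """Return findings for one device; an empty list means compliant.
    Entries prefixed 'note:' are informational (e.g. ESU expiry to declare)."""
    findings = []
    supported = OS_SUPPORTED.get(dev.os)
    if supported is None:
        findings.append(f"OS '{dev.os}' not in support table - confirm with supplier")
    elif not supported:
        if dev.esu_expires and dev.esu_expires > as_of:
            findings.append(f"note: OS '{dev.os}' unsupported but covered by ESU until "
                            f"{dev.esu_expires} - state this expiry in the submission")
        else:
            findings.append(f"OS '{dev.os}' unsupported and no valid ESU - "
                            "upgrade or remove from the in-scope network")
    if not dev.firmware_supported:
        findings.append("firmware no longer supported by manufacturer/ISP")
    # Any critical update released before this date is outside the 14-day window.
    deadline = as_of - timedelta(days=PATCH_WINDOW_DAYS)
    for released in dev.pending_critical:
        if released < deadline:
            overdue = (as_of - released).days
            findings.append(f"critical update released {released} still pending "
                            f"({overdue} days since release)")
    for app, app_ok in dev.apps.items():
        if not app_ok:
            findings.append(f"application '{app}' unsupported - remove (A6.6)")
    return findings


def check_inventory(devices, as_of: date) -> dict:
    """Map each device name to its list of findings."""
    return {d.name: check_device(d, as_of) for d in devices}


def non_compliant(results: dict) -> list:
    """Names of devices with at least one finding that is not just a note."""
    return sorted(name for name, fs in results.items()
                  if any(not f.startswith("note:") for f in fs))


# Constructed sample inventory; the firewall OS name is hypothetical.
AS_OF = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    Device("LAPTOP-01", "Windows 11", True,
           pending_critical=[date(2024, 2, 25)],  # 5 days old: inside the window
           apps={"Microsoft 365 Apps": True, "Adobe Acrobat Reader DC": True}),
    Device("LAPTOP-02", "Windows 7", True,
           pending_critical=[date(2024, 1, 20)],  # 41 days: outside the window
           apps={"Java 8": True, "Adobe Flash Player": False}),
    Device("SRV-FILE", "Windows Server 2008", True, esu_expires=date(2024, 12, 31)),
    Device("FW-OFFICE", "VendorFW OS 9.1", True),  # hypothetical firewall OS, unlisted
    Device("PHONE-03", "iOS 16", True, apps={"Outlook": True}),
]

if __name__ == "__main__":
    results = check_inventory(SAMPLE_INVENTORY, AS_OF)
    for name, findings in results.items():
        print(name, "->", findings or "compliant")
    print("non-compliant:", non_compliant(results))
```

Running the block reports LAPTOP-02 (unsupported OS, overdue update, unsupported plugin) and FW-OFFICE (OS not in the table) as non-compliant, and records the ESU expiry on SRV-FILE as a note to declare in the submission.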

 

A7.1 Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process?

Even if you are a sole trader, creating user accounts, including temporary accounts should they be required, must be a managed process, and accounts must only be created if absolutely necessary, for example by using the Windows inbuilt add/remove user tool.

A7.2 Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password?

You must ensure that no devices can be accessed without entering a username and password. You will not pass this question if users can share accounts – this includes (internet connected) devices found in warehouses, retail, etc.

It is not sufficient to block internet access from such devices within the computer’s own settings – if you must have shared accounts (probably for legacy reasons) – then the device must be blocked from accessing the internet using networking infrastructure controls or boundary firewall settings.

A7.3 How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

We require a process described here. Even a sole trader must demonstrate that they are aware that they must remove their accounts (including temporary ones) when they are no longer required, and state that they have checked to see that only required accounts are active (and the method of checking used).

For companies using IT support providers, this question typically attracts responses saying “We contact our IT provider”. This is not sufficient, as we need to know which person/role requests the account to be removed, the person/role that removes it (giving a brief description of the process – whether it is removed centrally or locally on each device, etc.) and the person/role that checks it has been removed.

A7.4 Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

Smaller companies often set up a standard user for day-to-day activities using the inbuilt add/remove user facility. Sole traders generally require full access to the company information, but as the company grows, user accounts must be managed and provide only those rights required by that individual. Your response here should give a taste of the different access levels employed in the company.

A7.5 Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.

Many applicants only half answer this question. You need to describe the process and confirm that this is documented (i.e. a written procedure for assigning Administrative rights). A formal process is required no matter how large or small the organisation is – even if the account creation is outsourced to a third party IT Support provider.
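The A7.1 to A7.5 questions all come down to the same periodic check: that every enabled account belongs to a current member of staff, that temporary accounts have been closed, that nothing is shared, and that administrative rights are held only by people with a recorded approval. The following is an added example (not part of this guide, and not the assessors' or IASME's tooling) of such a review run over a constructed account export; in practice the export would come from something like `Get-LocalUser` and `Get-LocalGroupMember` on Windows or your directory service, and the approved-admin and leavers lists from your own records. All names here are constructed.

```python
"""Account review supporting the A7.1-A7.5 questions.

Added example over constructed data: flags enabled accounts for leavers,
shared/generic accounts, expired temporary accounts, and administrative
group members without a recorded approval.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Groups that confer administrative rights (constructed; adjust to your estate).
ADMIN_GROUPS = {"Administrators", "Domain Admins"}


@dataclass
class Account:
    username: str
    enabled: bool
    owner: Optional[str]                 # named individual; None = shared/generic
    groups: set = field(default_factory=set)
    expires: Optional[date] = None       # set for temporary accounts (A7.1)


def review_accounts(accounts, approved_admins: set, leavers: set, as_of: date) -> list:
    """Return (username, question, reason) tuples for every issue found.
    Disabled accounts are skipped: disabling is an acceptable outcome under A7.3."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.owner is None:
            findings.append((acct.username, "A7.2",
                             "shared or generic account with no named owner"))
        elif acct.owner in leavers:
            findings.append((acct.username, "A7.3",
                             f"owner '{acct.owner}' has left but the account is still enabled"))
        if acct.expires and acct.expires < as_of:
            findings.append((acct.username, "A7.1",
                             f"temporary account expired {acct.expires} but is still enabled"))
        if acct.groups & ADMIN_GROUPS and acct.username not in approved_admins:
            findings.append((acct.username, "A7.5",
                             "administrative group membership without a recorded approval"))
    return findings


# Constructed sample export: a typical small-company mix.
AS_OF = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, "Jane Smith", {"Users"}),
    Account("jsmith-adm", True, "Jane Smith", {"Users", "Administrators"}),  # separate admin account
    Account("warehouse", True, None, {"Users"}),                              # shared login on a scanner PC
    Account("bjones", True, "Bob Jones", {"Users"}),                          # Bob has left
    Account("contractor1", True, "Pat Lee", {"Users"}, expires=date(2024, 1, 31)),
    Account("oldadmin", False, "Former IT", {"Administrators"}),              # disabled: fine
    Account("svc-backup", True, "Bob Jones", {"Administrators"}),             # leaver-owned admin account
]
APPROVED_ADMINS = {"jsmith-adm"}   # from the written admin-rights procedure
LEAVERS = {"Bob Jones"}            # from HR's leavers list

if __name__ == "__main__":
    for username, question, reason in review_accounts(SAMPLE_ACCOUNTS, APPROVED_ADMINS, LEAVERS, AS_OF):
        print(f"{username:<12} {question}  {reason}")
```

The output of the review, with the date it was run and who actioned each item, is exactly the kind of evidence the questions ask for: it shows both that the check is performed and who (role) performed it.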

A7.6 How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?

There must be a separate account for performing administrative duties, distinct from the usual day-to-day user account used for creating/amending office documents etc.

A7.7 How do you ensure that administrator accounts are not used for accessing email or web browsing?

The response to this question is often incomplete, stating perhaps that two accounts are used: one for day-to-day duties and one for administering the system. This is great practice; however, answering the question this way does not address the core requirement – i.e. not using the internet whilst being an administrator.

Our typical response to applicants is “… how does the organisation ensure that those who have admin accounts do not use them to access emails or browse the web?”

You may not need a technical solution to achieve this, it could be based on good policy and procedure as well as regular training for staff.

If your company uses an outsourced IT provider to manage your systems, then you must let us know how you are assured that they do not access the internet using system administrator credentials whilst on your network. So please check they also have a policy of not browsing the web/opening emails whilst performing administrative duties.

It is possible to identify “trusted sites” that administrators may need to use repeatedly, such as vendor update sites. It is important to note that any such whitelisting must be done by the firewall to prevent those with Admin rights from accessing untrusted sites – which would generally need a better firewall than Small Businesses own.

Even though whitelisting can be configured through Internet settings (setting up restricted sites etc.) on the Windows machine, for Admins accessing the web the Hardware Firewall/Router must block untrusted sites rather than relying on Windows Internet settings.

The safest way to pass this question, for small businesses especially, is to not browse the internet as Admin. You don’t need a technical control in place to prevent this – policy / training instructing admins not to interact with the internet with such privileges is sufficient.

A7.11 If no [to 7.10], is this because two-factor authentication is not available for some or all of your devices or systems? List the devices or systems that do not allow two-factor authentication.

You need to only consider Multi Factor Authentication for devices that already have provision for it. No further expense is expected by the standard to try and meet this requirement.

If IT administrators access the in-scope devices over the internet, and the firewall allows multi factor authentication, by issuing a code to a device already purchased by the company (say, a mobile phone) then it must be switched on unless access is only permitted from a trusted set of IP addresses.

 

A8.1 Are all of your computers, laptops, tablets and mobile phones protected from malware by either A – having anti-malware software installed, B – limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or C – application sandboxing (i.e. by using a virtual machine)?

Though not always the case, it is likely that desktops / laptops and servers will be covered by the installation of Anti Malware (option A), and mobile devices will be covered by using the Mobile’s relevant App store. Because of the iPhone’s / Android’s sandboxing architecture, option C can only be chosen (as long as not jailbroken, of course) if they are only attached to a network that is out of scope and “whole company” has not been declared. This is because, though sandboxed, they generally allow access to the network without permission.

As you can see it gets complex – so best to choose option B for mobile devices unless you work in a very specific way.

Android does allow AV products to scan the phone, so option A is viable for these devices if implemented.

The Majority of applicants state Option B to cover their mobile devices, which is fine.

The Apple OSX built-in antivirus (called XProtect) is not sufficient to pass Cyber Essentials. XProtect can be likened to the Windows Malicious Software Removal Tool and is designed to target certain code only; therefore a full Anti Virus product is required.

Here are some common responses by our assessors:

  • From earlier responses, the company has smartphones (iPhones, Android). It is likely that these are covered by Option B or C, which was not ticked. Please could you tick the Option B and/or C boxes and complete the extra fields that appear. These extra fields ask you to state whether users can only install apps approved by the store and that you have documented the apps that are permitted to access company data (such as Outlook, OneDrive, Excel etc).
  • A2.7 states that you have no mobile devices in scope – yet you have chosen Option B here. Please can you clarify?

A8.2-8.5

As stated, you need to have Option B to cover the iPhones (and Androids that don’t have AV installed). As long as the devices are not jailbroken, rooted or in developer mode (and no other certificates have been installed manually to allow non App Store/Play Store apps), you will pass 8.4.

8.5 is rather misleading – you just need to identify those apps that hold or access company information – such as Outlook, OneDrive, etc. So your list of applications will generally be quite small (you don’t have to prevent or make a list of devices with BBC iPlayer or Trainline etc installed) you just need to, at least, enforce the use of apps that access company data by company/paper policy – not necessarily a technical policy (though Mobile Device Management Software would give you a higher degree of assurance that the devices are compliant).

Online declaration (upload of signature) –

Make sure the company name is exactly the same as that you have stated to be on the certificate. If it is different, the submission will be returned.

If you are a sole trader, please state your position as “owner” rather than a lower title (such as “consultant”) – this is so that the insurance company are 100% sure that it is a senior person on the declaration rather than having to locate the part of the questionnaire where you may have mentioned being a sole trader. It will likely be returned if you are opting-in to Cyber Insurance.

Please ensure it is a wet signature and scan/photograph the document for upload to the portal. It is likely that a “script” font will not be accepted by the insurers if opting for this service. Again, it will likely be returned if you are opting-in to Cyber Insurance.