What information does a Cyber Essentials Standard Assessment ask for?
/The CE Standard Assessment is broken down into 6 parts:
- The scope of the assessment
- Protecting the boundary
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
Each part poses questions based on industry best practices I’ll add some examples below. The number of questions will vary slightly depending on the answers that you have but in total there are around 40 questions you will have to answer mainly with Yes/No responses but adding comments is encouraged as this gives the assessor evidence that you are compliant and may help the assessor to understand areas that whilst you may not be technically compliant
It is important to remember that this is not a pass-fail scenario necessarily, the aim of the CE Standard Assessment is not only to give you confidence you are adopting best practices but it is also there to help you understand what those best practices are and to adjust how you are set up to ensure you are adopting them wherever possible – if you are not adopting the best practice you will be given chance to make changes to your IT systems where they are not compliant and re-submit the assessment.
Furthermore, there are grey areas that may mean a particular answer would represent a failure for a large organisation (e.g. no substantial firewall in place) but would not for a small organisation since the corresponding attack surface is smaller and a smaller organisation would not be able to justify or afford expensive hardware firewalls for example.
Scope of the assessment – this section is not marked since it is intended to define what areas of your IT system fall within scope of this assessment, this is important as following a successful assessment and the issue of a CE certification the area of your organisation that the certificate applies to will be detailed on the certificate.
For example the scope section is also the area of the assessment where you can paint a picture of how your organisation is structured from the user perspective, what technologies are in use, are your users home-based and if so how many.
Protecting the boundary – This section is aimed at how do you protect your network perimeter – i.e. the point at which your internal network connects to the internet.
For example Do you have firewalls in place protecting your IT systems and computing devices? Do you have a process for recording any changes that are made to firewall rules?
Secure Configuration – Having the equipment in place to protect your environment is only as good as how it is configured – this section of the assessment is aimed at making you think about how your protection is configured.
For example have you changed the default usernames and passwords that came with your internet firewall? Has software that is not required been removed from the devices? (Most software has vulnerabilities that are addressed periodically via patches – if you have the software you don’t need then potential vulnerabilities can be removed by removing the software).
User Access Control – This section examines how you are approaching security from a user perspective with regards to user accounts passwords and the levels of access that users are given to shared resources.
For example, do your users have individual user accounts? Is there a procedure for creating and removing user accounts when people join and leave your organisation?
A big part of this section relates to you adopting the guidance provided by the National Cyber Security Centre around password that can be found using the link below:
https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach
If you have not been keeping up-to-date on password best practises this is definitely worth a read as some of the traditional practices and approaches that are second nature to admins have changed.
Malware Protection – Fairly self-explanatory this section, this can be as simple as using Windows Defender which is free with the Windows OS and is an acceptable minimum in the author's opinion but personally would use something a bit more substantial. The questions are fairly standard and depending on the complexity of the anti-malware software you are running you may tick all of the boxes or just some of them.
Some example questions, what approach do you take to malware protection? Is your malware protection kept up to date? Do you perform on-access scanning of files?
Patch Management – This is the final section of the assessment and only has two questions, is all of your software licensed and do you apply critical and high priority patches within 14 days of their release.
And that’s it, the questions are not difficult although you may need help from your technical colleagues if you are not responsible for the IT environment yourself and you can also enlist the help of ComputerWorld specialists via the Enhanced CE Assessment package (NB: this is not the same as the CE Plus Assessment).
Remember this is not a Pass/Fail Assessment you may need to answer No to some of the questions because you are not compliant but your organisation size may mitigate the effect of that non-compliance and you can also adjust or change your setup and re-submit the assessment when you are compliant.
