Busy Reader Guide – Cyber Essentials Scheme

The UK Government-backed National Cyber Security Centre (NCSC) Cyber Essentials Scheme (CES), developed in association with industry, aims to protect organisations of all sizes against cyber-attack. It comes in two distinct flavours: a self-assessed ‘basic’ level and a ‘plus’ version (CES+), which adds an independent, third-party technical validation of the compliance claims made. Accreditation to CES/CES+ is administered by the sole UK accreditation body, IASME, which delegates certification to some 150 certification bodies.

Certification is often required for UK Government contracts, e.g. the Ministry of Defence’s DEFSTAN 05-138 (Defence Standard 05-138) requirement (at CES or CES+ level depending on the assessed risk to MoD Identifiable Information (MII)) and, for wider government, as stated in Procurement Policy Note 09/14.

The CES addresses five main technical control areas for a specified scope, as determined by the applicant:

• Boundary firewall – network boundary and/or endpoint boundary (unless over VPN).
• Secure configuration – removal/disabling of unnecessary software/services.
• Access control – issued following a specified process and on a ‘least privilege’ basis.
• Malware protection – use of whitelisted software, antivirus software and/or sandboxing.
• Patch management – use of currently supported software which is patched.

Registration and self-assessment are both completed via an online web form, which elicits a fairly detailed description of the organisation to be assessed and of its IT estate, so as to answer questions related to the five technical areas above. Bring Your Own Device (BYOD) equipment owned by staff members (unless those staff members provide written authority) and wireless networks are usually explicitly excluded from CES+ testing.

The scheme is aimed at small and medium-sized organisations where Commercial-off-the-Shelf (COTS, e.g. ‘vanilla’ Windows, Apple, etc.) technology is used to enable business functions, as opposed to IT provider organisations where such ‘vanilla’ IT is likely to be highly tailored; other governance regimes may be more applicable there.

Emphasis is placed on a documented business need for any software and/or services running, along with the requirement to change default passwords, which (in the case of CES+) are tested for. In terms of patching, it is expected that all software is patched within 14 days of the manufacturer releasing a patch. Where software, including operating systems, is no longer supported and can no longer be patched, such software will need to be.

Little security technology is mandated per se, though there are explicit requirements for malware control and a realistic expectation that modern operating systems have host-based firewalls; where such security technology is either mandated or present, it is expected to be well configured and is usually tested as such for CES+. In the case of antivirus software, it is expected that software engines are updated within 30 days of a new engine being released and within 24 hours of new signatures being released. Where application whitelisting or sandboxing is employed, there should be no mechanism to circumvent them.

Key Takeaways:

  • Comes in 2 flavours: self-assessed only and third-party validated.
  • Scope is as-defined by the applicant.
  • Addresses 5 fairly high-level technical areas, ‘the basics’.
  • Patching has to be to a high standard for CES+.

For further details on how Hereford InfoSec can help you with Information Risk Management, security controls’ implementation and security monitoring see our contact information below.