Cyber Essentials Questionnaire

Transcription

1 Cyber Essentials Questionnaire Introduction The Cyber Essentials scheme is recommended for organisations looking for a base level Cyber security test where IT is a business enabler rather than a core deliverable. It is mainly applicable where IT systems are primarily based on Common-Off-The-Shelf (COTS) products rather than large, heavily customised, complex solutions. The main objective of the Cyber Essentials assessment is to determine that your organisation has effectively implemented the controls required by the Scheme, in order to defend against the most common and unsophisticated forms of cyber-attack. This questionnaire is a self-assessment, which must be approved by a Board member or equivalent, and will then be verified by a competent assessor from ID Cyber Solutions, the certification body. Such verification may take a number of forms, and could include, for example, a telephone conference. The verification process will be at the discretion of ID Cyber Solutions. Scope of Cyber Essentials The Scope is defined in the scheme Assurance Framework document, available on the scheme web site You will be required to identify the actual scope of the system(s) to be evaluated as part of the questionnaire. How to avoid delays & additional charges You may incur additional charges if details are not sufficiently supplied, answer the questions as fully as possible giving supporting comments, paragraphs from policies and screen shots where possible. As a rule of thumb if it takes longer to assess the submission than you spent preparing it, you may be charged.

2 Organisation Identification Please provide details as follows: Organisation Name (legal entity): Sector: Parent Organisation name (if any): Size of organisation micro, small, medium, large. (See definition below) of employees Point of Contact name: Salutation (Mr, Mrs, Miss etc.) Initial First Surname Job Title: address: Telephone Number: Building Name/Number Address 1 Address 2 Address 3 City County Postcode Certification Body: ID Cyber Solutions Do you wish to be excluded from the register of Cyber Essentials certified companies? Exclusion means customers will not be able to find your entry. If this is left blank you will be entered. From time to time government departments and other interested bodies may wish to use your company for marketing Cyber Essentials. If you do not wish to be promoted in this way please enter NO in the box. If this is left blank you imply your consent.

3 SME Definition Company category Employees Turnover or Balance sheet total Medium-sized < m 43 m Small < m 10 m Micro < 10 2 m 2 m Business Scope Please identify the scope of the system(s) to be assessed under this questionnaire, including locations, network boundaries, management and ownership. Where possible, include IP addresses and/or ranges. A system name should be provided that uniquely identifies the systems to be assessed, and which will be used on any certificate awarded. (te: it is not permissible to provide the company name, unless all systems within the organisation are to be assessed): How many work sites are in scope? For Our Glasgow and Edinburgh offices are in scope for the test, excluding our development server located in our Glasgow office. These two sites are collectively known under the system name of Overall business systems. How are they connected? For Our Glasgow and Edinburgh offices are connected via VPN, with users from Edinburgh connecting to our file sharing server located in Glasgow. Have out-of-scope areas been sufficiently segregated (NAT/Firewall)? For Our out-ofscope development server is connected to our network but is segregated by a firewall. What Cloud Services are used (Dropbox, Office 365, Google Drive)? For We regularly use Office 365 to manage and access our system, as well as to store some working files. Please provide a URL (or send supplemental documentation) that shows each cloud provider s security processes and certifications

4 Boundary Firewalls and Internet Gateways Question Answer Comment 1 Have you installed Firewalls or similar devices at the boundaries of the networks in the Scope? What make are your Firewalls and who administers them? For Both of our offices are protected by identical Cisco ASA 5520 Firewalls. These were installed and are maintained by our outsourced IT company AAA Solutions. 2 Have the default usernames/passwords on all boundary firewalls (or similar devices) been changed to a strong password? 3 Have all open ports and services on each firewall (or similar device) been subject to justification and approval by an appropriately qualified and authorised business representative, and has this approval been properly documented? 4 Have all commonly attacked and vulnerable services (such as Server Message Block (SMB) NetBIOSm tftp, RPC, rlogin, rsh, rexec) been disabled or blocked by default at the boundary firewalls? When were the credentials changed, and who by? What are the complexity rules of the passwords? For Our outsourced IT company changed the passwords when the firewalls were installed three months ago. They have told us that the passwords are at least 15 characters long with a mixture of letters, numbers and special characters. What is the approval process when a new port is opened and who administers this? For Our Operations Manager issues a request to the outsourced IT company stating the reason for the port to be open and consults with them about any potential security issues. The outsourced IT company then arranges a suitable time to perform the operation. How do you know this to be the case? Who s role was it to check and when was this done? For This was checked by our Operations Manager shortly after the firewalls were installed. They asked the outsourced IT company to confirm that all of the

5 necessary services had been disabled. Question Answer Comment 5 Confirm that there is a corporate policy requiring all firewall rules that are no longer required to be removed or disabled in a timely manner, and that this policy has been adhered to (meaning that there are currently no open ports or services that are not essential for the business)? Policy exists and has been implemented 6 Confirm that any remote administrative interface has been disabled on all firewall (or similar) devices? 7 Confirm that where there is no requirement for a system to have Internet access, a Default Deny policy is in effect and that it has been applied correctly, preventing the system from making connections to the Internet? Policy exists but has not been implemented Policy does not exist What is the name of the policy document? When was the last check performed to verify the policy is being adhered to and who signs off on the checks? For Our outsourced IT company maintains a policy document on our behalf titled Business Firewall Rules which is reviewed and checked at our 3-monthly catch-up meetings with the outsourced IT company. Our Operations Manager signs off on any changes to the policy and he is satisfied that the policy is being adhered to. Whose responsibility is it and when was this checked? Are firewalls ever configured remotely by anyone, and if so what compensating controls are used? For Our outsourced IT company administers our firewalls remotely via SSH which is configured to their IP address only. This was checked by our Operations Manager when the firewalls were installed three months ago. Do you have any machines that require this (i.e. machines you are keeping out of scope)? Are servers ever used to browse the web? For Our development server does not need to connect to the internet and has a Default Deny policy in effect. Our other servers are strictly access controlled and are never used to browse the internet.

6 Please provide any additional evidence to support your assertions above: Secure Configuration Question Answer Comment 8 Have all unnecessary or default user accounts been deleted or disabled? 9 Confirm that all accounts have passwords, and that any default passwords have been changed to strong passwords? 10 Has all unnecessary software, including OS utilities, services and applications, been removed or disabled? How is this administered and whose responsibility is it to check this? What is the process to ensure this is carried out? For Our outsourced IT company adheres to a set image for new computers which includes disabling any default user accounts. Our HR Manager ensures that any accounts belonging to ex-employees are removed within 7 days. How is it ensured that all accounts have strong passwords? Are technical controls in place to enforce complex passwords or is it a paper based policy? For All of our passwords protected systems ask users to set passwords when they first log in and make sure that they meet our minimum strength requirements. Whose role is it to commission a computer and how is it ensured that only approved services and applications have been installed and enabled? Is it part of policy to remove all unnecessary bundled software? For All computers are procured through our outsourced IT company who adhere to a default image which removes

7 11 Has the Auto Run (or similar service) been disabled for all media types and network file shares? 12 Has a host based firewall been installed on all desktop PCs or laptops, and is this configured to block unapproved connections by default? Installed and configured Installed, but not configured t installed any unnecessary software. How was this disabled? For Auto Run and Auto Play have been disabled for all of our computers, and is part of our outsourced IT providers default image for all new computers. How is this checked? For Our outsourced IT providers default image includes preconfigured rton antivirus and firewall which is installed on every PC and laptop. 13 Is a standard build image used to configure new workstations, does this image include the policies and controls and software required to protect the workstation, and is the image kept up to date with corporate policies? 14 Do you have a backup policy in place, and are backups regularly taken to protect against threats such as ransomware? Who created the build image and whose responsibility is it keep it up to date? If a build image is not used are build instructions of build best practice guidelines followed, and what are they? For Example: Our outsourced IT provider providers a default image for all new computers which adhere to all of our security requirements. These requirements are reviewed at 3-monthly meetings with the outsourced IT provider and updated if necessary. Describe your backup process (online, CD, hard drive etc.) and if they are segregated from other systems (i.e. could malware affect them if every other system was compromised?). For Our outsourced IT provider performs and maintains backups of all of our systems every 24 hours. We also have a backup

8 15 Are security and event logs maintained on servers, workstations and laptops? server which mirrors our internal file sharing server, but this is more convenient than robust. Regardless, we are confident that our backups with our outsourced IT providers are sufficiently segregated. Which logs are enabled? For Access logs are maintained for all of our servers in addition to Windows event and error logs for all of our computers. Please provide any additional evidence to support your assertions above:

9 Access Control Question Answer Comment 16 Are user account requests subject to proper justification, provisioning and an approvals process, and assigned to named individuals? 17 Are users required to authenticate with a unique username and strong password before being granted access to computers and applications? 18 Are accounts removed or disabled when no longer required? What is the process for adding a new user account (e.g. for a new employee)? For Our HR Manager makes a request to add a new user account which must be approved by the Operations Manager. This request is then sent to the outsourced IT company who adds the new user account. Are all of your sensitive systems password protected? Have you identified any users that share login accounts? For All of our sensitive systems require users to authenticate before being granted access. We have a strict policy against users sharing login credentials and do not write passwords down. Do you have a procedure for removing unnecessary user accounts and are regular checks carried out to ensure that all unnecessary users have been removed? 19 Are elevated or special access privileges, such as system administrator accounts, restricted to a limited number of Our policy states that all unnecessary user accounts are to be removed within 7 days. Our HR Manager makes a request to remove the account which is approved by the Operations Manager. This request is then sent to the outsourced IT company which removes the account. The HR Manager checks the account is removed and is responsible for maintaining only necessary user accounts. What are the role of these individuals? For

10 authorised individuals? 20 Are special access privileges documented and reviewed regularly (e.g. quarterly)? 21 Are all administrative accounts only permitted to perform administrator activity, with no Internet or external permissions? 22 Does your password policy enforce changing administrator passwords at least every 60 days to a complex password? Elevated access is restricted to only our Operations Manager. All other administrative requests are submitted through the outsourced IT company. When were special access privileges last reviewed, and how are they documented (spreadsheet, database, etc.)? For Our documentation process is straightforward as our Operations Manager is the only member of staff with special access privileges and acts as our liaison with the outsourced IT company. All administrative accounts should be taken into consideration including domain and local computer admins. For Administrative accounts are only used when they are necessary. Administrative accounts are not used for dayto-day activities and instead the user is prompted for administrator credentials when an administrative action must be carried out. How is this policy enforced? Does your policy enforce less or more days between changes? For Our systems require users to set new passwords every 45 days. User passwords are automatically expired at the end of the password period which forces users to create a new password before being able to log in again. Please provide any additional evidence to support your assertions above:

11 Malware Protection Question Answer Comment 23 Please confirm that malware protection software has been installed on at least all computers with an ability to connect outside of the network in Scope? 24 Does corporate policy require all malware protection software to have all engine updates applied, and is this applied rigorously? 25 Have all anti malware signature files been kept up to date (through automatic updates or through centrally managed deployment)? 26 Has malware protection software been configured for on-access scanning, and does this include downloading or opening files, opening folders on removable or remote storage, and web page scanning? 27 Has malware protection software been configured to run regular (at least daily) scans? What malware protection software is used and how is it deployed? For All computers have rton antivirus and firewall installed. This is installed by default through the outsourced IT company s default computer image. It is advised that updates should occur within 90 days. For All of our malware protection software is set to automatically update whenever updates become available. How often is this checked and how is each machine kept up to date? For All of our malware signature files are kept up to date through automatic updates which are applied whenever they become available. Is it possible for users to change this setting? For Our malware protection software package provides complete protection including web page scanning and real-time scanning of downloaded files and removable storage. This configuration can only be changed by an administrator. What scan regime do you follow (full scan, quick scan, etc.)? For Our malware protection software is configured to perform quick scans every 6 hours and a full scan every 24 hours.

12 28 Are users prevented from running executable code or programs from any media to which they also have write access? Other than anti-virus software, are access control measures in place to prevent virus code modifying commonly run executable files? 29 Are users prevented from accessing known malicious web sites by your malware protection software through a blacklisting function? What mechanisms are in place to ensure that if a user clicks on a malicious link, the executable file does not execute? How are these mechanisms achieved? For Whenever a user clicks on a link or file attachment they are prompted that the file may be dangerous and to confirm that they wish to run it. Does your malware protection software do this or have you subscribed to a third party DNS service that filters such sites (if so, include is it called)? For Our malware protection software includes a feature which provides a website check through the malware protection software vendor s database. Please provide any additional evidence to support your assertions above: Patch Management Question Answer Comment 30 Is all software installed on computers and network devices in the Scope licensed and supported? If any software/os/device does not have support available how have you ensured that it is out of scope? For 31 Are all Operating System security patches applied within 14 days of release? All of our software and devices are fully licenced and supported with the exception of some legacy development tools on our out-of-scope firewalled development server. How do you enforce this (i.e. central patch deployment or individual machines set to update automatically)? For

13 32 Are all Application software security patches applied within 14 days of release? 33 Is all legacy or unsupported software isolated, disabled or removed from devices within the Scope? 34 Is a mobile working policy in force that requires mobile devices (including BYOD) to be kept up to date with vendor updates and app patches? All of our individual computers are configured to apply Operating System updates automatically, as soon as they are available. How do you enforce this (i.e. central patch deployment or individual machines set to update automatically)? For All of our individual computers are configured to apply application software updates automatically, as soon as they are available. What is the process used to ensure this happens and to record which software is on which devices? For Any deviations from the standard machine image are recorded by the Operations Manager in a spreadsheet. This spreadsheet (and the contents of the standard image) is reviewed at our 3-monthly meetings with the outsourced IT company to ensure that all software present on our machines is up to scratch. What kind of work is done via mobile devices and are they kept up to date? Do any non-company owned devices connect to the company network or is there a guest partition where they can connect? For

14 We maintain a guest area for guests to connect noncompany owned devices. We also have a number of company owned tablets which are used by workers onsite. These devices are set to automatically install updates when they become available. Please provide any additional evidence to support your assertions above: Approval It is a requirement of the Scheme that a Board level (or equivalent) of the organisation has approved the information given. Please provide evidence of such approval: