CONFIDENTIAL WHEN COMPLETED

© The IASME Consortium Ltd 2018. All rights reserved.

The copyright in this document is vested in The IASME Consortium Ltd. The document must not be reproduced, by any means, in whole or in part, or used for manufacturing purposes, except with the prior written permission of The IASME Consortium Ltd and then only on condition that this notice is included in any such reproduction.

Information contained in this document is believed to be accurate at the time of publication, but no liability whatsoever can be accepted by any member of The IASME Consortium Ltd arising out of any use made of this information.

Compliance with this standard does not confer immunity from legal proceedings, nor does it guarantee complete information security.

IASME Governance Self-Assessment Preparation Booklet

Includes Assessment against Cyber Essentials and GDPR


IASME Governance, including Cyber Essentials and GDPR compliance Self-Assessment

Version 10.8 March 2018

Introduction

This combined questionnaire explores the technical issues of the Cyber Essentials and the broader scope of the IASME Governance Standard. The European Union's General Data Protection Regulation (GDPR) requirements are also included. Based on current government guidance and policy it is likely that any organisation proposing to offer goods and services to EU member states will need to comply with the EU General Data Protection Regulation (GDPR) from May 2018. These are the questions you will be asked to complete through the online assessment platform. Questions which apply only to the IASME governance standard are in red, questions which apply only to the GDPR requirements are in blue; all other questions apply to the Cyber Essentials requirements and are in black.

All answers are assessed. Your answers must be approved by a Board level representative, business owner or the equivalent, otherwise certification cannot be awarded. Please answer all the questions to the best of your knowledge and add brief notes with most answers.

Achieving compliance with the Cyber Essentials profile or the IASME governance standard indicates that your organisation has taken the steps set out in the HMG Cyber Essentials Scheme documents or the broader IASME governance standard. It does not amount to an assurance that the organisation is free from cyber vulnerabilities, and neither IASME Consortium Limited (as Accreditation Body) nor the Certification Body accepts any liability to certified organisations or any other person or body in relation to any reliance they might place on the certificate.

A "pass" under the GDPR assessment does not mean that you are assessed as being legally compliant. It indicates only that your organisation is starting on the pathway to compliance and is committed to ensuring 'privacy by design'.

You should ensure that your organisation obtains specialist legal advice on the GDPR as on any other data protection issue. This GDPR assessment is not legal advice and must not be relied upon as such, and IASME accepts no liability for loss or damage suffered as a result of reliance on views expressed here.

The full extent of the GDPR regime and its application post-Brexit (for example) is not yet fully known, but the assessment addresses what we consider to be key elements, to help organisations demonstrate progress towards meeting the policy objectives that underpin the GDPR.

If you are awarded a certificate you will also be sent a badge to use in correspondence and publicity, and must accept the conditions of use.

Further guidance on the Cyber Essentials scheme can be found at

https://www.cyberessentials.ncsc.gov.uk/requirements-for-it-infrastructure.html


Your Company

Please tell us a little about how your company is set up so we can ask you the most appropriate questions.

1. What is your organisation's name (for companies: as registered with Companies House)?

2. What is your organisation's registration number (if you have one)?

3. What is your organisation's address (for companies: as registered with Companies House)?


4. What is your main business? Options: Agriculture, Forestry and Fishing; Mining and Quarrying; Manufacturing; Electricity, Gas, Steam and Air-conditioning Supply; Water supply, Sewerage, Waste management and Remediation; Construction; Wholesale and Retail trade, Repair of motor cars and motorcycles; Transport and storage; Accommodation and food services; Information and communication; Financial and insurance; Real estate; Professional, scientific and technical; Administration and support services; Public administration and defence, Compulsory social security; Education; Human Health and Social Work; Arts, Entertainment and Recreation; Other service activities; Activities of households as employers, undifferentiated goods and services producing for households for own use; Activities of extraterritorial organisations and bodies.


5. What is your website address?

6. What is the size of your organisation? Based on the EU definitions of Micro (<10 employees, <€2m turnover), Small (<50 employees, <€10m turnover), Medium (<250 employees, <€50m turnover) or Large.

7. How many staff are homeworkers? Homeworkers are staff whose main work location is their home address and who work there for the majority of their time. This does not include office workers who occasionally work at home or when travelling.

Scope of Assessment

Please briefly describe the elements of your organisation which you want to certify to this accreditation. The scope should be either the whole organisation or an organisational sub-unit (for example, the UK operation of a multinational company). All computers, laptops, servers, mobile phones, tablets and firewalls/routers that can access the internet and are used by this organisation or sub-unit to access business information should be considered "in-scope". All locations that are owned or operated by this organisation or sub-unit, whether in the UK or internationally, should be considered "in-scope".

8. Does the scope of this assessment cover your whole organisation?

Please note: your organisation is only eligible for free Cyber Insurance if your assessment covers your whole company; if you answer "No" to this question you will not be invited to apply for insurance.


9. If it is not the whole organisation, then what scope description would you like to appear on your certificate and website?

10. Does your organisation hold or process personal data (as defined by your country's data protection legislation)?

11. Have you completed a Data Protection Impact Assessment, or Privacy Impact Assessment, in the last 12 months?

12. Is your usage of personal data subject to the EU GDPR? (If you hold and process personal data about EU citizens, you must comply with the EU GDPR wherever you are located in the world.)

13. Please describe the geographical locations of your business which are in the scope of this assessment.

14. Please list all equipment which is included in the scope of this assessment (please include details of laptops, computers, servers, mobile phones and tablets).

All laptops, computers, servers and mobile devices that can access business data and have access to the internet must be included in the scope of the assessment.


15. Please provide details of the networks that will be in the scope for this assessment (such as office network, home offices and firewalls).

16. Please provide the name and role of the person who is responsible for managing the information systems in the scope of this assessment.

Managing Security

Please tell us about how you manage security within your organisation.

17. Please provide the name of the board member/director/partner/trustee identified as responsible for information security and data protection.

18. Is information security and data protection a standing agenda item for your Board Meetings?

19. Please provide the name and role of the person who has overall responsibility for security in your organisation. This should be a named board member or director.


20. Please provide the name and role of the person who has overall responsibility for data protection in your organisation. This should be a named board member or director.

21. How do you ensure that you provide sufficient funding and a suitable number of appropriately skilled staff to develop and maintain good information security?

Information Assets

Risk assessment and recovery from information and cyber security incidents both rely on having a good understanding of your key information assets. Only then can you appreciate your attack surface and what you've got to lose. The impact of any security incident will be most severe if it happens to the assets which keep the organisation going.

22. Does your organisation have up to date asset registers?

23. How does your asset management system track your own and other companies' intellectual property within your organisation?


24. How does your asset register track information assets (i.e. categories of information)? An information asset might be a set of data (for example "employee information") which will have a location attached to it (for example "the server in the HR department") and an owner (for example the "HR director").

25. Do all assets (both physical and information assets) have named owners?

26. How is removable media recorded and managed?

27. Confirm and describe how all mobile phones and tablets are tracked in the asset register, PIN or password protected, encrypted and remotely wipeable. Please describe all criteria within this question.

This can be achieved using built-in tools or additional mobile device management software.

28. Is all personal data and special category data identified (e.g. by protective marking) and properly protected? Describe how this is done.

29. How do you ensure all flows of personal and special category data are documented, including where data was obtained and all destinations of data?


30. Is all sensitive information identified (e.g. by protective marking) and properly protected?

31. Describe how your processes allow data subjects to request changes to incorrect data or deletion of data.

32. When assets are no longer required, is all data securely wiped from them or are the assets securely destroyed? Describe how this is done.

Special software can be used to securely wipe data, and external companies can be used to provide a secure destruction service.

Cloud Services

Some organisations use public cloud services to store or share files between employees, suppliers and customers. Cloud services include Office 365, G Suite (Google Apps), Dropbox, Salesforce and Amazon Web Services (AWS).

33. Do you use a public cloud provider to store or share files and information between employees? If so, please list all providers.

34. Where is the data that is sent to a public cloud provider stored?


35. If you store personal data with your cloud provider, do you store any of that data outside of the European Economic Area (EEA)?

36. If yes to the above, have you obtained explicit consent from data subjects to transfer their data outside of the European Economic Area (EEA)?

37. If yes to the above, does your provider certify to an agreement such as EU-UK Privacy Shield or to other binding corporate rules that confirm the level of protection given to that data?

38. Do the public cloud providers that your organisation uses hold any recognised security accreditations?

39. Is your data encrypted before being passed between your site and the public cloud provider (i.e. encrypted in transit)?

40. Is your data encrypted whilst being stored or processed by the public cloud provider (i.e. encrypted at rest)?


Risk Management

It is important to identify the threats to the organisation and assess the resulting risk. The applicability of the controls to your business is determined partly by a risk assessment and partly by your risk appetite. IASME knows that too few SMEs have a formal information risk assessment, or a business risk assessment of any kind. However, they do have a keen sense of the risks and frailty of their business at board level. The organisation should create and regularly review Risk Assessments.

41. Do you have a current Risk Assessment?

42. Has your risk assessment been reviewed in the last 12 months? Who reviewed it?

43. Does the risk assessment cover the scope of this assessment?

44. Was the risk assessment approved at Board Level?


Data Protection

The organisation should have a policy to manage personal data as defined by your country's data protection legislation. The Information Commissioner's Office (ICO) website provides more information on this topic in the UK. Based on current government guidance and policy it is likely that any organisation proposing to offer goods and services to EU member states will need to comply with the EU General Data Protection Regulation (GDPR) from May 2018.

45. Have you put policies and procedures in place to mitigate risks to personal data?

46. Are these policies and procedures provided to all employees, required to be followed in everyday practice and linked to disciplinary procedures? How do you achieve this?

47. Is Data Protection referred to in employee contracts of employment?

48. Do policies and procedures set clear responsibilities for handling of personal data, including where appropriate reference to responsibilities held by your Data Protection Officer?

49. When your organisation collects personal data from a subject, do you clearly state what it is being collected for, how it will be processed and who will process it, and does the data subject have to provide consent for this?


50. Where you collect data from children do you actively seek parental consent? How do you record this?

51. Does your risk assessment cover the management of personal data or special category data?

52. What is your process for dealing with Subject Access or Data Portability requests within 30 days?

Under data protection legislation, individuals have a right to obtain a copy of the information you hold about them.

53. What is your process for correcting inaccurate records, deleting records or suspending the processing of records?

Under data protection legislation, individuals have the right to have inaccuracies corrected and may have the right to have information about them deleted from systems.

54. Do you have documented data retention periods and do these cover contractual and legal requirements?

55. Do you have documented data classification criteria?


56. Do you have a data protection or data privacy statement compliant with the requirements of the General Data Protection Regulation (GDPR), and does the statement provide a point of contact for data protection issues? Who is the point of contact?

57. Where you are holding data based upon the consent of the data subject, how do you record details of the consent?

58. Do you have mechanisms in place which make it easy for the data subject to remove consent for data processing, and do you ensure it is as easy to remove consent as it was for them to give it?

59. For each piece of personal information you hold, do you record the purpose for which it was obtained? Where is this recorded?

60. For each piece of personal information you hold, do you record the justification for obtaining it? Where is this recorded?

Justifications for obtaining the information might include explicit consent, contract fulfilment, performing a public function, meeting a legal requirement or another legitimate interest.

61. For each piece of special category data you hold, do you record the justification for obtaining it? Where is this recorded?

Justifications for obtaining special category (or sensitive personal) data could include specific consent, use for employment purposes or to meet a medical need.


62. For each piece of personal information you hold, do you record whether your organisation is the data processor or the data controller?

63. In each contract you hold with suppliers and customers involving the processing of personal data, do you confirm whether you are the data controller or data processor?

64. Where you disclose personal data to a supplier/provider, does the contract explicitly impose the obligation to maintain appropriate technical and organisational measures to protect personal data in line with relevant legislation?

People

People are your greatest allies in protecting your organisation's information. They can also present a risk because they have privileged access to information. It is important therefore to ensure that you know as much about them as possible before you employ them. This is usually done by taking up references, and in certain cases through formal vetting procedures.

It is essential that new employees are given a briefing on their corporate and security responsibilities before, or immediately after, employment. Employee contracts should also include security obligations, and reminders should take place at regular intervals.

Employees with special responsibility for security, or with privileged access to business systems, should be adequately trained/qualified as appropriate. On termination of employment, user access privileges should be immediately withdrawn and the employee de-briefed on their post-employment confidentiality responsibilities.

65. Do you take up references and/or confirm employment history when employing new staff? How do you do this?


66. Where criminal record checks are carried out, do you ensure that explicit consent has been obtained from employees and that such checks are carried out for lawful purposes?

67. Provide the name and role of the person responsible for security and data protection training and awareness.

68. Do all staff and contractors receive regular information security and data protection training (at least annually)? Describe how this is done.

69. Do you give new employees a briefing on their corporate and security responsibilities before, or immediately after, employment, preferably reinforced by reference literature? How do you do this?

70. Do employee contracts include security obligations (such as an obligation to comply with the security policy) and are reminders given at regular intervals?

71. Are employees with responsibility for information security, or with privileged access to business systems, appropriately qualified and suitably trained?

72. On termination of employment, are user access privileges immediately withdrawn and the employee de-briefed on their post-employment confidentiality responsibilities? How do you do this?


Security Policy

The organisation must have an implemented security policy to match its risk profile. This is usually the ultimate responsibility of the CIO/Director.

IASME provides a model template policy which can be adapted to the individual circumstances of most organisations.

Dates for achieving objectives can be set within the policy, which should be reviewed by the Board at regular intervals, or when security incidents occur or changes in the risk landscape emerge.

73. Do you have a current Security Policy?

A Security Policy can be stand-alone or incorporated into other policy, but it should set out your objectives for managing your security.

74. Has your Policy been reviewed in the last 12 months?

75. Does the Policy cover the scope of this assessment?

76. Provide the name and role of the person who approved the policy.

77. Is there a policy review and consultation process?


78. Does the policy refer to Intellectual Property Rights and legal requirements?

79. Does the policy refer to personnel security?

80. Does the policy refer to asset management?

81. Does the policy refer to access management?

82. Does the policy refer to physical and environmental security?

83. Does the policy refer to computer and network security?

84. Does the policy refer to security from malware and intrusion?

85. Does the policy refer to security incident management?


86. Does the policy refer to business continuity measures?

87. Does the policy refer to handling personal data (and, where appropriate, reference your data protection policy)?

88. Is the policy distributed to all employees?

89. Is the security policy part of all employees' contractual obligations?

90. Do the contracts with all your suppliers ensure that they meet the requirements of your security policy around handling data and keeping information secure?

91. List any business sector-specific laws/regulations relating to risk treatment or information security which apply to your business.

92. List any UK or EU laws/regulations relating to risk treatment or information security which apply to your business.


93. List any other international legislation/regulations relating to risk treatment or information security which apply to your business.

94. Do you store credit card information?

95. If yes to the above, are the systems that you use to store credit card information compliant with PCI-DSS regulation?

96. Is your business part of a public global organisation that is required to have external financial reporting?


Physical and Environmental Protection

Protection of your information and cyber security extends to the physical protection of information assets, to prevent theft, loss or damage and their impact on the availability of your business information and associated resources.

Usually this is no more than the common sense approach to door locks, window bars, video surveillance etc., as dictated by the organisation's physical environment. However, in some cases, physical protection may be dictated by governmental or legal requirements.

If your equipment requires any particular working conditions – such as heating, ventilation, or air conditioning (HVAC) – be careful to maintain these within the guidelines set out by the respective manufacturers.

97. Are only authorised personnel who have a justified and approved business case given access to restricted areas containing information systems or stored data? How do you achieve this?

98. Are devices which require particular working conditions - such as heating and cooling - provided with a suitable environment within the guidelines set out by their respective manufacturers? How do you achieve this?

99. Do all business premises have effective physical protection and, if indicated by a risk assessment, surveillance and monitoring? How do you achieve this?


Office Firewalls and Internet Gateways

Firewall is the generic name for software or hardware which provides technical protection between your systems and the outside world. There will be a firewall within your internet router. Common internet routers are BT Home Hub, Virgin Media Hub or Sky Hub. Your organisation may also have set up a separate hardware firewall device between your network and the internet. Firewalls are powerful devices and need to be configured correctly to provide effective security. Questions in this section apply to: Hardware Firewall devices, Routers, Computers and Laptops only.

100. Do you have firewalls at the boundaries between your organisation's internal networks and the internet? You should have firewalls in place between your office network and the internet. You should also have firewalls in place for home-based workers, if those users are not using a Virtual Private Network (VPN) connected to your office network. Remember most internet routers contain a firewall.

101. When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?

102. Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?

A password that is difficult to guess will not be made up of common or predictable words such as "password" or "admin", or include predictable number sequences such as "12345".


103. Do you change the password when you believe it may have been compromised? How do you achieve this?

104. Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case? At times your firewall may be configured to allow a system on the inside to become accessible from the internet (such as a server or a video conferencing unit). This is sometimes referred to as "opening a port". You need to show a business case for doing this because it can present security risks. If you have not enabled any services, answer "No".

105. If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process.

106. Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?

By default, most firewalls block all services from inside the network from being accessed from the internet, but you need to check your firewall settings.


107. Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?

Sometimes organisations configure their firewall to allow other people (such as an IT support company) to change the settings via the internet. If you have not set up your firewalls to be accessible to people outside your organisation, or your device configuration settings are only accessible via a VPN connection, then answer "no" to this question.

108. If yes, is there a documented business requirement for this access?

109. If yes, is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings? List which option is used.

110. Do you have software firewalls enabled on all of your computers and laptops? You can check this setting on Mac laptops in the Security & Privacy section of System Preferences. On Windows laptops you can check this by going to Settings or Control Panel and searching for "windows firewall".

111. If no, is this because software firewalls are not commonly available for the operating system you are using? Please list the operating systems.


Secure Configuration

Computers are often not secure upon default installation. An 'out-of-the-box' set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications or services. All of these present security risks.

Questions in this section apply to operating systems and applications running on: Servers, Computers, Laptops, Tablets and Mobile Phones.

112. Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this. This includes applications, system utilities and network services.

113. Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business?

114. Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?

115. Do all your users and administrators use passwords of at least 8 characters? A strong password typically is a mixture of at least 8 characters, numbers and symbols; the longer the better.


116. Do you run software that provides sensitive or critical information (that shouldn't be made public) to external users across the internet?

117. If yes, do you ensure all users of these services use a password of at least 8 characters and that your systems do not restrict the length of the password?

118. If yes, do you ensure that you change passwords if you believe that they have been compromised?

119. If yes, are your systems set to lock out after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes?

120. If yes, do you have a password policy that guides all your users? The password policy must include: guidance on how to choose non-guessable passwords, not to use the same password for multiple accounts, which passwords may be written down and where they can be stored, and if they may use a password manager.

121. Is "auto-run" or "auto-play" disabled on all of your systems? This is a setting which automatically runs software on a DVD or memory stick. You can disable "auto-run" or "auto-play" through control panel/system preferences.
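Question 119 gives two acceptable controls for an internet-facing login: lock the account after ten or fewer consecutive failures, or cap attempts at ten per five minutes. The following is an added illustration of what a service that satisfies both would do; it is not IASME's code and not part of the booklet. The numeric thresholds come from the question; the 15-minute lockout duration, the in-memory store, the caller-supplied clock and the user names are assumptions made here for the example.

```python
"""Login-attempt throttling that meets the thresholds in question 119:
lock an account after ten consecutive failed logins, and never allow more
than ten attempts for one account within any five-minute window.
Added example; not IASME code. Store, clock and lockout length are assumed."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field

MAX_CONSECUTIVE_FAILURES = 10   # "ten or fewer unsuccessful login attempts"
WINDOW_SECONDS = 5 * 60          # "within five minutes"
MAX_ATTEMPTS_PER_WINDOW = 10     # "no more than ten" attempts in that window
LOCKOUT_SECONDS = 15 * 60        # assumed: the booklet sets no lockout length


@dataclass
class AccountState:
    failures: int = 0                                   # consecutive failures
    attempts: deque = field(default_factory=deque)      # timestamps of recent attempts
    locked_until: float = 0.0                           # 0 means not locked


class LoginThrottle:
    """Per-username throttle. The caller passes the current time in seconds so
    the logic is deterministic and testable; a real service would use time.time()."""

    def __init__(self) -> None:
        self._accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def check(self, user: str, now: float) -> str:
        """Return 'ok' if an attempt may proceed, else 'locked' or 'rate_limited'.
        Call this before verifying the password so throttling applies regardless
        of whether the password is right."""
        st = self._state(user)
        if now < st.locked_until:
            return "locked"
        # Drop attempts that have fallen out of the five-minute sliding window.
        while st.attempts and now - st.attempts[0] >= WINDOW_SECONDS:
            st.attempts.popleft()
        if len(st.attempts) >= MAX_ATTEMPTS_PER_WINDOW:
            return "rate_limited"
        return "ok"

    def record(self, user: str, success: bool, now: float) -> str:
        """Record the outcome of an attempt that check() allowed. Returns 'reset'
        (success cleared the failure count), 'locked' (lockout just started) or 'ok'."""
        st = self._state(user)
        st.attempts.append(now)                 # every attempt counts toward the window
        if success:
            st.failures = 0
            return "reset"
        st.failures += 1
        if st.failures >= MAX_CONSECUTIVE_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        return "ok"

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Throttle check followed by record; blocked attempts are never recorded
        as tries, so the window cap cannot be exceeded."""
        verdict = self.check(user, now)
        if verdict != "ok":
            return verdict
        return self.record(user, password_ok, now)


def simulate_burst(n: int, spacing: float = 1.0) -> list[str]:
    """Constructed scenario: n wrong-password attempts for one account, one per second.
    The consecutive-failure rule locks the account on the tenth failure."""
    t = LoginThrottle()
    return [t.attempt("alice", False, i * spacing) for i in range(n)]


def simulate_window_limit() -> list[str]:
    """Constructed scenario: correct and wrong passwords alternate every 10 s, so
    consecutive failures never reach ten; the five-minute window rule still blocks
    the eleventh attempt."""
    t = LoginThrottle()
    return [t.attempt("carol", i % 2 == 0, i * 10.0) for i in range(12)]
```

Both rules are enforced together so that neither a fast burst nor a slow, interleaved guessing pattern gets more than ten tries in the window; a service that only needed one of the two controls to answer question 119 could drop the other branch.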


Software Patching

To protect your organisation, you should ensure that your software is always up-to-date with the latest updates or "patches". If, on any of your in-scope devices, you are using an operating system which is no longer supported, e.g. Microsoft Windows XP or macOS Mountain Lion, and you are not being provided with updates from another reliable source, then you will not be awarded certification. Mobile phones and tablets are in-scope and must also use an operating system that is still supported by the manufacturer.

Questions in this section apply to: Servers, Computers, Laptops, Tablets, Mobile Phones, Routers and Firewalls.

122. Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems? Please list any operating systems that are not supported.

123. Are all applications on your devices supported by a supplier that produces regular fixes for any security problems? Please list any applications that are not supported.

124. Is all software licensed in accordance with the publisher's recommendations?

125. Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how you achieve this.

126. Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.


127. Have you removed any applications on your devices that are no longer supported and no longer receive regular fixes for security problems?

Operations and Management

Your organisation needs to ensure that management of computers, networks and devices is carried out in a controlled manner, so that changes to configuration are only implemented with authorisation. This ensures your security environment remains appropriate for the organisation.

128. Is management of computers and networks controlled using documented procedures that have been authorised? Describe how you achieve this.

129. Does the organisation ensure that all new and modified information systems, applications and networks include security provisions, are correctly sized, comply with security requirements, are compatible with existing systems and are approved before they commence operation? Describe how you achieve this.

130. Where personal data is in use, do you ensure that a privacy impact assessment is carried out for new systems and projects?

131. Are changes to information systems, applications or networks reviewed and approved? Describe the approval process.


132. How do you ensure that all your suppliers (including cloud providers and sub-contractors) follow information security procedures that are certified to be the same as, or more comprehensive than, the information security procedures followed by your own organisation for the data involved in that contract? An example of such certification would be an independent audit of the whole business to ISO 27001, the IASME Governance standard or Cyber Essentials.

User Accounts

It is important to only give users access to the resources and data necessary for their roles, and no more. All users need to have unique accounts and should not be carrying out day-to-day tasks such as invoicing or dealing with e-mail whilst logged on as a user with administrator privileges, which allow significant changes to the way your computer systems work.

Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones.

133. Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.

134. Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique username and password?

135. How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

When an individual leaves your organisation, you need to stop them accessing any of your systems.


136. Do you ensure that staff only have the privileges that they need to do their current job? How do you do this? When a staff member changes job role you may also need to change their access privileges.

Administrative Accounts

User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When these privileged accounts are accessed by attackers they can cause the most damage, because they can usually perform actions such as installing malicious software and making configuration changes. Special access includes privileges over and above those of normal users. It is not acceptable to work on a day-to-day basis in a privileged “administrator” mode.

Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones.

137. Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.

138. How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?

139. How do you ensure that administrator accounts are not used for accessing email or web browsing?


140. Do you formally track which users have administrator accounts in your organisation?

141. Do you review who should have administrative access on a regular basis?

142. Have you enabled two-factor authentication for access to all administrative accounts?

143. If no, is this because two-factor authentication is not available for some or all of your devices or systems? List the devices or systems that do not allow two-factor authentication.
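Questions 135, 140 and 141 are easiest to evidence with a repeatable reconciliation rather than a manual look through the directory. The script below is an added example, not part of the IASME booklet: it compares a directory export of accounts against an HR leavers list and reports leavers whose accounts are still enabled, the current register of administrator accounts, and enabled accounts nobody has used recently. Both CSV exports are constructed inline, and the column names, user names and 90-day idle threshold are assumptions, not values taken from the booklet.

```python
"""Account hygiene review aid for questions 135, 140 and 141.

Added example, not part of the IASME booklet. It reconciles two exports that
most organisations can produce: a directory dump of accounts and an HR list of
leavers. Both are constructed inline below; the column names, user names and
90-day idle threshold are assumptions, not values from the booklet.
"""
import csv
import io
from datetime import date, timedelta

# Constructed directory export: one row per account. In a real review this
# would come from Active Directory, Google Workspace, Office 365, etc.
DIRECTORY_CSV = """\
username,enabled,is_admin,last_logon
alice,true,false,2018-03-01
bob,true,true,2018-02-27
carol,true,false,2017-11-14
dave,false,true,2017-09-30
erin,true,true,2018-03-02
svc_backup,true,true,2018-03-02
"""

# Constructed HR leavers list: people who should no longer have access.
LEAVERS_CSV = """\
username,leave_date
carol,2017-11-30
dave,2017-10-01
"""

# Date the review is run (fixed so the example is reproducible).
REVIEW_DATE = date(2018, 3, 5)


def load_csv(text):
    """Parse a CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def is_true(value):
    return value.strip().lower() in ("true", "yes", "1")


def leaver_accounts_still_enabled(directory, leavers):
    """Q135: accounts belonging to leavers that have not been disabled or deleted."""
    left = {row["username"] for row in leavers}
    return sorted(row["username"] for row in directory
                  if row["username"] in left and is_true(row["enabled"]))


def admin_accounts(directory):
    """Q140: the register of enabled accounts holding administrator privilege."""
    return sorted(row["username"] for row in directory
                  if is_true(row["is_admin"]) and is_true(row["enabled"]))


def idle_accounts(directory, today, max_idle_days=90):
    """Q141 review aid: enabled accounts with no logon for more than max_idle_days.

    An account nobody has used for months is a candidate for disabling, and an
    idle admin account is the first thing to question in the access review.
    """
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(row["username"] for row in directory
                  if is_true(row["enabled"])
                  and date.fromisoformat(row["last_logon"]) < cutoff)


def access_review(directory_csv, leavers_csv, today):
    """Run all three checks and return the findings as one dict."""
    directory = load_csv(directory_csv)
    leavers = load_csv(leavers_csv)
    return {
        "leavers_still_enabled": leaver_accounts_still_enabled(directory, leavers),
        "admin_accounts": admin_accounts(directory),
        "idle_accounts": idle_accounts(directory, today),
    }


if __name__ == "__main__":
    findings = access_review(DIRECTORY_CSV, LEAVERS_CSV, REVIEW_DATE)
    for name, accounts in findings.items():
        print(f"{name}: {', '.join(accounts) or 'none'}")
```

Run on the constructed data, the review shows that carol left in November but is still enabled (a Q135 failure), that dave's account was correctly disabled, and that the administrator register is bob, erin and svc_backup. The dated output of a run like this, kept with the sign-off of whoever reviewed it, is the kind of evidence the assessor expects for question 141.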


Malware protection

Malware (such as computer viruses) is generally used to steal or damage information. Malware is often used in conjunction with other kinds of attack such as ‘phishing’ (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focussed attack on an organisation. Anti-malware solutions (including anti-virus) are available from commercial suppliers, some free, but usually as complete software and support packages. Malware is continually evolving, so it is important that the supplier includes both malware signatures and heuristic detection facilities which are updated as frequently as possible. Anti-malware products can also help confirm whether websites you visit are malicious.

Questions in this section apply to: Computers, Laptops, Tablets and Mobile Phones.

144. Are all of your computers, laptops, tablets and mobile phones protected from malware by either

A - having anti-malware software installed,
B - limiting installation of applications to an approved set (i.e. using an App Store or application whitelisting), or
C - application sandboxing (i.e. by using a virtual machine)?

145. If Option A: Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access? This is usually the default setting for anti-malware software.

146. If Option A: Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?


147. If Option B: Where you use an app store or application signing, are users restricted from installing unsigned applications?

By default, most mobile phones and tablets do not allow you to install unsigned applications. Usually you have to "root" or "jailbreak" a device to allow unsigned applications.

148. If Option B: Where you use an app store or application signing, do you ensure that users only install applications that have been approved by your organisation, and do you document this list of approved applications?

149. If Option C: Where you use application sandboxing, do you ensure that applications within the sandbox are unable to access data stores, sensitive peripherals and your local network? Describe how you achieve this. If you are using a virtual machine to sandbox applications, you can usually set these restrictions within the configuration options of the virtual machine software.


Vulnerability Scanning

A vulnerability scan is a technical examination of the security status of your IT system. It can be performed by an expert or by automated tools and can help you answer, and provide evidence for, some of the following questions. Some scanning tools are available to download for free from the internet. You can also use a continuous vulnerability scanning tool to monitor your ongoing vulnerabilities. Please note that we do not endorse any particular product.

150. When was the last time you had a vulnerability scan on your system?

151. How did you act to improve the security of your system on the basis of the scan results?

Monitoring

Monitoring can help identify suspicious activity on your systems. Know which business systems and processes you need to track and monitor for acceptable activity, according to the information security policies that you have set, and how you will identify any unacceptable activity.

152. Does the organisation regularly review event logs?


153. Is an audit trail of system access and/or data use by staff maintained and reviewed on a regular basis? Describe how you achieve this.
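"Regularly review event logs" (question 152) is only meaningful if the review looks for something specific. The script below is an added example, not part of the IASME booklet, showing two checks a small organisation can run over its authentication and proxy logs: bursts of failed logons against one account from one source (a guessed or brute-forced password, worse when followed by a success), and administrator accounts seen browsing the web or reading mail, which is exactly the day-to-day use questions 138 and 139 ask you to prevent. The log lines are constructed in a hypothetical key=value format, and the ADMIN_ACCOUNTS set stands in for the administrator register of question 140; neither comes from the booklet or a real system.

```python
"""Event log review aid for questions 138, 139, 152 and 153.

Added example, not part of the IASME booklet. The log lines are constructed,
in a hypothetical key=value format, and the ADMIN_ACCOUNTS set stands in for
the administrator register of Q140.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
2018-03-05T08:59:58 host=ws-12 event=logon_failed user=alice src=10.0.0.5
2018-03-05T09:00:01 host=ws-12 event=logon_failed user=alice src=10.0.0.5
2018-03-05T09:00:03 host=ws-12 event=logon_failed user=alice src=10.0.0.5
2018-03-05T09:00:04 host=ws-12 event=logon_failed user=alice src=10.0.0.5
2018-03-05T09:00:06 host=ws-12 event=logon_failed user=alice src=10.0.0.5
2018-03-05T09:00:30 host=ws-12 event=logon_ok user=alice src=10.0.0.5
2018-03-05T09:15:00 host=ws-07 event=logon_ok user=adm-bob src=10.0.0.7
2018-03-05T09:16:12 host=proxy event=web_request user=adm-bob url=http://example.com/
2018-03-05T10:02:00 host=srv-dc1 event=logon_ok user=adm-erin src=10.0.1.2
2018-03-05T10:05:00 host=mail event=mailbox_login user=adm-erin src=10.0.1.2
2018-03-05T11:30:00 host=ws-03 event=logon_failed user=frank src=10.0.0.9
2018-03-05T11:30:20 host=ws-03 event=logon_ok user=frank src=10.0.0.9
"""

ADMIN_ACCOUNTS = {"adm-bob", "adm-erin"}   # assumption: the Q140 register
DAY_TO_DAY_EVENTS = {"web_request", "mailbox_login"}

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict; return None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        event = {"ts": datetime.fromisoformat(m.group(1))}
    except ValueError:
        return None
    for field in m.group(2).split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """(user, src, count, followed_by_success) for each account/source pair with
    at least `threshold` failures inside one sliding window. A burst that ends
    in a successful logon from the same source is the case to investigate first."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        key = (e.get("user"), e.get("src"))
        if e.get("event") == "logon_failed":
            failures[key].append(e["ts"])
        elif e.get("event") == "logon_ok":
            successes[key].append(e["ts"])
    hits = []
    for key, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = times[-1]
            followed = any(last_fail < t <= last_fail + window for t in successes[key])
            hits.append((key[0], key[1], best, followed))
    return sorted(hits)


def admin_accounts_used_day_to_day(events, admins=ADMIN_ACCOUNTS):
    """Q138/Q139: privileged accounts seen browsing the web or reading mail."""
    return sorted({(e["user"], e["event"]) for e in events
                   if e.get("user") in admins and e.get("event") in DAY_TO_DAY_EVENTS})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, src, count, followed in failed_logon_bursts(events):
        print(f"{count} failed logons for {user} from {src}"
              + (" then a SUCCESS" if followed else ""))
    for user, kind in admin_accounts_used_day_to_day(events):
        print(f"administrator account {user} used for {kind}")
```

On the constructed log this reports five failed logons for alice from 10.0.0.5 followed by a success, and both administrator accounts being used for web browsing or mail. A single failure for frank is ignored, which is the point of the threshold: the review should surface a short list of things a person can actually look at, and the record of what was looked at and decided is the audit trail question 153 asks for.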

Backup and Restore

Key information should be backed up regularly and the backups preferably kept in a secure location away from the business premises. Restores should be tested regularly to confirm that the backup regime actually works.

154. Are data stored on the business premises backed up regularly (at least weekly) and restores tested at appropriate intervals (at least monthly)?

155. Are all backups secured with an appropriate level of protection for the type of data they contain?

156. Is a backup copy held in a different physical location?


Incident Management

All organisations should have security incident management procedures to allow any incidents (such as loss of data, malware infections and phishing attacks) to be dealt with successfully. It is important that incidents are easy to report to a responsible entity without blame and that the organisation learns the lessons from incidents.

157. Are users who install software or other active code on the organisation’s systems without permission subject to disciplinary action?

158. Are all information security incidents or suspected weaknesses reported and recorded, and do you provide a method for all employees and contractors to report security incidents without risk of recrimination (or anonymously)?

159. What is your process for reporting losses of personal data to the Information Commissioner (or your national data protection authority) and the data subjects?

160. Are information security incidents investigated to establish their cause and impacts with a view to avoiding similar events?

161. If required as a result of an incident, is data isolated to facilitate forensic examination? How is this done?

162. Is a record kept of the outcome of all security incident investigations?


Business Continuity

Plans for recovery and continuity should be drawn up and reviewed regularly, and tested in whole or in part so that participants in the plan understand their responsibilities. The aim is for the organisation to keep working through, and recover from, the effects of deliberate attack, accidental damage and natural disasters.

163. Does the organisation ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks?

164. Does the organisation review the business continuity and disaster recovery plans at least once per year, and who is involved in the review?

165. Does the organisation exercise the business continuity and disaster recovery plans at least once per year?


Insurance

All organisations with a head office domiciled in the UK that have the whole company in scope and a turnover of less than £20m get automatic cyber insurance if they achieve Cyber Essentials certification. The cost of this is included in the assessment package but you can opt out of the insurance element if you choose. This will not change the price of the assessment package. If you want the insurance then we do need to ask some additional questions and these answers will be forwarded to the broker. The answers to these questions will not affect the result of your Cyber Essentials assessment.

166. Is your head office domiciled in the UK and is your gross annual turnover less than £20m?

The answer to this question is just for information and, if you are eligible for the insurance and opt in, will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification.

If you have answered "yes" to the last question, then your company is eligible for the included cyber insurance if you gain certification. The cost of the insurance is included in the cost of the assessment.

167. Do you want to accept this cyber insurance? The answer to this question is just for information and, if you are eligible for the insurance and opt in, will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification.

168. What is your total gross revenue? You only need to answer this question if you are taking the insurance. The answer to this question is just for information and will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification.


169. Is the company or any of its subsidiaries any of the following: medical, call centre, telemarketing, data processing (outsourcers), internet service provider, telecommunications or an organisation regulated by the FCA? You only need to answer this question if you are taking the insurance. The answer to this question is just for information and will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification.

170. Does the company have any domiciled operation or derived revenue from the territory or jurisdiction of Canada and/or the USA? You only need to answer this question if you are taking the insurance. The answer to this question is just for information and will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification.

171. What is the organisation's email contact for the insurance documents? You only need to answer this question if you are taking the insurance. The answer to this question will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification, and they will use this to contact you with your insurance documents and renewal information.
