THE CYBER CHALLENGE
If you intend to do business with the United Kingdom (UK) Government, and the contract involves handling personal or sensitive information or providing certain ICT products and services, you cannot bid without first obtaining Cyber Essentials certification. (more at http://www.cyberessentials.org/)
Like the CIS Critical Security Controls or the NIST Cybersecurity Framework, this much smaller set of controls is claimed by the scheme to prevent around "80% of cyber attacks" of the common, untargeted kind - http://www.itgovernance.co.uk/cyber-essentials-scheme.aspx
Besides mitigating phishing and the most common forms of hacking, UK Cyber Essentials partially supports the following broader standards: ISO 27001, the Information Security Forum Standard of Good Practice, the IASME Consortium standard (2013), and HMG's 10 Steps to Cyber Security.
Where higher assurance is required, for example in larger organizations or where risk is assessed as higher, Cyber Essentials Plus applies: the same controls are verified by independent technical testing, including vulnerability scanning of the in-scope systems, rather than by self-assessment alone.
EnterpriseGRC now offers a UK Cyber Essentials Policy Pack among its many automated risk assessments, which operate across all data environments including elastic cloud and Docker containers.
The Cyber Essentials Challenge
Get your head into the cloud - Cloud Services
Almost all organizations use cloud services and externally provided IT, and the scope of Cyber Essentials includes these dependencies. Where the business has purchased infrastructure as a service (IaaS) from a cloud service provider and controls the operating system on that equipment, those assets are in scope and exposed to the same phishing and hacking threats as on-premises systems. They must be examined to demonstrate secure configuration, user access control, malware protection and patch management.
Cyber Essentials defines five control areas: boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patch management. Organizations of any size must demonstrate basic technical protection in each. Secure configuration is a particular challenge because personal information now also flows through IoT devices, because safe configuration baselines change constantly, and because the same settings are assessed under multiple control frameworks and many different forms of audit. Examples of the required controls include:
- Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfill their role.
- Unnecessary user accounts (e.g. Guest accounts and unnecessary administrative accounts) should be removed or disabled.
- Any default password for a user account should be changed to an alternative, strong password.
- Unnecessary software (including application, system utilities, and network services) should be removed or disabled.
- The auto-run feature should be disabled (to prevent software programs running automatically when removable storage media is connected to a computer or when network folders are accessed).
- A personal firewall (or equivalent) should be enabled on desktop PCs and laptops and configured to disable (block) unapproved connections by default.
Basic technical cyber protection also requires that user accounts are managed through robust access control. A security program should monitor that:
- All user account creation should be subject to a provisioning and approval process.
- Special access privileges should be restricted to a limited number of authorized individuals.
- Details about special access privileges (e.g. the individual and purpose) should be documented, kept in a secure location and reviewed on a regular basis (e.g. quarterly).
- Administrative accounts should only be used to perform legitimate administrative activities, and should not be granted access to email or the internet.
- Administrative accounts should be configured to require a password change on a regular basis (e.g. at least every 60 days).
- Each user should authenticate using a unique username and strong password before being granted access to applications, computers, and network devices.
- User accounts and special access privileges should be removed or disabled when no longer required (e.g. when an individual changes role or leaves the organization) or after a predefined period of inactivity (e.g. 3 months).
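The account-management rules above, together with the default-account and default-password items in the secure configuration list, can be checked mechanically from an account inventory. The following is an added example written for this page, not EnterpriseGRC or Cavirin code: the `Account` record layout, the 60-day and 90-day thresholds (taken from the examples given in the rules), the list of built-in account names and the sample inventory are all assumptions constructed for illustration. It goes slightly beyond the text by comparing usernames case-insensitively, which matters when an inventory is merged from several systems.

```python
"""Evaluate an account inventory against the Cyber Essentials user access
control rules: provisioning approval, restricted and email/internet-free
admin accounts, regular admin password changes, unique usernames, default
accounts and passwords, and removal of unused accounts.

Added example for this page, not EnterpriseGRC or Cavirin code. The record
layout, thresholds, built-in account names and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ADMIN_PW_MAX_AGE = timedelta(days=60)   # "at least every 60 days"
INACTIVITY_LIMIT = timedelta(days=90)   # "e.g. 3 months"
DEFAULT_ACCOUNTS = {"guest", "defaultaccount"}  # built-ins that should be disabled


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    is_admin: bool
    approved: bool              # went through a provisioning/approval process
    password_set: date          # date of the last password change
    last_logon: Optional[date]  # None = never logged on
    mail_or_web_access: bool    # admin account also allowed email or internet
    default_password: bool      # still carries the vendor/default password


def check_account(acct: Account, today: date) -> List[str]:
    """Return the rule violations for one account; an empty list means clean."""
    findings: List[str] = []
    if not acct.enabled:
        return findings             # a disabled account is already remediated
    if acct.name.lower() in DEFAULT_ACCOUNTS:
        findings.append("default account still enabled")
    if acct.default_password:
        findings.append("default password not changed")
    if not acct.approved:
        findings.append("created without provisioning approval")
    if acct.is_admin:
        if today - acct.password_set > ADMIN_PW_MAX_AGE:
            findings.append("admin password older than 60 days")
        if acct.mail_or_web_access:
            findings.append("admin account has email/internet access")
    # An account that has never logged on counts its last password change as
    # its last activity, so a freshly provisioned account is not flagged.
    last_used = acct.last_logon or acct.password_set
    if today - last_used > INACTIVITY_LIMIT:
        findings.append("inactive for more than 90 days")
    return findings


def check_inventory(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map every non-compliant account name to its findings.

    Usernames are compared case-insensitively so that an inventory merged from
    several systems exposes the same identity issued twice."""
    report: Dict[str, List[str]] = {}
    seen: Dict[str, str] = {}
    for acct in accounts:
        findings = check_account(acct, today)
        key = acct.name.lower()
        if key in seen:
            findings.append(f"username not unique (also used by {seen[key]})")
        seen.setdefault(key, acct.name)
        if findings:
            report[acct.name] = findings
    return report


TODAY = date(2024, 3, 1)   # constructed reference date for the sample run
SAMPLE_ACCOUNTS = [        # constructed inventory, not data from any real system
    Account("guest", True, False, False, date(2023, 1, 1), None, False, True),
    Account("admin", True, True, True, date(2023, 11, 1), date(2024, 2, 28), True, False),
    Account("jsmith", True, False, True, date(2024, 1, 15), date(2024, 2, 27), False, False),
    Account("svc_backup", True, False, True, date(2023, 6, 1), date(2023, 10, 1), False, False),
    Account("JSmith", True, False, True, date(2024, 2, 1), date(2024, 2, 20), False, False),
    Account("olduser", False, False, True, date(2022, 1, 1), date(2022, 3, 1), False, False),
]

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_ACCOUNTS, TODAY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

On the sample inventory the report flags `guest` (default account, default password, no approval, unused), `admin` (password older than 60 days, email/internet access), `svc_backup` (unused for more than 90 days) and `JSmith` (duplicate of `jsmith`), while the compliant `jsmith` and the already-disabled `olduser` produce no findings. In practice the `Account` records would be populated from the directory or host (for example from `Get-LocalUser` on Windows or `/etc/shadow` and `lastlog` on Linux) rather than constructed by hand.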
Information Technology Management is accountable for:
- Implementing the necessary technical controls to preserve the confidentiality, integrity, and availability of the organization's information assets.
- Managing the risks associated with those assets.
- Monitoring for, and reporting to the Information Security Officer, any actual or attempted security incidents.
For Cyber Essentials, the organization will need to attest that its service provider's system delivering that service meets the Cyber Essentials requirements for which the service provider is responsible. Existing evidence (such as that provided through PCI certification of a cloud service and appropriately scoped ISO 27001 certifications) may be considered as part of this process.
For Cyber Essentials Plus, the organization will need to ensure that its service provider’s system delivering that service is tested as meeting the Cyber Essentials requirements for which the service provider is responsible.
Why align UK Cyber Essentials, NIST 800-53 r4 and ISO/IEC 27002:2013?
UK Cyber Essentials "presents requirements for mitigating the most common Internet-based threats to cyber security." It is expected that deploying these controls will better defend UK businesses against the most common forms of cyber attack.
The assurance scheme was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME) and the British Standards Institution (BSI), and is endorsed by the UK Government. As summarized in the scheme document "Cyber Essentials Scheme: Requirements for basic technical protection from cyber attacks", the technical controls focus on five essential mitigations within the context of the '10 Steps to Cyber Security'. They reflect those covered in well-established and more extensive cyber standards, such as the ISO/IEC 27000 series, the ISF's Standard of Good Practice for Information Security and the IASME Standard.
ISO is an independent, non-governmental international organization with a membership of 163 national standards bodies. EnterpriseGRC offers assessment models to support technical aspects of ISO/IEC 27002:2013, which gives guidelines for organizational information security standards and practices including the selection, implementation, and management of controls taking into consideration the organization's information security risk environment.
Among its many other benefits, the alignment with ISO and UK Cyber Essentials standards enables users to:
- implement commonly accepted information security controls
- further evolve a risk-based approach to developing their own information security management guidelines.
A primary objective of the UK Government's National Cyber Security Strategy is to make the UK a safer place to conduct business online. However, quantifying the benefits of cyber security and knowing where to start are significant challenges for many organizations. EnterpriseGRC clients gain an advantage through alignment with international standards. Managing the effectiveness of an Information Security Management System (ISMS) program supports compliance with elements of all of the following laws and regulations:
- UK Data Protection Act 1998
- The Computer Misuse Act 1990 (UK)
- Federal Information Security Management Act 2002 (US)
- Gramm‐Leach‐Bliley Act (GLBA) 1999 (US)
- Federal Financial Institutions Examination Council's (FFIEC) security guidelines (US)
- Sarbanes‐Oxley Act (SOX) 2002 (US)
- State security breach notification laws (e.g. California) (US)
- Health Insurance Portability and Accountability Act (HIPAA) 1996 (US)
Gaining the most from your ISMS program implementation
In addition to satisfying multiple aspects of international standards and regulations, ISO 27001 certification is recognized for:
- Improved company reputation and image
- Proof of senior management’s commitment to the security of the organization
Companies embarking on the path to UK Cyber Essentials, Cyber Essentials Plus, or any of a number of similar certifications such as ISO 27001 or PCI DSS 3.2, need assistance to establish, monitor, maintain and measure improvement in their information security management systems. Leveraging the EnterpriseGRC Elastic Compliance Network with tools like Allgress and Cavirin ARAP's ISO 27002, NIST and UK Cyber Essentials Policy Packs allows clients to:
- Identify information assets and their associated security requirements
- Assess information security and treat risks according to their relative tolerance
- Select and implement relevant controls to manage or mitigate threats
- Monitor, maintain and improve the effectiveness of controls associated with the organization’s information assets
Using CIS Benchmarks, or automating large-scale assessment via the Automated Risk Analysis Platform (ARAP™), assists Chief Risk and Security Officers, as well as IT and DevOps leadership, in gathering the configuration data used to address their top security and compliance challenges:
- Settings that indicate missing patches for operating systems and applications.
- Monitoring and detecting sensitive data loss (data exfiltration)
- Locating policies that enable weak passwords.
- Lack of logs and audit trails necessary to conduct forensics
- Security validation for new systems
- Missing or outdated anti-malware technology
- Settings that govern encryption of sensitive information in transit
- The information necessary to remediate deficiencies that would otherwise be unmanageable for lack of trained staff maintaining security controls.
Compliance in any environment
- Cloud Native platform supporting 12-factor patterns (things like port binding, logs, concurrency…)
- A “hyperplane” of integrated “risk assessment” amongst segmented vulnerability domains
- Works with Private, Hybrid, and Public Clouds
- Supports AWS, Azure, GCP (Google Cloud Platform)
- Manages thousands of out-of-box policies, well curated and certified (SCAP, XCCDF, OVAL)
- Supports current compliance authorities (PCI DSS, HIPAA, NIST, SOC 2, FedRAMP, CIS Benchmarks, DISA, CIS CSC, CSF)
- Is CIS Certified security content (Multiple OS, Docker, AWS Cloud)
- Complies with DISA standards in all aspects of delivery and reported results
- Know the critical assets and who’s responsible for them
- Get everyone involved in cyber-resilience
- Assure they have the knowledge and autonomy to make good decisions
- Be prepared for both unsuccessful AND successful attack
- Prevent a cyber-attack from throwing your organization into complete chaos.
To learn more about certifications visit http://www.itgovernance.co.uk/cyber-essentials-scheme.aspx, or read from the Official website for Cyber Essentials, and a Self-Assessment Questionnaire to help determine which of the two certifications a company needs: https://www.cyberstreetwise.com/cyberessentials/
Supporting standards and guidance
- ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems – Requirements
- ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
- Information Security Forum – The Standard of Good Practice for Information Security (2013)
- The IASME Consortium – The Standard for Information Assurance for Small and Medium Sized Enterprises – (2013)
- HMG 10 Steps to Cyber Security
- Further advice is available through the CESG Listed Advisor Scheme detailed at www.cesg.gov.uk/servicecatalogue/CLAS/Pages/CLAS.aspx.
UK Cyber Essentials Compliance with EnterpriseGRC Solutions
EnterpriseGRC Solutions develops the mapping from security policy to system rules. Company members are active contributors to the major standards bodies and organizations responsible for mapping regulatory requirements. Recognized as experts in the most widely used national and international standards, these efforts result in rapid process and policy compliance evaluation, as demonstrated by the ARAP product. In addition to configuration hardening and change management based on the CIS Benchmarks, DISA STIGs and NIST guidance, Cavirin ARAP has implemented all assessments against the NIST Cybersecurity Framework (CSF) and NIST SP 800-53 r4, including Appendix J for privacy. Clients who elect to use multiple policy packs, including ISO/IEC 27002:2013, benefit from the extended use of multiple frameworks to align their Information Security Programs and Policy. EnterpriseGRC provides this service for multiple SaaS companies across Europe and the US.
ABOUT EnterpriseGRC Solutions
EnterpriseGRC Solutions implements governance, security, risk, and compliance automation products and programs, emphasizing system-based policies specific to security settings for secure configuration management. EnterpriseGRC is a women-owned small business offering compliance readiness, Security & GRC tools, Enterprise Security Architecture, Cybersecurity Risk Assessment, and a wide variety of resources for security and GRC technology support. Founded in October 2002 as Phoenix Business and Systems Process, and rebranded in 2011 as EnterpriseGRC Solutions, the company is positioned to solve an organization's greatest cloud security and cyber challenges. True to its tagline "Simple Solutions to Complex Problems", the company offers pragmatic, remote and on-site web-enabled compliance implementation, training, strategy, management consulting, security and risk management services.
Cavirin is transforming the way IT security manages risk. Founded in 2012, Cavirin’s platform is a purpose-built agent-less solution that deploys quickly to on-premises, cloud, and containerized infrastructures, helping organizations reduce complexity, become more agile, and drive dramatic increases in efficiency with their risk and compliance programs. Leveraging continuous visibility and automated assessments, companies are empowered to make the right decisions faster. Cavirin’s Automated Risk Analysis Platform (ARAP) is a security and compliance fabric that provides continuous configuration evaluation with recommendations for alignment to industry standards and best practices, prioritizing systems and risk remediation efforts across complex hybrid IT infrastructures. Offering up-to-the-minute compliance assessments, Cavirin supplies audit ready evidence as measured by every major regulatory, and security best practice framework.