The Cyber Essentials Experience
June 2014
This month the UK Government Cyber Essentials Scheme was launched. Nexor committed to gaining Cyber Essentials certification, with Steve Kingan observing:
“I welcome the advent of the Cyber Essentials Scheme and believe it is an important development in improving the supply chain to HMG. Nexor has demonstrated that the Scheme can be straight forward to implement even for an SME. I am pleased that this new mark will become a mandated accreditation for all HMG suppliers of sensitive information technology procurements; and delighted that Nexor has been involved from the start of the Scheme.”
As an organisation, Nexor is committed to security, first implementing BS7799, a forerunner of ISO27001 in 2003, and having continuous certification since. So Cyber Essentials should be a breeze… Not being complacent, Cyber Essentials gave us the opportunity to undertake a thorough review of a sub-set of our technical security controls – a process we started in April, based on public drafts of the Cyber Essentials profile. For those not aware of Cyber Essentials there are 5 high level controls:
Firewalls and Internet Gateways
Secure Configuration
Access Control
Malware Protection
Patch Management
Each control then has a set of bullets describing good practice; we worked our way through each of the bullets validating, questioning and auditing our approach. Here are a few of the key activities:
We reviewed the firewalls rules – a good thing to do regularly anyway, and were able to remove a few legacy ‘holes’ that were no longer required, and gave us the opportunity to strengthen our change control process in this area.
Reviewed all of our assets that contain proprietary or customer information, reviewed who has access and who needs access. Our main concern here was that too many administrators had too much access. So we enhanced our processes for granting administrator access, ensured administrators knew their responsibilities, and re-organised roles to provide much greater segregation of (administrative) duties.
The management of one of our security controls is outsourced, while we had previously validated the supplier was ISO 27001 compliant, we recognised we did not know exactly what their management processes were related to their employees accessing our system. We do now!
Now here is the really interesting point...
Cyber Essentials is positioned by the government as the “Requirements for basic technical protection from cyber attacks.” However, our key findings were not technical weaknesses, but weaknesses in the processes that managed the technology. Once again, providing supporting evidence that security is not about technology, but about people and processes, supported by technology.
I am pleased to say that on June 11th, we obtained our Cyber Essentials Certification. How have you got on with your Cyber Essential Assessment?
See Also
UK Public Procurement Policy Note 09/14
UK Government Security Classification Scheme
About the author
Colin Robbins is a Principal Security Consultant, leading customer-funded research activities in secure interoperability and information exchange. He has specific technical interests in the Single Information Environment and Data Centric Security, as well as the processes of security, such as Secure by Design and Information Security Management Systems (ISMS). He is a Fellow of CIISec, and a former NCSC certified Security and Information Risk Adviser (Lead CCP).