Cyber Essentials Checklist

The baseline Cyber Essentials self-assessment has a series of requirements that an organisation must have to be certified. With these requirements in place and the Cyber Essentials certificate, you can reduce cybersecurity risks by up to 80%. While it is a self-assessment, some sections can be very technical and difficult to understand. At OmniCyber we offer a consultancy service to help guide you through the assessment and ensure the process goes smoothly. Ahead of answering the questions it can be useful to know what the assessor is looking for. We have prepared this Cyber Essentials checklist for you to check which measures your organisation needs to put in place before the assessment. Cyber Essentials is split into five main controls, each with their own set of demands.

1. Firewalls
2. Secure Configuration
3. User Access Control
4. Malware Protection
5. Security Update Management

Firewalls

Firewalls are a security system that monitors and controls data traffic. Boundary firewalls protect networks of devices, whereas software firewalls protect individual devices. Most devices come with software firewalls already installed.   Cyber Essentials checklist for firewalls:  

• Every device must be protected by a firewall
• Administrative access must have a strong password
• Administrative access must be protected by at least one of the following:
  • Multi-factor authentication
  • An IP allow list with a small list of trusted addresses
• Firewalls must automatically block unauthenticated inbound connections
• Inbound firewall rules must be approved and documented by an authorised person
• Unnecessary firewall rules must be removed or disabled promptly
• A software firewall must be used on any device used on an untrusted network, such as a public Wi-Fi network

Secure Configuration

This control refers to the way computers and networks are set up, as many devices are not totally secure with their factory configurations. Devices can have pre-installed insecure apps or administrative accounts which can give hackers a door to your cyber operations.   Cyber Essentials checklist for secure configuration:  

• Unnecessary user accounts must be removed regularly
• Default or weak passwords must be changed
• Unnecessary software or apps must be removed
• Any settings allowing software to automatically open or run files must be turned off or removed
• Any user must be properly authenticated before granting them access to the organisation’s network
• Locking controls must be in place on physical devices, to restrict the number of failed login attempts. Either:
  • Reducing the rate of attempts, by increasing the time a user has to wait between failed logins. This should allow a maximum of 10 attempts in 5 minutes.
  • Limiting the number of attempts, by locking the device after a maximum of 10 failed logins.

User Access Control

User access control refers to the varying amounts of access and control that can be given to different accounts on your network. As a basic rule, users such only have as much access to devices, applications or services as they need to carry out their duties. Reducing the number of accounts with special privileges boosts your security, as these accounts are the most dangerous if they are compromised.   Cyber Essentials checklist for user access control:  

• A creation and approval process for new accounts must be in place
• Any user must be properly authenticated before granting them access to the organisation’s network
• Unnecessary user accounts must be removed regularly
• Multi-factor authentication (MFA) must be used where possible
• Administrative accounts must be used purely for administrative tasks, anything that can be done with a standard account, should be (e.g. opening emails)
• Organisations should encourage users to choose unique and secure passwords, by:
  • Educating users on how to choose secure passwords and avoid common mistakes like pets’ names or repeating passwords.
  • Recommending longer passwords
  • Not enforcing password expiry or strength conditions,
  • Providing secure password storage options
• A process for quickly changing breached passwords must be in place

Malware Protection

Malware refers to software that infects devices for malicious purposes, that can involve, but isn’t limited to damaging systems and stealing data. Malware is often installed on a device from phishing email attachments and unsafe downloads or software. Malware protection must be implemented on all devices involved in the organisation, and can work in three main ways:  

• Detection and disabling malware (anti-malware)
• Only allowing software to run that you know to trust (allow listing)
• Running suspicious software in a way that prevents access to all data (sandboxing)

Cyber Essentials checklist for malware protection:  

• All devices must have malware protection in at least one of the three forms
• Anti-malware software must:
  • Be kept up to date
  • Scan all files immediately when accessed
  • Scan web pages automatically when accessed
  • Prevent the user connecting to any suspicious websites, unless the user has a clear need for access and accepts the potential risk
• Allow listing:
  • Only approved apps must be allowed to run on the organisation’s devices. Any app must be approved before being installed, and the organisation must maintain a list of apps that have been approved for users
• Sandboxing:
  • Any unknown or suspicious code must be run in a sandbox that prevents it from accessing data stores, local networks or device features such as a webcam or microphone

 

Security Update Management

Any piece of software can have vulnerabilities, gaps in its security that can allow hackers into the system once they have been discovered. Suppliers will regularly release updates that patch any known flaws in their software. Cyber Essentials checklist for security update management:

• All software on the organisation’s devices must be licensed and actively supported by the supplier
• Old, unsupported software must be removed from devices, or prevent from connecting to the internet
• Automatic updates must be enabled when available
• Any updates described as ‘critical’ or ‘high-risk’ must be applied within 14 days of release
  • The same applies to updates addressing vulnerabilities with a CVSS v3 score of 7 or above, or if no information on the vulnerability severity is given by the supplier.
  • It is recommended, but not essential, that all vulnerability updates are applied within 14 days.

With all of these measures in place, your organisation is ready for the Cyber-Essentials self-assessment. Contact one of our experts today to discuss your cybersecurity needs.