Cyber Essentials - Jisc

Cyber Essentials - Gary Dooley, Information Security Specialist, 30th September 2015


Page 1

Cyber Essentials

Gary Dooley, Information Security Specialist, 30th September 2015

Page 2

Cranfield University

•  Post-graduate only
•  Executive Short Courses, Conference, Hotel & Airfield facilities
•  Partnerships with Industry and Government
•  Two campuses; Bedfordshire and Wiltshire
•  Four Schools; 9 Thematic Areas
   –  Aerospace
   –  Agrifood
   –  Defence & Security
   –  Energy
   –  Environmental Technology
   –  Leadership & Management
   –  Manufacturing
   –  Transport Systems

Page 3

Cyber Essentials Scheme - Background

Key timeline:
•  Government publishes its ‘Cyber Security Strategy’ (Nov 11)
•  Government launches its ‘Cyber Security Guidance for Business’ (Sept 12)
   –  This included the ‘10 Steps to Cyber Security’
•  Department for Business, Innovation & Skills (BIS) issues a ‘Call for Evidence’ (Mar 13)
•  BIS publishes its ‘Conclusions’ (Nov 13)
   –  Existing standards not “fit for purpose”: ISO 27000-series, Information Security Forum (ISF) & IASME*
   –  Industry keen to help develop something new
•  ISF, IASME and BSI (British Standards Institution) tasked with developing the new scheme
•  Launched in April 2014 by BIS
•  Oct 14; Government announces that all suppliers bidding for certain personal and sensitive information handling contracts need CE

*IASME = Information Assurance for Small & Medium Enterprises
https://www.cyberstreetwise.com/cyberessentials/files/scheme-summary.pdf

Page 4

10 Steps to Cyber Security

Page 5

Cyber Essentials – What it covers

1.  Secure configuration

2.  Boundary firewalls and internet gateways

3.  Access control and administrative privilege management

4.  Patch management

5.  Malware protection

Page 6

CES – Accrediting Bodies

Four Accrediting Bodies:
•  CREST
•  IASME
•  QG Management
•  APMG
Numerous Certification Bodies
Two options:
•  CE (Independently verified self-assessment)
•  CE+ (Independently tested & verified)

Page 7

Accrediting Bodies - Differences

Item                                          CREST         IASME          QG             APMG

Cyber Essentials
  Questionnaire                               It depends*   115 questions  34 questions   N/A
  Vulnerability Scan (external)               Yes           No             No             Unknown

Cyber Essentials+
  Internal security assessment (end devices)  Yes           Yes            Yes            Yes

* Dependent on the Certification Body (CREST member)

CREST - http://www.cyberessentials.org/
IASME - https://www.iasme.co.uk/index.php/cyberessentialsprofile/about-cyber-essentials
QG Management - http://www.qgstandards.co.uk/cyber-essentials/
APMG - http://apmg-cyber.com/products/cyber-essentials

Page 8

Cranfield Response

•  Apr 14 – Cursory review by the Operational Security (OpSec) Team; concern over areas of non-compliance = put on the “too hard” pile
•  June 14 – SC Magazine reports the Government's intentions (for Oct 14)
•  Oct 14 – Obtain checklists from IASME & IT Governance
•  Nov 14 – Jisc security email list (Tony Brookes, Derby)
•  Nov 14 – OpSec review of IASME questionnaire (115 questions)
•  Dec 14 – ITT from HMG requiring Cyber Essentials
   –  6 months to comply
•  Jan/Feb 15 – Selected Certification Body & produced requirements brief
•  Mar 15 – CB chosen, QG questionnaire submitted & certification obtained (basic)
•  Apr 15 – Cranfield Management Development Ltd (CMDL) obtained certification (basic)

Page 9

Learning Points

•  Choose which level of certification is required
•  Choose the certification path carefully
•  Be prepared to explain why controls are as they are
•  Remember to scope accordingly
•  Risk assessment and mitigation need to be considered
•  The scheme was/is for SMEs running ‘simple’ networks and environments
•  Universities are at the opposite end of this scale
•  Certification is a “snapshot” in time, so avoid complacency
•  Use the ‘basic’ certification to build on security controls

Page 10

Questions