Cyber Essentials - Jisc
Cyber Essentials
Gary Dooley Information Security Specialist 30th September 2015
Cranfield University
• Post-graduate only
• Executive Short Courses, Conference, Hotel & Airfield facilities
• Partnerships with Industry and Government
• Two campuses; Bedfordshire and Wiltshire
• Four Schools; 9 Thematic Areas
  – Aerospace
  – Agrifood
  – Defence & Security
  – Energy
  – Environmental Technology
  – Leadership & Management
  – Manufacturing
  – Transport Systems
Cyber Essentials Scheme - Background
Key timeline:
• Government publishes its ‘Cyber Security Strategy’ (Nov 11)
• Government launches its ‘Cyber Security Guidance for Business’ (Sept 12)
  – This included the ‘10 Steps to Cyber Security’
• Business Skills & Innovation (BSI) issues ‘Call for Evidence’ (Mar 13)
• BSI publishes its ‘Conclusions’ (Nov 13)
  – Existing standards not “fit for purpose” – ISO27000-series, Information Security Forum (ISF) & IASME*
  – Industry keen to help develop something new
• BSI, ISF and IASME tasked to develop new standards
• Launched in April 2014 by BSI
• Oct 14; Government announces that all suppliers bidding for certain personal and sensitive information handling contracts need CE

*IASME = Information Security for Small & Medium Enterprises
https://www.cyberstreetwise.com/cyberessentials/files/scheme-summary.pdf
10 Steps to Cyber Security
Cyber Essentials – What it covers
1. Secure configuration
2. Boundary firewalls and internet gateways
3. Access control and administrative privilege management
4. Patch management
5. Malware protection
CES – Accrediting Bodies
Four Accrediting Bodies:
• CREST
• IASME
• QG Management
• APMG
Numerous Certification Bodies
Two options:
• CE (Independently verified self-assessment)
• CE+ (Independently tested & verified)
Accrediting Bodies - Differences
Item                                         | CREST       | IASME         | QG           | APMG
Cyber Essentials
  Questionnaire                              | It depends* | 115 questions | 34 questions | N/A
  Vulnerability Scan (external)              | Yes         | No            | No           | Unknown
Cyber Essentials+
  Internal security assessment (end devices) | Yes         | Yes           | Yes          | Yes

* Dependent on the Certification Body (CREST member)

CREST - http://www.cyberessentials.org/
IASME - https://www.iasme.co.uk/index.php/cyberessentialsprofile/about-cyber-essentials
QG Management - http://www.qgstandards.co.uk/cyber-essentials/
APMG - http://apmg-cyber.com/products/cyber-essentials
Cranfield Response
• Apr 14 – Cursory review by Operational Security (OpSec) Team and concern over areas of non-compliance = put on the “too hard” pile
• June 14 – SC Magazine states the Government's intentions (Oct 14)
• Oct 14 – Obtain checklists from IASME & IT Governance
• Nov 14 – Jisc security email list (Tony Brookes, Derby)
• Nov 14 – OpSec review of IASME questionnaire (115 questions)
• Dec 14 – ITT from HMG requiring Cyber Essentials
  – 6 months to comply
• Jan/Feb 15 – Selected Certification Body & produced requirements brief
• Mar 15 – CB chosen, QG questionnaire submitted & certification obtained (basic)
• Apr 15 – Cranfield Management Development Ltd (CMDL) obtained certification (basic)
Learning Points
• Choose which level of certification is required
• Choose the certification path carefully
• Be prepared to explain why controls are as they are
• Remember to scope accordingly
• Risk assessment and mitigation need to be considered
• The scheme was/is for SMEs running ‘simple’ networks and environments
• Universities are at the opposite end of this scale
• Certification is a “snapshot” in time, so avoid complacency
• Use the ‘basic’ certification to build on security controls
Questions