Cyber Essentials Scheme
The UK government is improving cyber security in its supply chain. From 1 October 2014, all suppliers bidding for government contracts that involve handling sensitive and personal information, or the provision of certain technical products and services, must comply with the new Cyber Essentials Scheme controls.
Cyber Essentials was developed by the government in consultation with industry. It offers a sound foundation of basic cyber hygiene measures which, when properly implemented, can significantly reduce a company’s vulnerability. The scheme’s set of five critical controls is applicable to organisations of all types and sizes, giving protection from the most prevalent forms of threat coming from the internet. The five critical controls are:
- Boundary firewalls and internet gateways – devices designed to prevent unauthorised access to or from private networks; correct setup of these devices, whether in hardware or software form, is essential for them to be fully effective.
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
- Access control – ensuring that only those who should have access to systems do have access, and at the appropriate level.
- Malware protection – ensuring that virus and malware protection is installed and kept up to date.
- Patch management – ensuring that the latest supported version of each application is used and that all necessary patches supplied by the vendor have been applied.
The Cyber Essentials scheme has two levels of assurance: Cyber Essentials Basic and Cyber Essentials Plus. Certificates are issued to organisations that successfully comply with all the requirements of the scheme and can be displayed on the company’s website as proof of compliance. According to Mersyber (http://cyberinfo.co.uk), as of August 2016 there were 71 Scottish companies certified to Cyber Essentials Basic and 7 certified to Cyber Essentials Plus.
Cyber Essentials Basic certification is awarded on the basis of a verified self-assessment. Companies assess themselves against the Cyber Essentials controls via a questionnaire, which is overseen by senior management. The completed questionnaire is then submitted to a certification body for review and approval before certification is awarded. This option offers a basic level of assurance and can be achieved at low cost.
Cyber Essentials Plus offers a higher level of assurance through a validation assessment of the company’s cyber security approach. The validation assessment process includes external and internal vulnerability scans, a malware control test and other checks. Given the more resource-intensive nature of this process, we anticipate that Cyber Essentials Plus will cost more than the foundation Cyber Essentials certification.
To help companies achieve certification against the Cyber Essentials Scheme, certification bodies such as NetHost Legislation are accredited by accreditation bodies such as IASME to perform this function. The Cyber Essentials scheme certification process is illustrated below.
Some Thoughts for The Future
Information security threats are an ever-present problem, and companies need to be mindful of this and implement a company-wide information security governance strategy. To support this strategy, best-practice standards need to be used as a benchmark and integrated into the governance strategy.
There is no silver bullet, and residual risk will always be present no matter which approach a company deploys. The aim for all companies is to ensure that the residual risk is lower than their acceptable risk, and to make sure that:
- Their risk assessment is up to date.
- There is an effective set of controls in place.
- There is an effective incident management process in operational use.
- There is an appropriate measurement process in place.
- There is adequate training and awareness given to all staff.
- There is regular monitoring and review of activities to check the effectiveness of their information security.
- Improvements are made to their set of controls as indicated by the monitoring and review process.
About the author
Dr Abiola Abimbola, PhD, has been in the information security industry for over 15 years and has worked in the telecom, financial and education sectors, amongst others. He is currently part of the NetHost Legislation security team in Aberdeen, Scotland.
First published on Company Connecting July 2016