Cyber Essentials Assessment

  • The Cyber Essentials Assessment is a wizard-based assessment built on the Cyber Essentials Requirements for IT Infrastructure v3.1.

  • The Cyber Essentials Assessment uses your responses to the assessment questions to create an action plan that helps you move towards meeting the Cyber Essentials requirements.

  • Navigate to Company Level → Compliance → Assessments → Cyber Essentials and use the default template to start a Cyber Essentials Assessment.

  • Click on Default Template to create your Cyber Essentials assessment. The assessment is divided into 8 sections, and every section has a set of questions to be answered. Some of the answers are auto-populated from CyberCNS scans that have completed successfully.

  • The sections of the IT infrastructure assessment, with their descriptions, are listed below.

YOUR COMPANY

  • It consists of 10 Questions.

  • In this section, we need to know a little about how your organization is set up so we can ask you the most appropriate questions.

  • Start by providing an Assessment Name; the current assessment is stored under this name.

  • Once all the details are provided, click Save and then Next to move to the next page.

SCOPE OF ASSESSMENT

  • It consists of 10 Questions.

  • In this section, we need you to describe the elements of your organisation which you want to certify for this accreditation. The scope should be either the whole organisation or an organisational sub-unit (for example, the UK operation of a multinational company). All computers, laptops, servers, mobile phones, tablets, and firewalls/routers that can access the internet and are used by this organisation or sub-unit to access organisational data or services should be considered "in-scope". All locations that are owned or operated by this organisation or sub-unit, whether in the UK or internationally, should be considered "in-scope". A scope that does not include user devices is not acceptable.

  • Once all the details are provided, click Save and then Next to move to the next page.

INSURANCE

  • It consists of 3 Questions.

  • All organisations with a head office domiciled in the UK or Crown Dependencies and a turnover of less than £20 million get automatic cyber insurance if they achieve Cyber Essentials certification. The insurance is free of charge, but you can opt out of the insurance element if you choose; this will not change the price of the assessment package. If you want the insurance, we need to ask some additional questions, and these answers will be forwarded to the broker. The answers to these questions will not affect the result of your Cyber Essentials assessment. It is important that the insurance information provided is as accurate as possible and that the assessment declaration is signed by a senior person at Board level or equivalent, to avoid any delays to the insurance policy being issued.

  • Once all the details are provided, click Save and then Next to move to the next page.

BOUNDARY FIREWALLS AND INTERNET GATEWAYS

  • It consists of 12 Questions.

  • A firewall is a generic name for a software (host-based) or hardware device that provides technical protection between your networks and devices and the Internet; the question set refers to these as boundary firewalls. Your organisation will have a physical, virtual, or software firewall at the internet boundary. Software firewalls are also included in all major operating systems for laptops, desktops, and servers. Firewalls are powerful physical, virtual, or software devices, but they need to be configured correctly to provide effective security.

  • Once all the details are provided, click Save and then Next to move to the next page.

SECURE CONFIGURATION

  • It consists of 10 Questions.

  • Computers and cloud services are often not secure upon default installation or setup. An ‘out-of-the-box’ set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges), and pre-installed but unnecessary applications or services. All of these present security risks.

  • Once all the details are provided, click Save and then Next to move to the next page.

SECURITY UPDATE MANAGEMENT

  • It consists of 15 Questions.

  • To protect your organisation, you should ensure that all your software is always up to date with the latest security updates. If any of your in-scope devices is running an operating system that is no longer supported (for example, Microsoft Windows XP/Vista/2003/Windows 7/Server 2008, MacOS High Sierra, Ubuntu 17.10) and you are not being provided with updates from the vendor, you will not be awarded certification. Mobile phones and tablets are in scope and must also use an operating system that is still supported by the manufacturer.

  • Once all the details are provided, click Save and then Next to move to the next page.

USER ACCESS CONTROL

  • It consists of 16 Questions.

  • It is important to give users access only to the resources and data necessary for their roles, and no more. All users need to have unique accounts, and they should not carry out day-to-day tasks such as invoicing or dealing with e-mail whilst logged on as a user with administrator privileges, which allow significant changes to the way your computer systems work.

  • Once all the details are provided, click Save and then Next to move to the next page.

MALWARE PROTECTION

  • It consists of 1 Question with sub-questions.

  • Malware (such as computer viruses) is generally used to steal or damage information. Malware is often used in conjunction with other kinds of attack, such as ‘phishing’ (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to an attacker), to mount a focused attack on an organisation. Anti-malware solutions (including anti-virus) are available from commercial suppliers, some free of charge, but usually as complete software and support packages.

  • Once all the details are provided, click Save and then Complete to finish the assessment.

Assessment Actions

  • Each assessment is added as a record with its Assessment Name, Assessment Start Date, Assessment Last Updated Date, Assessment Completed Date and Status.

  • An assessment saved as a Draft can be edited using the Action column.

  • Assessments saved as Completed cannot be edited.

  • The Delete action deletes the assessment record.

  • The View/Download action downloads the assessment as a zip file containing docx and xlsx documents and evidence details from successful CyberCNS scans.

  • This completes the documentation of Cyber Essentials.