What is the UK Cyber Essentials scheme?

What is the Cyber Essentials scheme, and,
how do we comply?
21st August 2014
Alastair Stewart
IT Governance Ltd
www.itgovernance.co.uk

Introduction
• Alastair Stewart
• PCI DSS Consultant at IT Governance Ltd
• Cyber Essentials Consultant & Trainer
• Associate of (ISC)2 for CISSP
© IT Governance Ltd 2014
2

Agenda
• Cyber breaches: key facts
• What sorts of breaches?
• An overview of Cyber Essentials
• The requirements of CES
• IT Governance; a CREST-accredited certification
body
• Meeting the CES requirements at your own pace
and within budget
• How documentation aids compliance
• Going beyond CES
• Using CES as part of your wider cyber resilience
3

Cyber breaches: key facts
60% of breached
small organisations
close down within
6 months
– National Cyber
Security Alliance
4
• In 2013 81% of large organisations & 61% of small
organisation suffered data breaches.
• The median number of breaches per company were:
Large organisations: 16
Small organisations: 6
• Average cost of the worst single breach:
Large organisations: £600k - £1.15m
Small organisations: £65k - £115k
• 59% of respondents expect more breaches this than last
PwC and BIS: 2014 ISBS Survey

What sorts of breaches?
5
Of Large Organisations:
• External attack – 55%
• Malware or viruses – 73%
• Denial of Service – 38%
• Network penetration (detected) – 24%
– (if you don’t think you’ve been breached, you’re not
looking hard enough)
• Know they’ve suffered IP theft – 16%
• Staff-related security breaches – 58%
• Breaches caused by inadvertent human error – 31%
PwC and BIS: 2014 ISBS Survey

Cyber Risk: How Should Boards
Respond?
Governance of Cyber Security
Board
6
Cyber Risk
environment
Monitor
Performance
Conformance
Business
Objectives
Direct
Plans &
Policies
Evaluate
Proposals
Security Management
Business and IT, Activities and Processes
“Corporate
governance consists
of the set of
processes, customs,
policies, laws and
institutions affecting
the way people direct,
administer or control
a corporation.”
(Wikipedia)
Management “is
the act of getting
people together
to accomplish
desired goals and
objectives using
available
resources
efficiently and
effectively.”
(Wikipedia)
Governance ≠ Management

Cyber Security Framework
7
Effective cyber security depends on resilience: co-ordinated,
integrated preparations for rebuffing, responding to and
recovering from a wide range of possible attacks.
• A strategy is essential.
• A management system is fundamental.
• Defence, continuity, and recovery must each be provided for.
• No single stand-alone solution is sufficient.
• Money will be required
• 80% of breaches could be prevented through basic
security ‘hygiene’

Why assess Cyber Security risk?
8
Demands for assurance
74% of respondents say their customers prefer dealing with
suppliers with proven cyber security credentials, while 50%
say their company has been asked about its information
security measures by customers in the past 12 months.
The need for increased compliance
Given our findings, and the fact the existence of best
practice information security standard ISO/IEC 27001 is
known to 87% of respondents, it is striking that only 35% of
responding organisations are compliant with the standard.

The Cyber Essentials Scheme
• A government scheme
designed to make the UK a
safer place for online
business
• Part of the governments
National Cyber Security
Strategy
• Outlines requirements for
mitigating the most common
internet based threats
• Designed not to exclude
SME’s
9

Background to CES
• Has evolved from other schemes and HMG guidance
such as
– 10 Steps to Cyber Security
– Small Businesses: What you need to know about cyber security
• Forms the next stage from these schemes
• Gives practical controls to implement
• Involves a level of independent testing to give assurance
to other parties
• Designed as a security profile for all businesses to follow
• Addresses SME specific challenges in implementing
cyber security
10

Certification Options
• Cyber Essentials
– Self-Assessed by completing a questionnaire
– Certification Bodies will verify compliance
– Different CB’s will use different methods to verify
compliance
• Cyber Essentials Plus
– All of the previous option
– Also includes independent vulnerability testing
• The different options don’t indicate the security
stance, but the robustness of the check on the
security stance
11

Scoping Controls of CES
• The scope should be clearly defined at the start
of a CES project
• It should include internal and external systems
• You should consider service providers such as
cloud service or hosting providers
• Should exclude bespoke or highly complex IT
systems (SCADA, POS etc.)
• A meaningless scope creates a useless
implementation
12

The CES Controls
1. Boundary firewalls and internet gateways
2. Secure Configuration
3. User Access Control
13
Objective: Information, applications and computers within the
organisation’s internal networks should be protected against unauthorised
access and disclosure from the internet, using boundary firewalls, internet
gateways or equivalent network devices.
Objective: Computers and network devices should be configured to
reduce the level of inherent vulnerabilities and provide only the
services required to fulfil their role.
Objective: User accounts, particularly those with special access privileges (e.g.
administrative accounts) should be assigned only to authorised individuals,
managed effectively and provide the minimum level of access to applications,
computers and networks.

The CES Controls
4. Malware Protection
5. Patch Management
14
Objective: Computers that are exposed to the internet should be
protected against malware infection through the use of malware
protection software.
Objective: Software running on computers and network devices should
be kept up-to-date and have the latest security patches installed.

Certification Bodies
• Accreditation bodies
– Accredits or licences organisations to be
certification bodies
– Ensures certification bodies are competent
and able to implement the certification
process
• Certification bodies
– Must meet the requirements set out by the
accreditation bodies
– Must follow the accreditation bodies
certification scheme
• Currently only two AB’s: IASME &
CREST
• IASME CB’s can only certify to CE
• CREST CB’s can certify to CE and CE+
15

IT Governance Ltd; a CREST
approved CB
• We follow CREST’s certification scheme
• Allows certification at both levels
• CE is verified by external vulnerability
scanning
– Provides a more robust check than just the
questionnaire
• CE + uses internal vulnerability
assessments
– Assessments performed by CREST approved
penetration testers
16

17
How to comply?
IT Governance can help.

18
We are a CREST member and a
CREST-accredited certification
body for CES.

DO-IT-YOURSELF
 Certification
19
We offer three solutions for certification.
You implement the
requirements yourself
and we provide
certification subject to
compliance.
GET A LITTLE
HELP
GET A LOT OF
HELP
 Training
 Toolkit
 Online help
 Certification
 On-site
consultancy
 Toolkit
 Certification
We give you the
implementation tools
and provide
certification subject to
compliance.
We show you how to
implement the
requirements and
provide certification
subject to compliance.

Why us?
• CREST approved
• Able to offer both CE and CE+ certification
• Perform both the external and internal scanning
in house
• Expertise surrounding Cyber Resilience
• Able to integrate CES into other information
security standards
20

The Toolkit
• Designed to aid
in meeting the
controls
• Includes policy
and procedure
templates
• Utilises record
templates
• Includes a Gap
Analysis tool
21

The Gap Analysis Tool
• Easy and simple
interface
• Lists all the
controls and
requirements
• Offers locations to
find further
guidance
• Clear and simple
summary layout to
show progress
22

Why Policies and Procedures?
• Most effective way of implementing the controls
and maintaining compliance
– Allows you to set the accepted standard for the five
control areas
– Responsibility for the controls can be assigned
through policies
– Effectiveness of the controls can be monitored
– Procedures for implementing the controls can be
developed and standardised
• Writing policies requires a level of understanding
on management systems
23

Beyond CES
• CES is derived from ‘10 Steps
to Cyber Security’
– Only covers 5 of the 10
• Mapped to ISO/IEC 27001 &
27002
• Mapped to PCI DSS
• Compliance with another
standard doesn’t automatically
mean compliance with CES
24

Next steps to consider
25
• Evolve your CES into an
ISMS and create a robust
and cyber resilient system
for your business
processes.
• Consider the Cloud
Controls Matrix (CCM) as
well as protecting devices
with BYOD policies and
procedures.
• Make the right choice for a
permanent solution.

ISO27001 The Cyber Security
Standard
ISO/IEC 27001, together with the international code of
practice, ISO/IEC 27002, provide a globally recognised
standard and best-practice framework for addressing
the entire range of cyber risks
26
- Could be a first step to ISO27001
- Could add strength to an existing ISMS

Benefits
Impress
stakeholders
27
Being Cyber Resilient
Reduce
Protect Survival
jobs
insurance costs
Major cost
saving
Impress
customers
Protect
reputation
Avoid
significant
disruption
Win new business:
- Existing markets
- Supply Chain Assurance
- Contracting with HMG

Any Questions?
For more information on our products and services you can simply
email us here:
team@itgovernancepublishing.co.uk
Or call us on:
+44 (0)1353 771107
28
Cyber Essentials: A Pocket Guide £3.49
Cyber Essentials Gap Analysis Tool £19.95
Cyber Essentials Documentation Toolkit £99.95
DIY Package CE: £400
CE Plus: £1,150
‘Get a little help’ Package CE: £885
CE Plus: £1,635
‘Get a lot of help’ Package CE: £1,245
CE Plus: £1,995

What is the UK Cyber Essentials scheme?

Related slideshows

More Related Content

What is the UK Cyber Essentials scheme?