What is the Cyber Essentials scheme, and,

how do we comply?
21st August 2014

Alastair Stewart
IT Governance Ltd
www.itgovernance.co.uk
Introduction

• Alastair Stewart
• PCI DSS Consultant at IT Governance Ltd
• Cyber Essentials Consultant & Trainer
• Associate of (ISC)2 for CISSP

© IT Governance Ltd 2014

2
Agenda
• Cyber breaches: key facts
• What sorts of breaches?
• An overview of Cyber Essentials
• The requirements of CES
• IT Governance; a CREST-accredited certification body
• Meeting the CES requirements at your own pace and
within budget
• How documentation aids compliance
• Going beyond CES
• Using CES as part of your wider cyber resilience
© IT Governance Ltd 2014

3
Cyber breaches: key facts
• In 2013 81% of large organisations & 61% of small
organisation suffered data breaches.

• The median number of breaches per company were:

Large organisations: 16
60% of breached
Small organisations: 6 small organisations
close down within 6
months
• Average cost of the worst single breach: – National Cyber
Large organisations: £600k - £1.15m Security Alliance
Small organisations: £65k - £115k

• 59% of respondents expect more breaches this than last

© IT Governance Ltd 2014
PwC and BIS: 2014 ISBS Survey
4
What sorts of breaches?
Of Large Organisations:
• External attack – 55%
• Malware or viruses – 73%
• Denial of Service – 38%
• Network penetration (detected) – 24%
– (if you don’t think you’ve been breached, you’re not looking
hard enough)
• Know they’ve suffered IP theft – 16%
• Staff-related security breaches – 58%
• Breaches caused by inadvertent human error – 31%

PwC and BIS: 2014 ISBS Survey

© IT Governance Ltd 2014

5
Cyber Risk: How Should Boards
Respond?
Governance of Cyber Security
Business Management “is
“Corporate Cyber Risk
Objectives the act of getting
governance consists environment
people together
of the set of to accomplish
processes, customs, Board
desired goals
policies, laws and and objectives
institutions affecting using available
the way people Evaluate resources
direct, administer or efficiently and
control a corporation.” effectively.”
(Wikipedia) (Wikipedia)
Direct Monitor
Proposals

Conformance
Performance
Policies
Plans &

Security Management
Business and IT, Activities and Processes
Governance ≠ Management
© IT Governance Ltd 2014

6
Cyber Security Framework
Effective cyber security depends on resilience: co-ordinated,
integrated preparations for rebuffing, responding to and
recovering from a wide range of possible attacks.

• A strategy is essential.
• A management system is fundamental.
• Defence, continuity, and recovery must each be provided for.
• No single stand-alone solution is sufficient.

• Money will be required

• 80% of breaches could be prevented through basic security

‘hygiene’
© IT Governance Ltd 2014

7
Why assess Cyber Security risk?
Demands for assurance
74% of respondents say their customers prefer dealing with
suppliers with proven cyber security credentials, while 50%
say their company has been asked about its information
security measures by customers in the past 12 months.

The need for increased compliance

Given our findings, and the fact the existence of best
practice information security standard ISO/IEC 27001 is
known to 87% of respondents, it is striking that only 35% of
responding organisations are compliant with the standard.

© IT Governance Ltd 2014

8
The Cyber Essentials Scheme
• A government scheme
designed to make the UK a
safer place for online
business
• Part of the governments
National Cyber Security
Strategy
• Outlines requirements for
mitigating the most common
internet based threats
• Designed not to exclude
SME’s
© IT Governance Ltd 2014

9
Background to CES
• Has evolved from other schemes and HMG guidance
such as
– 10 Steps to Cyber Security
– Small Businesses: What you need to know about cyber security
• Forms the next stage from these schemes
• Gives practical controls to implement
• Involves a level of independent testing to give assurance
to other parties
• Designed as a security profile for all businesses to follow
• Addresses SME specific challenges in implementing
cyber security
© IT Governance Ltd 2014

10
Certification Options

• Cyber Essentials
– Self-Assessed by completing a questionnaire
– Certification Bodies will verify compliance
– Different CB’s will use different methods to verify
compliance
• Cyber Essentials Plus
– All of the previous option
– Also includes independent vulnerability testing
• The different options don’t indicate the security
stance, but the robustness of the check on the
security stance
© IT Governance Ltd 2014

11
Scoping Controls of CES

• The scope should be clearly defined at the start

of a CES project
• It should include internal and external systems
• You should consider service providers such as
cloud service or hosting providers
• Should exclude bespoke or highly complex IT
systems (SCADA, POS etc.)
• A meaningless scope creates a useless
implementation
© IT Governance Ltd 2014

12
The CES Controls

1. Boundary firewalls and internet gateways

Objective: Information, applications and computers within the organisation’s internal
networks should be protected against unauthorised access and disclosure from the
internet, using boundary firewalls, internet gateways or equivalent network devices.

2. Secure Configuration
Objective: Computers and network devices should be configured to
reduce the level of inherent vulnerabilities and provide only the
services required to fulfil their role.
3. User Access Control
Objective: User accounts, particularly those with special access privileges (e.g.
administrative accounts) should be assigned only to authorised individuals, managed
effectively and provide the minimum level of access to applications, computers and
networks.
© IT Governance Ltd 2014

13
The CES Controls

4. Malware Protection
Objective: Computers that are exposed to the internet should be
protected against malware infection through the use of malware
protection software.

5. Patch Management
Objective: Software running on computers and network devices
should be kept up-to-date and have the latest security patches
installed.

© IT Governance Ltd 2014

14
Certification Bodies
• Accreditation bodies
– Accredits or licences organisations to be
certification bodies
– Ensures certification bodies are competent
and able to implement the certification
process
• Certification bodies
– Must meet the requirements set out by the
accreditation bodies
– Must follow the accreditation bodies
certification scheme
• Currently only two AB’s: IASME & CREST
• IASME CB’s can only certify to CE
• CREST CB’s can certify to CE and CE+
© IT Governance Ltd 2014

15
IT Governance Ltd; a CREST
approved CB
• We follow CREST’s certification scheme
• Allows certification at both levels
• CE is verified by external vulnerability
scanning
– Provides a more robust check than just the
questionnaire
• CE + uses internal vulnerability
assessments
– Assessments performed by CREST approved
penetration testers
© IT Governance Ltd 2014

16
 How to comply?

IT Governance can help.

© IT Governance Ltd 2014

17
 We are a CREST member and a
CREST-accredited certification
body for CES.

© IT Governance Ltd 2014

18
 We offer three solutions for certification.

DO-IT- GET A LITTLE GET A LOT OF

YOURSELF HELP HELP

You implement the We give you the We show you how to

requirements yourself implementation tools implement the
and we provide and provide requirements and
certification subject to certification subject to provide certification
compliance. compliance. subject to compliance.

 Certification  Training  On-site

 Toolkit consultancy
 Online help  Toolkit
© IT Governance Ltd 2014  Certification  Certification
19
Why us?

• CREST approved
• Able to offer both CE and CE+ certification
• Perform both the external and internal scanning
in house
• Expertise surrounding Cyber Resilience
• Able to integrate CES into other information
security standards

© IT Governance Ltd 2014

20
The Toolkit

• Designed to aid
in meeting the
controls
• Includes policy
and procedure
templates
• Utilises record
templates
• Includes a Gap
Analysis tool
© IT Governance Ltd 2014

21
The Gap Analysis Tool
• Easy and simple
interface
• Lists all the
controls and
requirements
• Offers locations to
find further
guidance
• Clear and simple
summary layout to
show progress
© IT Governance Ltd 2014

22
Why Policies and Procedures?

• Most effective way of implementing the controls

and maintaining compliance
– Allows you to set the accepted standard for the five
control areas
– Responsibility for the controls can be assigned
through policies
– Effectiveness of the controls can be monitored
– Procedures for implementing the controls can be
developed and standardised
• Writing policies requires a level of understanding
on management systems
© IT Governance Ltd 2014

23
Beyond CES

• CES is derived from ‘10 Steps

to Cyber Security’
– Only covers 5 of the 10
• Mapped to ISO/IEC 27001 &
27002
• Mapped to PCI DSS
• Compliance with another
standard doesn’t automatically
mean compliance with CES
© IT Governance Ltd 2014

24
 Next steps to consider
• Evolve your CES into an
ISMS and create a robust
and cyber resilient system
for your business
processes.
• Consider the Cloud
Controls Matrix (CCM) as
well as protecting devices
with BYOD policies and
procedures.
• Make the right choice for a
permanent solution.

© IT Governance Ltd 2014

25
ISO27001 The Cyber Security
Standard
ISO/IEC 27001, together with the international code of
practice, ISO/IEC 27002, provide a globally recognised
standard and best-practice framework for addressing
the entire range of cyber risks

- Could be a first step to ISO27001

- Could add strength to an existing ISMS

© IT Governance Ltd 2014

26
 Benefits
Being Cyber Resilient

Impress Impress Protect jobs Protect Survival

stakeholders customers reputation

Reduce Major cost

insurance costs Avoid saving
significant
disruption
Win new business:
- Existing markets
- Supply Chain Assurance
- Contracting with HMG

© IT Governance Ltd 2014

27
 Any Questions?
For more information on our products and services you can simply
email us here:
[email protected]
Or call us on:
+44 (0)1353 771107
Cyber Essentials: A Pocket Guide £3.49

Cyber Essentials Gap Analysis Tool £19.95

Cyber Essentials Documentation Toolkit £99.95

DIY Package CE: £400

CE Plus: £1,150
‘Get a little help’ Package CE: £885
CE Plus: £1,635
‘Get a lot of help’ Package CE: £1,245
CE Plus: £1,995

© IT Governance Ltd 2014

28