2. Background to Cyber Essentials
• UK Government – many breaches are due to simple controls not being implemented
• A review of these breaches over 4 years identified 5 key technical controls (Office Firewalls and Internet Gateways, Secure Configuration, Security Update Management, Access Control, Malware Protection)
• Backed by the NCSC – National Cyber Security Centre – and run by IASME
• UK Government is mandating Cyber Essentials in many contracts
3. What is Cyber Essentials?
Cyber Essentials is a government-backed scheme focusing on the five important technical security controls
4. Benefits of Cyber Essentials
• Improve the security posture of your institution (internal and external)
• Align your institution with a government-backed UK Standard
• Demonstrate security within your supply chain
• Ability to work with UK government contracts, partnerships and third parties
5. Changes in Cyber Essentials
• New question set – Montpellier, April 2023
• Only light-touch changes from IASME
• MFA required for all administrator accounts and user accounts (staff and students)
• Only the make and model of devices is required
• Anti-malware software no longer needs to be signature-based
• Sandboxing removed as an option
6. Scoping Cyber Essentials
• Whole organisation
  • All devices that access organisational data
  • No exclusions
  • Strongest security implications
  • https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf
• Limited Scope (Sub-set)
  • Focused areas of the network
  • Can cover areas needed for funding but not others
  • Defined by network boundaries (VLAN/Firewall)
  • Exclusion statement required
7. Scoping Continued
• Education – Admin network only, if there is network separation
• Home Workers (contracted or legally required to work from home for any amount of time)
  • Use a VPN, software firewall, or apply controls to their home network – good practice
• Cloud Services
  • SaaS – In scope (must ensure the service is configured securely, e.g. MS365)
  • PaaS – In scope (where you provide and manage the applications, e.g. Azure Web Apps)
  • IaaS – In scope (AWS and Azure) – you can apply controls
• Mobile Devices – Access business data and are in scope
  • Should have MDM or anti-virus installed, or otherwise meet the requirements
  • Voice and 2FA only – not in scope
• BYOD (if they access business data) – they are in scope
8. Protection against Internet Threats
Diagram labels: Social Engineering (Phishing), Vulnerabilities (Hacking), Password Guessing
9. Where does CE sit?
CE focuses on prevention!
Diagram label: Cyber Security Investment
10. 5 Key Security Controls
FAIL – if there is no sign-off by Executive management, or if out-of-support operating systems are running
Office Firewalls and Internet Gateways
Firewall rules, default passwords, password length and review process
Secure Configuration
Formal process for admin accounts, segregation of duties, tracking privileged accounts, reviewing of accounts, MFA for admins, gold image and default passwords
Security Update Management
OS and firmware within support, vendor recommendations, 14-day security patch cycle, end-of-life support, open source supported (if it has an active community), phones and servers
Access Control
Software management, user accounts, local account passwords, admin account use, password length, lockouts, password policy and least privilege
Malware Protection
Malware protection on all devices, updates/scans, restricted access to unsigned software (approved) and sandboxing
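The five controls above are what an assessor checks, and most institutions start by running their own asset inventory against them before booking. The script below is an added example, not code from Jisc, IASME or the deck: it encodes the rules the slides do state (14-day security update window, OS and firmware within support, malware protection on every in-scope device, MFA on admin and user accounts, password length and lockouts, and the automatic FAIL for missing executive sign-off or out-of-support operating systems) and runs them over a constructed inventory. The device and account fields, the `MIN_PASSWORD_LENGTH` threshold and the sample data are all assumptions made for illustration, not figures taken from the scheme.

```python
"""Toy Cyber Essentials readiness check over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14        # from the deck: 14-day security patch cycle
MIN_PASSWORD_LENGTH = 12      # ASSUMED placeholder threshold, not a figure from the deck
TODAY = date(2023, 6, 1)      # constructed assessment date so the example is deterministic


@dataclass
class Device:
    name: str
    os_supported: bool          # OS and firmware still within vendor support
    last_security_patch: date   # date the latest security update was applied
    malware_protection: bool    # anti-malware / MDM-equivalent present
    in_scope: bool = True       # False for devices covered by an exclusion statement


@dataclass
class Account:
    username: str
    is_admin: bool
    mfa_enabled: bool
    password_length: int
    lockout_enabled: bool       # lockout or throttling on failed logins


def check_device(dev, today=TODAY):
    """Return (asset, control, issue) findings for one device; out-of-scope devices are skipped."""
    findings = []
    if not dev.in_scope:
        return findings
    if not dev.os_supported:
        findings.append((dev.name, "Security Update Management",
                         "OS/firmware out of support (automatic FAIL)"))
    overdue = (today - dev.last_security_patch).days - PATCH_WINDOW_DAYS
    if overdue > 0:
        findings.append((dev.name, "Security Update Management",
                         f"security update overdue by {overdue} days"))
    if not dev.malware_protection:
        findings.append((dev.name, "Malware Protection", "no malware protection installed"))
    return findings


def check_account(acct):
    """Return findings for one account: MFA on every account, password length, lockout."""
    findings = []
    role = "administrator" if acct.is_admin else "user"
    if not acct.mfa_enabled:
        findings.append((acct.username, "Access Control", f"{role} account without MFA"))
    if acct.password_length < MIN_PASSWORD_LENGTH:
        findings.append((acct.username, "Access Control", "password shorter than policy minimum"))
    if not acct.lockout_enabled:
        findings.append((acct.username, "Access Control", "no lockout on failed logins"))
    return findings


def assess(devices, accounts, executive_signoff, today=TODAY):
    """Combine all findings into PASS, REMEDIATE (fixable within the re-assessment window) or FAIL."""
    findings = []
    for dev in devices:
        findings.extend(check_device(dev, today))
    for acct in accounts:
        findings.extend(check_account(acct))
    if not executive_signoff:
        findings.append(("organisation", "Governance", "no Executive management sign-off"))
    # The two conditions the deck lists as an outright FAIL.
    hard_fail = (not executive_signoff) or any(
        dev.in_scope and not dev.os_supported for dev in devices)
    result = "FAIL" if hard_fail else ("REMEDIATE" if findings else "PASS")
    return {"result": result, "hard_fail": hard_fail, "findings": findings}


# Constructed sample inventory; names and dates are invented for the example.
DEVICES = [
    Device("lab-pc-01", True, date(2023, 5, 25), True),
    Device("finance-laptop", True, date(2023, 5, 1), True),
    Device("legacy-server", False, date(2023, 5, 30), False),
    Device("guest-kiosk", False, date(2022, 1, 1), False, in_scope=False),
]
ACCOUNTS = [
    Account("admin.jo", True, True, 16, True),
    Account("admin.sam", True, False, 14, True),
    Account("student01", False, True, 8, False),
]

if __name__ == "__main__":
    report = assess(DEVICES, ACCOUNTS, executive_signoff=True)
    print(report["result"])
    for asset, control, issue in report["findings"]:
        print(f"  {asset:<16} {control:<28} {issue}")
```

The three-way result mirrors the deck's process: a hard FAIL cannot be fixed within the re-assessment window, whereas REMEDIATE findings are the kind the "What Next" slide expects you to close out before re-assessment. Swap the constructed `DEVICES` and `ACCOUNTS` lists for an export from your MDM or directory to get a first-pass gap list.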
12. What Next?
• Download the questions and review them prior to booking the assessment
  • https://iasme.co.uk/cyber-essentials/free-download-of-cyber-essentials-self-assessment-questions/
• Come to the Jisc Cyber Essentials drop-in clinics for support and advice
  • Focused on Education and Research, for CE and CE+ questions
  • https://www.jisc.ac.uk/training/cyber-essentials-drop-in-clinic
• Book the assessment with Jisc
  • Discuss scope with us, then complete the self-assessment in the online portal
  • Answer the questions – 5 controls plus some organisational info, signed off at an executive level, adding additional justification for answers
• Re-assess – any remediations must be completed within 2 working days
• Certification!
13. Security is not just for Christmas?
• Need to do the assessment on a yearly basis
• Ensure you have budget and time to do the preparation work, and any remediation for the re-assessment
• Ensure you have Executive management buy-in and support for this process
• Can lead into Cyber Essentials Plus