Obtaining the Cyber Essentials check mark – The 5 categories of measures explained
With cyber-attacks increasing globally both in prevalence and severity, there’s never been a more pressing need for organisations to implement a range of measures to keep the bad actors at bay. According to a report by Check Point Research, cybercrime rose 168% throughout Asia between May 2020 and May 2021, with Singapore experiencing one of the continent’s highest cyberattack increases at around 30%. It’s therefore imperative that you deploy a raft of security measures to keep business-critical data secure, no matter the size and scale of your IT infrastructure.
In our previous article we introduced the Cyber Security Agency of Singapore’s (CSA) “Cyber Essentials” certification scheme. We looked at the scheme’s core components and the benefits afforded to businesses who get certified.
Now let’s examine the process in more detail, including the controls and technical measures required in order to gain certification.
What does the certification process involve?
The certification process is carried out with the assistance of a CSA-appointed certification body, and involves a simple 4 stage process:
1) Set the boundaries for the certification process
The first task is to outline the devices, infrastructure and systems that the assessment process will apply to. For maximum security it’s recommended that the process cover your IT infrastructure in its entirety, but it should at least examine your most business-critical systems. The IT environment to be subjected to assessment must be agreed with your chosen certification body at the outset of the process.
2) Completion of a self-assessment questionnaire
The second stage involves completion of a self-assessment questionnaire which sets out the measures and actions required to be undertaken for certification. Acting more as a checklist than a questionnaire, this stage affords the opportunity to apply any of the controls that your organisation may be lacking in order to reinforce your security posture.
3) The review stage
Once the self-assessment questionnaire is completed it will be subject to a verification process by an appointed certification body of your choice. Supporting documentation may be required and a desktop review will be conducted to assess the veracity of the claims made.
4) Certification is awarded
Upon successfully fulfilling the criteria of the scheme you will be awarded the Cyber Essentials mark, which will remain valid for 2 years. Going from starting the process to achieving certification can take as little as 1 month.
What exactly are the assessment criteria?
The self-assessment document sets out over 70 recommended actions divided into 5 categories: assets, secure/protect, update, backup and respond.
The assets category stresses the importance of keeping an inventory of data, software and hardware components that constitute your environment, as well as the importance of training staff on cybersecurity best practice. Some of the core required/recommended actions in this category include:
Extending cyber security awareness training to all employees, either by means of self-learning material or external training providers.
The development of “Cyber hygiene practices and guidelines” covering the likes of phishing awareness, strong password policies and guidance on the secure handling of business-critical data.
Maintaining a current and accurate inventory of all hardware and software assets.
Discontinuing the use of hardware and software that has reached the end of its supported life.
Securely disposing of end-of-life assets by ensuring data is wiped before destruction.
Maintaining a detailed inventory of business-critical data, using the likes of spreadsheets or inventory management software.
The use of processes and technical measures to safeguard data of a highly sensitive nature, including document password protections and encryption.
Secure/Protect
This category lays out the recommended technical and organisational measures that should be taken to defend against malicious software, prevent unauthorised access to data and services and ensure that devices and systems are optimised for security. Key recommendations and requirements include:
The deployment of anti-malware software across all endpoint devices, including desktops, laptops, mobile devices, servers and virtual environments.
The use of firewalls both at the network’s edge and, where appropriate, at individual device level.
Ensuring employees only access company resources via trusted network connections.
Maintaining a current inventory of user accounts for identity management purposes.
Applying controls which limit access to data and resources on a necessary-for-role basis.
Ensuring all passwords are long, complex and adhere to password security best practice.
The use of two-factor authentication where feasible.
Ensuring devices are securely configured in line with industry recommendations such as the Center for Internet Security (CIS) benchmarks.
Avoiding the use of default configurations.
The deletion or removal of redundant features and services.
Update
In this category, requirements are set out relating to maintaining systems, software and devices by applying regular updates. Some of the key requirements and recommendations of this category include:
Ensuring mission-critical software, operating system and device updates are applied with urgency and as a top priority.
The use of automatic updating where available, to ensure critical systems receive the most recent updates in a timely manner.
Ensuring mobile devices, IoT devices and cloud environments are subject to regular update maintenance where such devices fall within the scope of certification, and in the case of cloud environments, where your organisation holds responsibility for applying such updates.
Backup
The backup category features recommendations and requirements relating to the deployment of comprehensive backup solutions. Some of the core guidance to consider includes:
Identifying mission-critical data and systems and deploying backup solutions to safeguard these assets as a priority.
Carrying out backups on a regular basis, in accordance with organisational requirements.
Using backup solutions to safeguard cloud assets if the scope of certification requires it. Such data can be backed up to on-site hardware and to other cloud locations.
Backing up data to multiple locations, with same-site backups avoided where possible.
Applying stringent access protections to backups to safeguard against unauthorised access.
Ensuring the recoverability of mission-critical data by testing backups on a regular basis.
Respond
This category details the framework that should be in place to respond to a cyberattack. While ideally you’ll never have to action this part of the framework, being prepared with a post-incident plan is vital to minimise further damage and ensure swift recoverability. Key requirements and recommendations of this category include:
Establishing a current incident response plan, with instructional guidance for your organisation on how to react following some of the most common cyber incidents, including phishing attacks, ransomware and data breaches.
Making all employees aware of the plan and their respective roles within it.
Conducting an annual review of the response plan to assess its relevance and readiness.
The listed actions and recommendations above are not exhaustive, representing only a fraction of the requirements set out in the self-assessment questionnaire. A more comprehensive example of the assessment criteria can be obtained from the Cyber Security Agency of Singapore’s website https://www.csa.gov.sg/Programmes/sgcybersafe/cybersecurity-certification-for-organisations/cyber-essentials-mark
AsiaCloud - Your Trusted IT Partner