Our client is a public limited company established in 1996, with over 50 staff and a published turnover of £24.5 million. They have designed, built, financed and maintained the Lewisham extension to the DLR line, and currently operate it under a concession agreement with Transport for London. They run a 24/7 office, so security is important no matter what time of day or week it is.
The Client’s Challenge
As with many of our clients, they had concerns about the General Data Protection Regulation (GDPR) and how a data breach would affect them. A director at the organisation had attended courses and so had a very good understanding of what was required regarding what data was kept and what policies should be in place when processing it. The challenging part for them was making sure that proper technical and security measures had been put in place to protect the data itself, regardless of whether that data should have been there in the first place. Having heard about multiple breaches caused by other organisations not following best practice, they wanted to know what the current best practices were and to be sure that they were being followed correctly, thereby minimising the risk of a data breach.
Minimising the risk of a data breach is critical because of the potential fines and the damage that can be caused to an organisation’s reputation. Record-breaking fines have recently been issued to companies such as British Airways, citing “Insufficient technical and organisational measures to ensure information security”. Although our client is not the same size as British Airways, any fine would still be potentially very large. It became clear that our client felt a strong responsibility for the data they hold, not only because of the risk of fines but because of a real understanding of the effects that a data breach can have on an individual.
Our client is a PLC which meets the criteria that oblige it to undergo annual audits, one of which covers its use of IT. This one-off inspection is much like an MOT: the organisation is compliant at that particular point in time. However, as with a car, anything can happen within a year, so there is potential to fall out of compliance after the inspection has taken place. With this in mind, our client always took policies very seriously; however, monitoring every aspect of a large policy manually was not a workable option.
We proposed working with them to complete the Cyber Essentials Plus certification through CyberSmart. This certification is based on security best practices covering both the configuration of a network and the items that should be included in an IT policy. There are two levels of Cyber Essentials: Standard and Plus. Standard is a self-certified assessment, whereas Plus also includes an external audit to ensure that everything is in place the way it should be. CyberSmart also provides agents that can be installed on each machine to monitor several of the key aspects of Cyber Essentials, so that compliance can be monitored throughout the year.
Our proposal addressed the client’s challenges by using the Cyber Essentials framework as a set of best practices, having an external audit to prove what was in place, and then monitoring it to ensure key elements remained in place throughout the year.
How we implemented our proposal
The process for achieving Cyber Essentials Plus is to first complete the Standard version and then arrange to have this “upgraded” to Plus. We refer to the criteria of this certification as the “50 questions”, although the list has now grown and some questions have multiple parts. As an overview, our process for completing the “50 questions” with our client was:
Define the scope of what devices would be part of the certification:
This step can be a minefield, as not every device is required to be part of the assessment. For example, a mobile phone that holds no data does not need to be included, but one that has access to data does. In addition, any device that is outside the scope needs to be segregated from devices that are within it. This is always a good starting point, as devices that clearly would not pass the Cyber Essentials certification can be highlighted immediately.
Assessing edge of network devices:
We checked that the firewalls were up to date and still entitled to future security updates from the manufacturer. Any traffic forwarded to internal devices needed a business reason, and any forwarding rule that was no longer required was removed.
Password Security Policy:
Password policies were first discussed with our contact before we checked that the agreed policy was being enforced by each server or application hosting data. Every system that hosted data was checked against this policy.
Administrator Accounts Policy:
We produced an export of the administrator accounts that had been set up and then discussed whether each was still required. After this we disabled the accounts that were no longer needed and agreed a schedule for how often this should be checked. Where possible, we highlighted where two-factor authentication could be used to secure administrator accounts.
User Accounts Policy:
We followed exactly the same procedure used for checking the administrator accounts. In addition, the process for identifying when a user account is no longer required was reviewed.
Patching Policy:
We put provisions in place so that operating system security updates would be installed weekly, which is stricter than the 14-day requirement.
Malware Protection Policy:
This stage can take several different routes depending on how you plan to protect the network. In this instance we agreed to use anti-malware software in combination with only allowing installations from a trusted app store.
Approved Software Policy:
We started by exporting a list of the software currently installed. We first checked for a business reason for using each piece of software, then checked that it was still supported by the developer for security updates and was being used within the terms of its licence. After this, the draft list was agreed with our contact.
PCs and Servers:
At this stage we needed to ensure that the patching, malware and approved-software policies were being met on each machine. This involved deploying CyberSmart agents in addition to our own. The CyberSmart agent then highlighted which machines needed AutoPlay, anti-malware or the firewall enabled or disabled, in addition to any accounts that were signing in as a local administrator.
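The steps above amount to a repeatable per-machine check. The script below is an added example written for this case study; it is not the CyberSmart agent, our own agent, or any tool the page describes. It takes a read-only compliance snapshot of one Windows endpoint covering the administrator account, patching, malware protection, firewall, AutoPlay and approved-software points discussed above, and writes the findings to a text file so they can be compared week to week. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or newer with Microsoft Defender; the 14-day window is the figure stated on the page, while the approved-software patterns and the one-day signature-age threshold are hypothetical values to be replaced with whatever is agreed with the client.

```powershell
# Added example (not the CyberSmart agent or the case study's own tooling): a read-only
# Cyber Essentials style snapshot for one Windows endpoint. Run elevated.

$PatchWindowDays  = 14                                      # update window stated in the case study
$ApprovedSoftware = @('Microsoft Office*', 'Google Chrome', '7-Zip*')   # hypothetical agreed list
$MaxSignatureAge  = 1                                       # hypothetical threshold, in days

$findings = New-Object System.Collections.Generic.List[string]

# 1. Administrator accounts: record every member of the local Administrators group so the
#    list can be reviewed against the agreed schedule, and flag enabled accounts with no password.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("INFO: Administrators group member: $($_.Name) ($($_.ObjectClass), $($_.PrincipalSource))")
}
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings.Add("FAIL: enabled local account without a required password: $($_.Name)")
}

# 2. Patching: the most recently installed update must fall inside the window.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or ((Get-Date) - $latest.InstalledOn).Days -gt $PatchWindowDays) {
    $findings.Add("FAIL: no OS update installed in the last $PatchWindowDays days")
}

# 3. Malware protection: real-time protection on and signatures recent (Microsoft Defender).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('FAIL: real-time anti-malware protection is not enabled')
} elseif ($mp.AntivirusSignatureAge -gt $MaxSignatureAge) {
    $findings.Add("FAIL: anti-malware signatures are $($mp.AntivirusSignatureAge) days old")
}

# 4. Host firewall: every profile (Domain, Private, Public) must be enabled.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings.Add("FAIL: firewall profile '$($_.Name)' is disabled")
}

# 5. AutoPlay: the policy value 0xFF (255) disables AutoRun for all drive types.
$autorun = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
            -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 255) {
    $findings.Add('FAIL: AutoPlay is not disabled for all drive types (NoDriveTypeAutoRun is not 0xFF)')
}

# 6. Approved software: anything installed that matches none of the agreed patterns is
#    listed for the business-reason, support-status and licensing review.
$installed = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*') |
    ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
    Where-Object { $_.DisplayName } |
    Select-Object -ExpandProperty DisplayName -Unique
foreach ($app in $installed) {
    $approved = $false
    foreach ($pattern in $ApprovedSoftware) {
        if ($app -like $pattern) { $approved = $true; break }
    }
    if (-not $approved) { $findings.Add("REVIEW: software not on the approved list: $app") }
}

# Write the snapshot next to the script and echo it so a run shows its results.
$report = Join-Path -Path (Get-Location) -ChildPath "$env:COMPUTERNAME-ce-snapshot.txt"
$findings | Sort-Object | Out-File -FilePath $report -Encoding UTF8
$findings | Sort-Object
```

Every line is a FAIL, REVIEW or INFO item rather than a pass/fail verdict for the machine, so the output reads like the checklist the agent produced for us: FAIL items need fixing before the audit, REVIEW items need a decision from the contact, and INFO items are the administrator list to revisit on the agreed schedule. Scheduling the script to run weekly on each in-scope machine gives the year-round view described above; the domain password policy is checked separately on the server, since it is not visible from an endpoint.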
After carrying out all the steps above we were ready to apply for the Standard certification. Using the CyberSmart tools, this passed first time and the certification was awarded the very next day.
The next stage was to apply for the Plus version, which again we did through CyberSmart. At this stage they reviewed every detail of the certification we had already achieved and gave us a pre-audit checklist designed to highlight areas that commonly result in failure.
Whilst running through the checklist, I made an observation: there seemed to be a lot more emphasis on the anti-virus package and how it handled files in different circumstances.
After running through the pre-audit checklist, we were ready for our audit. At this stage we had a phone call with a CyberSmart representative, who ran through checks on a randomly chosen desktop and server while collecting evidence of how the systems reacted to different scenarios. Finally, a port scan was conducted on the internet connection so that they could confirm everything was locked down as stated during the certification.
Our client is now listed on the Cyber Essentials website, having successfully completed the Cyber Essentials Plus certification. Both the Standard and Plus certifications were awarded on the first attempt.
Case Study written by Andy Cook