Cyber Essentials for Small Businesses (Part 2)

INTRODUCTION

This guide offers a practical look at completing the Cyber Essentials certification. It is designed to help you understand the types of questions you will encounter during the self-assessment. I will walk you through each section of the assessment, complete with screenshots, so you can clearly see what is required at each step.

In this guide, I will cover the nine main sections highlighted under the headings below. This walkthrough aims to demystify the process and help you feel more confident about achieving Cyber Essentials certification.

1. SCOPE

In the scope section you are asked to provide details of the business's existing infrastructure by answering questions about your geographical location, end user devices, mobile devices, networks, cloud services etc. You also need to declare who is responsible for managing your IT service and the assessment.

Depending on your business’s setup and its complexity, you may have fewer or more questions to answer.

Refer to the screenshot below (see pic. 1) for a selection of the questions you will need to answer.

Pic. 1 – Scope of Assessment section

After this, there is a section on Insurance which contains one question. It applies to UK businesses only and relates to their insurance eligibility.

2. FIREWALLS

This section pertains to the firewalls and their configurations within your organization. Some questions require a simple ‘Yes’ or ‘No’ answer, while others need more detailed descriptions of your practices. For example, in response to question A4.2.1 about the Firewall Password Change Process, the following may be a response that applies to you:

Yes. We accessed the router’s admin page via its IP address and the Firewall admin page via its IP address. On both devices, we changed the default password to a more complex one.

Refer to the screenshot below (see pic. 2) for a selection of the questions you will need to answer.

Pic. 2 – Firewalls Section

3. SECURE CONFIGURATIONS

This section focuses on configuring your devices securely, including tasks such as removing unnecessary accounts and disabling autoplay on all devices. You may already have an in-house policy covering these settings. If not, consider creating a simple policy document to address this area.

Refer to the screenshot below (see pic. 3) for a selection of the questions you will need to answer.

Pic. 3 – Secure Configuration Section

4. DEVICE LOCKING

This section consists of two questions that inquire about your methods for locking devices and what those methods entail.

For example, the following answer is sufficient if it applies to you: We use 6-digit PINs for accessing our laptops and mobile devices, with additional credentials required to access other software services.

You may have other secure methods for locking your devices, which should be outlined in this section.

Refer to the screenshot below (see pic. 4) for a selection of the questions you will need to answer.

Pic. 4 – Device Locking Section

5. SECURITY UPDATE MANAGEMENT

This section inquires about the regular updating of your operating systems, software, browsers, and other applications. You will need to verify that these are consistently updated. Additionally, you should confirm that auto-updates are enabled, and if they are not, you must explain how you manually ensure they are kept up to date.
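A quick way to gather evidence for the auto-update question on a Windows endpoint is to read the Windows Update policy key and the date of the most recently installed update. The script below is an added example, not part of the original guide or of the Cyber Essentials question set; it assumes a Windows 10/11 device with PowerShell 5.1 or later, and the 14-day threshold is an assumed review value, not a figure from the scheme. It covers operating system updates only; browsers and other applications still need their own update check.

```powershell
# Added example (not part of the original guide): report whether Windows automatic
# updates have been switched off by policy and when the last update was installed.
# Assumes a Windows 10/11 endpoint running PowerShell 5.1 or later.

function Get-UpdateStatusReport {
    [CmdletBinding()]
    param(
        # Flag the device if no update was installed within this many days (assumed threshold).
        [int]$MaxDaysSinceUpdate = 14
    )

    # Group Policy / MDM setting for Automatic Updates. If the key is absent, no policy
    # is applied and the Windows default (automatic updating on) is in effect.
    $auPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $policy      = Get-ItemProperty -Path $auPolicyKey -ErrorAction SilentlyContinue

    # NoAutoUpdate = 1 means automatic updating has been disabled by policy.
    $autoUpdatesDisabled = ($null -ne $policy) -and ($policy.NoAutoUpdate -eq 1)

    # Get-HotFix lists installed Windows updates; keep the most recently installed one.
    $lastHotFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $daysSince = if ($lastHotFix) {
        [int]((Get-Date) - $lastHotFix.InstalledOn).TotalDays
    } else {
        $null
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AutoUpdatesDisabled = $autoUpdatesDisabled
        LastUpdateId        = $lastHotFix.HotFixID
        LastUpdateInstalled = $lastHotFix.InstalledOn
        DaysSinceLastUpdate = $daysSince
        # Compliant here means: auto-updates not disabled AND a recent update is present.
        Compliant           = (-not $autoUpdatesDisabled) -and
                              ($null -ne $daysSince) -and
                              ($daysSince -le $MaxDaysSinceUpdate)
    }
}

# Run the report for this device; keep the output as evidence for your records.
Get-UpdateStatusReport | Format-List
```

Run it on each in-scope device (or via your remote management tool) and keep the output alongside the assessment. A device showing `AutoUpdatesDisabled : True` is the case where the assessment asks you to explain your manual update process.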

You may already have a policy document that addresses these updates within your company, or an IT department or service provider that performs regular checks in these areas.

Refer to the screenshot below (see pic. 5) for a selection of the questions you will need to answer.

Pic. 5 – Security Update Management Section

6. USER ACCESS CONTROL

This section asks questions about the processes around giving user accounts to new employees and removing them for leavers. Having a clear and documented process for managing user access control helps maintain the security of your systems and data, ensuring that only authorized personnel have access at any given time.

Refer to the screenshot below (see pic. 6) for a selection of the questions you will need to answer.

Pic. 6 – User Access Control Section

7. ADMINISTRATIVE ACCOUNTS

This section asks about how you manage who has administrative access to your devices and applications. One approach is to have an Administrative Access Policy document, like the one attached below, addressing all the areas discussed in this section. That, along with calendar reminders to check everything monthly, will keep things in check.
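The monthly check mentioned above, and the "remove unnecessary accounts" and "disable autoplay" items from the Secure Configurations section, can be turned into one review script that runs on each Windows endpoint. The script below is an added example and is not part of the original guide or its attached policy documents. It assumes Windows 10/11 with the built-in LocalAccounts module (PowerShell 5.1 or later) and is run from an elevated prompt; the approved admin name `LocalAdmin` and the 90-day staleness threshold are assumed example values that you would replace with your own.

```powershell
# Added example (not the guide's own script): monthly review of local accounts,
# local Administrators membership and the AutoPlay policy on a Windows endpoint.
# Assumes Windows 10/11, PowerShell 5.1+, run as a local administrator.

function Get-LocalAccountReview {
    [CmdletBinding()]
    param(
        # Accounts expected to hold local admin rights (assumed example names).
        [string[]]$ApprovedAdmins = @('LocalAdmin'),
        # Enabled accounts not used for this many days are candidates for removal (assumed).
        [int]$StaleAfterDays = 90
    )

    $now = Get-Date

    # 1. Enabled local accounts with last-logon age, to spot unnecessary accounts.
    $accounts = Get-LocalUser | Where-Object Enabled | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            LastLogon = $_.LastLogon
            StaleDays = if ($_.LastLogon) { [int]($now - $_.LastLogon).TotalDays } else { $null }
            NeverUsed = -not $_.LastLogon
        }
    }
    $staleAccounts = $accounts | Where-Object { $_.NeverUsed -or $_.StaleDays -gt $StaleAfterDays }

    # 2. Members of the local Administrators group not on the approved list.
    #    Names come back as MACHINE\user or DOMAIN\user; keep only the account part.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { ($_.Name -split '\\')[-1] }
    $unexpectedAdmins = $admins | Where-Object { $_ -notin $ApprovedAdmins }

    # 3. AutoPlay policy: NoDriveTypeAutoRun = 255 (0xFF) disables AutoPlay on all drive types.
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $noDriveTypeAutoRun = (Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $autoPlayDisabled = ($noDriveTypeAutoRun -eq 255)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ReviewDate       = $now.ToString('yyyy-MM-dd')
        EnabledAccounts  = $accounts.Name
        StaleAccounts    = $staleAccounts.Name
        UnexpectedAdmins = $unexpectedAdmins
        AutoPlayDisabled = $autoPlayDisabled
    }
}

# Produce the monthly review record for this device.
Get-LocalAccountReview | Format-List
```

Anything listed under `StaleAccounts` or `UnexpectedAdmins`, or an `AutoPlayDisabled : False` result, is an action item for that month's review; the dated output itself serves as evidence that the check described in your policy actually takes place.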

Refer to the screenshot below (see pic. 7) for a selection of the questions you will need to answer.

Pic. 7 – Administrative Accounts Section

8. PASSWORD BASED AUTHENTICATION

This section addresses passwords. It is a good idea to have a password policy that you follow. Having MFA (multi-factor authentication) enabled on your services is crucial to completing this section. I have attached a sample password policy below which addresses the areas in this section; there are also many examples online which you can adapt to your own business.

Having a well-defined password policy and implementing MFA will enhance your organization’s security posture and help you meet the requirements of this section.

Refer to the screenshot below (see pic. 8) for a selection of the questions you will need to answer.

Pic. 8 – Password Policy Section

9. MALWARE PROTECTION

This section addresses whether you have malware protection on your devices and whether you restrict installation of applications; it also asks how the anti-malware software is updated. The last question relates to the applications you allow your users to install and reads as follows:

You must create a list of approved applications and ensure users only install these applications on their devices. This includes employee-owned devices. You may use mobile device management (MDM) software to meet this requirement, but you are not required to use MDM software if you can meet the requirements using good policy, processes and training of staff.
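If you meet the approved-application requirement through policy and process rather than MDM, you still need a way to confirm that only approved software is installed. The script below is an added example, not from the original guide or the Cyber Essentials scheme; it assumes a Windows 10/11 endpoint with PowerShell 5.1 or later, and the approved-name patterns are constructed for illustration and must be replaced with your own list.

```powershell
# Added example (not from the guide): compare the applications installed on a Windows
# endpoint against an approved-application list and report anything not on it.
# Assumes Windows 10/11, PowerShell 5.1+. The approved patterns are constructed examples.

function Get-UnapprovedApplications {
    [CmdletBinding()]
    param(
        # Approved display names, matched as -like wildcard patterns (assumed example list).
        [string[]]$ApprovedPatterns = @(
            'Microsoft 365*',
            'Microsoft Edge*',
            'Google Chrome',
            'Mozilla Firefox*',
            'Microsoft Visual C++*'
        )
    )

    # Uninstall registry hives: 64-bit and 32-bit machine-wide installs, plus per-user installs.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Keep entries that have a display name and are not hidden system components.
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate -Unique

    foreach ($app in $installed) {
        $approved = $false
        foreach ($pattern in $ApprovedPatterns) {
            if ($app.DisplayName -like $pattern) { $approved = $true; break }
        }
        if (-not $approved) { $app }
    }
}

# Report unapproved software; an empty result means everything installed is on the list.
Get-UnapprovedApplications | Sort-Object DisplayName | Format-Table -AutoSize
```

Run it per device and review the output with the user before removing anything; software that turns out to be needed should be added to the approved list rather than left unmanaged, so the list stays the single record of what the business permits.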

Refer to the screenshot below (see pic. 9) for a selection of the questions you will need to answer.

Pic. 9 – Malware Protection Section

Please see the links below, which give you access via Google Drive to policy documents for Administrative Access and Passwords.

Example Administration Access Policy

Example Password Policy Document

***

I hope this article was useful for you.