Do you Need Professional IT Assistance or Not?
This is part two of the Cyber Essentials blog series Top 7 things you need to know before you start your assessment.
In this article, we will discuss in detail whether you still need professional IT assistance or not. This is the first thing you should know before taking the Cyber Essentials Assessment. We will also focus on several common questions that applicants struggle with.
So, do you still need professional IT assistance or not? It depends.
If your environment is small, typically under five staff with no servers, you'll likely be able to meet the required technical controls yourself.
However, if you’re a larger organisation or have servers or a complex environment, you will require either internal or external IT assistance.
Just a reminder: as a Cyber Essentials Assessor, we are looking for evidence (which your answers need to provide) that you understand the question, and also that the control you have implemented (paper policy or technical) meets the required standard.
In the early part of the assessment, you will need to provide a detailed breakdown of your technical environment; we will cover this topic in a separate article.
In the middle and later sections, you will need to demonstrate technical competency.
Cyber Essentials is based on around 68 questions, with 26 of them being administrative/policy-based and the remainder being technical.
To help you further with your assessment, let's take a look at some of the questions.
Router or hardware firewalls.
Provide a list of network equipment
For any routers that you manage, you will need to have changed the default password and to list the brand/model, the firmware revision and its date. If the device is no longer supported, your assessment will be marked as non-compliant.
Do you have firewalls at your boundaries?
This is where it can get highly technical if you have multiple offices or work in a shared office. This is a critical requirement for Cyber Essentials and must be super clear in your answer.
Do you offer any “Sensitive applications” via the internet?
This is tricky, and essentially means that you need to know of any services or applications you have made accessible from the internet. Each one needs to be documented, and for each service you need a business justification. It's common for applicants to answer NO here and elsewhere state that they have a VPN or other externally reachable service. Make sure you are clear on the requirements for this question.
Are your internet routers or hardware firewalls configured to allow access over the internet?
Normally this is a no, but it depends on the type of router you have. If you do allow this, it must be secured.
Laptops and Desktops
Firewalls must be enabled
Again, this is the default setting, but I'm aware of some applicants who have turned off their firewalls.
Where possible, have you removed or disabled all software that you do not use?
This can be another tricky one and you will need to provide a brief explanation of the steps you have taken to meet this control.
Are all operating systems and firmware (routers/mobile devices) supported?
This again goes back to your scope and you will need to list all operating systems in use throughout your organisation.
It’s quite common to see applicants list mobile devices or server operating systems that are no longer supported.
Are all high-risk or critical security updates deployed within 14 days?
The larger the organisation, the more robust a process the assessor will be looking for.
A similar but subtly different question focuses on applications (e.g. Firefox/Chrome/Java). Most applicants we deal with do not have a robust third-party update policy, and this is likely the single greatest risk most organisations face!
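The supported-OS and 14-day patching questions above come down to checks you can run against an asset inventory. The following is an added example (my own, not part of the original article or any Cyber Essentials tooling): it uses a constructed inventory with assumed end-of-support dates and a fixed assessment date, and flags unsupported operating systems plus critical/high-risk updates, for the OS and third-party applications alike, that are overdue or were applied late.

```python
from datetime import date, timedelta

# Cyber Essentials expects high-risk/critical updates applied within 14 days.
PATCH_WINDOW_DAYS = 14
# Assessment date (constructed) used as the default for assess().
AS_OF = date(2024, 6, 1)

# Constructed sample inventory for illustration (not real devices or vendor dates).
# "eol" is the assumed end-of-support date for the OS; None means still supported.
INVENTORY = [
    {"name": "LAPTOP-01", "os": "Windows 11", "eol": None, "updates": [
        {"component": "Windows", "severity": "critical",
         "released": date(2024, 5, 1), "installed": date(2024, 5, 9)},
    ]},
    {"name": "PHONE-02", "os": "Android 9", "eol": date(2022, 1, 1), "updates": [
        {"component": "Chrome", "severity": "high",
         "released": date(2024, 5, 10), "installed": None},
    ]},
    {"name": "SERVER-03", "os": "Windows Server 2019", "eol": None, "updates": [
        {"component": "Windows", "severity": "high",
         "released": date(2024, 4, 1), "installed": date(2024, 4, 20)},
        {"component": "Java", "severity": "moderate",
         "released": date(2024, 4, 1), "installed": None},  # outside the 14-day rule
    ]},
]

def check_device(device, today):
    """Return a list of non-compliance findings for one device (empty = compliant)."""
    findings = []
    if device["eol"] is not None and device["eol"] < today:
        findings.append(f"{device['os']} unsupported since {device['eol']}")
    for upd in device["updates"]:
        # Only critical and high-risk updates fall under the 14-day requirement.
        if upd["severity"] not in ("critical", "high"):
            continue
        deadline = upd["released"] + timedelta(days=PATCH_WINDOW_DAYS)
        if upd["installed"] is None and today > deadline:
            findings.append(f"{upd['component']} update overdue by {(today - deadline).days} days")
        elif upd["installed"] is not None and upd["installed"] > deadline:
            findings.append(f"{upd['component']} update installed {(upd['installed'] - deadline).days} days late")
    return findings

def assess(inventory, today=AS_OF):
    """Map each device name to its findings, ready to paste into the assessment evidence."""
    return {d["name"]: check_device(d, today) for d in inventory}

if __name__ == "__main__":
    for name, findings in assess(INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```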
Cyber Essentials focuses on administrator-level accounts and, in particular, you MUST not use a local admin account for your day-to-day work. If you do, it's relatively straightforward to create a new admin account and then downgrade your normal account, but be careful you don't lock yourself out.
So hopefully you’ve found this useful. Remember, there are a total of 42 questions that require technical input. My advice is that you have a look at the Cyber Essentials question set and identify what questions you will struggle to answer. In most instances, they are the more technical questions.
Getting certified by a government organisation is not an easy task. But due to the ever-evolving IT industry, we need to adapt and learn new ways not just to improve our skills but also to protect our businesses. It is also best to find someone who can help you prepare for your Cyber Essentials Assessment. Check our Cyber Essentials and Cyber Essentials Plus programmes. You can also Book a Chat with us to learn more about how we can help you get your Cyber Essentials certification.