Cyber Essentials Checklist: Is your IT company competent to help you pass?

Many businesses turn to their IT company to help them pass Cyber Essentials accreditation. The National Cyber Security Centre (NCSC) recently provided guidance and a Cyber Essentials checklist for businesses using their IT support business to implement the security controls needed to pass Cyber Essentials. The guidance helps organisations to check whether their third party IT company is helping them to meet Cyber Essentials criteria. NCSC's message is clear; while IT providers maybe good at traditional IT and have good technical knowledge, it doesn't mean they have good understanding of cybersecurity.

It is important to check that your IT company has put security measures in place correctly before self certifying for Cyber Essentials. In this article we offer a checklist of questions to ask your IT support company or consultant to find out if they are appropriately securing your business to comply with Cyber Essentials.

1. Do you have a Service Level Agreement?

You should have a Service Level Agreement with your outsourced IT company. It is important to be clear on your IT company is responsibilities. From a security perspective, the service level agreement (SLA) should clarify who is responsible for looking after specific cybersecurity controls. We find many businesses join Superfast IT to realise, for example, that their server hadn't been updated or their data hadn't been backed up for years by their previous IT company. Ensure your IT company's responsibilities are formally logged.

2. Instruct your IT company

While your IT company may look after your network and manage most aspects of your IT, it is still your responsibility to take care of your network security. You should provide clear and detailed instructions about the security controls you want the IT company to implement, because responsibility ultimately falls upon you.

3. Is your IT company Cyber Essentials certified?

Cyber Essentials is the minimum level of certification a UK company can gain to prove it is cybersecurity compliant and can prevent the majority of cyber-attacks. IASME and NCSC highly recommend that businesses look for an IT provider that is Cyber Essentials certified. It will demonstrate that your IT provider is serious about cybersecurity. It also demonstrates they are competent in implementing the security controls.

4. qualifications of your cybersecurity consultant

Ask your IT consultant what cybersecurity qualifications they have. Discover thier level of knowledge. If they have the following qualifications, it means they have a good understanding of cybersecurity:

CISMP - Certificate in Information Security Management Principles

IASME Cyber Essentials Assessor

5. Ask what controls your IT support has implemented

If your IT company is implementing Cyber Essentials controls on your behalf, it is important to check that the requirements have been met. Remember, it is your signature that verifies that the controls are in place. There are a number of questions you should ask your IT company, as recommended by IASME, to confirm that the controls have been put in place to meet the requirements of the standard. 

Cyber Essentials checklist for your it company

Ask you IT support company the following questions to ensure you are meeting Cyber Essentials standard and understand what they have and haven't implemented:

1. Is your organisation Cyber Essentials certified?
   Yes/No
   
   
2. Have you read the Cyber Essentials Requirements for IT Infrastructure document?
   Yes/No
   
   
3. In the event that we are to apply for Cyber Essentials Plus in the future, will you give consent for us to scan any infrastructure that is owned by you?
   Yes/No
   
   
4. Can you provide a list of all of laptops, computers and virtual desktops that you manage for us and include the details of their Operating Systems including editions and versions?
   Yes/No.
   If yes, please provide list.
   
   
5. Can you provide a list of servers that you manage for us including all virtual servers and their hosts (Hypervisors)? Please include their model and Operating Systems.
   Yes/No.
   If yes, please provide list.
   
   
6. Can you provide a list of all tablets, mobile phones and other mobile devices that you manage for us? This list must include Operating System versions and model details for each device.
   Yes/No.
   If yes, please provide list.
   
   
7. Please could you provide a description of any networks that you provide to us eg Office LAN at head office at Birmingham head office.
   
   
8. Can you confirm that this/these networks are segregated through network segregation from other clients that you provide services for?
   Yes/No.
   
   
9. Can you provide a list of make and model of any network equipment that contain a firewall including all routers that you manage for us?
   Yes/No.
   If yes, please provide list.
   
   
10. Do you provide a firewall between the internal networks and the boundary?
    Yes/No.
    
    
11. Have the default passwords been changed on these firewalls?
    Yes/No.
    
    
12. Are all firewall passwords that you manage for us at least 8 characters in length and difficult to guess?
    Yes/No.
    
    
13. What is the process you take if you believe a password has been compromised on a firewall?
    
    
14. Can you confirm that all services are disabled on the firewall that prevent access from external devices on the internet?
    Yes/No.
    
    
15. If services are enabled, can you confirm which ports and services are open and provide any details of why they need to be open to support our business case.
    
    
16. Are firewalls configured to block all other services from being advertised to the internet?
    Yes/No.
    
    
17. Can you make changes to the firewall settings remotely over the internet?
    Yes/No.
    
    
18. If you can make remote changes over the internet, it this protected by 2FA or IP allow listing? Please provide details how this is protected.
    
    
19. Are all software firewalls enabled on desktop computers, laptops and servers if they are available? Please provide a list of OS that does not have software firewalls.
    Yes/No.
    
    
20. When setting up our servers, computers, laptops and phones, did you disable or remove any software that came as standard from the vendor. If you did, how did you achieve this?
    
    
21. If you provide domain access, can you provide us a list of user accounts that are currently active.
    Yes/No.
    If yes, please provide list.
    
    
22. Have you changed all default passwords on all devices to a non-guessable password of 8 characters or more? Who is control of these passwords (You or have you handed details to us).
    
    
23. Do all of your employees associated with our infrastructure have their own user and administrator accounts all with passwords of at least 8 characters and difficult to guess?
    Yes/No.
    
    
24. Do you access any software over the internet that has any of our data stored on?
    Yes/No.
    
    
25. If you access software over the internet, do you change passwords if you believe they have been compromised? Please explain the process.
    
    
26. If you access software over the internet do your systems lock accounts after 10 or fewer unsuccessful accounts or throttle login attempts to no more than 10 within 5 minutes.
    Yes/No.
    
    
27. Do you have a password policy that tells your employees how to choose unguessable passwords, not to use the same password for multiple accounts and how they can record passwords? For example using a password manager.
    Yes/No.
    
    
28. When you provided our devices did you ensure “auto-run” or “auto-play” was disabled?
    Yes/No.
    
    
29. Are all of the Operating Systems you provide licensed, supported by the vendor and still receiving regular security updates?
    Yes/No.
    
    
30. Are all of the installed applications that you provide, licensed, still supported and receiving regular security fixes?
    Yes/No.
    
    
31. Please can you list the Internet Browsers, Malware Protection Software, Email Applications and Office Applications that you have provided including current version numbers installed on all devices.
    
    
32. All high-risk or security updates should be applied within 14 days of release.
    This includes:
    
    Firmware on the following devices - Servers, Computers, Laptops, Tablets, Mobile Phones, Routers and Firewalls.
    
    Software updates including all Operating Systems and applications.
    
    If you are responsible for this, how do you ensure this is achieved?
    
    
33. Auto Update should be used where possible. If this is not being used, please list the Operating Systems that that you are updating through other processes.
    
    
34. Do you removed any applications that are no longer supported or no longer receive regular fixes for security updates?
    Yes/No.
    
    
35. If you don’t remove applications, can you provide a list of all installed applications that are on our devices?
    Yes/No.
    If yes, please provide list.
    
    
36. What is your process for account provision of all accounts that access our network? Who authorises these accounts?
    
    
37. Can you confirm that your employees do not use shared credentials access our infrastructure?
    Yes/No.
    
    
38. How do you ensure you have deleted or disabled any accounts for staff that are no longer in your organisation?
    
    
39. How do you control that staff working on our network, only have the account privileges required to perform their tasks?
    
    
40. What is the process for ensuring that all administrators are correctly trained and who authorises this level of access to our network?
    
    
41. How do you ensure that your staff do not use their administrator accounts to carry out everyday tasks like email and web browsing; and only use elevated privileges to carry out admin specific tasks whilst operating on our network?
    
    
42. Do you formally track and review who has administrator accounts on our network?
    Yes/No.
    
    
43. Do all of your accounts have 2FA enabled?
    Yes/No.
    
44. If no is this because 2FA is not available as standard?
    Notes if no.
    
    
45. Please list the devices or systems it is not available for. Please list all devices that are protected by anti-malware software.
    
    
46. Is the anti-malware software set to update at least daily, scan files automatically on access and scan web pages you visit and warn of accessing malicious sites?
    Yes/No.
    
    
47. Please list all devices that are protected using application allow listing.
    
    
48. If using allow listing now is this enforced? For example Is there a technical solution like MDM where you set the approved list of applications that is provided by your company?
    
    
49. Please list all devices that are protected by sandboxing.
    
    
50. How do you ensure that sandboxed applications are unable to access data stores, peripherals and the local network?

Take a look at our Cyber Essentials page to understand how Superfast IT provide Cyber Essentials consultation and our IASME Cyber Essentials FAQ to find out more about the certification. We can also help with small business cybersecurity in Birmingham.

CYBER ESSENTIALS CONSULTATION

Get in touch