From 1 October 2014, the Government has required all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials Scheme. MOD Defence Contracts Bulletin features writer Paul Elliott takes a closer look at the Cyber Essentials Scheme and its Assurance Framework.
Most people today can name a high-profile cyber attack off the top of their head. It seems we are now never far away from the next headline-grabbing cyber attack, whether it’s targeting corporate or public sector organisations. The growing risk of this type of attack has of course not gone unnoticed by the Government, particularly in the realm of defence.
In 2012 the Government published ‘10 Steps to Cyber Security’ and subsequently ‘Small Businesses: What you need to know about cyber security’, to encourage organisations to consider whether they were managing their cyber risks effectively. From 1 October 2014, all suppliers bidding for sensitive and personal information handling contracts have been required by the Government to be certified against its Cyber Essentials Scheme.
The Cyber Essentials Scheme has been launched to perform two functions. The first is to provide a clear statement of the basic technical ‘controls’ all organisations should implement to mitigate the risk from common internet-based threats. The second is to offer, through the Assurance Framework, a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken the essential precautions in cyber security. It’s a kind of calling card of credibility for those dealing with businesses facing potential cyber threats.
Contracts assessed as higher risk, and therefore requiring Cyber Essentials certification, are likely to include ICT contracts as well as personal and sensitive information handling contracts. Many defence contracts are highly likely to fall into this category.
The Government has worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop Cyber Essentials. The full scheme, launched on 5 June 2014, enables organisations to gain one of two Cyber Essentials badges. It is backed by industry, including the Federation of Small Businesses (FSB), the CBI and a number of insurance organisations which are offering incentives for businesses.
The Assurance Framework shows how the independent assurance process works and the different levels of assessment organisations can apply for to achieve the badges. It also contains guidance for security professionals carrying out the assessments.
Cyber Essentials concentrates on five key control themes. These are:
- Boundary firewalls and internet gateways – devices designed to prevent unauthorised access to or from private networks. Good set-up of these devices, whether in hardware or software form, is important for them to be fully effective.
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
- Access control – ensuring that only those who should have access to systems do have access and at the appropriate level.
- Malware protection – ensuring that virus and malware protection is installed and is up to date.
- Patch management – ensuring that the latest supported versions of applications are being used and all the necessary patches supplied by the vendor have been applied.
As stories of organisations exposing customers’ information to cyber threats continue to create headlines in the media, it is becoming increasingly important for organisations to not only maintain a robust cyber security stance but also demonstrate this to clients. A business is only as good as its reputation and cyber attacks can cause heavy reputational damage, as well as compromising the business’s finances and infrastructure. The Government says the Assurance Framework is designed to provide a simple means for third parties to distinguish between organisations that are implementing basic cyber security controls and those that are not.
There are two levels of certification – Cyber Essentials and Cyber Essentials Plus. The Cyber Essentials certification is awarded on the basis of a verified self-assessment. The process sees an organisation undertake its own assessment of its implementation of the Cyber Essentials control themes via a questionnaire, which is approved by a senior executive such as the CEO. This questionnaire is then verified by an independent certification body to assess whether an appropriate standard has been achieved and certification can be awarded.
Certification at this stage is intended to provide a basic level of confidence that the controls have been implemented correctly, and relies on the organisation having the skills to respond appropriately to the questionnaire.
Cyber Essentials Plus, however, offers a higher level of assurance through the external testing of the organisation’s cyber security approach. Tests of the systems are carried out by an external certifying body, using a range of tools and techniques. The assessment can either directly test that individual controls have been implemented correctly or recreate various attack scenarios. The testing covers all internet gateways, all servers providing services directly to unauthenticated internet-based users and user devices representative of ninety per cent of all user devices.
The Government is keen to stress that organisations that are good at cyber security can use this as a selling point – demonstrating to their customers through the Cyber Essentials badge that they take cyber security seriously.
Cyber Essentials is for all organisations, of all sizes, across all sectors – and all are encouraged to adopt the requirements as appropriate to their business. For organisations seeking to take part in Cyber Essentials the first step is to contact an accreditation body. The Government appoints accreditation bodies for both Cyber Essentials and Cyber Essentials Plus; these in turn appoint certification bodies who can certify organisations that comply with Cyber Essentials requirements. Costs for accreditation are set by the individual accreditation bodies who work in competition with each other. Organisations keen to retain their Cyber Essentials badge have to recertify at least once a year.
In the defence supply chain, good cyber security is now an essential component of success. The rigours of testing for Cyber Essentials Plus are certainly more likely to impress clients, and potential clients, than the self-assessment method of the simple Cyber Essentials badge. Nonetheless, taking cyber security seriously is the first step to ensuring that a company can be seen as one to do business with.
Cyber attacks are not going to go away, and in defence a business needs a reputation for cyber dependability to be successful.
For more information, visit: www.cyberessentials.org.uk