So, you have a driver to achieve Cyber Essentials, great stuff. Now, if you are a business of reasonable size and scale, this activity requires a bit of planning, context, and lots of access and data. This could be via a distributed team or via a dedicated project team. In this post I’m going to look at what you may need to conduct the planning, discovery, assessment, and certification for Cyber Essentials and/or CE+.
People and Skills
- A responsible owner for attesting to the accuracy and completeness of the statements made by the organisation
- Has the CE compliance project team read and understood the CE standards and guidance?
Scoping CE for the org
Do you have the following?
- An up-to-date and accurate register of all physical locations where devices are used (home locations can be grouped)
- An up-to-date asset inventory register which includes:
  - Device Name, Serial Number, Owner, Assigned Person, Manufacturer, Model (this covers routers, switches, firewalls, UPSs, Door Access Control Servers, CCTV Controllers, Network Connected Alarm Systems etc., plus PC Devices, Mobile Devices, Tablets, Firewalls and Servers – essentially anything that can connect to the internet, i.e., not devices that are air gapped)
- Administrator or root credentials for the assets?
- An up-to-date and complete network topology diagram/matrix including:
  - Layer 1, Layer 2, and Layer 3 information
  - A list of all network subnets
  - A list of all network assets including their MAC addresses and IP addresses
- A contact list of key contacts and personnel
- A list of all corporate cloud services in use for business purposes
- Security Auditor Access to any management systems e.g., Microsoft Endpoint Manager, Azure, Office 365, Active Directory, SCCM
- Security Auditor Access to cloud services for Line of Business services e.g., CRM, ERP, Finance, HR etc.
Endpoint Management & RMM Tools
- Gain access to endpoint management and remote management and monitoring capabilities (e.g., MEM, MDE, RMM)
EDR or similar vulnerability management system
- Access to vulnerability management tools e.g., Nexpose, Tenable.io, Qualys, MDE etc.
If using MDE, ensure that the vulnerability scanning appliance has been deployed.
Independent Network Scanning
To check that the devices actually connected to the network match the “view” held by the management systems, it’s important to run independent network scanning.
- Deployment of one or multiple network scanners to run Nessus Pro. This may be via VPN, a physical device, or a virtual machine
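Reconciling the two views is where the asset register fields listed under scoping (MAC, IP, serial, owner) earn their keep. The following is an added example, not code from the original post: it takes a constructed asset register export and a constructed set of independent scan results, flags register entries that are missing the fields needed for scoping, and then reports devices the scanner saw that the register does not know about, register entries the scanner never saw, and MAC/IP disagreements between the two. The record shapes and field names are assumptions for the example, not the export format of any particular CMDB, endpoint manager or scanner.

```python
"""Reconcile an asset register against independent network scan results.

The sample records below are constructed for this example; the field names
are assumptions, not the export format of any particular management tool.
"""

# Fields a register entry needs before it can be scoped for CE.
# "assigned_to" is deliberately not required: shared infrastructure
# (firewalls, CCTV controllers, UPSs) has an owner but no assigned person.
REQUIRED_FIELDS = ("name", "serial", "owner", "manufacturer", "model", "mac", "ip")

# Constructed sample register (think: CMDB / endpoint manager export).
ASSET_REGISTER = [
    {"name": "LT-0001", "serial": "SN1001", "owner": "IT", "assigned_to": "a.smith",
     "manufacturer": "Dell", "model": "Latitude 5530",
     "mac": "AA:BB:CC:00:00:01", "ip": "10.0.1.21"},
    {"name": "FW-EDGE", "serial": "SN2001", "owner": "IT", "assigned_to": "",
     "manufacturer": "Fortinet", "model": "FG-60F",
     "mac": "AA:BB:CC:00:00:02", "ip": "10.0.0.1"},
    {"name": "CCTV-CTRL", "serial": "", "owner": "Facilities", "assigned_to": "",
     "manufacturer": "Hikvision", "model": "DS-7608",
     "mac": "aa-bb-cc-00-00-03", "ip": "10.0.5.10"},   # serial missing, odd MAC format
    {"name": "TB-0002", "serial": "SN3002", "owner": "IT", "assigned_to": "b.jones",
     "manufacturer": "Apple", "model": "iPad 9",
     "mac": "AA:BB:CC:00:00:04", "ip": "10.0.1.40"},   # registered, but not on the network today
]

# Constructed sample of what an independent scan of the corporate subnets saw.
SCAN_RESULTS = [
    {"ip": "10.0.1.21", "mac": "AA:BB:CC:00:00:01"},
    {"ip": "10.0.0.1", "mac": "AA:BB:CC:00:00:02"},
    {"ip": "10.0.5.11", "mac": "AA:BB:CC:00:00:03"},   # known MAC, different IP
    {"ip": "10.0.1.77", "mac": "AA:BB:CC:00:00:09"},   # not in the register at all
]


def normalise_mac(mac: str) -> str:
    """Canonicalise a MAC so different tools' formats compare equal."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12 or any(ch not in "0123456789ABCDEF" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def incomplete_records(register):
    """Return (name, [missing fields]) for entries that cannot be scoped yet."""
    findings = []
    for entry in register:
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            findings.append((entry.get("name", "<unnamed>"), missing))
    return findings


def reconcile(register, scan):
    """Compare the management-system view (register) with the network view (scan).

    Returns a dict of three sorted lists:
      unmanaged   - (mac, ip) seen on the network but absent from the register
      not_seen    - register entries whose MAC never appeared in the scan
      ip_mismatch - (name, register_ip, scanned_ip) where the MAC matched but the IP did not
    """
    by_mac = {normalise_mac(e["mac"]): e for e in register if e.get("mac")}
    seen, unmanaged, ip_mismatch = set(), [], []
    for host in scan:
        mac = normalise_mac(host["mac"])
        seen.add(mac)
        entry = by_mac.get(mac)
        if entry is None:
            unmanaged.append((mac, host["ip"]))
        elif entry["ip"] != host["ip"]:
            ip_mismatch.append((entry["name"], entry["ip"], host["ip"]))
    not_seen = [e["name"] for mac, e in by_mac.items() if mac not in seen]
    return {
        "unmanaged": sorted(unmanaged),
        "not_seen": sorted(not_seen),
        "ip_mismatch": sorted(ip_mismatch),
    }


if __name__ == "__main__":
    for name, missing in incomplete_records(ASSET_REGISTER):
        print(f"register entry {name} is missing: {', '.join(missing)}")
    report = reconcile(ASSET_REGISTER, SCAN_RESULTS)
    for key, rows in report.items():
        print(f"{key}: {rows}")
```

Devices in the "unmanaged" list are the ones that matter most for scoping: they can reach the internet but nothing in the management stack knows about them, so they will be missing from patching, malware protection and configuration evidence. Entries in "not_seen" are usually off-site or powered-off devices, but a persistently unseen device is worth chasing for the same reason.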
Key Areas to Audit
- Network Audit
  - Corporate Network
  - Customer Services Networks
  - Remote Networks (e.g., Home/Remote Workers)
- Device Audit
  - Remote/Bring Your Own Device
- Cloud Audit
  - Secure configuration
  - User access control
  - Malware protection
  - Security update management
Example Project Schedule
- Stand Up Project Team
- Collect, curate, and audit the environment against the Cyber Essentials standard using the CE workbook.
- Identify alignment and areas of noncompliance
- Identify effort for remediation per requirement
- Identify remedial action owners, timeframes, requirements, dependencies, and constraints
- Conduct remediation activities
- Audit and monitor for compliance
- Complete self-assessment
- Schedule CE+ (Optional)
This isn’t a detailed step-by-step guide for CE/CE+, but it does give you an idea of how to go about forming a project and understanding an environment at scale. It really does depend on your estate and the current maturity of your processes and capabilities. Organisations with mature capabilities and processes will likely have an easier time; however, getting “the whole” assessed, let alone remediated, can take considerable time. Don’t underestimate this, but as I said, your mileage will vary (a lot!)