Measuring Cyber Essentials: Windows Security Configuration

Measuring Compliance with standards is easy right?

Checking an environment configuration is one of those things where it’s easy to say and harder to do. If we take the cyber essentials standard and look at the requirements, they are quite different from say the CIS baselines. This alone makes for some fun, let’s investigate this further:

CIS baselines are based on a specific component e.g., Windows Server or Windows client and is contextually aware of roles: e.g., Domain Controller vs Member Server.

Is this registry key set?

Education

Creating a tracker and dashboard for Cyber Essentials

I was talking to a friend about a requirement to “measure” cyber essentials compliance. Now if you know a thing or two about standards and applying standards to complex technology environments you might come up with:

Can’t we just script a checker?
Don’t we have all the audit data in the *checks notes* 1000 inventory systems we have?

Well sure, you could write a massive set of rules which ignore any context and try and cater for a huge number of different scenarios. You could use the Q&A approach as well (which is how the standard workbook works anyway so that already exists). But let’s say you are an IT manager, and you want to KNOW how your environment stacks up!

The question is simple, it’s easy to ask, look:

“How compliant are we against Cyber Essentials?”

Guides

Cyber Essentials Readiness

So, you have a driver to achieve cyber essentials, great stuff. Now if you are a business of reasonable size and scale this activity requires a bit of planning, context and lots of access and data. This could be via a distributed team or via a dedicated project team. In this post I’m going to look at what you may need to conduct the planning, discovery, assessment, and certification for Cyber Essentials and/or CE+.

Guides

Cyber Essentials – Out of the Box

New machines means it’s easy right?

Ok, another post on cyber essentials! I talk about this quite a lot (mainly driven by procurement requirements rather than orgs expressing a deep desire to “have better security” (which is a shame)) however, I want to show people what the real world is like and that meeting cyber essentials is a good thing, but also to look at real world challenges of meeting the standards. In this post we look at some thought provoking questions, then we look at an out of the box Windows and MAC device to see if they meet the standard!