Achieving HM Cyber Essentials through Self-Assessment – Part 3

If you missed parts 1 and 2 of our series about HM Cyber Essentials, you can read those here and here.

Part 3 – The 10 Steps to Cyber Security


Step 1

explains why an information risk management regime is central to an organisation’s overall cyber security strategy, as organisations continue to rely on technology, systems and information. Information security risks need to be assessed just as any other risk would be when they can have a material impact on a business.

Step 2

explains why identifying baseline builds for technologies ensures that management can improve the security of a company’s systems. Strategies need to be developed to remove or disable unnecessary functionality from systems and to repair known vulnerabilities. Failing to do this is likely to increase risk and lead to the compromise of a company’s systems and information.

Step 3

addresses the connections from a company’s networks to the Internet and to other networks, which expose its systems and technologies to attack. By creating and implementing basic policies and the appropriate architectural and technical responses, a company can reduce the chances of such attacks being successful, or causing harm, to the organisation.

Step 4

suggests that when users are provided with unnecessary system privileges or access to important data, the impact of misuse or compromise will be more severe. Users should be provided with only the level of system rights and privileges needed for them to accomplish their role. It is also important that highly elevated system privileges are controlled and managed carefully.

Step 5

explains that users play a critical role in their organisation’s security, and therefore it is important that the security rules and the technology they are provided with enable everyone to do their job properly and to help keep the organisation secure. This can be accomplished by the systematic delivery of awareness programmes and specific training to build security expertise and help establish a security-conscious culture.

Step 6

recognises that all organisations will occasionally experience security incidents, and therefore requires investment in establishing effective incident management policies and processes. This will help improve resilience, support business continuity, and improve customer and stakeholder confidence.

Step 7

defines malicious software, or malware, as an umbrella term that covers any code or content that might have a malicious or undesirable impact on a company’s systems. Every exchange of information carries some degree of risk that malware could be exchanged with it; that risk can be reduced by implementing the appropriate security controls. This should be part of an overall ‘defence in depth’ approach that keeps systems and services from being seriously impacted.

Step 8

involves system monitoring, which provides the capability to detect actual or attempted attacks. It states that good monitoring is essential to responding effectively to these attacks. System monitoring also allows a business to ensure that systems are being used appropriately and in accordance with organisational policies. Monitoring can often also be a key capability for demonstrating compliance with legal or regulatory requirements.

Step 9

addresses removable media, which can provide a common route for introducing malware and creates the potential for accidental or deliberate export of sensitive company data. Appropriate security controls should be applied to all removable media.

Step 10

involves the use of mobile working and remote system access. Even though these offer great business benefits, they introduce new risks which need to be managed. Companies need to establish risk-based policies and procedures which support mobile working or remote access to company systems.
