Following our explanation of the Cyber Essentials programme, we are going to go into more detail about the 80 question questionnaire and the type of information that is required.
A summary of the video is below
Business Structure and Devices
The first 25 questions are really just about your business: starting with the financials of your business, followed by the number of devices and machines in your business.
It then moves into questions about the structure of your company such as: How many premises do you have? Do you have anybody working from home?
That’s the one big change that a lot of people are going to find with the new questions. If you have employees who are working from home and especially if they're working from home very regularly, you're going to need to know what equipment they're using to connect to the Internet.
You will be asked about passwords, multi-factor authentication and device locking controls to make sure that these are in place and are sufficiently secure.
You will also be asked about malware protection on all devices to avoid the risk of viruses, worms and spyware causing damage to your systems and data.
Security updates are the other aspect to be aware of, making sure that software is kept up to date and fixes, patches and software updates are applied promptly.
Firewalls and Internet
After you've finished these 25 questions, the next five or six questions are focused around your firewall and your internet connection. Make sure that you have the means in place to keep your internet connection secure by preventing any dangerous or unnecessary network services being accessed from the Internet.
You can reduce the risk of cyber attacks by implementing restrictions that can block traffic from specified sources, destinations and types of communication protocol. You will need to ensure that you can apply the same restrictions to all members of staff regardless of their location. You also need to keep the firewall rules up to date and limit access to your firewall administration to essential staff only.
Processes and Policies
There is also a section about how you document all your processes as well. There's a lot of that throughout the questionnaire, where it asks, "have you thought about policies" or "do you document how you manage everything to do with your IT within your business". So, you need to be prepared to consider the way your processes are recorded and communicated with your team.
The final part of the questionnaire is really centered around IT processes in detail. This includes simple matters like having a policy in place when you come to off-boarding a person who leaves your business; do you have a document or a checklist for that?
There are also a lot of questions around applications including how you use them, how you distribute them, what applications you have, as well as questions around admin privileges: what and who in your organisation has administrative access to your system. It’s important to keep access to a minimum, giving each individual the permissions they need to do their job, but no more.
While these 80 questions may sound daunting, most of it is common sense and wise precautions. The implementation of most of the areas is not onerous, and if anything is proving difficult, there is plenty of help available to get you to the point where your business is secure and ready to pass the Cyber Essentials assessment.
