Cyber Essentials (CE) is a UK Government defined baseline that shows we meet a minimum standard for cyber security. It is an essential requirement for many contracts, including Higher Degree Apprenticeships and supports funding applications. At present, these are estimated to generate >£10m p.a. in income for University of Kent.
This year was more challenging due to changes in the requirements introduced in January. All hardware and software now must be listed and checked that it is still under support, and the way users authenticate has been strengthened. This has meant changing many computers and laptops over the last 6 months and updating a lot of software. The hard work and commitment of all IT support staff across all Academic divisions and Professional Service Departments to achieve this is very much appreciated.
There are 5 core elements to Cyber Essentials, summarised as:
- Firewalls
- Must be in place at the network boundary and configured for necessary services only.
- Must be enabled on every device and configured for necessary services only.
- Secure Configuration
- All unnecessary software removed
- Personal devices (Bring Your Own Device) now in scope
- User Access Control
- Minimum password strength increased
- MFA enabled for remote access and all cloud-based services
- Principles of “least privilege” and “need to know” enforced
- Malware Protection
- Installed and running on all devices
- Updated daily
- Scans daily
- Scans files on access
- Security Update Management
- Critical updates applied within 14 days of release
- All software must have active support – updates and patches
- Firmware and BIOS must be under active support
The full controls can be found by searching for “NCSC Cyber Essentials Requirements”
In the Cyber Compliance space, we are actively working towards Payment Card Industry Data Security Standard (PCI DSS) compliance and investigating CE Plus and the NCSC approved Cyber Assessment Framework.