By Cyber Essentials (CE) is a government defined standard for cyber security, measured against a set of baseline controls. Certification demonstrates that the University meets (and in fact we actually exceed) those requirements.
CE is now a mandatory requirement for any organisation that has a contract with a UK Government department, and many grant awarding and research bodies are also now requesting it as part of the application process.
There are 5 control sets to implement:
- Firewall – a buffer between your computer and the internet, analysing incoming data to see if it should be allowed.
- Secure Settings – using strong passwords, turning off unused services, only installing applications when needed.
- Access Controls – Making sure all users have unique accounts, and are only able to access the areas they need to, restricting administrative privileges to those that need them.
- Protection – from virus and malware infection, by having up to date anti-virus software and only using software from reputable sources.
- Up to Date – applying software patches and updates to fix any known vulnerabilities, and only running licensed and supported versions of software. Hardware should also be supported for firmware updates, and replaced when these are no longer available from the manufacturer.
To achieve and maintain this certification we have to make sure all computers have the above controls implemented. It is a credit to IS staff and the teams who manage IT across Kent, including the School of Engineering and Digital Arts and School of Computing, that we have been able to achieve this.
It had originally been planned to achieve CE within the 2018 – 2019 academic year, but following the School of Economics’ successful bid to run an Apprenticeship scheme, working with the Civil Service, it was found necessary to seek accreditation sooner rather than later in the year.
The accreditation process consists of a questionnaire about implementation of the 5 control sets, and an external scan of the network to identify any vulnerabilities. A supplier was selected to carry out the assessment, and a date was booked for the scan.
The assessment questionnaire passed easily, but the scan reported multiple issues, and was scored as a “Fail”. This came as a surprise, given that we had recently (August) undergone a similar scan, and had mitigated any major vulnerabilities. Analysis of the scan report revealed that the majority of the “failures” were in fact “false positives”, due to the way RHEL applies updates without updating the version numbers.
The two actual failure items were due to the failure of an access control, which explains why they had not been picked up on the earlier scan – at that time those particular servers were not visible from outside Kent. It also helps to reinforce the case for annual testing – things can go wrong and we do not always notice!
Once the issues were resolved, a retest was booked. This confirmed that everything was as expected, and we were given a “Pass”.
How does this benefit Kent?
When applying for grant funding, or data sharing agreements with other organisations, we can prove that we take cyber security seriously and meet a nationally recognised standard.
The recent partnership between the School of Economics and the Civil Service for a degree-level Apprenticeship in economics is an example of where CE was stipulated as a requirement.
Researchers can be confident that we are taking care to protect their hard-earned, valuable research data.
Staff and students will know that their personal data is protected.
A Word of Caution!
Although we are CE certified, it does not mean that we can relax. Users should remain vigilant to attempts to compromise their accounts – phishing emails, suspicious websites, downloading “free” software or documents without verifying they are genuine and safe, etc. Despite all the security measures in place, which successfully block the majority of bad things, a few will still get through – no system is 100% secure.
What you can do to protect yourself:
- Be aware of phishing emails – if in doubt, contact the IT Service Desk or your local IT Technician, and do not click on links, open attachments or enter passwords.
- If you think you have fallen victim to phishing or malware, please let the Service Desk know immediately. They will help to manage the problem and limit any damage.
- Mobile devices should always be encrypted to an appropriate standard.
- USB sticks: you should only use a USB stick that has built-in (hardware) encryption.
- Passwords must not be shared.
- Sensitive data should be encrypted at all times, even when stored within the data centre.
- Keep your devices and software up to date – apply patches and updates when they are available. Enable automatic updates wherever possible.
- Use a good anti-virus product set to automatically update & scan at least once a day.