The Standard for people-driven cyber and data security

The Cyber Primed Standard

1.1  Risk Register

The Risk Register should ideally be one document, but may comprise several linked documents. Where multiple documents make up the risk register, they must clearly link or signpost to one another so that anyone who has access to the risk register has immediate access to all of the following information:

1.1-1  
Name of the Board member responsible for the maintenance of the register, together with any other person who has day-to-day/operational responsibility on behalf of the Board member.

1.1-2    
Date that the register was produced.

1.1-3     
Nature of each Risk: A brief description of the risk.

1.1-4  
Individual Risk Scores: The scores for likelihood and impact for each risk (‘1’ is low, ‘5’ is high).

1.1-5
The Overall Risk Score for each risk: likelihood multiplied by impact.

1.1-6  
The Risk Level: For each risk; high, medium or low.

1.1-7  
Action Taken: For each risk; brief summary of the action taken to prevent / mitigate (this may include references to individual policies or procedures).

1.1-8
Person Responsible: The name and job title of the individual with particular responsibility for the preventive / mitigation actions for each of the risks.

1.1-9 
Review Dates: The date of last review of the Risk Register.

1.1-10  
Review Outcomes: The outcome of the last review together with any remedial action taken.

1.1-11  
Board Report Date: Date when the outcome of the review was reported in writing to the Board.

1.1-12
There must be a breach register. It must be available (either as an appendix to the risk register or linked to the risk register via clear signposting) and visible to all members of the Board and to all persons designated as having breach reporting or breach mitigating roles.

1.1-13   
The breach register must include the name of the Board member responsible for the maintenance of the register, together with any other person who has day-to-day/operational responsibility on behalf of the Board member.

1.1-14 
The breach register must include the date that the register was produced and the date of the last review.

1.1-15   
In respect of each breach recorded on the breach register, there must be recorded: The individual breach reference code/number.

1.1-16  
In respect of each breach recorded on the breach register, there must be recorded: Date of breach occurrence.

1.1-17     
In respect of each breach recorded on the breach register, there must be recorded:  Date breach reported to Data Protection Officer (or other appropriate person).

1.1-18  
In respect of each breach recorded on the breach register, there must be recorded:  Reported by (name).

1.1-19    
In respect of each breach recorded on the breach register, there must be recorded: Description of breach.

1.1-20   
In respect of each breach recorded on the breach register, there must be recorded:  Breach due to human error?

1.1-21   
In respect of each breach recorded on the breach register, there must be recorded: Description of breach impact including internal and external persons and entities affected, and score of impact (where 1 is low and 5 is high).

1.1-22
In respect of each breach recorded on the breach register, there must be recorded:  The areas of the organisation that were affected, with detail recorded as to the level of impact for each of the affected areas.

1.1-23    
In respect of each breach recorded on the breach register, there must be recorded: Mitigating action taken.

1.1-24    
In respect of each breach recorded on the breach register, there must be recorded: Date reported to regulator (if required).

1.1-25    
In respect of each breach recorded on the breach register, there must be recorded:  Date reported to insurer (if required).

1.1-26  
In respect of each breach recorded on the breach register, there must be recorded:  Date of review of the breach by the Board.

1.2 Business Continuity Plan
The organisation must have a Business Continuity Plan. The exact content of a Business Continuity Plan is for individual organisations to decide, but in order to obtain Cyber Primed, an organisation will meet at least the following requirements with regard to its Business Continuity Plan.
The Business Continuity Plan must be retained in a location where it can be accessed by, as a minimum, all of the people named in ‘1.2-3'.
1.2-1
Name of the Board member responsible, together with any other person who has day-to-day/operational responsibility on behalf of the Board member.
1.2-2
Date that the plan was produced.
1.2-3
The names of individuals with key roles in the implementation of the plan.
1.2-4
Details of any specific specialist training that is, or may be, required by individuals with key roles in the implementation of the plan.
1.2-5
Details of each of the risks that would cause an interruption to the operation of the organisation.
1.2-6
Scoring of each risk (likelihood of occurrence X impact).
1.2-7
Details as to actions to be taken in the event of an interruption occurring.
1.2-8
A clear description as to how and when all members of the organisation will be made aware of the key elements of the plan, including: the individuals with key roles in its implementation; the roles and responsibilities expected of each individual in the organisation should the plan be activated; and 'refresher' updating and informing of organisational staff (which is to take place at least annually, with a documented report on the outcome).
1.2-9
A clear description of the ‘communication tree’ (i.e., the routes through which all people within the organisation are informed of any incident that has caused an interruption to operations and through which all individuals will be informed when the interruption has ceased and its cause(s) resolved).
1.2-10
A clear description as to how communications will be maintained during the disruption, according to the type of disruption.
1.2-11
Details of prioritisation of recovery requirements; e.g., finding alternative premises; establishing a safe IT and telecommunications network; replacing key equipment that has been lost/stolen/damaged.
1.2-12
A list of organisations or individuals that need to be informed in the case of the disruption (e.g. indemnity insurers) including their names, telephone numbers, email addresses, website addresses (where applicable) and reference numbers.
1.2-13
Details as to how and when the plan will be tested on a regular basis (at least twice a year in the case of aspects of the plan relating to cyber and IT security).
1.2-14
Procedures to ensure that the outcomes of the tests will be documented and reported to the Board.
1.2-15
Procedures to ensure that any remedial or corrective actions identified following a test of the plan are implemented within a specified time frame (not more than one month) and that a documented report is provided to the Board.
1.2-16
Details as to how a disruption will be analysed by the Board and the outcomes documented.
1.2-17
Procedures to ensure that the plan is subjected to a documented review by the Board not less frequently than every 6 months (or sooner, on an ad hoc basis, if the need arises), with records kept of the review and of any subsequent corrective actions that may be required.
1.3 Compliance Plan
The organisation must have a Compliance Plan. The exact content of a Compliance Plan is for individual organisations to decide, but in order to obtain Cyber Primed, an organisation will meet at least the following requirements with regard to its Compliance Plan.
 
 The Compliance Plan must be retained in a location where it can be accessed by, as a minimum, all members of the Board and any other persons who are responsible for monitoring or managing compliance activity.
 
1.3-1
Name of the Board member responsible, together with any other person who has day-to-day/operational responsibility on behalf of the Board member.
 
1.3-2
Date that the plan was produced.
 
1.3-3
Details of individual legislative and regulatory requirements with regard to data and cyber protection.
 
1.3-4
Details of policies and/or procedures that relate to each of the legislative and regulatory requirements, and to any requirements imposed by insurers or by contracts with third parties. This could be achieved by inserting hyperlinks from the Compliance Plan to the relevant policies and procedures, but in any case these must be clearly signposted so that anybody with access to the Plan has access to all of the information in the Plan.
 
1.3-5
Metrics by which the organisation will measure its compliance with the requirements set out in '1.3-4' above; e.g. the number of data breaches that it has, and whether or not those caused by human error are being reduced.
 
1.3-6
Date of the last review of the Plan (this must be done at least annually and the outcomes documented).
 
1.3-7
Procedure for conducting the regular reviews and providing documented reports on the outcomes of those reviews.
 
1.3-8
Procedure to ensure that the Board receives and reviews the documented reports on the outcomes of the Compliance Plan reviews.
1.4 Hardware/Software Purchase and Update Plan
The Hardware / Software Purchase and Update Plan must include:
 
1.4-1
Name of the Board member responsible for the implementation and maintenance of the plan, together with any other person who has day-to-day/operational responsibility on behalf of the Board member.
 
1.4-2
Date that the plan was produced.
 
1.4-3
Details of planned purchases of software and hardware together with budget allocation.
 
1.4-4
Details of purchases made, including the supplier, the specifications and the costs.
 
1.4-5
Date of last review.
 
1.4-6
Outcome of last review.
 
1.4-7
Date of written progress report to the Board.
1.5 Training Plan
The Training Plan must include:
 
1.5-1
Name of the Board member responsible, together with any other person who has day-to-day/operational responsibility on behalf of the Board member.
 
1.5-2
Date that the plan was produced.
 
1.5-3
Details of planned cyber security training including the method of delivery and the person/entity delivering it.
 
1.5-4
Budget allocated for individual training events.
 
1.5-5
Details as to when training is to be completed.
 
1.5-6
Date of last review of the Training Plan.
 
1.5-7
Outcome of last review of the Training Plan.
 
1.5-8
Date of written progress report to the Board.

2.1 Cyber and Information Risk Management Policy
This is the overarching policy that describes the organisation’s approach, strategy and procedures to protect it from cybercrime and cyber-attacks.

Cyber Primed requires documented policies to fully address and satisfy the following measures:

2.1-1
Managing and protecting all of its information assets.

2.1-2
Must be strictly implemented.

2.1-3
Must be regularly reviewed.

2.1-4
Must be updated as required in the light of changes to legislative and regulatory requirements and to cyber-attack trends.

2.1-5
The structure of the organisation’s Cyber and Information Risk Management Framework.

2.1-6
Individual responsibilities.

2.1-7
Reporting structures.

2.1-8
The policy must have links to the other mandatory policies required by Cyber Primed.

2.1-9
Explain the organisation’s approach to strategic risks including financial and reputational.

2.1-10
Explain the organisation’s approach to operational risks.

2.1-11
Explain the organisation’s approach to regulatory risks.

2.1-12
Explain the organisation’s approach to compliance risks, e.g. the Data Protection Act and any other legislative or regulatory requirements.

2.1-13
The approach must include a statement defining those risks to the organisation's information assets which, were they to occur, would be considered 'acceptable' in the light of the pursuit of business objectives and which, whilst undesirable, are capable of being managed through insurance and the payment of claims excesses.

2.1-14
Develops, maintains, and reviews an Information Risk Register, which can be a stand-alone register or part of the organisation’s wider Risk Register.

2.1-15
Enters into and maintains knowledge sharing partnerships with other organisations and law enforcement agencies e.g. (not exhaustive) Action Fraud and NCSC.

2.1-16
The policy is linked to the risk register. Cyber attack must be documented in the corporate risk register and regularly reviewed.

2.1-17
The policy is linked to the compliance plan.

2.1-18
There must be regular staff training and updating sessions in relation to cyber issues.

2.1-19
The training will form part of a documented training plan, which could be executed in various ways including (the list is not exhaustive): formal large or small group training sessions, 1-2-1 coaching, webinars and team meetings.

2.1-20
Every procedure within the Cyber Risk Management Framework is subjected to a documented review at least twice a year, and each review is presented to, and considered by, the Board. There will be documentary evidence that the Board has considered the reviews. Where the organisation feels it appropriate, some procedures may be reviewed with greater frequency, e.g., quarterly.

2.1-21
The policy must include consideration by the Board, at least annually and more frequently if considered appropriate, of the organisation's progress towards achieving recognised standards.

2.1-22
(Optional) - include as appendices all of the other relevant policies and required documented procedures.

2.2  Data Protection Policy

This policy describes the organisation’s approach to complying with data protection legislation, and in particular the General Data Protection Regulation (GDPR) and other related legislation.

Cyber Primed requires documented policies to fully address and satisfy the following measures:

2.2-1
Compile a detailed list of all of the organisation’s information assets (and, if the organisation is in possession of any information assets belonging to employees, job applicants, sub-contractors, customers or clients, these must be included in the list), including all electronic and ‘hard copy' assets.

2.2-2
A clear description of the risks to those assets e.g., theft, loss, damage through fire or flood, hacking, etc.

2.2-3
The likelihood of risks occurring.

2.2-4
The impact of any individual risk should it occur.

2.2-5
The steps taken by the organisation to protect all of its information assets.

2.2-6
Instructions for keeping passwords and password information, with reference to the User Identification Policy (2.9 of the Cyber Primed standard).

2.2-7
Computers will be set to automatically lock and log off when staff are away from their desks.

2.2-8
The staff member’s password will be required to unlock the computer.

2.2-9
Shred confidential paper waste.

2.2-10
Securely store hardcopy personal information when not being used.

2.2-11
Confidential information (including information written on Post-it notes) is not left unattended on desks or any other workspaces, and all reasonable care is taken to prevent confidential information being visible whilst the worker is at their workstation. This also applies to workspaces at the worker's home, at clients' offices, on trains and in any public environment.

2.2-12
Passwords and user account information must never be written down anywhere.

2.2-13
Visitors must sign in and out of the premises and must be accompanied at all times when in areas/rooms that contain information security assets.

2.2-14
Any breaches of security will be reported to the organisation’s Data Protection Officer or other appropriate person as soon as the breaches are discovered.

2.2-15
There will be training at least every 6 months for all staff to ensure that their knowledge of data protection and security is maintained.

2.2-16
Every induction will include detailed explanation of the Data Protection Policy.

2.2-17
Breaches of the policy may be dealt with under the organisation’s discipline procedures.

2.2-18
(Optional) All data and information about the organisation and its customers/clients will be treated as strictly confidential and will not be released to anyone outside the organisation; the organisation may also decide that such information is released to people within the organisation only on a 'need to know' basis.

2.2-19
(Optional) Explain to clients, customers and others about whom the organisation may retain confidential information that the information is retained and the purpose of its retention.

2.2-20
(Optional) Notify people whose personal information is retained by the organisation when there is a change of business use for that information.

2.2-21
(Optional) Ensure that any new information is updated promptly.

2.2-22
(Optional) Personal information about anyone must not be disclosed over the telephone unless the identity of the person requesting the information has been thoroughly verified.

2.2-23
(Optional) Ensure that, before personal information is provided to anyone outside the organisation, the identity of the other person has been clearly established and that their reason for requiring the information is legitimate and in line with the organisation's purpose for retaining it.

2.2-24
(Optional) Limit the amount of personal information given over the telephone and follow up with written confirmation if required.

2.2-25
(Optional) People have a right to a copy of the personal information that an organisation holds about them.

2.2-26
(Optional) Customer and employee records must not be released without their consent.

2.3 Acceptable Use Policy
This policy describes what is and what is not acceptable use of the organisation’s ICT facilities and devices.

Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.3-1
Clear outline of what is acceptable and unacceptable use.

2.3-2
Whether or when organisational Internet and network facilities may or may not be used for personal reasons.

2.3-3
If personal use is permitted, what limitations are imposed, e.g. only during lunch breaks and outside of business hours.

2.3-4
Whether or not the organisation provides separate and unconnected machines for personnel to have ‘out of hours’ Internet access.

2.3-5
The types of websites that are and are not permitted.

2.3-6
Procedures for monitoring use of ICT facilities and devices.

2.3-7
Actions to be taken by individuals who suspect misuse of organisational facilities.

2.3-8
The disciplinary consequences for misuse or unacceptable use.

2.4 E Mail Policy
This policy explains the organisation’s approach to the use of email.

Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.4-1
Prohibits the use of business email by staff to send or receive personal emails.

2.4-2
Email etiquette (e.g. using capital letters might appear as shouting).

2.4-3
Instruction as to how documents must be sent by email, such as PDF, encryption etc.

2.4-4
Instruction on opening attachments within emails; not to be opened unless the email is from a trusted source and is expected.

2.4-5
Instruction on opening emails from unknown sources; the default position must be that they are not opened and are deleted, or, as a minimum, that they are reported to the IT manager or a member of the IT team and their advice is sought before proceeding to open the email.

2.4-6
Guidance on opening emails from known sources, but which are not expected and appear to contain unusual material or requests.

2.4-7
Rules on the storage of emails electronically and, where appropriate, hard copies of them.

2.4-8
Rules on the labelling of emails, particularly when replying to someone, so that the content of individual emails can be quickly ascertained should the information be required in the future.

2.4-9
Instruction on the deletion of emails after specific times and the methodology for the deletion.

2.4-10
Email addresses not to be provided to others via social media; this is to assist in the prevention of ‘social engineering’.

2.4-11
When someone leaves the organisation for any reason, their email account is immediately closed and all of the emails in the account (incoming, outgoing and deleted) are checked.

2.4-12
That the organisation shall constantly monitor staff email activity and the organisation’s methodology for doing so.

2.4-13
The organisation reserves the right to invoke the discipline procedures to deal with any breaches of this policy.

2.5 Internet Use Policy

This policy describes the organisation’s approach to the use of the Internet for business purposes and on its premises. Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.5-1
Whether or not it is permitted for individuals to go on to the Internet for personal use using the organisation’s facilities and devices.

2.5-2
Whether or not the organisation provides separate Internet facilities for individuals to use for personal purposes.

2.5-3
If it is permitted for individuals to use the Internet for personal purposes using organisational facilities and devices, the times during which they may do so, e.g., lunchtimes or before/after office/business hours.

2.5-4
The types of content or types of website that are strictly prohibited.

2.5-5
The person to whom any reports of suspicious content must be made.

2.5-6
The fact that any individual connecting to the Internet for personal or private purposes who finds themselves connected to, or being contacted by, a website with actual or suspected malicious or prohibited content must immediately disconnect and report to the appropriate person.

2.5-7
That the organisation shall constantly monitor staff Internet activity and the organisation’s methodology for doing so.

2.5-8
The disciplinary consequences of not complying with this policy.

2.6 Social Media Policy
This policy deals with the organisation’s approach to the use of social media for business purposes and also the use of such media privately by members of the organisation. Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.6-1
Only authorised staff or external agencies may use social media on behalf of the organisation and in compliance with the organisation’s templates for social media communications.

2.6-2
Staff use of personal social media is not allowed on any of the organisation’s devices.

2.6-3
The danger of informing others on social media about who an individual works for, their position, and other details regarding their professional network. This kind of information is valuable to, and sought by, scammers and other people seeking to steal from an organisation and/or breach its security in some way.

2.6-4
The organisation reserves the right to invoke the discipline procedures to deal with any breaches of this policy.

 2.6-5
(Optional) [Where applicable] any personal social media communication undertaken on the organisation’s premises can only take place on the separate devices provided by the organisation that are not connected to the organisation’s network in any way.

2.7 Internet Security Policy
This policy deals with the organisation’s approach to ensuring Internet security and protection, particularly focusing on prevention of malware infection and the use of antivirus protection.

Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.7-1
Make reference to the procedures relating to secure configuration.

2.7-2
Make reference to the procedures relating to patching.

2.7-3
List acceptable devices, applications, websites, and operating systems.

2.7-4
List and prohibit known malicious or suspicious websites.

2.7-5
Describe how the organisation uses constant scanning to identify actual or potential malware.

2.7-6
Indicate the antivirus protection that is used by the organisation.

2.7-7
Describe the provision of stand-alone scanning devices.

2.7-8
Describe the approach to setting up Virtual Private Networks (VPN) for individuals working from home or away from the organisation’s premises. Or, if all staff activity is conducted via portals, the approach to this must be clearly set out.

2.7-9
Describe the fact that all electronic information in and out of the organisation goes through a single point that is constantly scanned.

2.8 Network Monitoring Policy
This policy deals with the organisation’s approach to monitoring of the network, its users, and devices.

Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.8-1
The organisation constantly monitors all users, ICT equipment, and the network.

2.8-2
Any information gathered as a result of monitoring is strictly confidential and where it involves personal information, there is a description of how that information will be used and stored.

2.8-3
Any misuse or abuse of the organisation’s ICT systems or devices will be considered in the light of the Disciplinary Procedures.

2.9 User Identification Policy
This policy deals with the allocation of various administrative and other privileges, and the allocation of passwords.

Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.9-1
All users and their accounts will be identified, recorded and retained.

2.9-2
Identify those who have privileged accounts.

2.9-3
User access and network traffic is under constant monitoring and review.

2.9-4
Passwords must either be changed more frequently than every 90 days, or be managed using a 'password vault' (or similar). In any case, they must be changed immediately if it is believed that any have been compromised.

2.9-5
Individuals must never share their passwords with anyone.

2.9-6
Whether individuals can select their own passwords or whether they are allocated by the system. If individuals can select their own passwords, the minimum requirements for such passwords.

2.10 Whistleblowing Policy
This policy describes how individuals can report actual or suspicious issues and/or persons without fear of recrimination or harassment.

Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.10-1
The general circumstances that could give cause for concern on the part of an individual, to the extent that they feel the organisation must be made aware of an issue, issues or individual(s).

2.10-2
The person with whom such concerns must be raised; there must be an alternative person to whom the concerns can be raised in case the person with whom concerns would normally be raised is the person causing the concern.

2.10-3
The procedure that an individual must follow when raising a concern.

2.10-4
The process that is used after a concern has been raised.

2.10-5
The actions that could be taken in relation to the concern.

2.10-6
The feedback procedure.

2.11 Incident Response and Management Policy
This policy describes the organisation’s approach to dealing with, and managing, incidents such as, security breaches, infection with malware and/or ransomware, and denial of service attacks.

Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.11-1
A description of, or links to, the plans and procedures for dealing with incidents.

2.11-2
The organisation will take steps to ensure that incident management procedures follow recognised guidelines for example, ISO 22301.

2.11-3
The identification of the individuals with specific responsibilities for managing incidents.

2.11-4
Individuals with specific responsibility for managing any incident will receive appropriate training to enable them to fulfil those roles.

2.11-5
Where an individual has a ‘normal’ role within the organisation and also a specific responsibility within an incident management situation, they must ensure that the equipment used for the incident management is that which is authorised for such use.

2.11-6
Where an individual has a dual role, they must ensure that their incident management role takes priority when an incident occurs.

2.11-7
Where an incident occurs that requires reporting to a regulatory or other external body, this will be done as a priority, and will be done immediately if the incident could result in loss, damage or danger to an individual or to any other organisation.

2.11-8
Where an incident occurs, the head of the incident management team will liaise directly with the Chief Executive/Managing Director/Chairman, and it must be recognised that the instructions of the incident management team take priority over any other instruction during the course of an incident.

2.12 Home Working Policy
This policy deals with working at home and elsewhere away from the organisation’s premises together with the use of personal devices for business purposes.

Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.12-1
All devices must be password protected whether they belong to the organisation or to the individual employee.

2.12-2
[Where applicable] only devices supplied by the organisation may be used for home and/or mobile working. This is because these devices are specifically configured to connect only to the organisation's network.

2.12-3
[Where applicable] where individuals use their own devices, these devices must be registered with the organisation's IT department and recorded on the organisation's information asset register, and any home-based or mobile working outputs must be immediately transferred to the individual's electronic folders held within the organisational network.

2.12-4
When working from home, using equipment supplied by the organisation, no other person, including family members, may use the equipment.

2.12-5
When working from home using the individual employee’s own equipment, all confidential information must be protected from all other persons, including the employee’s family. The employee must log out of any VPN or portal connection to the organisation’s network before allowing any other person in the household to use their equipment. Further, if the work has involved any Internet browsers, the temporary data/internet cache must be deleted before any other person in the household may use the equipment.

2.12-6
When working from home or in a mobile environment, individuals must ensure that this work is conducted in absolute privacy and secrecy and that no one else is allowed to, or is able to, read or hear any communication in relation to that work.

2.12-7
When working in public places (e.g. trains and planes) it is very difficult to ensure absolute privacy and secrecy and not be overlooked, but individuals must still ensure that this is achieved, even if it means not undertaking work that was intended during that period.

2.12-8
Access codes must never be revealed in a public place.

2.12-9
When working in public places, devices must not be left unattended; if for any reason this is unavoidable, the device must be switched off (not merely locked or put to sleep) before it is left.

2.12-10
When working remotely, if any work is printed out, the individual must ensure that the product is kept securely and out of sight of anyone else. Wherever possible individuals must not print out their work other than on the organisation’s premises.

2.12-11
[Where applicable to an individual organisation] only removable media issued by the organisation may be used for its business.

2.12-12
[Where applicable to an individual organisation] it is not permitted for any individual to use their own device for business use.

2.12-13
[Where applicable to an individual organisation] where an individual believes that it is necessary to have a data stick, they must obtain one belonging to the organisation from the IT department, and only these may be used. If there is a need to download data onto a data stick, the stick must be presented to the IT department before it is inserted into any device within the organisation’s premises, so that it can be checked for viruses or other undesirable software on a standalone scanning device.

2.12-14
Where an individual is authorised for home working and to use their own devices in doing so, they must ensure that their devices are protected by approved security software and that the software’s virus and malware definitions are kept up to date (e.g. by running its update function before each working session).

2.12-15
[Where individuals are authorised to work from home] they must be aware of, and prevent, people listening to any business discussion or seeing any documentation relating to the business.

2.12-16
[Where individuals are allowed to use their own devices] they may only connect to the organisation’s network through a designated and configured Virtual Private Network (VPN).

2.12-17
Where individuals are working from home, wherever possible they must not print any documentation at home, and must, whenever possible, send any document for printing through the VPN to a secretary or another colleague for printing.

2.12-18
When working from home, if it is absolutely necessary and unavoidable to print a document, it must not be printed on a printer connected to the computer via Wi-Fi; the printer must be ‘hardwired’ to the computer. The same principle applies to using ‘document scanners’.

2.12-19
When working from home, individuals must not engage in any social media activity until business work has been completed and any VPN connection has been terminated.

2.12-20
Any use by any individual of removable media for business other than when authorised, or in such circumstances using a media that is not authorised, can result in serious disciplinary consequences.

2.12-21
Equipment that has been used for business purposes may not under any circumstances be loaned to, sold to, or in any other respect given to anyone else.

2.12-22
If there is a need to give any business ICT equipment to a colleague, this must be approved beforehand and centrally recorded.

2.13 Bring Your Own Device (BYOD) Policy
This policy deals with the approach taken to individual employees using their own devices and equipment for the organisation’s business.

2.13-1
This document is mandatory. In it, organisations must set out how they follow the NCSC (part of GCHQ) BYOD guidance. NCSC guidance also covers some aspects of home working and may be used for that purpose.

2.14 Removable Media Policy
This policy deals with the approach to the use of all forms of removable media for business purposes, and generally for such media within the organisation’s premises. Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.14-1
Indicate whether or not the organisation permits individuals to use removable media for business purposes.

2.14-2
Where removable media is used, the actual media and those who can use it are identified.

2.14-3
If some removable media is authorised and other types not, make clear which is which, e.g., MP3 players and USB data sticks.

2.14-4
Set out the disciplinary consequences for people who use unauthorised removable media, who copy information onto such media without authorisation, or who use removable media when they are not authorised to do so.

2.15 End User Policy
This policy explains the organisation’s approach to the use and protection of end-user (‘endpoint’) equipment, i.e. equipment at the edge of the system or network.

Cyber Primed requires documented policies to fully address and satisfy the following measures.

2.15-1
Any IT equipment that is used for the organisation’s business must have been registered by the organisation for that purpose.

2.15-2
All equipment will be regularly scanned to ensure that it has up-to-date patches and updates.

2.15-3
The term ‘equipment’ applies to anything that is connected to the organisation’s network, including printers, remote environmental controllers and anything else that is connected, even if it is not used directly to develop and/or reproduce business documentation and information.

2.16 Cloud Access and Use Policy
Cyber Primed requires that organisations have in place written governance and procedures for the implementation, access, use and monitoring of cloud based resources. The policy must describe the fact that the organisation is keen to work with individuals and departments to assist them in the selection and use of apps which they feel will make their work more efficient.

This policy deals with the organisation’s approach to, and requirements for, the use of apps and software that is based in, and used from, ‘the cloud’. Throughout this document, any reference to ‘app or apps’ refers to ‘Cloud Applications and Apps’. The policy must include, or make reference to, documented procedures that are constantly in operation to ensure that, to the best of its ability, vulnerabilities created by the use of apps are identified and mitigated to the greatest possible extent.

2.16-1
The policy must state whether or not the organisation permits the use of unauthorised/unapproved resources by its employees in the conduct of its business.

2.16-2
The policy must include a list of approved apps that individuals may use in the conduct of the organisation’s business.

2.16-3
The policy must indicate which devices may be used with approved apps (e.g., laptops, smart phones, tablets).

2.16-4
The policy must require that individuals or departments wishing to use an app consult the organisation’s IT security team (and record the outcome of such discussions) in order that the app can be evaluated.

2.16-5
The policy must describe the organisation’s process for dealing with data breaches, leaks or losses that occur if and when individuals use unauthorised/unapproved apps (e.g., any implications for the Disciplinary Procedures).

2.16-6
All cloud apps being used within the organisation and its extended network are identified and evaluated. This includes apps that are being used on personal devices such as smart phones and tablets.

2.16-7
A register will be established and maintained of all approved apps, and where the organisation allows unauthorised/unapproved apps to be used, these will also be registered. An app will only be approved if it is managed and monitored by the IT department.

2.16-8
Maintenance of the register shall fall under the responsibility of a named person on the Board, and each review of the register shall be documented.

2.16-9
The organisation will conduct an audit of cloud apps in use within its business at least twice a year (biannually). Where an individual or department begins to use a new app for the conduct of business, that fact will be reported to IT and the app will be evaluated in relation to its suitability; it will also be entered into the register.

2.16-10
All cloud apps that are identified will be assessed for their enterprise readiness, including (2.16-10 to 2.16-13) the following: the providers of those apps have business continuity plans to ensure that the organisation will be subjected to minimum disruption in its attempts to access its data that is being handled by the apps.

2.16-11
The organisation’s use of those apps can be audited by the organisation.

2.16-12
Those apps have recognised security accreditations.

2.16-13
Those apps comply with the organisation’s national regulations with regard to the residency of data – e.g., the Data Protection Act and, from 25 May 2018, the General Data Protection Regulation (GDPR).

2.16-14
The organisation will establish the nature of all information that is residing in, and travelling to or from, all apps. As a minimum, all data that is considered to be sensitive will be encrypted or tokenised.

2.16-15
Any information that is classed as being highly sensitive will only be held in, and transmitted to or from, the cloud with the authorisation of the Board. Under normal circumstances such information will not be found within the cloud.

2.16-16
The use of cloud apps will be constantly monitored to ascertain various information, including (2.16-16 to 2.16-19): who is using the app.

2.16-17
The nature of the information that is being handled within the app.

2.16-18
The times at which that information is being handled by the app.

2.16-19
The identity of individuals outside of the organisation with whom information is being shared via the app together with the nature of the information that is being shared.

2.16-20
Where any anomaly is identified through the monitoring of the use of an app, that use will immediately cease pending an enquiry to ascertain the reason for the anomaly. The continued use of the app will only occur when an anomaly has been thoroughly investigated by the organisation's IT team and no threat identified.

2.16-21
Any threat or data breach that is identified relating to the use of an app will be thoroughly investigated and a report submitted to the Board.

3.1 Information Security
Information Security can be a procedure in its own right or part of the Data Protection Policy. Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.1-1
Identify, group and isolate critical business information assets and services.

3.1-2
Limit the exposure of sensitive information to internal and external view.

3.1-3
Minimise the information that is stored on a mobile device so that it is only that needed to fulfil a business activity.

3.1-4
Ensure that all information supplied to or from the organisation is electronically scanned for malicious content.

3.1-5
Deploy content filtering capability on all external gateways.

3.1-6
(Continuing 3.1-5) Include a clear description of how the content filtering will be monitored.

3.1-7
Ensure the ability to remotely disable a device.

3.1-8
Ensure the encryption of data at rest that is held on any local device or server.

3.1-9
For each of the assets and services identified in 3.1-1 there must be a specific procedure for the destruction of the data and hardware.

3.1-10
There must be a procedure for the labelling/naming of all information so that it is applied uniformly across the organisation. The labelling must include specific reference to the type of information so that it is clear from the label on the information/file as to whether or not it is commercially sensitive.

3.1-11
(Optional) Ensure the encryption of data at rest on remote or cloud servers.

3.2 Employment
Organisations will have several policies and procedures relating to the employment of individuals. Unfortunately, many cyber security incidents relate to ‘crooked’ insiders and to well-meaning but careless employees.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.2-1
Ensure that pre-employment screening takes place on all users [employees and external contractors and consultants] as a mandatory part of the recruitment system.

3.2-2
This procedure must be followed in respect of any person who is offered an appointment for any position within the organisation, whether paid or unpaid. The term ‘any position’ relates to a position that is, part time, full time, permanent, temporary, zero hours contract, work placement or experience or part of a subcontracting or agency service.

3.2-3
Every person that is offered any position within the organisation must be subjected to a check with the Disclosure and Barring Service (DBS), formerly the Criminal Records Bureau (CRB). Should the resultant information from the DBS check indicate any aspect of unsuitability, the offer will be withdrawn. The purposes of pre-employment checks are to confirm the individual’s identity, to confirm that they are legally able to work in the UK (a right-to-work check, which is separate from the DBS check), and to ascertain the nature of any previous convictions or cautions that would render them actually or potentially unsuitable for working in the organisation. (Note that a Basic DBS check can be requested for any role, whereas Standard and Enhanced checks are only available for eligible roles.)

3.2-4
When a person applies for any of the above mentioned positions within the organisation, they must be informed of the intention to carry out the DBS check, and that any position that is offered must be subject to a satisfactory outcome from that check. They must also be informed that their offered employment will not begin until the outcome of the check is received.

3.2-5
They must also be informed that the organisation recognises and subscribes to the requirements of the Rehabilitation of Offenders Act 1974 (and subsequent relevant primary and subordinate legislation), and that certain types of conviction may not mean an automatic withdrawal of an employment offer.

3.2-6
They must also be informed of the organisation’s Data Protection Policy, and that any information received as a result of the DBS check will be treated in accordance with that policy.

3.2-7
Ensure that all users are aware of the acceptable account usage policy and/or procedure(s) and potential disciplinary consequences.

3.2-8
Ensure that employment contracts are agreed with individuals and retained to support subsequent disciplinary action (for some organisations, this may need contract renegotiations with individuals).

3.2-9
Ensure that there is a safe environment for people to express concerns about security practices and incidents. (A Whistleblowing Policy is probably the most appropriate way of dealing with this requirement).

3.2-10
Ensure, and make clear to every user [employees and external contractors and consultants] that any abuse of any security policies and procedures will result in disciplinary action (which could include the cancellation of contracts with external suppliers and consultants).

3.2-11
Ensure that the organisation has a policy covering the security of mobile data and/or procedures that determine: who can work off-site; device acquisition and support; the type of information to be stored on devices; and minimum procedural security controls.

3.3 Training and Awareness
The world of ‘cyber’ is fast-moving, as are cyber criminals. It is therefore essential to ensure that organisations are ‘fleet of foot’ in ensuring that their systems and people are kept up-to-date. With regard to people, the best way of doing this is through planned, regular training.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.3-1
Ensure the systematic delivery of a security training and awareness programme that is reviewed and updated at least annually.

3.3-2
Ensure that all users – including contractors and external parties – comply with corporate security policies and/or procedures, and that these are thoroughly explained as part of the induction process.

3.3-3
Ensure regular (at least twice-yearly) refresher training on cyber risks.

3.3-4
Ensure that security staff members receive specialist training.

3.3-5
Ensure that relevant staff are trained in the deployment and operation of the organisation’s monitoring capability.

3.3-6
Ensure that the incident response team receives specialist training.

3.3-7
Test the effectiveness of the security training for all staff.

3.3-8
Do not open attachments from unsolicited emails.

3.3-9
Do not click on hyperlinks in unsolicited emails.

3.3-10
Individuals must report any strange or any unexpected system behaviours.

3.3-11
Ensure that individuals maintain an awareness of how to report a security incident.

3.3-12
Ensure that all users are trained on the secure use of mobile devices including: secure storage and management of their user credentials; incident reporting; and environmental awareness (e.g. being overlooked).

3.3-13
(Optional) Ensure that security staff are encouraged to validate their IA skills through enrolment in a recognised certification scheme for IA professionals.

3.4 Secure Baseline Build
In order to maintain consistency of operation and security, all ICT systems and devices need to be set up in the same known, documented configuration: a ‘Secure Baseline’. It is important that this baseline applies to removable devices and, where an organisation allows users to bring their own devices (BYOD), to those devices as well.

Cyber Primed requires documented procedures to fully address and satisfy the following measures so that the secure baseline build is applied to all of the following:

3.4-1
Ensure that the organisation follows recognised network design principles, e.g. ISO/IEC 27033-1:2015.

3.4-2
Ensure the implementation of a secure baseline for all ICT systems including clients, mobile devices, servers, operating systems, applications and network devices such as firewalls, routers, and printers.

3.4-3
Every network device and mobile platform.

3.4-4
All devices including mobile devices.

3.4-5
All systems are configured to a secure baseline build, including mobile devices.

3.4-6
Remove or disable unnecessary functionality from ICT systems and keep them patched against known vulnerabilities.

3.4-7
Ensure that any deviation from the standard build is documented and formally approved.

3.4-8
Ensure that applications can only access the data and devices required for the user’s specific functions and responsibilities (‘sandboxing’), and remove or disable services, functionality or applications not required for the business. Unnecessary software (including application software, system utilities and network services) must be removed or disabled.

3.4-9
Use the latest versions of operating systems, web browsers and applications. Out-of-date software (i.e. software that is no longer supported) must be removed from computer and network devices that are connected to or capable of connecting to the internet.

3.4-10
Disable ports and system functionality not needed by the business; including USB ports, CD/DVD etc.

3.4-11
Define and support the configuration control and change management requirements for the IT systems including software.

3.4-12
Use automated tools to capture the physical location, business owner, and purpose of hardware together with the version and patching status of all software.

3.4-13
Prevent installation of unauthorised software and applications by employing process execution controls and application allow-listing (whitelisting), and by only accepting code signed by trusted suppliers.

3.4-14
Disable scripting languages and components such as Windows Script Host, ActiveX, VBScript and JavaScript, unless these are specifically required for conducting activity on web-based applications used by the organisation, in which case they must be specifically named and listed as being approved by the organisation. (Since most modern web applications depend on JavaScript, the approved list is expected to be used rather than left empty.)

3.4-15
Disable the auto-run function on machines to prevent the automatic execution of code from removable media, i.e. to prevent programs running automatically when removable storage media is connected to a computer or when network folders are accessed.

3.4-16
Have a secure baseline that denies access by default to removable media allowing access only to approved authorised devices.

3.5 Inventories
It is important that an organisation identifies and maintains a list of applications, software, and devices that are approved (‘whitelisted’) for use in the conduct of its business. Conversely, it needs to identify ‘undesirable’ (‘blacklisted’) websites that contain either material not consistent with the organisation’s business, or material of a malicious nature.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.5-1
Develop and maintain inventories of authorised hardware and software across the organisation. The inventories must be closely coupled and managed centrally.

3.5-2
Identify any unauthorised hardware or software (which must be immediately removed).

3.5-3
Maintain a white list of authorised applications and software.

3.5-4
Ensure the perimeter gateway uses blacklisting to block access to known malicious websites. Malware protection software must be used to prevent connections to malicious websites on the internet (e.g. by using website blacklisting).

3.6 Monitoring
Cyber issues are constantly evolving, and humans have their frailties: they may sometimes create problems of which they are not aware and which could seriously jeopardise organisational security and profitability. It is therefore vital that ICT systems are continuously monitored.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.6-1
Monitor network traffic to detect and react to attempted and actual network intrusions.

3.6-2
Monitor user activity constantly, with the ability to identify the creation of new user accounts, changes to user passwords, and the deletion of accounts and audit logs.

3.6-3
Monitor all networks and host systems.

3.6-4
Continuously monitor inbound and outbound network traffic at the boundaries to identify known attack ‘signatures’ and ‘experimental’ (novel) attacks, and to identify new or unusual system behaviour.

3.6-5
Ensure that the transfer of sensitive information, and in particular large data transfers or unauthorised encrypted traffic, automatically generates a security alert.
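The following is an added example, not part of the Cyber Primed Standard, showing the kind of detection logic measure 3.6-2 calls for: it reads account-lifecycle events and raises an alert for each account creation, password change or reset, account deletion and audit-log clearance. The log lines are constructed (not real data) in a JSON-lines export format that is an assumption; the event IDs are the Windows Security log IDs 4720, 4723, 4724, 4726 and 1102. It goes one step beyond the measure’s wording by also flagging an account that is created and deleted within a short window, a pattern that the individual events on their own would not surface.

```python
"""Detection logic for measure 3.6-2: alert on account creation, password
changes/resets, account deletion and clearing of the audit log.

Added example; log lines are constructed and the JSON-lines format is assumed."""
import json
from datetime import datetime, timedelta

# Windows Security event IDs mapped to the 3.6-2 wording (mapping is this example's assumption).
WATCHED_EVENTS = {
    4720: ("user account created", "medium"),
    4723: ("password change attempted by user", "low"),
    4724: ("password reset by administrator", "medium"),
    4726: ("user account deleted", "medium"),
    1102: ("audit log cleared", "critical"),
}
SHORT_LIVED_WINDOW = timedelta(hours=24)  # assumed threshold for a suspicious create/delete pair

# Constructed sample export (not real data): one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:12:01Z","event_id":4720,"subject":"ALICE.ADM","target":"svc-backup2","host":"DC01"}
{"ts":"2024-03-04T09:13:40Z","event_id":4724,"subject":"ALICE.ADM","target":"svc-backup2","host":"DC01"}
{"ts":"2024-03-04T09:20:11Z","event_id":4624,"subject":"-","target":"svc-backup2","host":"FS01"}
{"ts":"2024-03-04T11:02:55Z","event_id":4726,"subject":"ALICE.ADM","target":"svc-backup2","host":"DC01"}
{"ts":"2024-03-04T11:03:30Z","event_id":1102,"subject":"ALICE.ADM","target":"-","host":"DC01"}
{"ts":"2024-03-04T14:45:00Z","event_id":4723,"subject":"bob","target":"bob","host":"WS17"}
"""


def parse_events(text):
    """Parse JSON-lines export into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect(events):
    """Return a list of (severity, message) alerts in time order."""
    alerts = []
    created_at = {}  # target account -> time of its 4720 event
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid = ev["event_id"]
        if eid not in WATCHED_EVENTS:
            continue  # e.g. 4624 logons: monitored under 3.6-3, not 3.6-2
        name, severity = WATCHED_EVENTS[eid]
        alerts.append((severity, f"{ev['ts']:%Y-%m-%d %H:%M:%S} {ev['host']}: {name} "
                                 f"target={ev['target']} by={ev['subject']}"))
        if eid == 4720:
            created_at[ev["target"]] = ev["ts"]
        elif eid == 4726 and ev["target"] in created_at:
            # Account created and deleted within the window: classic cover-tracks pattern.
            age = ev["ts"] - created_at.pop(ev["target"])
            if age <= SHORT_LIVED_WINDOW:
                alerts.append(("high", f"{ev['ts']:%Y-%m-%d %H:%M:%S} {ev['host']}: "
                                       f"short-lived account {ev['target']} existed for {age}; "
                                       f"review activity by {ev['subject']}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(parse_events(SAMPLE_LOG)):
        print(f"[{severity.upper():8}] {message}")
```

In the constructed sample the sequence create, reset password, log on from a file server, delete, clear audit log by the same administrative account yields five per-event alerts plus the short-lived-account alert; the 1102 event is the one a responder should treat as critical, because it is the point at which the evidence for the other four starts to disappear, and under 3.7-1 the copy held on the separate audit system is what survives it.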

3.7 Audits, Logs & Record Keeping
Organisations need to have systems in place to conduct audits in order to ensure compliance with its procedures and to identify risks and threats that may be present. The auditing team and systems need to be separate from the remainder of the organisation as do any logs and records that they create, and that may be created automatically by monitoring (including 'user' monitoring) and scanning systems. In small organisations it may be difficult for the auditing team to be completely separate from business activities, but the logs and records that they develop and maintain must always be kept and stored separately.

It is also vital that equipment used for auditing (and scanning and monitoring purposes) is kept separate. Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.7-1
Ensure that activity logs go to a dedicated accounting and audit system separate from the core network.

3.7-2
Ensure that access to the audit system is strictly controlled.

3.7-3
Collect, preserve and analyse the causes of critical incidents together with remedies that have been used to deal with them. (This may be required to support any follow-on disciplinary or legal action).

3.7-4
Monitoring generates audit logs capable of identifying unauthorised or accidental input, misuse of technology or data, together with the user, the activity that prompted the alert and the information they were attempting to access.

3.7-5
Monitoring generates only audit logs that are relevant to the security of the organisation, its people and its business needs.

3.7-6
Monitoring complies with legal and/or regulatory constraints – inappropriate collection of monitoring information could breach data protection and privacy legislation.

3.7-7
Develop and maintain a centralised capability to collect and analyse accounting logs and security alerts across the organisation; this includes user systems, servers, network devices, security appliances, systems and applications.

3.7-8
Vulnerability risk scoring is conducted, centrally measured and managed, and integrated into action planning.

3.7-9
Require the use of a centralised, synchronised time source (e.g. NTP) for monitoring, analysis and the time-stamping of audit logs, so that events from different systems can be correlated.

3.7-10
Ensure that there is sufficient ‘storage space’ for the information generated by audits and the logs created by scanning and monitoring operations.

3.7-11
Ensure the conduct of audits of all removable media at least quarterly.

3.8 Scanning
Scanning is closely aligned with monitoring and it is vital for organisations to ensure that they have systems and tools so that their ICT framework and perimeters are constantly being scanned.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.8-1
Ensure that security scanning tools are able to detect and locate unauthorised wireless access points, and that anti-malware software performs on-access scanning whenever a user accesses the system.

3.8-2
Ensure that automated vulnerability scanning tools are used on all networked devices and remedy any identified vulnerabilities within a specified time frame.

3.8-3
(Optional) Remedial action to take place immediately or at the most within 12 hours from discovery.

3.8-4
Actively scan for malware across the whole organisation.

3.8-5
Ensure that all workstations are capable of scanning content of any type of media.

3.8-6
(Optional) Every scan is traceable to an individual.

3.8-7
Continuously scan inbound and outbound objects at the perimeter with antivirus and malicious code identification capabilities. Malware protection software must be configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when being accessed (via a web browser).

3.8-8
Scan internal networks and host systems using different products to the perimeter scanning.

3.8-9
Ensure that, when removable media is introduced, the system automatically scans for malicious content.

3.8-10
Regularly scan every network component and apply security patches in line with the corporate Patching and Updating Vulnerability Management Policy and/or procedures.

3.8-11
Ensure that any removable media (regardless of its source) brought into the organisation is scanned for malicious content by a standalone media scanner.

3.9 Patching and Updating
It has long been recognised that one of the biggest vulnerabilities for any organisation is an application or component that has not been patched or updated as required by its manufacturer; and yet patching is one of the easier controls to apply in cyber protection.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.9-1
Ensure the use of automated patch management and software update tools.

3.9-2
Ensure that security patches are applied in a timeframe commensurate with the organisation’s overall cyber and information risk management approach.

3.9-3
(Optional) Patches are applied within 12 hours.

3.9-4
Updates to software (including operating system software and firmware) running on computers and network devices that are connected to or capable of connecting to the internet will be installed in a timely manner (e.g. within 30 days of release or automatically when they become available from vendors) subject to the consideration of the potential risk of proceeding with the updates.

3.9-5
The outcome of the evaluation of these risks must be recorded on the risk register.

3.9-6
Ensure that security patches are applied, in line with the corporate Patching and Updating Management Policy and/or procedures, to any network component whose regular scanning has highlighted a patching requirement or other vulnerability.

3.9-7
Ensure that software running on computers and network devices that are connected to or capable of connecting to the Internet are licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available.

3.9-8
Ensure that all security patches for software running on computers and network devices that are connected to or capable of connecting to the internet are installed in a timely manner (e.g. within 14 days of release or automatically when they become available from vendors).

3.9-9
Ensure that malware protection software (including programme code and malware signature files) is kept up-to-date (e.g. at least daily, either by configuring it to update automatically or through the use of centrally managed deployment).
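The measures in 3.9-4, 3.9-5, 3.9-8 and 3.9-9 set three different clocks (14 days for security patches, 30 days for other updates, daily for malware signatures) and one exception (a deferral recorded on the risk register). The following is an added example, not part of the standard, of a check that applies those clocks to a software inventory of the kind 3.4-12 requires; the inventory format, the sample records and the signature-update times are constructed, and a deferral is only accepted when it carries a risk-register reference, as 3.9-5 requires.

```python
"""Check a software inventory against the patching timeframes in 3.9-4, 3.9-8 and 3.9-9.

Added example, not part of the standard; the inventory format and records are constructed."""
from datetime import datetime, timedelta

SLA_DAYS = {"security": 14, "update": 30}  # 3.9-8 security patches; 3.9-4 other updates
SIGNATURE_MAX_AGE = timedelta(days=1)       # 3.9-9: malware signatures refreshed at least daily

# Constructed inventory: one record per (host, component, available patch). Dates are ISO strings.
INVENTORY = [
    {"host": "WS17", "component": "web browser", "type": "security",
     "released": "2024-03-01", "installed": "2024-03-05", "risk_ref": None},
    {"host": "FS01", "component": "OS kernel", "type": "security",
     "released": "2024-02-10", "installed": None, "risk_ref": None},
    {"host": "DC01", "component": "BMC firmware", "type": "update",
     "released": "2024-01-20", "installed": None, "risk_ref": "RR-042"},  # deferred per 3.9-4/3.9-5
    {"host": "WS22", "component": "office suite", "type": "update",
     "released": "2024-03-12", "installed": None, "risk_ref": None},
    {"host": "RTR1", "component": "router firmware", "type": "security",
     "released": "2024-02-25", "installed": "2024-03-15", "risk_ref": None},
]
# Constructed last-signature-update times reported by each host's malware protection software.
SIGNATURE_UPDATES = {
    "WS17": "2024-03-20T06:00",
    "FS01": "2024-03-17T06:00",
    "WS22": "2024-03-19T23:30",
}


def _d(s):
    """ISO date or date-time string -> datetime (date-only strings become midnight)."""
    return datetime.fromisoformat(s)


def check_patching(inventory, signature_updates, as_of):
    """Classify every inventory record against its SLA at time 'as_of'.

    Returns a dict with keys:
      overdue          - not installed and past the SLA deadline, no recorded deferral
      installed_late   - installed, but after the SLA deadline (a past breach to report)
      deferred         - not installed, but deferral recorded on the risk register
      stale_signatures - hosts whose malware signatures are older than one day
    """
    now = _d(as_of)
    report = {"overdue": [], "installed_late": [], "deferred": [], "stale_signatures": []}
    for rec in inventory:
        deadline = _d(rec["released"]) + timedelta(days=SLA_DAYS[rec["type"]])
        key = f"{rec['host']}:{rec['component']}"
        if rec["installed"] is None:
            if rec["risk_ref"]:
                report["deferred"].append((key, rec["risk_ref"]))
            elif now > deadline:
                report["overdue"].append((key, (now - deadline).days))
            # otherwise: pending but still inside the SLA window
        elif _d(rec["installed"]) > deadline:
            report["installed_late"].append((key, (_d(rec["installed"]) - deadline).days))
    for host, ts in signature_updates.items():
        if now - _d(ts) > SIGNATURE_MAX_AGE:
            report["stale_signatures"].append(host)
    return report


if __name__ == "__main__":
    for category, items in check_patching(INVENTORY, SIGNATURE_UPDATES, "2024-03-20T09:00").items():
        print(f"{category}: {items}")
```

Two points the check makes visible that a simple "is it installed?" query would not: a patch installed after its deadline is still a breach of 3.9-8 and should appear in the audit record, and a deferral without a risk-register reference is treated as overdue rather than as a decision, which is the behaviour 3.9-5 requires.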

3.10 Malware and Anti Virus Protection
Like patching and updating, the application of malware and anti-virus protection is one of the easier controls that an organisation can use in its cyber protection.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.10-1
Ensure that firewalls are deployed between the untrusted external network and the internal network.

3.10-2
Install firewalls on the host and gateway devices.

3.10-3
There must be application firewalls in front of any critical servers to verify and validate traffic going to the server. Any unauthorised services or traffic must be blocked and an alert generated.

3.10-4
The default administrative password for any firewall (or equivalent network device) must be changed to an alternative, strong password.

3.10-5
Protect all host and client machines with antivirus solutions. Malware protection software must be installed on all computers that are connected to or capable of connecting to the internet; it must update its definitions as soon as a user accesses the system and continue to do so throughout each session.

3.10-6
Deploy antivirus and malware checking on both inbound and outbound data at the network perimeter.

3.10-7
Deploy antivirus and malware protection on internal networks.

3.10-8
Deploy an antivirus solution that will actively scan for malware when any removable media is introduced.

3.10-9
Ensure that there are different protection solutions (e.g. antivirus and malware) at the perimeter to those used on internal networks and systems.

3.10-10
Set the firewall to deny traffic by default and create a white list that only allows authorised protocols, ports and applications to communicate with authorised networks and network addresses.

3.10-11
A personal firewall (or equivalent) must be enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default.

3.10-12
Malware protection software must be configured to perform regular scans of all files (e.g. daily) and must provide warnings where appropriate when new webpages are accessed.

3.10-13
Ensure that stand-alone workstations (used for scanning purposes and not connected to the network) are provided and equipped with two antivirus products.

3.11 Access and Connectivity
It is also important to deploy a system that requires all connections to and from outside the organisation to pass through a single ‘gateway’ that is heavily protected and continuously scanned and monitored. Different systems may, by the nature of their design, need to pass through multiple gateways, but they all need to be secured to the same consistent standard.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.11-1
Ensure that there is limited access to network ports, protocols, network perimeters and applications, and that for remote access, users are locked out after 10 unsuccessful login attempts or a limit of 10 login attempts within five minutes is imposed.
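As an added example (not part of the standard), the following shows both limits in 3.11-1 applied to a remote-access login path: a lockout after 10 unsuccessful attempts, and a cap of 10 attempts of any outcome within a five-minute window. The lockout duration and the credential check are assumptions; the standard specifies neither. Timestamps are passed in by the caller so the behaviour can be exercised without waiting.

```python
"""Lockout and rate limiting for remote-access logins per 3.11-1.

Added example, not part of the standard. LOCKOUT_SECONDS and the demo credential
store are assumptions."""
from collections import defaultdict, deque

MAX_FAILURES = 10          # 3.11-1: lock out after 10 unsuccessful attempts
RATE_LIMIT = 10            # 3.11-1: at most 10 attempts ...
RATE_WINDOW = 5 * 60       # ... within five minutes (seconds)
LOCKOUT_SECONDS = 30 * 60  # assumed: the standard does not say how long a lockout lasts


class RemoteAccessGuard:
    """Wraps a credential check so every attempt passes through both limits.

    'now' is a timestamp in seconds (e.g. time.time()), supplied by the caller."""

    def __init__(self, verify_password):
        self._verify = verify_password       # callable(user, password) -> bool
        self._failures = defaultdict(int)    # consecutive failures per user
        self._attempts = defaultdict(deque)  # timestamps of recent attempts per user
        self._locked_until = {}              # user -> timestamp when the lock expires

    def attempt(self, user, password, now):
        """Return 'ok', 'denied', 'locked' or 'rate_limited'.

        An attempt rejected by the rate limit is never evaluated, so it counts as
        neither a failure nor a success; a locked account rejects even correct passwords."""
        if self._locked_until.get(user, 0) > now:
            return "locked"
        recent = self._attempts[user]
        while recent and now - recent[0] >= RATE_WINDOW:
            recent.popleft()                 # drop attempts that have aged out of the window
        if len(recent) >= RATE_LIMIT:
            return "rate_limited"
        recent.append(now)
        if self._verify(user, password):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._failures[user] = 0
            self._locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


# Constructed credential store for the demonstration only; a real system stores
# password hashes and compares them in constant time.
DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_guard():
    return RemoteAccessGuard(lambda user, pw: DEMO_USERS.get(user) == pw)


if __name__ == "__main__":
    guard = demo_guard()
    for i in range(11):
        print(i + 1, guard.attempt("alice", "wrong", i * 60.0))
```

Two design points worth noting. The rate limit counts every attempt, not only failures, because 3.11-1 says "login attempts"; that also stops a scripted client from probing at full speed with a valid credential. And because a lockout can be triggered deliberately against someone else’s account, the lockout event belongs in the monitoring feed under 3.6-2 rather than being silently absorbed.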

3.11-2
Only allow traffic that is required to support the business to be exchanged.

3.11-3
Ensure that there is no direct network connectivity between internal systems and those hosted on untrusted networks, e.g. the Internet.

3.11-4
Block access to known file transfer and e-mail exfiltration websites, other than those specifically named and listed by the organisation as approved resources.

3.11-5
Ensure that wireless devices are only allowed to connect to trusted wireless networks.

3.11-6
Prevent internal IP addresses from being exposed to external networks.

3.11-7
Prevent network traffic directly from untrusted networks to internal networks.

3.11-8
Ensure that, where someone is working remotely, connection to the corporate network is achieved via VPN (Virtual Private Network) unless a direct cloud-based portal system is being used.

3.11-9
Each rule that allows network traffic to pass through the firewall (e.g. each service on a computer that is accessible through the boundary firewall) must be subject to approval by an authorised individual and documented (including an explanation of business need).

3.11-10
Unapproved services, or services that are typically vulnerable to attack (such as Server Message Block (SMB), NetBIOS, tftp, RPC, rlogin, rsh or rexec), must be disabled (blocked) at the boundary firewall by default.

3.11-11
Firewall rules that are no longer required (e.g. because a service is no longer required) must be removed or disabled in a timely manner.

3.11-12
The administrative interface used to manage boundary firewall configuration must not be accessible from the internet, other than by access via dedicated VPN.
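Measures 3.10-10 and 3.11-9 to 3.11-11 together describe what a boundary firewall ruleset review has to check: a deny-by-default policy, no allow rule for the services 3.11-10 names, an approver and business need recorded for every allow rule, and stale rules removed. The following review function is an added example, not code from the Cyber Primed standard; the `Rule` record, the 90-day staleness threshold and the sample ruleset are assumptions constructed for this illustration, and the port numbers are the services' well-known ports rather than values from the standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Services that measure 3.11-10 names as typically vulnerable, mapped to their
# well-known ports (the port numbers are common knowledge, not from the standard).
RISKY_PORTS = {
    ("tcp", 445), ("tcp", 139),                   # SMB
    ("udp", 137), ("udp", 138),                   # NetBIOS name/datagram
    ("udp", 69),                                  # tftp
    ("tcp", 111), ("udp", 111), ("tcp", 135),     # RPC portmapper / MS-RPC
    ("tcp", 513), ("tcp", 514), ("tcp", 512),     # rlogin, rsh, rexec
}
STALE_DAYS = 90  # assumed threshold for "no longer required"; the standard sets none

@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    proto: str
    port: int
    approver: str = ""          # authorised individual (3.11-9)
    business_need: str = ""     # documented justification (3.11-9)
    last_hit: Optional[date] = None  # last time the rule matched traffic

def review_ruleset(default_policy: str, rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for a boundary firewall configuration."""
    findings = []
    if default_policy != "deny":
        findings.append(("<default>", "default policy must be deny (3.10-10)"))
    for r in rules:
        if r.action != "allow":
            continue  # deny rules need no approval trail
        if (r.proto, r.port) in RISKY_PORTS:
            findings.append((r.name, f"exposes risky service {r.proto}/{r.port} (3.11-10)"))
        if not r.approver or not r.business_need:
            findings.append((r.name, "no approver or business need recorded (3.11-9)"))
        if r.last_hit is None or today - r.last_hit > timedelta(days=STALE_DAYS):
            findings.append((r.name, f"unused for over {STALE_DAYS} days; remove or disable (3.11-11)"))
    return findings

# Constructed sample ruleset for the demonstration.
SAMPLE_RULES = [
    Rule("web", "allow", "tcp", 443, "J. Smith", "public website", date(2024, 5, 1)),
    Rule("fileshare", "allow", "tcp", 445, "J. Smith", "partner file share", date(2024, 5, 1)),
    Rule("legacy-ftp", "allow", "tcp", 21, last_hit=date(2023, 11, 1)),
    Rule("block-all", "deny", "any", 0),
]
```

Run against the sample ruleset, the review flags the SMB share as a risky exposure and the legacy FTP rule twice, once for the missing approval trail and once as stale; those findings are the input to the documented approval and removal procedures the measures require.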

3.12 User Privileges and Rights
Although not necessarily popular with all directors and senior managers within an organisation, it is necessary to ensure that access to certain parts of the network and/or information within the network is restricted on a ‘need to know’ basis, otherwise known as ‘Least Privilege’.

User accounts that allow changes to be made to software and applications must be allocated on a strict ‘need to have’ and ‘need to know’ basis. These accounts are often known as Administrator and/or Privileged accounts.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.12-1
Ensure that all user account creation is subject to a provisioning and approval process.

3.12-2
Ensure that each user must authenticate using a unique username and strong password before being granted access to applications, computers and network devices. Administrative account users must be required to implement two factor authentication.

3.12-3
Ensure that any default password for a user account is changed to an alternative, strong password.

3.12-4
Ensure that users only receive rights of access relevant to their job.

3.12-5
Ensure that accounts with ‘normal’ privileges cannot install or disable software or services on the system.

3.12-6
Secure all wireless access points.

3.12-7
Ensure that access control is allocated on the basis of ‘Least Privilege’.

3.12-8
Ensure that rights and permissions to systems etc. are only given on the need to fulfil individuals’ business roles.

3.12-9
Ensure that users only have the privileges that they need for their job; ‘Least Privilege’.

3.12-10
Manage and review user accounts from creation through to eventual deletion.

3.12-11
Ensure that unused or dormant accounts are removed or suspended.

3.12-12
Ensure that unnecessary user accounts (e.g. Guest accounts and unnecessary administrative accounts) are removed or disabled.

3.12-13
Ensure that user accounts and special access privileges are removed or disabled when no longer required (e.g. when an individual changes role or leaves the organisation) or after a predefined period of inactivity (e.g. three months).

3.12-14
(Optional) Ensure that the organisation determines the nature of user passwords; preferably randomised passwords. If this is not possible, develop and implement password complexity rules.

3.12-15
Strictly control the number of privileged accounts – these accounts are not to be used for high risk or day-to-day user activities.

3.12-16
Ensure that special access privileges are restricted to a limited number of authorised individuals.

3.12-17
Ensure that details about special access privileges (e.g. the individual and purpose) are documented, kept in a secure location and reviewed on a regular basis.

3.12-18
Ensure that administrative accounts can only be used to perform legitimate administrative activities, and must be prevented from having access to email and Web browsing.

3.12-19
Ensure that administrative accounts are configured to require a password change on a regular basis (e.g. at least every 60 days) or are managed using a 'password vault' (or similar). In any case, passwords must be changed immediately if it is believed that any have been compromised.

3.12-20
Frequently review the needs of individuals to have ‘privileged accounts’.

3.13 Penetration Testing and Simulation
It is relatively common for large organisations to employ hackers with a brief for them to try and establish weaknesses and vulnerabilities within an organisation’s systems. All organisations need to have some method whereby they can try and penetrate their systems in order to identify actual or potential weaknesses.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.13-1
Ensure that regular penetration tests of the network infrastructure take place.

3.13-2
Ensure that simulated cyber-attack exercises are undertaken.

3.13-3
Regularly test incident management procedures and business continuity plans; the outcomes are to be used in the further development of cyber security policies and procedures.

3.14 Incident Management
Incident Management is closely related to Business Continuity Planning/Disaster Recovery Planning. It is almost certain that any organisation will be subjected to an actual or attempted cyber-attack at some stage, and the outcome of such an attack could result in the system closing down (denial of service), being locked pending ransom payments (Ransomware), or infected with some other undesirable properties. Consequently, organisations must have plans and systems to deal with such occurrences so that they can either maintain operations or resume them as soon as possible. Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.14-1
Maintain an organisation-wide incident management capability.

3.14-2
Ensure that internal and external reporting requirements are clearly identified in the incident management plans.

3.14-3
Ensure that incident management plans are sufficiently flexible to deal with the range of security incidents involving mobile working that could occur, e.g. a compromise in an international location or a physical attack on someone carrying one of the organisation’s mobile devices.

3.14-4
Ensure that any incident management policy and procedure sets out guidelines that comply with a recognised code of practice (e.g. ISO 22301).

3.14-5
Review the performance of the incident management system.

3.14-6
Review the organisational response to an incident management activity.

3.14-7
Ensure that online crimes are reported to Action Fraud and/or relevant law enforcement agencies.

3.14-8
Ensure that procedures are in place to respond to incidents detected by monitoring solutions.

3.14-9
Require learning from security incidents.

3.14-10
Ensure that the Business Continuity Plan will be tested on a regular basis (at least every 6 months in the case of aspects of the plan relating to cyber and IT security).

3.14-11
Ensure that the outcomes of the tests will be documented and reported to the Board.

3.14-12
Ensure that any remedial or corrective actions identified following a test of the plan are implemented within a specified time frame (not more than one month).

3.14-13
Ensure that the information security part of the Business Continuity Plan is subjected to a documentary review by the Board at least every 6 months and records kept of the review and subsequent corrective actions that may be required.

3.15 Back Up
Ensuring that systems and information are backed up and stored off-site is relatively straightforward for an organisation to complete.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.15-1
If you use on-site back-up and storage media, there must be documented physical measures in place to ensure its safety (including data in transmission and at rest).

3.15-2
Regularly test backup facilities, including test restores and refresh cycles when using physical media. As a minimum, the organisation's information asset base and work files are backed up and held in such a way that it is able to overcome any form of Ransomware. This must include backups in 3 separate formats, located in two different locations, one of which is off site.

3.15-3
Ensure a systematic approach to the backup of the corporate information asset base.

3.16 Removable Media
Removable media is an increasing problem for organisations in managing their cyber protection. It is strongly related to off-site/mobile working and home working. A common emerging problem is the wish of employees to use some of their own devices for business work, known as Bring Your Own Device (BYOD). Recent research projects have indicated that people using their own devices for work creates enormous risks. It is not unusual for an organisation to ban all removable media other than that which it has itself provided for employees to use. It is therefore vital for any organisation to keep itself as secure as possible from any infection or loss of data/information via removable media, including employees’ own devices.

Cyber Primed requires documented procedures to fully address and satisfy the following measures.

3.16-1
Ensure that when removable media is introduced, the system automatically scans for malicious content.

3.16-2
Ensure that individuals comply with the removable media policy, procedure and restrictions at all times.

3.16-3
Ensure that individuals do not connect any unapproved removable media or any unapproved personally owned device to the corporate network.

3.16-4
Ensure that removable media is only used as a last resort.

3.16-5
Ensure that appropriate policies, procedures and solutions control the use of removable media and the information that is imported and exported through it.

3.16-6
Limit the media types that can be used together with the users, systems and types of information that can be stored or transferred on removable media.

3.16-7
Ensure that removable media is formally issued by the organisation to individuals who will be accountable for their secure use, return and where necessary, destruction.

3.16-8
Ensure that records of holdings and use are maintained and made available for audit.

3.16-9
Ensure that information is encrypted on removable media.

3.16-10
Ensure that, when removable media is to be reused or destroyed, all previously stored information is rendered inaccessible.

3.16-11
Minimise the information that is stored on a mobile device so that it is only that needed to fulfil a business activity.

Cyber Primed could be your most comprehensive form of defence.