Cyber Essentials

QG PDF Template

Organisation Details

Organisation Name (legal entity): McDoots
Sector: Food products, beverages and tobacco
Size of Organisation: Micro (<10 Employees)
Point of Contact Name: dooty mcdoot
Position: Senior Dootymaster
Email Address:
Phone Number: 8900192098

Big Pile

Certifying Body (CB): Certification Europe
CB Reference Number
Date of Application: August 29, 2016 at 17:04
Date of Last Update: August 30, 2016 at 13:00

Business Scope

All doot and other dootifool doots and subsidiary dooties

Conformance Statement

Do you wish to be included in the list of certified companies?


From time to time government departments and other interested bodies may wish to use your company for marketing/research purposes. If you do not wish to be promoted/utilised in this way, please enter NO in the box. If this is left blank, you imply your consent.


Password Based Authentication

2.1 If applicable describe the technical controls used to enforce the password policy.
2.2 If applicable describe paper based controls used to enforce the password policy.
2.3 Confirm that you have implemented a password policy which meets the Password-based authentication requirements (above).


3.1 Describe how your firewalls are placed in your network


3.2 Tick all that apply
3.3 All default administrative passwords must be changed to an alternative password that is difficult to guess, in line with your password policy. Is this the case?
3.4 How is each firewall administrative interface protected from direct access via the internet?
3.5 All unauthenticated inbound connections must be blocked by default. Is this the case?
3.6 If inbound firewall rules are configured, they must be approved and documented. Is this the case?
3.7 Are firewall rules that are no longer required removed quickly?

Secure Configuration

4.1 Do you have a ‘documented’ password policy that contains the requirements of section 2?
4.2 All unnecessary user accounts (e.g. guest accounts and unnecessary administrative accounts) must be removed or disabled on all devices. Is this the case?


4.3 All default or guessable passwords for user accounts on all devices must be changed to an alternative password in line with your password policy. Is this the case?
4.4 Unnecessary software (including applications, system utilities and network services) must be removed or disabled. Is this the case?


4.5 In order to prevent untrusted programs (including those from the internet) running automatically, either the auto-run feature must be disabled or user authorisation must be actioned before file execution. Describe how this has been achieved.
4.6 How is internet-based access controlled to any areas containing commercially or personally sensitive data, or any data which is critical to the running of the organisation?

User Access Control

5.1 It is a requirement that you have identified all locations where sensitive and business-critical information is stored digitally (email, web and application servers, data shares, end user devices, etc.). Has this been done?
5.2 Does the organisation have a user account creation and approval process?
5.3 Does the organisation authenticate users before granting access in compliance with the defined password policy?
5.4 Has the organisation removed or disabled user accounts when no longer required?
5.5 Where available, has the organisation implemented two factor authentication?
5.6 Are administrative accounts used to perform administrative activities ONLY? (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).
5.7 Does the organisation remove or disable special access privileges when no longer required?

Malware Protection

6.1.1 How is the daily update of the anti-malware software (and all associated malware signature files) managed?
6.1.2 Is the software configured to scan files automatically upon access (including when downloading and opening files, and accessing files on a network folder)?
6.1.3 Are web pages scanned automatically upon access either by the web browser itself, the anti-malware software or by a third party service?
6.1.4 Does the software prevent connections to malicious websites by means of blacklisting?
6.2.1 Are only approved applications, restricted by code signing, allowed to execute on devices?
6.2.2 Does the organisation actively approve such applications before deploying them to devices?
6.2.3 Does the organisation maintain a current list of approved applications?
6.2.4 Are users able to install any application that is unsigned or has an invalid signature?
Is all code of unknown origin run within a ‘sandbox’ that prevents access to other resources unless permission is granted by the user (including other sandboxed applications; data stores, such as those holding documents and photos; sensitive peripherals, such as the camera, microphone and GPS; or local network access)?

Patch Management

7.1 Is all software licensed and supported?
7.2 Is software patched within 14 days of an update being released, where the patch fixes a vulnerability with a severity that the product vendor describes as ‘critical’ or ‘high risk’?
7.3 Is all software removed from devices in scope when no longer supported?
© 2017 Certification Europe Ltd.