Measure your information/data security controls: The CyberChecked report
An expert report that covers much more
You get an expert report that covers all of the requirements of Cyber Essentials, plus 10 other key factors that are proven information/cyber security safeguards.
This is applicable to all sectors, including the legal sector.
Lexcel accredited organisations will find this especially helpful.
Regulation necessitates security. The introduction of the GDPR and then the Data Protection Act 2018 means that every organisation must have effective controls for personal data; by default, therefore, in our modern, electronically connected environment, that requires a healthy approach to information security.
We’re not here to compete with Cyber Essentials. PDA CyberChecked is a report not a 'Standard'.
Cyber Essentials, in its own description, is a scheme of ‘hygiene’ measures; nothing more. It promotes a healthy ‘baseline build’; we think that’s good, but it’s not nearly enough.
Much more often than not, the cause isn’t a fault of the technology; it’s the fault of the people who control or use it. (Read more about this below.)
What are we looking for and reporting on?
1. Risk management planning
That your organisation has a risk register that takes into account information security and data protection risk, with regular reviews taking place.
2. Training
Effective training is a key factor in safeguarding your organisation's information and data. We are looking for regular training for all of the people in your organisation. The training must be appropriate to their roles and evaluated.
3. Firewalls and boundary controls
All of the devices that use your network must be protected by a suitably established firewall (or other/equivalent network control). This must include blocking inbound connections where appropriate and the names of the persons in your organisation who are responsible for overseeing the controls.
4. Secure configuration of the network
Computers and network devices. The Organisation must be active in its management of computers and network devices. It must routinely; In addition, the Organisation must have a procedure for removable media. As a minimum, removable media must be prohibited unless authorised on a case-by-case basis by named senior personnel, or unless a quarantined device is in place to receive and test the media and to extract the content.
5. Safeguarding against malware
Your Organisation must ensure that up-to-date malware protection is in place on all devices that use its network or conduct work for the Organisation. This includes anti-malware software and white-listing applications. It might also include 'sand-boxing' where applications are prevented from accessing other resources without approval.
6. Managing software patching
The devices used to conduct the work of your Organisation must be kept up to date with the latest software patches. Updates must be applied promptly and completion of updates reported to the Board.
7. Map of personal data
To be able to establish appropriate systems/controls to manage the risk, it is essential that you are clear as to the personal data that your Organisation processes, including: why it is processed, under what lawful basis, who has access to it, where it is kept, the format(s) in which it is kept and for how long it will be retained.
8. File sharing
Your Organisation must have working controls for the application of encryption, document vaults or other systems for the secure transfer of files and information. This includes controls for use on your network of removable media, such as USB devices and DVDs.
9. Control of user access
Your Organisation must have in place procedures that clearly describe the controls for setting up and managing/changing/closing user accounts. These must also include use of Administrative accounts that have special privileges.
10. Use of Internet, Email and messaging
Your Organisation must make clear the acceptable use of email and of the Internet, as well as rules for labelling emails and the length of email threads, and for the duration that emails can 'sit' in Inboxes, 'Sent' boxes and 'Deleted' boxes. Your Organisation must also monitor for spam/junk email.
11. Homeworking and remote working
Your Organisation must set out the controls in place for recording which people and devices are permitted to work remotely, including at home. Training must be provided to all affected persons who conduct the day-to-day work of the Organisation (even if only rarely), with evidence that they have understood the Organisation's expectations.
12. BYOD (Bring Your Own Device)
Your Organisation must set out the controls in place for recording which devices and software are permitted to be used on the Organisation's network to conduct the day-to-day work of the Organisation (even if only rarely) or for personal or other purposes. These controls must also prohibit the unauthorised retention of documents on such devices. Training must be provided to all persons who use devices in this manner, with evidence in writing that they have understood the Organisation's expectations.
13. Business continuity for information security
Your Organisation must maintain a Business Continuity Plan that recognises the different kinds of threat where information/data security is affected; for example, 'network/device failure/loss' is different to 'software failure', which is different again to 'malicious attack or loss'. The Business Continuity Plan must describe separately for each: its likelihood, its impact, whether it has regulatory, operational or strategic implications, the means of avoidance, the means of mitigation and the means of (at least annual) testing. This document must be reviewed at least every 6 months.
14. Dealing with threats (during and post-event)
Your Organisation must have in place a documented mechanism or system for reporting on threats and attacks that are currently threatening the network, including a description of the threat, its cause, the level of its penetration and means of determining and limiting the further spread/impact of the threat/attack.
15. Breaches and breach registers
There must be a register for recording information security breaches and near misses in your Organisation. It must be the subject of a documented review by the Board at least every month.
How do we do it?
We are experts in information security controls and we speak in plain language that every organisation will understand.
So, we review your documents that are relevant to information/cyber security in your organisation and we provide you with a confidential report that is sent only to you.
Our expert reports provide insight and remarks that you will find most useful (and we can’t rule out that they might also be a little ‘scary’).
This isn't intended to be a 'Standard' and so it’s entirely up to you to decide what to do with the outcome.
- You can simply treat our report as a very useful piece of consulting.
- Or, you might show it to your insurer by way of an independent review of your safeguards.
- Or, you might be keen to pursue Cyber Essentials, but would like to know first as to how you would get on.
- Or you might be concerned about your data protection controls, such as mapping personal data in your organisation. We support that too; Cyber Checked sets out the aspects of data mapping that every organisation must have in place (in fact it’s stipulated by Article 30 of the GDPR!).
There is no pressure whatsoever for your organisation to comply with the controls that we propose in our report. But, a little bit like an MOT for your car, if you decide to resolve all of the controls we will be proud to send you the CyberChecked logo and window stickers to show your clients, customers, suppliers and staff that you have taken some small-but-giant steps to protect their information.
- Provide you with a secure document vault to send us the documents.
- Write a report in clear, plain language.
- Send you a copy of the logo and window sticker (subject to completion).
- Give you access to our knowledge base and keep you posted with updates and best practice on DP and C/IS.
With all of the expertise and insight driving CyberChecked, its alignment with data protection regulation and its comprehensive coverage of Cyber Essentials, you would assume that CyberChecked is a ‘big ticket’ item.
The cost of reviewing your documents and preparing your report is £195.00 (plus VAT).
The harsh reality
Ransomware usually only gets into a network because someone clicked a ‘seemingly safe’ link in an email or webpage, or because someone connected to an unsecure network.
WannaCry was 100% avoidable, but it got into many systems because the Boards and General Managers responsible for their organisations’ networks had not properly monitored their devices and software, or had not been stringent enough in their staff training programmes.