
DCPP: Cyber Risk Profile Control Guidance (archived 2 October 2017)

Updated 18 August 2016

This guidance was withdrawn on

For the latest DCPP information please visit Defence cyber protection partnership.


The guidance below is additional to the minimum requirements outlined in DEFSTAN 05-138. To demonstrate compliance you must be able to meet the minimum answer set out in the Supplier Cyber Protection Service, not the ‘Important considerations’ or ‘Further guidance’ below.

Controls for cyber profile Very Low

VL01

Achieve Cyber Essentials Protection (VL01)

Actions:

MOD has mandated the adoption of Cyber Essentials. This provides basic cyber hygiene to protect against the majority of common phishing and hacking cyber attacks. It establishes a range of controls in 5 main areas:

  • boundary firewalls and internet gateways
  • secure configuration
  • user access control
  • malware protection
  • patch management

Further guidance:

Controls for cyber profile Low

L01

Determine and assign key information security roles and responsibilities (L01)

Important considerations:

  • begin to establish a governance framework to enable and support risk management across the organisation
  • identify a senior manager (preferably at board level) who has responsibility for managing information security risks in your organisation
  • they should understand the strategic business goals of the organisation and how these may be affected by failure of information security, in order to ensure that information risks are weighed alongside other factors such as financial, legal and operational risks
  • they should ensure compliance with the security requirements mandated by MOD, ensure that security policies are defined and subject to regular review and that the information security processes and procedures are defined, monitored and reviewed
  • identify an individual with overall day-to-day responsibility for security; they will be responsible for the day-to-day effectiveness of information security protective measures
  • they should determine where and what level of compliance is required of delivery partners and suppliers, where equivalent security policies are acceptable and the level of oversight needed to assure them that assets are appropriately protected
  • establish a security incident contact for your organisation: ideally this should be available 24/7
  • develop terms of reference for these important roles: ensuring people in roles understand what is expected of them and that they are accountable

Further guidance:

CESG 10 steps to cyber security, information risk management regime states:

Establish a governance framework: A governance framework needs to be established that enables and supports information risk management across the organisation, with ultimate responsibility for risk ownership residing at board level.

CESG guidance on risk management.

L02

Define and implement a policy that addresses security risks within supplier relationships (L02)

Important considerations:

  • establish the policy, where applicable
  • the policy should state how information security within supplier relationships will be managed in line with the organisation’s risk management processes and any contractual requirements set by MOD; it should state how the organisation will:
    • flow down original customer security requirements (including the 3 core security pillars set in the DEFSTAN) throughout the supply chain using DCPP processes (such as risk assessment, self-assessment questionnaire and right to audit)
    • gain assurance that suppliers meet the required level of protection to operate at a stated DCPP cyber profile
    • ensure that suppliers provide upward reporting of incidents involving customer data
    • additionally you may wish to consider how to extend supply chain assurance to any existing or new contracts that fall outside of MOD DCPP

Further guidance:

CESG 10 steps to cyber security, executive companion states:

Effectively managing the process of assessing risk and implementing controls is essential – both in the business, and in the supply chain.

ISO/IEC 27036-1:2014 information security for supplier relationships, part 1 overview and concepts states:

Acquirers and suppliers can cause information security risks to each other. These risks need to be assessed and treated both by acquirer and supplier organisations through appropriate management of information security and the implementation of relevant controls.

CESG guidance on risk management.

GovCert supply chain risks paper.

L03

Define and implement a policy that ensures all functions have sufficient and appropriately qualified resources to manage the establishment, implementation and maintenance of information security (L03)

Important considerations:

CESG 10 steps to cyber security, information risk management regime states:

The board will sponsor the production of and own an overarching corporate information risk management approach to help communicate and support risk management objectives, setting out the information risk management strategy for the organisation as a whole.

  • in addition to the important information security leadership roles established at DCPP control L01, ensure that there are sufficient and appropriately qualified resources to manage the broader establishment, implementation and maintenance of information security within the organisation to match your information risk management approach
  • these resources should at a minimum be sufficient to meet DCPP requirements; additional resources may be required to support board level roles, manage the delivery of repeatable risk assessments (DCPP control M03), and to perform a range of supporting risk management functions and activities

Further guidance:

CESG 10 steps to cyber security, information risk management regime.

CESG CCP and CCS schemes provide trained security professionals and organisations.

L04

Define employee (including contractor) responsibilities for information security (L04)

Important considerations:

  • establish a policy that defines what employees and contractors can and cannot do in terms of information security
  • establish an induction process for new staff, during which they are made aware of these responsibilities and the disciplinary consequences should they fail to follow them, and receive training on fundamental aspects of cyber security

Further guidance:

CESG 10 steps to cyber security, user education and awareness and malware prevention state:

The organisation should develop and produce a user security policy (as part of their overarching security policy) that covers acceptable use. Security procedures for all ICT systems should be produced that are appropriate and relevant to all business roles and processes.

Establish an induction process: New users (including contractors and third party users) should be made aware of their personal responsibility to comply with the corporate security policies as part of the induction process (and the disciplinary consequences should they fail to follow them).

Users should understand the risks from malware and the day to day security processes they need to follow to prevent a malware infection occurring. This should include awareness training on the following topics to promote best practice behaviours to reduce the potential of malware being introduced:

  • do not click on hyperlinks in unsolicited email
  • do not open attachments in unsolicited email
  • comply with removable media policy
  • comply with policies on use of laptops and smart phones out of office
  • do not connect unapproved removable media or personally owned devices to corporate networks
  • know how to report security incidents
  • report suspicious emails and unexpected or unusual system behaviour
  • comply with policy on web browsing

The terms and conditions for their employment (contracts for contractors and third parties) must be formally acknowledged and retained to support any subsequent disciplinary action. Ideally the initial user registration process should also be aligned to the organisation’s technical access controls.

Get Safe On Line.

CESG ‘common cyber attacks: reducing the impact’ paper.

L05

Provide employees and contractors with information security training (L05)

Important considerations:

  • produce a policy detailing how the organisation will undertake security training and an awareness programme to increase the level of security expertise and knowledge across the organisation
  • to underpin the Acceptable Use Policy established at DCPP control L04, employees and contractors should be provided with general cyber threat awareness updates and training appropriate to their role
  • maintain user awareness of the cyber risks faced by the organisation; all users should receive regular refresher training on the cyber risks to the organisation and to them as both employees and individuals

Further guidance:

CESG 10 steps to cyber security, user education and awareness states:

It is critical for all staff to be aware of their personal security responsibilities and the requirement to comply with corporate security policies. This can be achieved through systematic delivery of a security training and awareness programme that actively seeks to increase levels of security expertise and knowledge across the organisation as well as a security-conscious culture.

CESG ‘common cyber attacks: reducing the impact’ paper states:

All should understand how published information about your systems and operations can reveal potential vulnerabilities. They should be aware of the risk of discussing work-related topics on social media, and the potential for them to be targeted in phishing attacks. They should additionally be aware of the risks to the business of releasing sensitive information in general conversation, in unsolicited telephone calls or to email recipients. All should be trained on the IT systems used in the organisation to reduce the potential for accidental compromise. Help-desk staff should be trained to handle any access escalation and password resets that might be part of an insider social engineering attack.

Get Safe On Line offers a range of general good practice guidance.

Open University: introduction to cyber security offers a structured course on cyber security that may be useful for staff.

CISP provides a feed of threat intelligence information for various business sectors across the UK.

As your approach to information security training matures, you may also wish to consider:

CESG 10 steps to cyber security, user education and awareness which states:

Support the formal assessment of IA skills: staff in security roles should be encouraged to develop and formally validate their IA skills through enrolment on a recognised certification scheme for IA roles. Some security related roles such as systems administrators, incident management teams and forensic investigation will require specialised training.

Monitor the effectiveness of security training: establish mechanisms to test the effectiveness and value of security training provided to all staff. This should be done through formal feedback and potentially by individual questionnaires in the staff survey and on training. Those areas that regularly feature in security reports, or achieve the lowest feedback ratings should be targeted for remedial training.

L06

Define and implement a policy for ensuring that sensitive information is clearly identified (L06)

Important considerations:

  • set the criteria the organisation will use to identify how sensitive information will be labelled and handled to provide an appropriate degree of protection
  • this is a critical first step to enable effective and proportionate defences to be built; this should be communicated to staff, so they understand the sensitivity of the material, and their role in protecting it
  • in particular, ensure data and assets associated with the MOD contract are appropriately labelled and controlled (and only staff with an approved business need to access this material, have a clear understanding of the associated ‘handling requirements’ and their personal responsibility for ensuring these are met)

Further guidance:

Government security classifications, April 2014 states:

All information that HMG needs to collect, store, process, generate or share to deliver services and conduct business has intrinsic value and requires an appropriate degree of protection.

Security classifications indicate the sensitivity of information (in terms of the likely impact resulting from compromise, loss or misuse) and the need to defend against a broad profile of applicable threats. Each classification provides for a baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile. Risk owners should appreciate that information classified at 1 level cannot be assured to be protected against the typical threat profile associated with a higher level of classification.

Information at any level of classification should receive broadly consistent levels of protection across the Public Sector. This consistency is essential to establish trust between organisations and promote greater interoperability.

MOD DCPP states:

MOD has set a range of cyber profiles to protect contract information. These profiles are derived from a combination of factors including the contract deliverable, the sensitivity of data, and the typical threat actor the recommended controls are expected to provide protection against. Supporting processes ensure these requirements flow down to suppliers and ensure they too handle this contract information in line with the original contractor security requirements.

L07

Define and implement a policy to control access to information and information processing facilities (L07)

Important considerations:

  • produce an Access Control Policy that sets out how access to information and information processing facilities will be managed. This should align with the Acceptable Use Policy established at DCPP control L04
  • DCPP requires that only staff (and contractors) with a legitimate business need to do so may access contract information: and that these requirements should flow down throughout any subsequent sub-contracting
  • it may be an advantage to protect the identity of MOD and the original customer in any contract information, and any associations that may be derived from this

Further guidance:

Government security classifications, April 2014 states:

Principle 3: access to sensitive information must only be granted on the basis of a genuine ‘need to know’ and an appropriate personnel security control.

The compromise, loss or misuse of sensitive information may have a significant impact on an individual, and organisation, or on government business more generally. Access to sensitive information must be no wider than necessary for the efficient conduct of an organisation’s business and limited to those with a business need and the appropriate personnel security control.

The more sensitive the material, the more important it is to fully understand (and ensure compliance with) the relevant security requirements.

Additional handling measures (typically physical or procedural) may be required to enforce ‘need to know’ for information at Official Sensitive.

CESG 10 steps to cyber security, managing user privileges:

Limit user privileges: users should only be provided with the rights and permissions to access systems, services, information and resources that they need to fulfil their business role.

Limit numbers and use of privileged accounts: strictly control the numbers of privileged accounts for roles such as systems or database administrators.

Cyber Essentials and DCPP controls VL01 and L08.

L08

Maintain Cyber Essentials Plus Scheme certification (L08)

Important considerations:

  • building on the adoption of Cyber Essentials at VL01, achieve Cyber Essentials Plus Scheme certification through annual, independent pen-testing by approved bodies

Further guidance:

For organisations who wish to do more, the following publications offer further best practice guidance to build on Cyber Essentials Plus Scheme:

L09

Define and implement a policy to control the exchange of information by removable media (L09)

Important considerations:

  • produce a corporate policy with supporting processes and procedures to control the use of removable media for the import and export of information. This should be based on the fundamental DPA principle that the amount of data held (on such media) should be the minimum necessary to meet the business requirement
  • where removable media has to be used the information should be encrypted; the type of encryption should be proportionate to the value of the information and the risks posed to it

Further guidance:

Depending on the decisions you make on removable media use, you may wish to consider options from the following best practice approaches that best match your business context to manage the risks.

CESG 10 steps to cyber security, removable media controls states:

Removable media should only be used to store or transfer information as a last resort; under normal circumstances information should be stored on corporate systems and exchanged using appropriate protection and appropriate information exchange connections. (See control L10 for further details.)

Limit the use of removable media: removable media should be used as a last resort only. Where its use is unavoidable, the business should limit the number of users who can use removable media, the types of media they can use, and the systems with which they can interface, and types of information that can be stored or transferred using removable media.

Scan all removable media: Protect all host systems (clients and servers) with an anti-virus solution that will actively scan for malware when any type of removable media is introduced. Any media brought into the organisation should be scanned for malicious content by a standalone media scanner before any data transfer takes place. (CSC 5-4 configure systems so that they automatically conduct an anti-malware scan of removable media when inserted).

Lock down access to media drives: the secure baseline build should deny access to media drives (including USB drives) by default and only allow access to appropriately authorised devices.

CSC 5-3 states:

Configure laptops, workstations and servers so they will not autorun content from removable media, like USB tokens (i.e. thumb drives), USB hard drives, CD / DVDs, FireWire devices, external serial advanced technology attachment devices, and mounted network shares.

Educate users and maintain their awareness of risks. Ensure that all users are aware of the risks posed to the organisation from the use of removable media and their personal responsibilities for following corporate removable media security policy.

As your control of removable media matures you may also consider:

Audit media holdings regularly: all removable media should be formally issued by the organisation to individuals who will be accountable for its secure use and return for destruction or reuse. Records of holdings and use should be made for audit purposes.

Actively manage the reuse and disposal of removable media: where removable media is to be reused or destroyed the appropriate steps should be taken to ensure previously stored information will not be accessible.

See DCPP controls L10 for related details on physical security, and M10 for details of remote access for staff working out of office.

L10

Define and implement an information security policy, related processes and procedures (L10)

Important considerations:

  • produce an information security policy setting out the organisation’s important security objectives and approaches and demonstrating its commitment to information security
  • it should be supported by an appropriate range of associated processes and procedures that ensure the overall policy is enacted
  • this policy will also contain links to the earlier (and subsequent) policy documents required by DCPP
  • in addition, the policy should also set out the organisation’s approach to:
    • physical security (for example, the adoption of an identity badge system differentiating staff and visitors, or staff with approval to access more sensitive areas; the adoption of basic good practice such as ‘clear desk’ and ‘clear screen’ policies; the provision of entry/visitor reception arrangements; and measures to control access to the building’s perimeter, and/or sensitive areas within it)
    • network security (for example, how information will be securely stored and exchanged with partners)
    • if applicable, the use of personally owned devices, the use of commercial (Cloud) services (such as remote storage or email services) – particularly in regard to meeting Data Protection Act stipulations and the off-shoring of personal or otherwise sensitive information – and the arrangements for the secure disposal of media and other technical systems (e.g. CDROMs, USB sticks, smart phones and PCs) that have stored sensitive information (also see DCPP control M04, policy on storage, access and handling of sensitive information and information processing facilities)
    • home and mobile working (how this will be securely enabled; see DCPP control M10 Remote Access)
  • see DCPP control L09 for related details on removable media
  • MOD may set additional stipulations in contract artefacts that should also be followed

Further guidance:

The HMG security policy framework sets out security expectations for physical security. CPNI provides further detailed guidance in this regard.

Government security classifications, April 2014 sets out the minimum security expectations for the protection of electronic information in transit and also for the transfer of hard copy material, including the use of couriers.

Government security classifications, April 2014 also sets out requirements for the protection of data (at rest) held in data centres, stating that physical security measures may provide appropriate security. See also DCPP control H09 for options regarding encryption of such data.

CESG 10 steps to cyber security, home and mobile working states:

Protecting data in transit: if a user is working remotely the connectivity back to the corporate network will probably use an untrusted public network such as the internet. The device and the information exchange should be protected by an appropriately configured VPN.

The latest guidance on recommended standards for data in transit protection is set out in CESG ‘Enterprise IT: security considerations for common problems’.

CESG end user device security principles and networking principles also provide a range of useful guidance in this regard.

CESG cloud security principles.

L11

Record and maintain the scope and configuration of the information technology estate (L11)

Important considerations:

  • this control builds on measures implemented in Cyber Essentials (Secure Configuration), and DCPP controls VL01 and L08, L09 removable media and L10 information security policy (relating to personally owned devices)
  • produce a policy and processes that define how the scope and configuration of your IT estate will be maintained, and which supports configuration control and change management requirements on all ICT systems including software

Further guidance:

Depending on the scope and configuration of your IT estate, and business context you may consider applying those of the following best practice options that best match your business needs and manage the risks.

CESG 10 steps to cyber security, secure configuration states:

Disable unnecessary input and output devices and removable media access: Assess the business requirements for user access to input/output devices and removable media (this includes MP3 and smart phones). Disable ports and system functionality that is not needed by the business (which may include USB ports, CD / DVD/card media drives).

Limit users’ ability to change configuration: provide users with the minimum system rights and permissions that they need to fulfil their business role. Users with normal privileges should be prevented from installing or disabling any software or services running on a system.

Implement whitelisting and execution controls: create and maintain a whitelist of authorised applications and software that can be executed on ICT systems. In addition, ICT systems need to be capable of preventing the installation and execution of unauthorised software and applications by employing process execution controls, software arbiters and only accepting code that is signed by trusted suppliers.

Create and maintain authorised hardware and software inventories. Ideally suitably configured customised tools should be used to capture the physical location, business owner, and purpose of hardware together with the version and patching status of all the hardware and software used on the system. The tools should also be able to identify any unauthorised hardware and software, which should be removed.

L12

Define and implement a policy to manage the access rights of user accounts (L12)

Important considerations:

This builds on a range of controls introduced by Cyber Essentials and DCPP controls VL01 and L08.

  • produce a policy that sets out how your organisation will manage the access rights of user accounts
  • establish supporting and effective account management processes: ensure the principle of accounts being allocated on a business need and ‘least privilege’ basis is followed
  • educate users and maintain their awareness: all users should be aware of the policy regarding acceptable account usage and their personal responsibilities to adhere to corporate security policies and the disciplinary measures that could be applied for failure to do so

Further guidance:

The above quotes are taken from CESG 10 steps to cyber security, managing user privileges.

The critical security controls for effective cyber defence, Version 5.0 CSC16: account monitoring and control:

CSC16-10: require that managers match active employees and contractors with each account belonging to their managed staff. Security or system administrators should then disable accounts that are not assigned to active employees or contractors.

CSC16-11: monitor attempts to access deactivated accounts through audit logging.

Cyber Essentials and Cyber Essentials Plus Schemes.
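As an added example (not part of the DCPP guidance or the CSC text), the following Python script carries out the two CSC16 activities quoted above over constructed data: a manager-confirmed roster of active staff and a directory account export for CSC16-10, and a few audit-log lines in a made-up key=value format for CSC16-11. All names, field names and log format are assumptions.

```python
"""Account reconciliation (CSC16-10) and deactivated-account monitoring (CSC16-11).

Added example, not part of the DCPP guidance. Every input below is constructed.
"""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed roster returned by managers confirming which employees and
# contractors on their staff are still active (CSC16-10).
ACTIVE_STAFF_CSV = """employee_id,name,manager,status
E100,Alice Smith,M1,active
E101,Bob Jones,M1,active
E102,Carol White,M2,left
C200,Dan Brown (contractor),M2,active
"""

# Constructed directory export: each account and the person it is mapped to.
# A service account with no recorded owner is flagged too: policy should
# assign an accountable owner to every account, not only to user accounts.
ACCOUNTS_CSV = """account,owner_id,enabled
asmith,E100,true
bjones,E101,true
cwhite,E102,true
dbrown,C200,true
svc_backup,,true
tmpadmin,E999,true
"""

# Constructed audit-log lines in an assumed key=value format (CSC16-11).
AUDIT_LOG = """2016-08-18T09:01:12Z host=fs01 event=logon user=asmith result=success src=10.0.0.5
2016-08-18T09:03:40Z host=fs01 event=logon user=cwhite result=failure reason=account_disabled src=10.0.0.9
2016-08-18T09:04:02Z host=vpn1 event=logon user=cwhite result=failure reason=account_disabled src=203.0.113.7
2016-08-18T09:10:55Z host=fs01 event=logon user=bjones result=success src=10.0.0.6
"""


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str


def reconcile_accounts(roster_csv, accounts_csv):
    """Return enabled accounts that are not assigned to an active employee or
    contractor: owner has left, owner is unknown, or no owner is recorded."""
    roster = list(csv.DictReader(io.StringIO(roster_csv)))
    known_ids = {r["employee_id"] for r in roster}
    active_ids = {r["employee_id"] for r in roster if r["status"] == "active"}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"] != "true":
            continue  # already disabled; nothing to do
        owner = acct["owner_id"]
        if not owner:
            findings.append(Finding(acct["account"], "no owner recorded"))
        elif owner not in known_ids:
            findings.append(Finding(acct["account"], "owner not on roster"))
        elif owner not in active_ids:
            findings.append(Finding(acct["account"], "owner no longer active"))
    return findings


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_log_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    try:
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return fields


def deactivated_account_attempts(log_text, deactivated_accounts):
    """Return logon attempts against deactivated accounts, grouped by account,
    so repeated attempts (here from two hosts) stand out for incident review."""
    attempts = {}
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev is None or ev.get("event") != "logon":
            continue
        user = ev.get("user")
        if user in deactivated_accounts:
            attempts.setdefault(user, []).append((ev["ts"], ev.get("host"), ev.get("src")))
    return attempts


if __name__ == "__main__":
    findings = reconcile_accounts(ACTIVE_STAFF_CSV, ACCOUNTS_CSV)
    for f in findings:
        print(f"disable {f.account}: {f.reason}")
    disabled = {f.account for f in findings}
    for user, hits in deactivated_account_attempts(AUDIT_LOG, disabled).items():
        print(f"{user}: {len(hits)} logon attempt(s) after deactivation")
```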

L13

Define and implement a policy for verifying an individual’s credentials prior to employment (L13)

Important considerations:

  • define and implement a policy that defines how and when personnel security controls (such as recruitment checks or NSV) will be applied
  • these measures are an essential step to support broader access control policies/approaches in your organisation

CESG 10 steps to cyber security, managing user privileges states:

Set up a personnel screening process: all users need to undergo some form of pre-employment screening to a level commensurate with the sensitivity of information they will have access to.

Further guidance:

HMG security policy framework states:

The purpose of personnel security controls (such as recruitment checks or national security vetting) is to confirm the identity of individuals (employees and contractors) and provide a level of assurance as to their trustworthiness, integrity and reliability. Whilst personnel security controls cannot provide guarantees, they are sensible precautions that provide for the identity of individuals to be properly established. In circumstances where risk assessments indicate that the necessary thresholds are met, they provide for checks to be made of official and other data sources that can indicate whether individuals may be susceptible to influence or pressure which might cause them to abuse their position or whether there are any other reasons why individuals should not have access to sensitive assets.

Government security classifications, April 2014 sets out the minimum personnel security controls expected at each classification level. For example, for Official the appropriate recruitment checks are BPSS or equivalent. This includes verification of the right to work in the UK, employment history, qualifications and criminal records.

Other schemes such as BS7858:2006, CPNI pre-employment screening, or EBS may offer similar assurance.

L14

Define and implement a process for employees and contractors to report violations of information security policies and procedures without fear of recrimination (L14)

Important considerations:

CESG 10 steps to cyber security, user education and awareness states:

Produce a policy with supporting processes that defines how employees and contractors can report violations of security policies and procedures in a fair, proportionate and consistent manner, without fear of recrimination.

Educate users and maintain their awareness on these processes, so that they know when and how to report issues that are security related.

Document and analyse any such reporting to spot any particular trends to inform information security improvement plans.

Where such incidents result from poor user understanding of procedures, provide refresher training.

Where such incidents occur due to unworkable or difficult procedures for users to follow, consider revising the existing approaches.

Further guidance:

Educate users to maintain their awareness: all users should be made aware of their responsibilities and the processes they should follow to report and respond to an incident. Equally, all users should be encouraged to report any security weaknesses or incidents as soon as possible, without fear of recrimination.

L15

Define and implement a disciplinary process to take action against employees who violate information security policies or procedures (L15)

Important considerations:

CESG 10 steps to cyber security, user education and awareness states:

Establish a formal disciplinary process: all staff should be made aware that any abuse of the organisation’s security policies will result in disciplinary action being taken against them.

  • this should be communicated in induction training and also detailed in the Acceptable Use Policy established in DCPP control L04
  • develop and implement the policy that defines how the organisation will act on security violations

Further guidance:

CESG 10 steps to cyber security, user education and awareness.

See the government classification scheme reference provided at DCPP Control L07.

L16

Define and implement an incident management policy, which must include detection, resolution and recovery (L16)

Important considerations:

CESG 10 steps to cyber security states:

Establish an incident response capability: the organisation should identify the funding and resources to develop, deliver and maintain an organisation-wide incident management capability that can address the full range of incidents that could occur.

The supporting policy, processes and plans should be risk based and cover any legal and regulatory reporting or data accountability requirements.

  • produce a policy (or procedure) that defines how security incidents are managed. This must include how incidents are detected, reported, resolved and recovered

  • defined roles and responsibilities should be established and staff formally trained and qualified to perform these roles. (See DCPP controls L01 and L05 for further details)

CESG 10 steps to cyber security also states:

Report criminal incidents to Law Enforcement: it is important that online crimes are reported to Action Fraud or the relevant Law Enforcement Agency to build a clearer view of the national threat picture and deliver an appropriate response.

Further guidance:

CESG 10 steps to cyber security, incident management states:

Obtain senior management approval and backing: The organisation’s board needs to understand the risks and benefits of incident management and provide appropriate funding to resource it and lead delivery.

CESG 10 steps to cyber security, executive companion:

Have robust, regularly tested incident management processes and contingency planning in place to recover from and reduce the impact of any compromises to the business. Understanding why an attack occurred and what was compromised is critical to recovering successfully and protecting the business in the future.

Provide specialist training: The incident response team may need specialist knowledge and experience across a number of technical (including forensics) and non-technical areas. The organisation should identify sources of specialist incident management training and maintain the organisation’s skills base.

10 steps to cyber security also proposes additional steps in the following areas that you may wish to consider: user education, deciding on what information may or may not be shared, conducting lessons learned, and finally collecting and analysing evidence.

CESG GPG 24: incident management planning guidance.

The policy should include post-incident review and reporting obligations, e.g. to customers and/or national authorities.

Controls for cyber profile Moderate

M01

Define and implement a policy that provides for regular, formal information security related reporting (M01)

Important considerations:

  • the Information Risk Management approach established under DCPP control L03 should be strengthened with the provision of regular, formal information security related reporting that should be matched to the organisation’s business needs
  • this may include: reviews of the performance of security arrangements in the supply chain, response to any incidents, the effectiveness of current security controls, particularly in light of any emerging attack trends in your sector, as well as other issues of importance to the business
  • the board should remain engaged with information risk and should ensure that the risks to the organisation’s assets from cyber attack are a regular agenda item for board discussion
  • the board should seek assurance that vital information risks are both assessed and prioritised, and that there is regular monitoring where threats and vulnerabilities are constantly changing
  • ultimate responsibility for cyber security rests at board level, with correct governance, management and culture throughout the business

Further guidance:

CESG 10 steps to cyber security, executive companion and information risk management regime states:

Risks to all forms of information should be treated in the same way as other financial or business risks, especially where threats and vulnerabilities are constantly changing.

CESG guidance on risk management.

M02

Define and implement a policy to detail specific employee and contractor responsibilities for information security before granting access to sensitive assets (M02)

Important considerations:

  • building on DCPP control L04, the Acceptable Use Policy should be enhanced to set out the handling requirements for sensitive assets ensuring that ‘need to know’ needs are met
  • these, at Official Sensitive, should be largely based on physical and procedural controls
  • it should reinforce vital Data Protection Act concepts: that the amount of data to be accessed, stored or transferred should be the minimum necessary to achieve the business need
  • the policy should also outline the procedures to follow to seek approval for the bulk transfer of any such data
  • the policy, and its supporting processes and procedures, should be communicated to all staff to embed these behaviours

Further guidance:

CESG 10 steps to cyber security, user education and awareness.

See the references to the government security classifications, April 2014 provided in DCPP controls L06 and L07, for further details on the handling of personal information and sensitive information marked Official Sensitive.

M03

Define and implement a policy that provides for repeatable information security risk assessments (M03)

Important considerations:

  • this builds on DCPP controls L02 and L03 and informs M01; you should establish a policy that provides a process to perform risk assessments
  • this should be used in accordance with schedules/criteria established in your information risk approach at DCPP control L03
  • you should choose a risk management approach that meets your business needs
  • you should use the DCPP approved risk assessment approach for any related subcontracting to suppliers
  • the board will clarify with data owners the criteria that may allow the delegation of approval for the management of risk decisions, ensuring appropriate oversight and reporting of these decisions

Further guidance:

CESG 10 steps to cyber security, executive companion states:

Identify the risks to information assets. Assess who has access to those assets and who may wish to target the company. Consider the circumstances in which the risks could become a reality. Quantify the level of risk to those assets that the business is willing to accept and communicate your risk appetite across the business, especially to those who implement and manage the company’s security. Ensure your assessments keep pace with technological advances, such as Cloud Computing, which may affect the balance of risk over time.

Implement security controls and supporting policies that are commensurate with the level of risk that the business is willing to tolerate. Regularly review and test the effectiveness of, and adherence to, current controls and investigate any anomalies.

CESG 10 steps to cyber security, information risk management regime states:

The components of risk can change over time, so a continuous through-life process needs to be adopted to ensure security controls remain appropriate to the risk.

See CESG risk guidance which provides an analysis of some of the most commonly used approaches.

M04

Define and implement a policy for storing, accessing, and handling sensitive information securely (M04)

Important considerations:

  • this builds on DCPP control L07, and requires enhancement of this policy providing additional clarification of measures to be taken to protect any personal information or information marked Official Sensitive; it should:
    • ensure this information is handled in accordance with contracted obligations set by MOD
    • require compliance with the Data Protection Act where the contract involves information that is personal or personally sensitive
    • state the organisation’s approach to the use of commodity (Cloud) services (such as remote storage or email services), ensuring that MOD requirements and broader HMG obligations on off-shoring of information are met; MOD mandates that personal information will not be off-shored
    • it may also detail the physical and procedural controls that will be implemented to control access to this material and potentially the business areas where this material is handled and stored
    • it may set out the procedures required to approve the bulk transfer of such data

Further guidance:

DCPP control L07.

Government security classifications, April 2014 states:

A limited subset of information could have more damaging consequences for individuals, an organisation, or government generally if it were lost, stolen or published in the media. This subset of information should still be managed at Official, but may attract additional measures (generally procedural or physical) to reinforce ‘need to know’. Organisations may wish to adopt a more directive approach to control access to Official Sensitive or personally sensitive information.

The handling of personal data must be in compliance with the DPA 1988. It also contains information on the off-shoring of information.

The Information Commissioner’s Office also provides guidance on off-shoring.

HMG Cloud Store (now known as the Digital Marketplace) and CESG cloud security principles.

M05

Define and implement a policy for data loss prevention (M05)

Important considerations:

  • produce a policy that defines how the loss of sensitive data will be prevented
  • this addresses the issue in 3 main areas: how such loss will be prevented; what monitoring activities are required to support this outcome and finally what data back-up arrangements are required to recover from any data loss

Further guidance:

DCPP controls M12 (controlling information flows), H07 (control and police information flows), H10 (data loss prevention on network egress), M08 (network monitoring) and L16 (data recovery) all provide further, related guidance in this area.

Use host based data loss prevention to enforce access control lists (ACLs) even when data is copied off a server. In most organisations, access to the data is controlled by ACLs that are implemented on the server. Once the data has been copied to a desktop system, the ACLs are no longer enforced and the users can send the data to whomever they want. (CSC 15-1)

Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them. (CSC 17-9)

CESG 10 steps to cyber security, secure configuration states:

Establish a data recovery capability: data losses occur and so a systemic approach to the back-up of the corporate information asset base should be implemented. Back up media should be held in a physically secure location on-site and off-site where at all possible and the ability to recover archived data for operational use should be regularly tested.

CESG 10 steps to cyber security, network security states:

Configure the exception handling processes: ensure that error messages returned to internal or external systems or users do not include sensitive information that may be useful to attackers.

M06

Ensure that the organisation has identified asset owners and that asset owners control access to their assets (M06)

Important considerations:

This relates closely to, and should align with, DCPP control M04.

Further information:

Government security classifications, April 2014 states:

IAOs must be senior/responsible individuals involved in the running of the relevant business. Their role is to understand what information is held, what is added and removed, and who has access and why. As a result they are able to understand and address the risks to the information, and ensure that information is fully used within the law for the public good. They provide a written judgement of the security and use of their asset to support the audit process.


M07

Define and implement a policy to assess vulnerabilities identified for which there are no countermeasures (e.g. patch) available, undertake risk assessment and management (M07)

Important considerations:

  • this builds on DCPP control L08, Cyber Essentials Plus. Establish a policy that sets out how you will manage risks that cannot be mitigated (this relates to new, evolving attacks including zero-days)
  • CESG 10 steps to cyber security, secure configuration states:
  • conduct regular vulnerability scans: Organisations should run automated vulnerability scanning tools for all networked devices regularly and remedy any identified vulnerabilities within an agreed time frame
  • organisations should also maintain an awareness of the threats and vulnerabilities they face
  • you should subscribe to a vulnerability alerting service (DCPP recommends CISP), formally review alerts and mitigate as a matter of priority
  • alternative countermeasures should be considered if patches are not available (CSC 4-8)

Further guidance:

ISO/IEC 27002:2013, information technology security techniques code of practice for information security controls states:

Address the situation where a vulnerability has been identified, but where there is no suitable countermeasure. In this situation, … evaluate risks, … define appropriate detective and corrective actions.

Critical security controls for effective cyber defence, Version 5.0, CSC 4: continuous vulnerability assessment and remediation, CSC 4-7 and CSC 4-8 state:

Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed to determine if new compensating controls can address vulnerabilities that were previously accepted, or if conditions have changed, increasing the risk.

CESG 10 steps to cyber security, secure configuration states:

Lock down operating systems and software: consider the balance between system usability and security and then document and implement a secure baseline build for all ICT systems covering clients, mobile devices, servers, operating systems and network devices. Essentially, any services, functionality or applications that are not required to support the business should be removed or disabled. The secure build profile should be managed by the configuration control and management process and any deviation from the standard build should be documented and formally approved.

CESG also provides configuration (or lockdown) guidance on a wide range of the most commonly used IT systems.

See also DCPP control M08 on protective monitoring.

M08

Define and implement a policy to monitor network behaviour and review computer security event logs for indications of potential incidents (M08)

Important considerations:

  • this supports measures introduced at DCPP control M05
  • CESG 10 steps to cyber security, monitoring states:
    • the organisation should establish a monitoring strategy and supporting policies
    • develop and implement an organisational monitoring strategy and policy based on an assessment of the risks
    • the strategy should take into account any previous security incidents and attacks and align with the organisation’s incident management policies
    • test legal compliance: ensure that the monitoring complies with legal and regulatory constraints on the monitoring of user activity
  • monitoring should be matched to your specific business context, but should at a minimum cover:
    • the transfer of sensitive information, particularly bulk data transfers or unauthorised encryption, which should generate a security alert and prompt follow-on investigation
    • the use of unauthorised removable media, or connections of removable media to unauthorised systems, by unauthorised employees or contractors
    • any specific requirements set out in DCPP controls

Further guidance:

CESG 10 steps to cyber security, monitoring provides further useful guidance:

  • monitor all ICT systems: ensure that the solution monitors all networks and host systems (such as clients and servers)
  • monitor network traffic: the inbound and outbound traffic traversing network boundaries should be continuously monitored to identify unusual activity or trends that could indicate attacks and the compromise of data
  • monitor all user activity: the monitoring capability should have the ability to generate audit logs that are capable of identifying unauthorised or accidental input, misuse of technology or data; it should be backed up with resilient timing and ensure sufficient storage capacity assigned for record retention
    • for investigative and legal reasons the time that something happened must be provable
    • timestamps on logs therefore should be from a system wide, consistent and reliable time source

CESG security monitoring guidance.

M09

Define and implement a policy to monitor user account usage and to manage changes of access (M09)

Important considerations:

  • this builds on user access control measures introduced in DCPP control L08 (Cyber Essentials), which verifies active access control for administrators
  • produce a policy with supporting processes to monitor account usage and to manage any changes of access permissions

Further guidance:

CESG 10 steps to cyber security, managing user privileges states:

Limit access to the audit system and system activity logs: activity logs from network devices should be sent to a dedicated accounting and audit system that is separate from the core network. Access to the audit system and logs should be strictly controlled to preserve the integrity and availability of content and all privileged user access should be recorded.

Critical security controls for effective cyber defence, Version 5.0 CSC 16: account monitoring and control states:

Managers should ensure that active employees and contractors are matched with each account belonging to their staff. Security or system administrators should then disable accounts that are not assigned to active employees or contractors. (CSC 16-10)

Monitor attempts to access deactivated accounts through audit logging. (CSC 16-11)
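The two CSC checks quoted above, as an added example that is not part of the DCPP guidance or the CSC text: reconcile every account against the roster of active staff (CSC 16-10) and flag audit-log authentication attempts against the accounts that reconciliation disabled (CSC 16-11). The roster, the account list and the syslog-like log format are constructed assumptions, not any product's real format.

```python
"""Added example (not DCPP or CSC code): account reconciliation (CSC 16-10) and
detection of attempts on disabled accounts (CSC 16-11) over constructed sample data."""
import re
from collections import namedtuple

# Constructed HR roster: who is currently an active employee or contractor.
ACTIVE_STAFF = {"asmith", "bjones", "cpatel"}

# Constructed account list. Service accounts carry a named human owner so that
# they, too, can be matched to an active member of staff.
Account = namedtuple("Account", "name owner kind")
ACCOUNTS = [
    Account("asmith", "asmith", "user"),
    Account("bjones", "bjones", "user"),
    Account("dlee", "dlee", "user"),            # dlee has left the organisation
    Account("svc-backup", "cpatel", "service"),
    Account("svc-legacy", "dlee", "service"),   # service account owned by a leaver
]

# Constructed audit log in an assumed syslog-like format. Timestamps are UTC from
# a single time source, as M08 requires, so events can be ordered reliably.
AUDIT_LOG = """\
2016-08-18T08:59:10Z auth: user=asmith src=10.1.2.3 result=OK
2016-08-18T09:04:31Z auth: user=dlee src=203.0.113.9 result=FAIL reason=disabled
2016-08-18T09:04:40Z auth: user=dlee src=203.0.113.9 result=FAIL reason=disabled
2016-08-18T09:10:02Z auth: user=svc-legacy src=10.1.9.9 result=FAIL reason=disabled
2016-08-18T09:11:45Z auth: user=bjones src=10.1.2.7 result=FAIL reason=bad_password
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)


def accounts_to_disable(accounts, active_staff):
    """CSC 16-10: every account must map to an active employee or contractor.
    Returns the sorted names of accounts whose owner is not on the active roster."""
    return sorted(a.name for a in accounts if a.owner not in active_staff)


def attempts_on_disabled(log_text, disabled):
    """CSC 16-11: return (timestamp, user, src) for every log line recording an
    authentication attempt against an account in `disabled`, in log order.
    Lines that do not match the expected format are skipped, not trusted."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("user") in disabled:
            hits.append((m.group("ts"), m.group("user"), m.group("src")))
    return hits


def sources_by_account(hits):
    """Group attempts per disabled account so repeated probing from one source
    is visible at a glance; returns {account: [src, ...]} in log order."""
    summary = {}
    for _ts, user, src in hits:
        summary.setdefault(user, []).append(src)
    return summary


if __name__ == "__main__":
    disabled = accounts_to_disable(ACCOUNTS, ACTIVE_STAFF)
    print("accounts to disable:", disabled)
    for ts, user, src in attempts_on_disabled(AUDIT_LOG, set(disabled)):
        print(f"ALERT {ts} attempt on disabled account {user} from {src}")
```

In the sample data the failed login by bjones is a bad password on a live account, so it is not reported here; that belongs to ordinary failed-login monitoring under M08.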

CESG security monitoring guidance.

Cyber Essentials and Cyber Essentials Plus.

M10

Define and implement a policy to control remote access to networks and systems (M10)

Important considerations:

  • this control covers 2 separate issues: managing the general risks posed by remote working, and secondly managing the specific risks associated with the remote management of network devices by administrators (see H08 for further details in this regard)
  • establish the policy that defines how remote access to your network and systems will be managed
  • additionally, and building on DCPP control L08, Cyber Essentials, all remote administration of servers, workstations, network devices and similar equipment should be performed over secure channels
    • protocols such as telnet, VNC, RDP or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL or IPSEC (CSC 13-7)
  • these policies and procedures should be incorporated with the Information Security Policy established at DCPP control L10

Further guidance:

CESG 10 steps to cyber security, home and mobile working states:

Assess the risks to all types of mobile working (including remote working where the device connects to the corporate network infrastructure). The resulting mobile security policy should determine aspects such as the processes for authorising users to work off-site, device acquisition and support, the type of information that can be stored on devices and the minimum procedural security controls. The risks to the corporate network from mobile devices should be assessed and consideration given to an increased level of monitoring on all remote connections and the corporate systems being accessed.

Educate users and maintain their awareness: without exception, all users should be trained on the secure use of their mobile device for the locations they will be working in. Users should be capable of using the device securely by following their user specific security procedures at all times, which should as a minimum include direction on:

  • secure storage and management of their user credentials
  • incident reporting
  • environmental awareness (the risks of being overlooked)

Cyber Essentials Plus Scheme.

Critical security controls for effective cyber defence, Version 5.0 CSC3: secure configuration for hardware and software on mobile devices, laptops, workstations and servers and CSC13: boundary defence require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use 2-factor authentication. (CSC 13-7)

All enterprise devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels. For third party devices (e.g. sub-contractors/vendors), publish minimum security standards for access to the enterprise network and perform a security scan before allowing access. (CSC 13-8)

CESG guidance, enterprise IT: security considerations for Official provides guidance on the use of 2FA and VPNs.

You should use a VPN for users working away from the office. A device wide VPN will provide the best level of protection for information as it travels over an untrusted network. It also ensures that all communications benefit from the protections provided within the enterprise, such as web content filtering. We recommend you use a VPN product or component which you are confident in the design and use of. One way of getting that confidence is to use 1 of the VPN products that have been assessed through Commercial Product Assurance to have the characteristics of a well designed VPN Gateway or VPN client. Both IPSEC and TLS can be configured to protect the integrity and confidentiality of data: the choice is predominantly an architectural decision.

See also DCPP control H02 for considerations about VPN usage on wifi networks.

CESG architectural patterns ‘walled gardens’, which sets out how to establish a secure remote working solution, and ‘internet gateways’, which sets out approaches to serving web content to the internet.

CESG enterprise IT: common decisions provides details on VPN use.

CESG EUD security principles.

M11

Define and implement a policy to control the use of authorised software (M11)

Important considerations:

  • this builds on measures introduced in DCPP controls (VL01 and L08 – Cyber Essentials) and L11
  • produce a policy that defines how the use of authorised software will be controlled
    • the policy should address: access to, licensing, patching and maintaining an inventory of authorised software
    • it should also detail how unauthorised software will be handled

Further guidance:

CESG 10 steps to cyber security, secure configuration states:

Develop corporate policies to update and patch systems: Use the latest versions of operating systems, web browsers and applications. Develop and implement corporate policies to ensure that security patches are applied in a timeframe that is commensurate with the organisation’s overall risk management approach. Organisations should use automatic patch management and software update tools.

Devise a list of authorised software and versions that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorised software has not been modified (Critical security controls for effective cyber defence, Version 5.0, CSC 2: inventory of authorised and unauthorised software).

Deploy software inventory tools throughout the organisation covering each of the operating system types in use, including servers, workstations and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. Furthermore, the tool should record not only the type of software installed on each system, but also its version number and patch level (Critical security controls for effective cyber defence, Version 5.0, CSC 2-4).

See also DCPP controls M05 and M08.

M12

Define and implement a policy to control the flow of information through network borders (M12)

Important considerations:

  • produce the policy that defines how the flow of information through network borders will be controlled
  • this should build on controls established under DCPP control L08, Cyber Essentials Plus

Further guidance:

You may wish to consider the following best practice guidance and select those approaches that best meet your business needs and manage the associated risks.

CESG 10 steps to cyber security, network security states:

Police the network perimeter: Limit access to network ports, protocols and applications, filtering and inspecting all traffic at the network perimeter to ensure that only traffic which is required to support the business is being exchanged. Control and manage all inbound and outbound network connections and deploy technical controls to scan for malware and other malicious content.

Install firewalls: Firewalls should be deployed to form a buffer zone between the external untrusted network and the internal network used by the business. The firewall rule set should deny traffic by default and a whitelist should be applied that only allows for authorised protocols, ports and applications to communicate with authorised networks and network addresses. This will reduce the exposure of ICT systems to network based attacks.

Protect internal IP addresses: Implement capabilities (such as NAT) to prevent internal IP addresses from being exposed to external networks and attackers and ensure that it is not possible to route traffic directly from untrusted networks to the internal network.

CESG 10 steps to cyber security, malware prevention states:

Blacklist malicious websites; ensure that the perimeter gateway uses blacklisting to block access to known malicious websites.

Cyber Essentials Plus Scheme.

CESG architectural patterns ‘walled gardens’ and ‘internet gateways’.

Critical security controls for effective cyber defence, Version 5.0.

CSC13 boundary defence states:

  • deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (whitelists) (CSC 13-1)
  • design and implement network perimeters so that all outgoing web, file transfer protocol (FTP), and secure shell traffic to the internet must pass through at least 1 proxy on a DMZ network; organisations should force outbound traffic to the internet through an authenticated proxy server on the enterprise perimeter; proxies can also be used to encrypt all traffic leaving an organisation (CSC 13-6)

CSC 17 data protection states:

  • block access to known file transfer and e-mail exfiltration websites (CSC 17-13)

M13

Define and implement a policy to maintain the confidentiality of passwords (M13)

Actions:

  • this builds on measures introduced in DCPP control L08, Cyber Essentials
  • produce a policy with supporting processes that defines how password confidentiality is maintained, including how those held on networks and systems are protected
  • passwords should not be stored in clear, and should be salted and hashed to prevent the password being recovered from the stored hash

Further guidance:

Cyber Essentials Plus Scheme.

Critical security controls for effective cyber defence, Version 5.0 CSC 16: account monitoring and control.

  • configure all systems to use encrypted channels for the transmission of passwords over a network (CSC 16-16)
  • verify that all password files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges; audit all access to password files in the system (CSC 16-17)

CESG guidance on passwords.

CESG GPG44 details approaches for the secure storage of authentication credentials.

M14

Define and implement a policy for applying security vetting checks to employees (M14)

Important considerations:

  • produce a policy defining how and when security vetting checks are applied

Further guidance:

See guidance under DCPP control L15 (implement pre-employment screening).

HMG Personnel Security Controls, Version 2.0, April 2014 states:

National security vetting comprises a range of additional checks and may be applied where a risk assessment indicates that it is proportionate to do so. The risk assessment process takes account of the access an individual may have to sensitive assets (physical, personnel or information) at risk from a wider range of threats.

Government security classifications, April 2014 states:

Personnel security: At Official, appropriate recruitment checks (e.g. BPSS or equivalent), reinforcement of personal responsibilities and duty of care through training, and ‘need to know’ is required for access to sensitive assets. At Secret always enforce ‘need to know’, SC is required for regular access, and special handling requirements apply.


M15

Undertake personnel risk assessments for all employees and contractors and ensure those with specific responsibilities for information security have sufficient qualifications and appropriate levels of experience (M15)

Important considerations:

  • produce a policy that defines when risk assessments are undertaken and specifically how the organisation will ensure those with specific information security responsibilities (see DCPP control L01) have sufficient qualifications and experience for these roles

Further guidance:

CPNI guidance.

M16

Define and implement a policy to secure organisation assets when individuals cease to be employed (M16)

Important considerations:

  • produce the policy that defines how the information security risks associated with leavers will be assessed and what actions will be taken
    • implement necessary processes and procedures to ensure this is enacted

Further guidance:

NIST guidance.

Controls for cyber profile High

H01

Maintain patching metrics and assess patching performance against policy (H01)

Important considerations:

  • this builds on the patching policy established under control L08, Cyber Essentials Plus
  • performance against the policy should be measured, particularly the time taken to patch new vulnerabilities

Further guidance:

Critical security controls for effective cyber defence, Version 5.0, CSC 4-9 and CSC 4-10 state:

Evaluate critical patches in a test environment before pushing them into production on enterprise systems. If such patches break critical business applications on test machines, the organisation must devise other mitigating controls that block exploitation on systems where the patch cannot be deployed because of its impact on business functionality. (CSC 4-9)

Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (for example DMZ servers, internal network servers, desktops, laptops). Apply patches for the riskiest vulnerabilities first. A phased rollout can be used to minimise the impact to the organisation. Establish expected patching timelines based on the risk rating level. (CSC 4-10)

CESG 10 steps to cyber security, secure configuration states:

Develop corporate policies to update and patch systems: develop and implement corporate policies to ensure security patches are applied in a time-frame that is commensurate with the organisation’s overall risk management approach.

H02

Ensure that wireless connections are authenticated (H02)

Important considerations:

  • this builds on measures introduced at DCPP controls VL01 and L08
  • to control access to your network, you need to authenticate devices before allowing them to join
  • WPA2 is the best available standard for authenticating devices to wifi networks
  • when deploying WPA2 it is best practice to configure it in enterprise mode (also known as 802.1x)
  • in this mode, individual clients should be issued with a certificate for authorisation, meaning that no client should be able to decrypt the connections sent to the authorised device

Further guidance:

The above quotes are taken from CESG enterprise IT: common decisions. It also provides details on how to securely operate a guest wifi network in addition to an enterprise wifi network using a single set of Wireless Access Points, and recommends the use of VPNs to ensure confidentiality and integrity protection of traffic passed over wifi networks.

Examples of good practice include:

CESG 10 steps to cyber security, network security states:

Wireless devices should only be allowed to connect to trusted wireless networks. All Wireless Access Points (WAP) should be secured and additional security scanning tools should have the ability to detect WAPs.

Critical security controls for effective cyber defence, Version 5.0 CSC 7 wireless access control states:

Configure networks with scanning tools to detect wireless access points connecting to your wired network. Identified devices should be reconciled against a list of authorised WAPs. Any unauthorised (i.e. rogue) access points should be deactivated. (CSC 7-2)

Disable peer to peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need. (CSC 7-8)

Disable wireless peripheral access of devices (e.g. bluetooth), unless such access is required for a documented business need. Note: if there is a business need this should be risk assessed and approved. (CSC 7-9)
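CSC 7-2 above asks for detected access points to be reconciled against the authorised list. The following is an added illustration of that reconciliation, not part of the DCPP guidance or of the Critical Security Controls: the scan-output format, the authorised-AP list and the (locally administered) BSSIDs are constructed for the example. It goes slightly beyond the quoted control by separating an unknown AP that advertises one of your own SSIDs (an evil twin, which clients may auto-join) from other rogue APs, and by reporting authorised APs the scan did not see.

```python
"""Reconcile wireless access points seen by a scan against the authorised list.

Added illustration for CSC 7-2; not part of the DCPP guidance or of the
Critical Security Controls. Scan format, BSSIDs and the authorised list are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SeenAP:
    bssid: str
    ssid: str
    channel: int
    security: str


# Authorised access points keyed by BSSID (locally administered test addresses).
AUTHORISED: Dict[str, str] = {
    "02:00:00:aa:00:01": "CORP-WIFI",
    "02:00:00:aa:00:02": "CORP-WIFI",
    "02:00:00:aa:00:03": "CORP-GUEST",
    "02:00:00:aa:00:04": "CORP-WIFI",
    "02:00:00:aa:00:05": "CORP-WIFI",
}
CORP_SSIDS = set(AUTHORISED.values())

# Constructed scan output, one AP per line: bssid ssid channel security
SCAN = """\
02:00:00:aa:00:01 CORP-WIFI 36 WPA2-EAP
02:00:00:aa:00:02 CORP-WIFI 44 WPA2-EAP
02:00:00:aa:00:03 CORP-GUEST 1 WPA2-PSK
02:00:00:aa:00:04 CORP-WIFI-OLD 6 WPA2-PSK
02:00:00:bb:00:09 CORP-WIFI 6 WPA2-PSK
02:00:00:cc:00:0a PrinterDirect 11 OPEN
"""


def parse_scan(text: str) -> List[SeenAP]:
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, security = line.split()
        aps.append(SeenAP(bssid.lower(), ssid, int(channel), security))
    return aps


def reconcile(seen: List[SeenAP]) -> Dict[str, List[SeenAP]]:
    """Classify each observed AP.

    authorised:    BSSID on the list and advertising the SSID it should
    misconfigured: BSSID on the list but advertising a different SSID
    evil_twin:     unknown BSSID advertising one of our SSIDs (deactivate first;
                   clients may auto-join it and hand over credentials)
    rogue:         unknown BSSID advertising anything else
    """
    result: Dict[str, List[SeenAP]] = {"authorised": [], "misconfigured": [],
                                       "evil_twin": [], "rogue": []}
    for ap in seen:
        expected = AUTHORISED.get(ap.bssid)
        if expected is None:
            key = "evil_twin" if ap.ssid in CORP_SSIDS else "rogue"
        elif expected == ap.ssid:
            key = "authorised"
        else:
            key = "misconfigured"
        result[key].append(ap)
    return result


def missing(seen: List[SeenAP]) -> List[str]:
    """Authorised BSSIDs the scan did not observe (down, moved, or a scan gap)."""
    observed = {ap.bssid for ap in seen}
    return sorted(b for b in AUTHORISED if b not in observed)


if __name__ == "__main__":
    aps = parse_scan(SCAN)
    for name, group in reconcile(aps).items():
        for ap in group:
            print(f"{name:13} {ap.bssid} {ap.ssid!r} ch{ap.channel} {ap.security}")
    print("missing:", missing(aps))
```

Note that the evil twin in the sample advertises WPA2-PSK while the real corporate network uses enterprise mode; a client configured to validate the RADIUS server certificate will refuse it, which is the practical reason for the certificate-based configuration recommended under H02.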

H03

Deploy network monitoring techniques that complement traditional signature-based detection (H03)

Important considerations:

CESG 10 steps to cyber security, monitoring:

  • monitor all ICT systems: ensure that the solution monitors all networks and host systems (such as clients and servers), potentially through the use of Network and Host Intrusion Detection Systems (NIDS/HIDS) and Prevention Solutions (NIPS/HIPS), supplemented as required by Wireless Intrusion Detection Systems (WIDS) that work in harmony with the wired IDS
    • these solutions should provide both signature based capabilities to detect known attacks and heuristic capabilities to detect potentially unknown attacks through new or unusual system behaviour
  • alerts generated by the system should be promptly managed by appropriately trained staff

H04

Place application firewalls in front of critical servers to verify and validate the traffic going to the server (H04)

Important Considerations:

  • this builds on measures established at DCPP control L08
  • critical servers should be identified with application firewalls appropriately placed and configured

Further guidance:

Critical security controls for effective cyber defence, Version 5.0 CSC 11.7 states:

Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorised services or traffic should be blocked and an alert generated. (CSC 11-7)

CESG 10 steps to cyber security, network security states:

Segregate networks as sets: Identify, group and isolate critical business information assets and services and apply appropriate network security controls to them.

See the DCPP control M12 references on ‘network security’ and ‘Install firewalls’.

H05

Deploy network-based Intrusion Detection Systems (IDS) sensors on ingress and egress points within the network and update regularly with vendor signatures (H05)

Important considerations:

  • these sensors should be appropriately placed and configured
  • this action should be reflected in the overall policy you established at DCPP control M08

Further guidance:

Critical security controls for effective cyber defence, Version 5.0 states:

Ensure that automated monitoring tools use behaviour-based anomaly detection to complement traditional signature-based detection. (CSC 5-8)

Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature- based detection to identify and filter out malicious content before it arrives at the end point. (CSC 5-9)

Configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time, to help identify covert channels exfiltrating data through a firewall, and alert personnel about the source and destination addresses associated with these long sessions. (CSC 13-3)

Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device. (CSC 14-6)

For all servers, ensure that logs are written to write-only devices or to dedicated logging servers running on separate machines from the hosts generating the event logs, lowering the chance that an attacker can manipulate logs stored locally on compromised machines. (CSC 14-7)

Deploy a Security Information and Event Management (SIEM) or log analytic tool for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts. (CSC 14-8)

Ensure that the log collection system does not lose events during peak activity, and that the system detects and alerts if event loss occurs (such as when volume exceeds the capacity of a log collection system). This includes ensuring that the log collection system can accommodate intermittent or restricted-bandwidth connectivity through the use of handshaking/flow control. (CSC 14-10)

Enforce detailed audit logging for access to non-public data and special authentication for sensitive data. (CSC 15-3)

The IDS should be monitored for alerts. IPS mode should be enabled once normal traffic patterns are understood.

CESG 10 steps to cyber security, monitoring states:

Monitor network traffic: the inbound and outbound traffic traversing network boundaries should be continuously monitored to identify unusual activity or trends that could indicate attacks and the compromise of data. The transfer of sensitive information, particularly large data transfers or unauthorised encrypted traffic should automatically generate a security alert and prompt a follow up investigation. The analysis of network traffic can be a key tool in preventing the loss of data.
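CSC 13-3 (unusually long TCP sessions) and the CESG ‘monitor network traffic’ point above (large outbound transfers should generate an alert) are both checks that can be run over the session records a boundary firewall already produces (CSC 14-6). The following is an added illustration, not part of the DCPP guidance or of either source it quotes: the log format, the addresses (RFC 5737 documentation ranges), the known-bad list and the thresholds are constructed assumptions, and the thresholds in particular must be tuned against your own baseline before IPS-style blocking is enabled.

```python
"""Flag suspicious sessions in firewall session-end logs.

Added illustration for CSC 13-3 and the CESG 'monitor network traffic'
guidance; not part of the DCPP guidance. Log format, addresses, known-bad
list and thresholds are constructed for the example.
"""
from typing import Dict, List

LONG_SESSION_SECONDS = 3600   # assumed: an hour-long TCP session is unusual here
EXFIL_MIN_BYTES = 1_000_000   # assumed: ignore small transfers
EXFIL_OUT_IN_RATIO = 10       # assumed: exfiltration sends far more than it receives
KNOWN_BAD = {"192.0.2.66"}    # constructed signature list (in practice, a vendor feed)

# Constructed session-end records: key=value fields after a fixed prefix.
LOG = """\
2016-08-18T10:00:03Z fw01 session-end src=10.1.2.33 dst=203.0.113.7 dport=443 proto=tcp dur=54 out=18320 in=91044
2016-08-18T10:00:09Z fw01 session-end src=10.1.2.41 dst=203.0.113.7 dport=443 proto=tcp dur=31 out=9110 in=40211
2016-08-18T10:01:15Z fw01 session-end src=10.1.2.33 dst=192.0.2.66 dport=80 proto=tcp dur=2 out=611 in=1290
2016-08-18T18:02:40Z fw01 session-end src=10.1.5.12 dst=198.51.100.25 dport=443 proto=tcp dur=36000 out=2210400 in=361300
2016-08-18T18:05:01Z fw01 session-end src=10.1.7.9 dst=203.0.113.99 dport=443 proto=tcp dur=400 out=52000000 in=9000
2016-08-18T18:06:00Z fw01 session-end src=10.1.2.41 dst=203.0.113.8 dport=443 proto=tcp dur=120 out=5000000 in=48000000
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts host type k=v k=v ...' into a dict; values stay as strings here."""
    ts, host, kind, *fields = line.split()
    rec = {"ts": ts, "host": host, "kind": kind}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def analyse(text: str) -> List[Dict[str, str]]:
    """One alert per (session, reason); a session can trigger several reasons."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["kind"] != "session-end":
            continue
        dur, out, inn = int(r["dur"]), int(r["out"]), int(r["in"])
        reasons = []
        # Signature-based: destination matches a known-bad indicator.
        if r["dst"] in KNOWN_BAD:
            reasons.append("known-bad-destination")
        # Behaviour-based: lifetime far beyond normal (covert channel, beaconing).
        if dur >= LONG_SESSION_SECONDS:
            reasons.append("long-lived-session")
        # Behaviour-based: heavily outbound session (possible exfiltration).
        if out >= EXFIL_MIN_BYTES and out > EXFIL_OUT_IN_RATIO * inn:
            reasons.append("outbound-heavy")
        for reason in reasons:
            alerts.append({"ts": r["ts"], "src": r["src"], "dst": r["dst"],
                           "dport": r["dport"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in analyse(LOG):
        print(f"{a['ts']} {a['reason']:22} {a['src']} -> {a['dst']}:{a['dport']}")
```

The sixth record (a large download) is deliberately not flagged: volume alone is a poor exfiltration signal, and the out/in ratio is what separates a backup or update from data leaving the organisation. This is the kind of profile CSC 14-8 expects you to build in the SIEM before alerting on it.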

See also the ‘Police the network perimeter’ reference detailed in DCPP control H07.

CESG security monitoring guidance.

H06

Define and implement a policy to control installations of and changes to software on any systems on the network (H06)

Important considerations:

  • this builds on measures established at DCPP control L08 and Cyber Essentials, and is associated with DCPP control M11
  • establish and implement a policy that defines how you will control installations of and changes to software on any systems on your network

Further guidance:

Examples of software controls include:

CESG 10 steps to cyber security, secure configuration, which states:

Limit user ability to change configuration: provide users with the minimum system rights and permissions that they need to fulfil their business role. Users with normal permissions should be prevented from installing or disabling any software or services running on the system.

Implement whitelists and execution control: Create and maintain a white list of authorised applications and software that can be executed on ICT systems. In addition ICT systems need to be capable of preventing the installation and execution of unauthorised software and applications by employing process execution controls, software application arbiters and only accepting code that is signed by trusted suppliers.

Produce policies and procedures that define and support the configuration control and change management requirements for all ICT systems, including software.

Critical security controls for effective cyber defence, Version 5.0 states: Perform regular scanning for unauthorised software and generate alerts when it is discovered on a system. This includes alerting when unrecognised binaries (executable files, DLLs, other libraries, etc.) are found on a system, even inside compressed archives. It also includes checking for unrecognised or altered versions of known software by comparing file hashes (attackers often use altered versions of known software to perpetrate attacks, and file hash comparisons will reveal the compromised software components).

Deploy software inventory tools throughout the organisation covering each of the operating systems types in use, including servers, workstations and laptops.

The software inventory system should track the version of the underlying operating system as well as the application installed on it. Furthermore, the tool should not only record the type of software installed on each system, but also its version number and patch level. (CSC 2-4)

Utilise file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries and configurations) have not been altered. All alterations to such files should be automatically reported to security personnel. The reporting system should have the ability to account for routine and expected changes, highlighting unusual or unexpected alterations. (CSC 3-8)

Implement and test an automated configuration monitoring system that measures all secure configuration elements that can be measured through remote testing and alerts when unauthorised changes occur. Use features such as those included with tools compliant with the Security Content Automation Protocol (SCAP). This includes detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system. (CSC 3-9)

Deploy system configuration management tools that will automatically enforce and re-deploy configuration settings to systems at regularly scheduled intervals, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for UNIX systems. They should be capable of triggering redeployment of configuration settings on a scheduled, manual or event-driven basis. (CSC 3-10)

Use automated tools to verify standard device configurations and detect changes. All alterations to files should be automatically reported to security personnel. (CSC 10-3)
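Both the hash comparison of installed software above and the file integrity checking in CSC 3-8 come down to the same mechanism: a hash baseline of the files that matter, a re-hash, and a report that separates the changes you approved (a patch rolled out under a change record) from the ones you did not. The following is an added illustration, not part of the DCPP guidance or of the Critical Security Controls; the watched tree, its files and the approved-change list are constructed in a temporary directory so the example runs offline.

```python
"""File-integrity checking with a hash baseline and an approved-change list.

Added illustration for CSC 3-8 and the hash comparison of installed software;
not part of the DCPP guidance. The tree, files and approved-change list are
constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, Set


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> Dict[str, str]:
    """Map each file (path relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare(old: Dict[str, str], new: Dict[str, str],
            approved: Set[str]) -> Dict[str, Set[str]]:
    """Report alterations, separating approved (expected) changes from unexpected ones.

    An approved entry covers a change to that path only; a file that was
    approved for modification but has since been removed is still unexpected
    in the sense that it is reported, because it is in 'removed'.
    """
    changed = {p for p in old.keys() & new.keys() if old[p] != new[p]}
    added = set(new) - set(old)
    removed = set(old) - set(new)
    everything = changed | added | removed
    return {"changed": changed, "added": added, "removed": removed,
            "expected": everything & approved, "unexpected": everything - approved}


def demo() -> Dict[str, Set[str]]:
    """Build a tree, take a baseline, make one approved and two unapproved changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        files = {"bin/app": b"\x7fELF app v1", "bin/helper": b"\x7fELF helper v1",
                 "etc/app.conf": b"listen=443\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = baseline(root)
        # Approved change: a patch under change control updated bin/app.
        with open(os.path.join(root, "bin/app"), "wb") as f:
            f.write(b"\x7fELF app v2")
        # Unapproved changes: helper replaced, and a new binary appeared.
        with open(os.path.join(root, "bin/helper"), "wb") as f:
            f.write(b"\x7fELF helper trojaned")
        with open(os.path.join(root, "bin/dropper"), "wb") as f:
            f.write(b"\x7fELF dropper")
        after = baseline(root)
        return compare(before, after, approved={"bin/app"})


if __name__ == "__main__":
    report = demo()
    for key in ("expected", "unexpected"):
        print(key, sorted(report[key]))
```

The baseline has to live somewhere the monitored host cannot rewrite (the same point CSC 14-7 makes about logs), otherwise an attacker who replaces a binary simply re-baselines it.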

H07

Control the flow of traffic through network boundaries and police content by looking for attacks and evidence of compromised machines (H07)

Important considerations:

Further guidance:

Boundary controls could include:

  • periodically scan for back-channel connections to the internet that bypass the DMZ, including unauthorised VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems or other mechanisms (CSC 13-9)
  • only allow DMZ systems to communicate with private network systems via application proxies or application-aware firewalls over approved channels, to minimise the impact of an attacker pivoting between compromised systems (CSC 13-12, CSC 17-9)
  • monitor all traffic leaving the organisation and detect any unauthorised use of encryption; attackers often use an encrypted channel to bypass network security devices, therefore it is essential that organisations be able to detect rogue connections, terminate the connection, and remediate the infected systems (CSC 17-12)
  • where applicable, implement Hardware Security Modules (HSMs) for protection of private keys or key encryption keys (CSC 17-15)

Policing options include:

Deploy network-based IDS sensors in internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors may detect attacks through the use of signatures, network behaviour analysis, or other mechanisms to analyse traffic. (CSC 13-4)

Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or behaviour of attacks. As attacks become automated, methods such as IDS typically delay the amount of time it takes for someone to react to an attack. A properly configured network-based IPS can provide automation to block bad traffic. When evaluating network-based IPS products, include those using techniques other than signature-based detection (such as virtual machine or sandbox-based approaches) for consideration.

Critical security controls for effective cyber defence, Version 5.0.

CESG 10 steps to cyber security, network security states:

Monitor the network: Tools such as NIDS and NIPS should be placed on the network and configured by qualified staff to monitor traffic for unusual or malicious incoming or outgoing traffic that could be indicative of an attack, or an attempt. Alerts generated by the system should be promptly managed by appropriately trained staff.

Monitor network traffic: The inbound and outbound traffic traversing network boundaries should be continuously monitored to identify unusual activity or trends that could indicate attacks and the compromise of data. The transfer of sensitive information, particularly large data transfers or unauthorised encrypted traffic, should automatically generate a security alert and prompt a follow-up investigation. The analysis of network traffic is an important tool in preventing the loss of data.

Police the network perimeter: Limit access to network ports, protocols and applications, filtering and inspecting all traffic at the network perimeter to ensure that only traffic which is required to support the business is being exchanged. Control and manage all inbound and outbound network connections and deploy technical controls to scan for malware and other malicious content.
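Detecting ‘unauthorised use of encryption’ (CSC 17-12 above) is not something a signature can do, because the whole point of the encrypted channel is that its contents match nothing. One practical heuristic is to measure the byte entropy of the first part of each outbound flow and flag high-entropy payloads on ports where cleartext is expected. The following is an added illustration, not part of the DCPP guidance or of the Critical Security Controls; the payload samples, the port policy and the threshold are constructed assumptions, and a real deployment would take its flows from a capture or proxy and tune the threshold on its own traffic.

```python
"""Spot encrypted payloads on ports where cleartext is expected.

Added illustration for the CSC 17-12 point on detecting unauthorised use of
encryption; not part of the DCPP guidance. Payload samples, port policy and
threshold are constructed assumptions.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

ENTROPY_THRESHOLD = 7.0   # assumed: bits per byte; ciphertext approaches 8.0
MIN_SAMPLE = 256          # assumed: entropy of tiny payloads is not meaningful

# Assumed policy: ports on which encrypted traffic is expected and approved.
ENCRYPTED_PORTS_ALLOWED = {443, 22, 993}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(payload: bytes) -> bool:
    return len(payload) >= MIN_SAMPLE and shannon_entropy(payload) >= ENTROPY_THRESHOLD


def police(flows: List[Tuple[str, int, bytes]]) -> List[Dict[str, object]]:
    """flows: (destination, dport, first payload bytes). Returns alerts."""
    alerts = []
    for dst, dport, payload in flows:
        if looks_encrypted(payload) and dport not in ENCRYPTED_PORTS_ALLOWED:
            alerts.append({"dst": dst, "dport": dport,
                           "entropy": round(shannon_entropy(payload), 2),
                           "reason": "high-entropy payload on cleartext port"})
    return alerts


def stand_in_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (SHA-256 chain),
    so the example needs no randomness and gives the same result every run."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed flows (RFC 5737 documentation addresses): cleartext HTTP, an
# approved TLS session, ciphertext on port 80 and on an unusual high port,
# and a constant payload that is neither.
SAMPLE_FLOWS = [
    ("203.0.113.7", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n" * 6),
    ("203.0.113.7", 443, stand_in_ciphertext(1024)),
    ("198.51.100.25", 80, stand_in_ciphertext(1024)),
    ("198.51.100.25", 8443, stand_in_ciphertext(1024)),
    ("198.51.100.25", 4444, b"A" * 1024),
]

if __name__ == "__main__":
    for a in police(SAMPLE_FLOWS):
        print(a)
```

Compressed content (archives, images, gzip-encoded HTTP bodies) scores almost as high as ciphertext, so in practice this heuristic is paired with protocol identification on the same flow; its value is as a trigger for the ‘terminate the connection and remediate the host’ step, not as proof of exfiltration on its own.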

H08

Undertake administrative access over secure protocols, using multi-factor authentication (H08)

Important considerations:

  • this builds on User Access Controls introduced in DCPP control L08 and Cyber Essentials, and is associated with control M10

Further guidance:

Controls on administrative access could include:

Retain the existing CSC references.

CESG 10 steps to cyber security, network security states:

Enable secure administration: Admin access to any network component should only be carried out over dedicated network infrastructure and secure channels using communication protocols that support encryption.

CESG 10 steps to cyber security states:

Limit the number and use of privileged accounts. Strictly control the number of privileged accounts for roles such as systems or database administrators. Ensure this type of account is not used for high risk, day-to-day user activity. Provide administrators with normal accounts for business use. The requirement to hold a privileged account should be reviewed more frequently than ‘standard user’ accounts.

CESG guidance, enterprise IT: security considerations for Official states:

Use 2FA to protect access to sensitive data or privileged functions. When used well 2FA can enhance the user experience of your service, i.e. by allowing shorter and more memorable passwords. It can also be used as part of a chain of trust or single sign-on mechanisms.

H09

Design networks incorporating security countermeasures, such as segmenting or zoning (H09)

Important considerations:

Design your network with security in mind, so that sensitive or business critical network accessible resources are protected.

General guidance:

Countermeasures could include: (retain all existing CSC references). In addition add:

CESG 10 steps to cyber security, network security which states:

Install firewalls: firewalls should be deployed to form a buffer zone between the untrusted external network and the internal network used by the business. The firewall rule set should deny traffic by default and a whitelist should be applied that only allows authorised protocols, ports and applications to communicate with authorised networks and network addresses. This will reduce the exposure of ICT systems to network based attacks.

Segregate networks as sets: Identify, group and isolate critical business assets and services and apply appropriate network security controls to them.

Protect the internal network: Ensure that there is no direct network connectivity between internal systems and systems hosted on untrusted networks (such as the internet), limit the exposure of sensitive information and monitor network traffic to detect and react to attempted and actual network intrusions.

Depending on decisions you made about the physical protection of your data centre (see DCPP control L10), you may wish to consider encrypting data held at rest. The use of CPA (Commercial Product Assurance) products is recommended where greater assurance is required.

See also related DCPP controls: M10, M12, H04, H07 and H08.

For further guidance, you may wish to consult:

CESG architectural patterns: ‘walled gardens’, which details how to establish secure remote access solutions, and ‘internet gateways’, which details how to secure these assets.

H10

Ensure DLP at network egress points to inspect the contents of and, where necessary, block information being transmitted outside of the network boundary (H10)

Important considerations:

  • this builds on the DCPP controls established at M05 and relates closely to controls H04 and H07

Deploy a correctly placed and configured DLP tool on network egress points which inspects contents of, and, where necessary, blocks information being transmitted outside of network boundaries.

General guidance:

Retain all existing CSC references.

H11

Proactively verify that the security controls are providing the intended level of security (H11)

Important considerations:

  • this builds on all DCPP controls and is specifically supported by L08 (Cyber Essentials Plus certification)
  • it should also be included in, and relates specifically to, the M01 policy on information security reporting to the board

General guidance:

CESG 10 steps to cyber security, network security:

Conduct regular penetration tests of the network infrastructure and undertake simulated cyber attack exercises to ensure that all security controls have been implemented correctly and are providing the necessary level of security.

Retain all CSC references and the links to CHECK and CREST.

H12

Establish policy to ensure the continued availability of critical assets/information during any crisis (H12)

Important considerations:

  • this control builds on the back-up arrangements established at DCPP control M05
  • you should set out your policy to ensure the continued availability of critical assets/information during a crisis or outage (this may result from a natural disaster such as a flood, or as the result of an incident such as a fire)
  • this should also set out the measures you will take to ensure the confidentiality of any contract information or assets is maintained throughout such a crisis, and any plans to recover operations in line with agreements reached with the customer
  • these should form part of your wider business continuity and disaster recovery plans
  • these arrangements should be approved and supported by the board, and subject to review and testing

Further guidance:

See ISO 22301 for further details.