Grabbing my morning coffee, I log in to the Jisc Cyber Essentials Pervade portal and see I have 3 Cyber Essentials assessments to mark today (https://www.jisc.ac.uk/cyber-essentials). That shouldn’t take me too long, if the applicants have been clear and detailed in their responses. I need to have a good understanding of their estate to award a pass. Not knowing their setup in advance, I’m wholly reliant on their answers to build up a picture. I have a good feeling about this first one; I know two of their staff have attended the Cyber Essentials clinics (https://www.jisc.ac.uk/training/cyber-essentials-drop-in-clinic) and one even joined the training course (https://www.jisc.ac.uk/training/cyber-essentials-prepare-for-certification), so they should be a good starting point for my day. Here goes!
The scope is nice and clear: the whole institution is in scope, rather than a limited subset. Great, I prefer those – it means they’re considering security across the board, and marking it is less bitty. They’ve got a couple of geographically close campuses and a quick Google search tells me a bit more about their organisation in general.
Lots of devices—boy they are generous—all quite new, Macs too, and all in support! For a few of the older ones they even have Windows 7 Enterprise with extended security updates in place. Heavens, they are organised. Probably a reason they still need to run those. Interesting, for such a big estate they’ve not mentioned any mobile phones or tablets at all. Hmm, I find that hard to believe, not even their VC or CEO has a corporate mobile accessing business data? I might just make a note and go back and ask them about that.
They’ve got some beefy firewalls and subscribe to the Janet Managed Router Service (https://www.jisc.ac.uk/managed-router-service), so we already know how they’re configured; that’s an easy tick! They have lots of processes involving Active Directory and group policy so that’s nice and automated, and their privileged accounts policy seems robust: it’s clear on usage and reviewed regularly by senior staff. Perfect, so far so good. 14 days patching of operating systems and software, including high and critical security updates, is done in their fortnightly maintenance window, so that takes care of that. That’s often a sticking point. They test new patches on a sample, then roll out the fixes more widely. Good idea. They explain anything not patchable in that window has been segregated into another VLAN, with limited internal access too from only specific devices, thus removing it from scope. Good information to have. There is only limited use of MFA, but it’s enabled for system administrators which is important and reduces the risk of a breach. They temporarily have some full-time remote workers, who have all read a thorough IT usage and security policy making recommendations around their home routers, keeping software firewalls enabled and always using their VPN, so that’s good stuff.
The only issue they have is sign off, in the form of an uploaded document at the end of the questionnaire, which isn’t signed by a senior staff member at Director or Board-level. It’s the IT Manager. That, coupled with the mobile phones, can probably be sorted in a quick chat, so I’ll ping the contact at the institution and run it by them. Hopefully that won’t be too much of a problem. I have a handy support document to help them get that senior management buy-in if needed, so I’ll ping that over to them too. Once they’ve made these alterations or clarified further, I shall be happy to approve their certification. Now, time for more coffee and assessment number two!