October 01, 2019
Continuum-Cyber Essentials mapping
For a number of years, Astrix has been a close partner of Continuum:
- We have worked closely with Phylip Morgan, Continuum EMEA’s Managing Director. Phyl was Network Group’s MD for 9 years, we have been a Network Group member for 9+ years, and during that time Mostyn Thomas, Astrix’s MD, was NG’s Business to Business Executive Director for 3 years.
- Mostyn was instrumental in setting up the relationship between Continuum and Network Group back in 2015/2016.
- Mostyn has been a member of Continuum’s European Partner Advisory Council (EPAC) for 2 years and counting.
- Originally, when we were an IT MSP, we used and contributed to their Command product (RMM, endpoint protection, NOC, etc.) and Recover product (managed BDR). Now that we work in cybersecurity, we do the same for their Fortify product (SOC, SIEM, dark web monitoring, etc.).
As part of this, because we’re a Certification Body (CB) for Cyber Essentials and IASME Governance, Continuum asked us and some other partners to work with them on developing their Profile & Protect / Fortify for Protection product so that it can automatically report on and assist with an organisation’s Cyber Essentials compliance.
Through the spring and early summer, we collaborated with their team to:
- Explain how the Cyber Essentials scheme works in terms of the NCSC-Accreditation Body-Certification Body-applicant structure, the two levels of assessments, the technical systems used for the assessments, etc.
- Supply them with the assessor documents (with the AB’s signed consent, of course) so that they know exactly what is required for the answers to pass.
- Assist them where required with the technical challenges of programmatically extracting the required information.
- Advise on what type of functionality and formats will be required and useful for assessors.
In August 2019, the long-anticipated feature became generally available!
At the time of writing, it automatically uses the data from the RMM agents to generate a report, in the form of a dynamic Microsoft Word document, containing both a simple overview and detailed information for the following IASME Cyber Essentials questions:
Question Number | Question |
---|---|
A2.6 | Please list the quantities of laptops, computers and servers within the scope of this assessment. You must include model and operating system versions for all devices. |
A4.11 | Do you have software firewalls enabled on all of your computers and laptops? |
A5.2 | Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business? |
A5.3 | Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more? |
A5.4 | Do all your users and administrators use passwords of at least 8 characters? |
A5.6 | If yes, do you ensure all users of these services use a password of at least 8 characters and that your systems do not restrict the length of the password? |
A5.8 | If yes, are your systems set to lockout after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes? |
A5.10 | Is 'auto-run' or 'auto-play' disabled on all of your systems? |
A6.1 | Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems? |
A6.4 | Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how do you achieve this. |
A6.5 | Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this. |
A7.2 | Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password? |
A7.3 | How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation? |
A8.1 | Are all of your computers, laptops, tablets and mobile phones protected from malware by either A - having anti-malware software installed, B - limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or C - application sandboxing (i.e. by using a virtual machine)? |
A8.2 | (A) Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access? |
We’ve included some screenshots of an example report below.
Undoubtedly, this will make life easier for MSPs, MSSPs, and their clients, especially ones looking to get Cyber Essentials-certified!
Following a recent development, which we covered in our blog post The Future of Cyber Essentials, this feature is now extra future-proof: as we’ve mentioned, we tailored it to IASME’s Cyber Essentials question set, and IASME has now been chosen to be the sole Accreditation Body (AB) from April 2020 going forward!
We’re continuing to work with Continuum to further refine and develop Fortify for Protection, so we look forward to sharing news on this in the future!
Feel free to subscribe to our newsletter to be automatically notified of future posts. Until next time! 😊