Some clients may try to obtain Cyber Essentials or Cyber Essentials Plus certification directly. This guide covers some common questions clients may need to answer during that process.
Please note this only covers the essensys Connect network. It doesn't cover the client's own security or any network that they may have provisioned.
Q: Please provide a list of network equipment in use (include all equipment that controls the flow of data).
A: We use enterprise-grade switches and firewalls on site which are linked to our cores in world-class data centres.
We use a mixture of Juniper MX204 for our peer and core routers with Extreme Switches. In addition, we use both Juniper vSRX firewalls and SRX firewalls.
For a more specific answer to your site please speak with the management team who can raise a case for you.
Q: Provide details of the firewalls in place between our office network and the internet.
A: Within our Data Centres we use Juniper vSRX 3.0 firewalls.
Q: Do you have firewalls at the boundaries between your organisation’s internal networks, laptops, desktops, servers and the internet?
A: There are firewalls between the essensys internal network and the internet. Additionally, we have firewalls between the essensys network and the end location.
Q: When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?
A: Yes. We have a configuration template for all new sites where default passwords are deleted, then the relevant configuration security measures are implemented. All devices are rebuilt out of the box at site with our tested and working configuration before being shipped to the location.
Q: Is your new firewall password configured to meet the ‘Password-based authentication’ requirements?
A: Yes. We use automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length.
Q: Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?
A: All passwords on our internet routers or hardware firewall devices are above characters in length and difficult to guess. We also use RADIUS authentication as well as LDAP via a secure VPN.
Q: Do you change the password when you believe it may have been compromised? How do you achieve this?
A: If any account or password is suspected of being compromised, we will change the password immediately or deactivate the account.
We will also arrange an urgent change control meeting to take place to understand how this might have happened, and what steps can be taken in future to stop this from happening again.
Q: Have you configured your boundary firewalls so that they block all other services from being advertised to the internet?
A: Our firewalls will only allow outbound traffic, and will block all incoming intrusive traffic on all ports. If a customer requires a specific configuration, we ask them to install their own firewall and maintain their own configuration and updates.
Q: Are your boundary firewalls configured to allow access to their configuration settings over the internet?
Q: Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?
If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? A description of the process is required.