Some clients may try to obtain directly Cyber Essentials or Cyber Essentials Plus, in this guide we will cover some common questions clients may need to answer during this process.
Please note this over covers the essensys Connect network it doesn't cover the client's own security or network that they may have provisioned.
Q: Please Provide a list of network equipment in uses (include all equipment that controls the flow of data)
A: We use enterprise-grade switches and firewalls on site which are linked to our cores in world-class data centres.
We use a mixture of Juniper MX204 for our peer and core routers with Extreme Switches. In addition, we use both Juniper vSRX firewalls and SRX firewalls.
Q: Provide details of the firewalls in place between our office network and the internet.
A: Within our Data Centres we use Juniper SRX firewalls.
Q: When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?
A: Yes. We have a configuration template for all new sites where default passwords are deleted then relevant configuration security measures are implemented. All devices are rebuilt out of the box at site with our tested and working configuration before being shipped to the location.
Q: Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?
A: All passwords on our internet routers or hardware firewall devices are above characters in length and difficult to guess we also use RADIUS authentication as well as LDAP via a secure VPN.
Q: Do you change the password when you believe it may have been compromised? How do you achieve this?
A: If a password has been compromised a change control meeting will take place and the relevant course of action will be agreed namely changing of password immediately in an agreed window. No essensys password have been compromised.
Q: If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process.
A: Our firewalls will allow outbound traffic, but will block all incoming intrusive traffic on all ports. If a customer requires a specific configuration we request them to install their own firewall and maintain their own configuration and updates.
More info here.
Q: Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?
A: As the above answer - our firewalls will allow outbound traffic, but will block all incoming intrusive traffic on all ports.
Q: Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?
Q: Is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings? List which option is used.
A: The authentication methods we use are Radius via a secure VPN as well as LDAP. All passwords have a minimum number of characters including special characters.