Cyber Essentials Certification

    Phillip Kynaston |
    17 November 2017

    This week, we are delighted to announce that we have passed our Cyber Essentials certification. We have been externally assessed across our entire organisation, including office locations, personal devices (including both laptops and mobile devices) and also for our hosting services.

    In association with our ISO9001 and ISO27001 certifications, this makes us one of only a few Drupal agencies within the UK (we’re only aware of one other agency with all three certifications) to be accredited to provide the very best level of security and processes for Drupal development and hosting: this ensures our whole organisation can securely handle our clients' data.

    Cyber Essentials is designed to help organisations implement adequate levels of protection against cyber attacks, and our compliance with this standard demonstrates that we take cyber security seriously.

    The five areas on which the assessment focuses are:

    1. Boundary firewalls and Internet Gateways
      “these are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices either in hardware or software form is important for them to be fully effective.”

      At Big Blue Door, we use cutting edge Cisco networking devices to manage our internal firewalls and VPNs. We have secure encrypted traffic between our devices and our routers, and secure communications between our routers and our servers, with additional VPNs to secure data in transit. We also use software firewalls to ensure individual machines are adequately protected, and we use industry-leading penetration tools to test our internal networks continuously.
       
    2. Secure configuration
      “ensuring that systems are configured in the most secure way for the needs of the organisation”

      All of our laptops (all Macs) and mobile devices are provisioned using the same set of scripts, ensuring a consistent secure configuration across the company. We use Mobile Device Management profiles to centrally control (and enforce) configurations across devices.
       
    3. Access control
      “ensuring only those who should have access to systems to have access and at the appropriate level.”

      As part of our ISO9001, we already had most of these process controls and policies in place, such as password complexity requirements, password rotation policies, and of course our Information Security Policy. We also ensure “brute force” protection against our servers and our laptops, and ensure that access levels to systems are approved properly, provisioned, and regularly audited.
       
    4. Malware protection
      ensuring that virus and malware protection is installed and is it up to date”

      For some companies, this might be a very straightforward measure to comprehend. There are lots of companies around who do not adequately protect PCs and servers though, particularly if using Apple machines (like we do) with servers on Linux (which most of ours are). We use centralised management portals (with McAfee) to constantly enforce Anti-virus compliance, and have full-system scans configured across all of our hosting platform with real-time alerting.
       
    5. Patch management
      “ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor been applied.”

      Finally, patch management is the last measure within the assessment, and this is a measure that has been very much in the media this year after the Equifax breach was caused by software packages not being updated regularly. At Big Blue Door we use centralised patch management tools (Ivanti) to ensure that all applications, such as Microsoft Office and Adobe Photoshop, are being updated to the latest security standards. Patches are auto-installed by Ivanti to ensure compliance with this point, and we use similar package management software across our fleet of servers to secure our clients’ hosting.

     

     

    The five basic controls within Cyber Essentials were chosen because, when properly implemented, they will help to protect against unskilled internet-based attackers using commodity capabilities – which are freely available on the internet.

    We are pleased to have been audited by an external certification body to confirm we meet the stringent standards of this security accreditation.