By Natasja Bolton, Acquirer Support Manager
PCI DSS is a prescriptive set of requirements focused on payment card data. Most cyber security guides do not go to the same level of detail: they offer high-level recommendations and advice without specific measures of whether the risk reduction objective has been achieved. The Cyber Essentials Scheme, however, does cover a range of good IT and information security practice that aligns well with many of the control requirements of PCI DSS, helping a merchant to understand those requirements and move towards PCI DSS compliance.
Cyber Essentials – a practical guide to protecting businesses across the globe from Internet-based threats
Unlike some of the other guidance and toolkits out there, Cyber Essentials encompasses a set of practical, well-explained, cyber security practices that a merchant can assess themselves against and take action on.
Guidance such as the ‘Stay Smart Online Small Business Guide’ or the Department of Homeland Security Small Business Tip Card contains succinct, high-level advice, while self-assessment tools such as the US-CERT Cyber Resilience Review are esoteric, almost theoretical, focused on management structures, goals and maturity levels rather than guiding SMBs on the practical actions they can take to protect their business and customers.
Although Cyber Essentials is a scheme developed by UK industry and backed by the UK Government, it is not reserved for use exclusively in the UK; indeed, companies from Hong Kong, Poland, Trinidad and the US have been assessed for Cyber Essentials through the IASME portal.
Cyber Essentials covers the following topics:
Boundary firewalls and internet gateways
- Ensure that the organisation’s network is protected from the Internet.
- Default firewall passwords should be changed and administrative access to the firewall not available from the Internet.
- Firewall rules should be justified and enabled on the basis of business need and insecure services (such as r services) blocked.
Secure configuration
- Secure the configuration of computers and network devices (including wireless access points) by removing/disabling unnecessary software (including applications, utilities and services) and unnecessary accounts.
- Change default passwords to an alternative, strong password and disable auto-run features.
- Enable personal firewall software and configure to block unapproved connections by default.
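As an added illustration (not code from the original article or from the Cyber Essentials scheme), the following Python script reviews a constructed boundary-firewall rule set against three of the items above: insecure services allowed in from the Internet, firewall administrative access reachable from the Internet, and allow rules with no recorded business justification. The rule format, the port list and the internal network range are assumptions made for the example.

```python
"""Review a boundary-firewall rule set against the Cyber Essentials items above: insecure
services allowed in from the Internet, firewall admin access reachable from the Internet,
and allow rules with no recorded business justification. Format and data are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
# Clear-text r-services and telnet the scheme expects to be blocked (assumed list).
INSECURE_SERVICES = {23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}
# Ranges treated as the merchant's internal network (constructed example).
INTERNAL_NETWORKS = [ip_network("192.168.1.0/24")]

@dataclass
class Rule:
    name: str
    source: str   # source CIDR; 0.0.0.0/0 means "anywhere"
    dest: str     # destination CIDR, or "firewall" for the device's own admin interface
    port: int
    action: str   # "allow" or "deny"
    justification: str = ""

def from_internet(cidr: str) -> bool:
    """True unless the source range lies wholly inside an internal network."""
    src = ip_network(cidr)
    return not any(src.subnet_of(net) for net in INTERNAL_NETWORKS)

def review(rules):
    """Return (rule name, finding) pairs; an empty list means no issues found."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        external = from_internet(r.source)
        if external and r.port in INSECURE_SERVICES:
            findings.append((r.name, f"insecure service {INSECURE_SERVICES[r.port]} "
                                     f"(port {r.port}) allowed from the Internet"))
        if external and r.dest == "firewall":
            findings.append((r.name, f"firewall administrative access on port {r.port} "
                                     "reachable from the Internet"))
        if not r.justification.strip():
            findings.append((r.name, "allow rule has no documented business justification"))
    return findings

# Constructed sample rule set (documentation/private address ranges only).
SAMPLE_RULES = [
    Rule("web-in", "0.0.0.0/0", "203.0.113.10/32", 443, "allow", "public web shop"),
    Rule("legacy-rsh", "0.0.0.0/0", "203.0.113.20/32", 514, "allow", "old batch job"),
    Rule("fw-admin", "0.0.0.0/0", "firewall", 443, "allow", "vendor remote support"),
    Rule("lan-admin", "192.168.1.0/24", "firewall", 443, "allow", "internal admin"),
    Rule("unjustified", "198.51.100.0/24", "203.0.113.30/32", 8080, "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]
```

Calling `review(SAMPLE_RULES)` flags the rsh rule, the Internet-reachable admin rule and the unjustified rule, while the LAN-only admin rule and the justified web rule pass.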
User access control
- Ensure each user is authenticated by unique username and strong password.
- Manage user accounts by establishing processes for the provisioning and approval of user accounts; ensure that user access and special access privileges are removed/disabled when no longer required.
- Restrict those with special access privileges; ensure that records of the name and purpose of those granted special access privileges are kept and regularly reviewed.
- Restrict the use of administrative accounts to admin purposes; do not allow them to be used for email or Internet access, and ensure the password is changed regularly.
Malware protection
- Ensure malware protection software is installed on all computers connecting to the Internet.
- Keep malware protection up-to-date and configured to scan files and web pages ‘on-access’.
- Configure malware protection to perform regular scans and to prevent connections to malicious websites.
Patch management
- Protect computers and network devices that are connected to or capable of connecting to the Internet by keeping software up-to-date.
- Ensure software is licensed and supported so that patches for software vulnerabilities are available for installation. Remove out-of-date software.
- Install software updates and security patches in a timely manner (security patches: within 14 days of release or automatically).
Alignment of cyber security guidance with PCI DSS
Like PCI DSS, Cyber Essentials also expects organisations to perform technical vulnerability scans of their external (Internet-facing) IP addresses. The alignment of the Cyber Essentials controls with PCI DSS can therefore be summarised as follows:
| PCI DSS Requirement | Cyber Essentials |
| --- | --- |
| 1. Install and maintain a firewall configuration to protect cardholder data | 1. Boundary firewalls and internet gateways |
| 2. Do not use vendor-supplied defaults for system passwords and other security parameters | 1. Boundary firewalls and internet gateways; 2. Secure configuration; 3. User access control |
| 3. Protect stored cardholder data | |
| 4. Encrypt transmission of cardholder data across open, public networks | |
| 5. Protect all systems against malware and regularly update anti-virus software or programs | 4. Malware protection |
| 6. Develop and maintain secure systems and applications | 5. Patch management |
| 7. Restrict access to cardholder data by business need to know | 3. User access control |
| 8. Identify and authenticate access to system components | 3. User access control |
| 9. Restrict physical access to cardholder data | |
| 10. Track and monitor all access to network resources and cardholder data | |
| 11. Regularly test security systems and processes | 2. Secure configuration; 5. Patch management; Technical vulnerability scans |
| 12. Maintain a policy that addresses information security for all personnel | |
Much like PCI DSS, which allows compensating controls to be used to meet requirements where a constraint is present, Cyber Essentials also addresses the fact that a business may be constrained or prevented from implementing the recommendations: “Where a particular control cannot be implemented for a sound business reason (e.g. is not practical or possible) alternative controls should be identified and implemented”, and it provides guidance on alternative controls that could be used.
It should be noted that there are differences in assessment scope between Cyber Essentials and the PCI DSS. Cyber Essentials focuses on the protection of the merchant’s computers, IT systems and network devices from the most common Internet-based threats, emphasising the need to protect computers and IT systems that have access to or are accessible from the internet.
PCI DSS focuses on payment card data rather than on the protection of all information assets that may be important to an organisation and its customers.
However, Sysnet believe that the major advantage of Cyber Essentials over the other cyber security guidance available is that it raises merchant awareness of the value to be gained from the security controls it recommends for the protection of their organisation, its information and the information of its customers.
The objective and benefit of each security control are well explained, and clear minimum control measures are set out.
PCI DSS encompasses not only technical controls but also those relating to protection against physical, procedural or people-related threats and vulnerabilities, while concentrating only on ensuring the confidentiality of cardholder data.
Cyber Essentials does not address aspects beyond the technical controls highlighted above, but the IASME (Information Assurance for Small and Medium-sized Enterprises) standard does.
The next step – Information Assurance for Small and Medium sized Enterprises
The IASME standard is an information security standard, conforming with the international standard for information security management best practice, ISO/IEC 27001:2013, and written specifically for small businesses.
The Cyber Essentials requirements are encapsulated within IASME such that fulfilment of the IASME standard can be seen as the natural next step for small and medium-sized businesses wishing to further improve their security posture and protection measures.
The scope of IASME is broader than Cyber Essentials, including considerations such as removable storage devices and cloud services, encompassing information security management best practices (many of which are also included in PCI DSS) such as allocation of information security roles and responsibilities, risk assessment, information security policies and standards, as well as covering physical, operational and people related control measures.
| PCI DSS Requirement | IASME | ISO/IEC 27001:2013 |
| --- | --- | --- |
| 1. Install and maintain a firewall configuration to protect cardholder data | 4.9. Malware and technical intrusion; 4.7. Operations and Management | A.12 Operations security; A.13 Communications security |
| 2. Do not use vendor-supplied defaults for system passwords and other security parameters | 4.8. Access Control | A.8 Asset management; A.13 Communications security |
| 3. Protect stored cardholder data | 4.4. Assets | A.10 Cryptography |
| 4. Encrypt transmission of cardholder data across open, public networks | 4.4. Assets | A.13 Communications security; A.14 System acquisition, development and maintenance |
| 5. Protect all systems against malware and regularly update anti-virus software or programs | 4.9. Malware and technical intrusion; 4.7. Operations and Management | A.12 Operations security |
| 6. Develop and maintain secure systems and applications | 4.7. Operations and Management | A.12 Operations security; A.14 System acquisition, development and maintenance |
| 7. Restrict access to cardholder data by business need to know | 4.8. Access Control | A.9 Access control |
| 8. Identify and authenticate access to system components | 4.8. Access Control | A.9 Access control |
| 9. Restrict physical access to cardholder data | 4.4. Assets; 4.6. Physical and Environmental Protection | A.8 Asset management; A.11 Physical and environmental security |
| 10. Track and monitor all access to network resources and cardholder data | 4.10. Monitoring | A.12 Operations security |
| 11. Regularly test security systems and processes | 4.7. Operations and Management; 4.9. Malware and technical intrusion | A.13 Communications security |
| 12. Maintain a policy that addresses information security for all personnel | 4.1. Organisation; 4.2. Assessing the risk; 4.3. Policy and Compliance; 4.11. Backup and Restore; 4.12. Incident management; 4.13. Disaster Recovery/Business Continuity | A.5 Information security policies; A.6 Organisation of information security; A.7 Human resource security; A.8 Asset management; A.15 Supplier relationships; A.16 Information security incident management; A.17 Information security aspects of business continuity management |
Although developed in the UK, IASME’s principles reflect international security best practice, having been developed from existing government guidance, established international standards and best practice from both the EU and the US, and they are applicable to and can be applied by any company in the world.
Indeed, achievement of the Gold Standard of IASME (the highest level of independently audited assessment) demonstrates that the organisation has achieved baseline compliance with ISO/IEC 27001:2013.
Improved cyber security helps to protect cardholder data
Cyber Essentials and IASME are focused on reducing a business’s vulnerability to data breaches from the most common vector of attack, the Internet, and on protecting a business’s most valuable asset: its information.
These cyber security standards are not specifically designed to address cardholder data security. Nevertheless, by considering the vulnerability of their computers and IT systems (including those used to process card payments), by treating cardholder data as a valuable asset to be protected, and by implementing the recommendations to reduce their exposure to the most frequently occurring threats, small businesses will also reduce the risk to their cardholder data environment.
Those actions may not lead them to compliance with all aspects of PCI DSS, but they will help to protect cardholder data from compromise.
Sysnet is an IASME Cyber Essentials Certification Body and can help your organisation gain certification with Cyber Essentials. For further information about our Cyber Essentials services, talk to us today.