· Fortnightly patching
o It is imperative to ensure that all security patches classified as critical or high are installed within 14 days of release. This is a key part of the certification and also key to a high level of security throughout an organisation. The reason for this is that the vulnerability being patched could already be up to 3 months old by the time the patch is released.
· Remove unsupported software immediately
o Unsupported software is an automatic failure for both CE and CE+. When a manufacturer ceases support for an existing package, often on releasing a new version, that package no longer receives any security patches. This means that any new vulnerabilities discovered in it will not be fixed. As an example, Microsoft announced several years in advance that support for Windows 7 would cease on 14th January 2020. Therefore, any instances of Windows 7 still running after this date and accessible from the internet will be vulnerable to new threats.
· Ensure all hardware is supported
o Similar to unsupported software, unsupported hardware is an automatic failure for certification and a high security risk.
· Beware cheap imitations and used equipment
o Genuine hardware such as Cisco can be expensive. If offered equipment at a significantly lower cost, it could be either counterfeit or an old version that is already out of support. Either would invalidate certification and leave the organisation vulnerable to attack, with potentially high fines from the ICO should a breach occur. Do not gamble with your network investment.
· User permissions
o Ensure that any new users are given only the permissions required for their role, and ensure that all permissions for leavers are revoked immediately.
o The minimum password length for CE+ is 8 characters; this includes PINs and passwords for computers and mobile devices. A secure password is vital for basic security and should use a mixture of upper and lowercase letters, numbers and symbols at a minimum.
o The use of a passphrase is more secure against brute-force techniques. A passphrase should consist of at least 3 seemingly random words that only have meaning to the user. An example of this could be thinking of something memorable such as “when I was 9 in 1985 I was hit by a car and broke my leg”. As a passphrase this could become 1985CarBrokeLeg! or #9CarLeg, either of which would meet the minimum for most password criteria.
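A small policy check that applies the criteria listed above (the 8-character minimum, the four character classes, and the three-word passphrase rule) to the two example passphrases. This is an added example, not part of the original checklist; the word-splitting regex and the exact pass/fail rules are my own assumptions about how an organisation might encode the guidance.

```python
import re
import string

# Minimum length stated for CE+ (applies to PINs and passwords alike).
CE_PLUS_MIN_LENGTH = 8
# Passphrase guidance: at least three seemingly random words.
MIN_PASSPHRASE_WORDS = 3


def character_classes(secret: str) -> set:
    """Return which of the four classes (upper, lower, digit, symbol) appear."""
    classes = set()
    for ch in secret:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def word_count(secret: str) -> int:
    """Count word-like runs such as 'Car', 'Broke', 'Leg' (assumed heuristic:
    a capitalised or lowercase alphabetic run, or an all-caps run)."""
    return len(re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", secret))


def check_secret(secret: str) -> dict:
    """Evaluate a password or PIN against the checklist's stated criteria."""
    classes = character_classes(secret)
    words = word_count(secret)
    return {
        "length_ok": len(secret) >= CE_PLUS_MIN_LENGTH,
        "mix_ok": len(classes) == 4,          # upper, lower, digit and symbol all present
        "passphrase": words >= MIN_PASSPHRASE_WORDS,
        "classes": classes,
        "words": words,
    }


if __name__ == "__main__":
    # Constructed inputs: the two examples from the checklist plus two weak ones.
    for candidate in ["1985CarBrokeLeg!", "#9CarLeg", "Password1", "1234"]:
        print(candidate, check_secret(candidate))
```

#9CarLeg satisfies the length and character-mix rules but, with only two words, does not count as a passphrase under the three-word rule.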
Any breaches of the above could lead to certification being revoked and cyber insurance being void. A data breach or an inspection by the ICO could also lead to high fines and, perhaps worst of all, the public reputational damage to your organisation of being fined by the ICO.