All CBs must, at minimum, meet the following 10 security principles which are directly linked to the NCSC 10 Steps to Cyber Security guidance. Achievement of the IASME Cyber Assurance level 2 standard or ISO27001 for the whole organisation will usually be sufficient to demonstrate achievement of these principles.
2.1. Risk Management
The CB must carry out regular, at least annually, risk assessments that are linked to the company’s information assets. The CB must embed a Risk Management Regime across their organisation, supported by the board and senior managers.
2.2 Secure Configuration
The CB shall install all high-risk and critical patches for application software and operations systems within 14 days of the patch being released.
The CB must keep an accurate record of business information assets, including ownership and disposal shall be maintained. Each information asset (hardware or data) shall have a named custodian who shall be responsible for the information security of that asset. When hardware is no longer required by the business, all data shall be securely wiped from it using an industry standard tool.
Where possible, the CB shall identify particularly valuable or sensitive information assets through the use of data classification.
In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards. Physical security accreditation should be applied if necessary.
Only authorised personnel who have a valid and approved business need shall be given access to areas containing information systems or stored data
2.3 Network Security
CBs shall have firewalls at the boundaries to all networks and shall ensure that firewalls are managed properly including ensuring that only necessary ports are opened and that firewall management interfaces are appropriately protected.
2.4 Managing user privileges
Access to information shall be based on the principle of “least privilege” and restricted to authorised users who have a business need to access the information.
2.5 User Education and Awareness
Information security awareness training shall be included in the staff induction process and shall be carried out on an ongoing basis for all staff.
An on-going awareness programme shall be carried out in order to ensure that staff awareness of information security is maintained and updated as necessary.
The CB shall maintain and regularly review (at least annually) a security policy which sets out the rules governing the secure management of CB information assets and, in particular, the Maritime Cyber Baseline data. This policy should apply to all information/data, information systems, networks, applications, locations and staff of the CB or supplied under contract to it.
2.6 Incident management
The CB shall establish an incident management capability including incident management plans.
If required as a result of an incident, data must be isolated to facilitate forensic examination. Information security incidents shall be recorded in a Security Incident Log and investigated to establish their cause and impact with a view to avoiding similar events. The organisation shall ensure that incident management plans are produced for all mission critical information, application, systems and networks.
IASME must be notified immediately about security incidents that affect (or are likely to affect) Maritime Cyber Baseline data. The CB shall in the first instance contact IASME’s CEO or CTO using the main telephone number (03300 882752) or using relevant mobile numbers. If the CB is unable to contact IASME via this method, then the CB must attempt to contact IASME using all other reasonable methods.
The CB must provide sufficient resource and cooperation to support IASME’s investigation of any security incidents relating to the CB.
2.7 Malware prevention
The CB shall have malware protection in place across all devices (servers, laptops, desktops, phones and tablets) in accordance with the Cyber Essentials anti-malware requirements.
2.8 Monitoring
The CB shall review regularly the access logs and alerting provided by all hardware firewalls, servers, anti-virus solutions and, where possible, all cloud-based services containing sensitive data
The CB shall have a yearly vulnerability scan carried out by an external body. The business shall act on the recommendations of the external company following the vulnerability scan in order to reduce the security risk presented by any significant vulnerabilities
2.9 Removable media controls
The CB shall control all access to removable media and limit media types and usage to only those required for the business.
2.10 Mobile and Home Working
The CB shall provide guidance and train staff on mobile working. All data must be protected at rest and in transit.
3.1 Supply Chain
All suppliers that handle Maritime Cyber Baseline Data and Sub-Contractors to the Certification Body should attain the Cyber Essentials certificate unless agreed with IASME.
3.2 Data Retention
The CB shall only retain data relating to the Maritime Cyber Baseline scheme for the following timeframes:
Data within the Rizikon Assessment platform will be subject to these timeframes automatically.
Data held by the CB outside the Rizikon Assessment Platform shall be securely deleted using an industry standard tool according to the timeframes above.
A set of anonymised data to assist with research and analysis of the scheme will be taken automatically from every assessment at the time of the final report and stored in a separate research database. The timeframes for retention of this data will be decided by IASME.
3.3 Social Media
The Certification Body shall have a social media policy which is shared with all staff. Through this policy the Certification Body must aim to prevent social media posts from staff or contractors which may bring the Maritime Cyber Baseline scheme or IASME into disrepute.
© The IASME Consortium Ltd 2022 All rights reserved