Institutional Assurance Survey 2019

Introduction

CSCS provides answers and guidance to assist customers in completing the Deloitte Annual Survey.

The IT section of this year's survey focuses on risk controls. As CSCS services are opt-in, we cannot provide a one-size-fits-all answer, and you will need to make a determination based on the guidance below. If your institution uses CSCS-supported computers and data services, then your risks are well managed and the answers are simpler. If some members or groups opt out and provide and configure their own computers, or store data outside of University-provided services, then you may need to make additional considerations.

If this audit raises questions that you would like to discuss with CSCS, then please email the Service Desk Team, who will pass your question to the relevant person.


16.1 - Do the computing resources in your institution meet the five technical controls of Cyber Essentials?

Answer

For CSCS managed computers - 4 of 5 controls are met - No

For personal devices (BYOD) or institutional computers not managed by CSCS - inherently unknown, but likely 2 of 5 controls are met - must be assumed to be No.


Background

Cyber Security Essentials is a government-sponsored security certification that institutions can choose to complete. It applies to any device that accesses the internet as well as institutional data, and defines 5 themes of control:


Each control theme below is assessed for CSCS Managed Computers** and for Personal Devices or Institutional Devices not managed by CSCS.

Control theme 1: Use a firewall to secure your Internet connection
  • CSCS Managed Computers: Yes; CSCS provides multiple layers of security for the Clinical School network, including a network firewall and software firewalls on managed computers.
  • Personal / unmanaged devices: Yes; CSCS provides multiple layers of security for the Clinical School network, including a network firewall.

Control theme 2: Choose the most secure settings for your devices and software
  • CSCS Managed Computers: Yes; CSCS configures computers securely prior to delivery, and applies security policies to ensure they remain so.
  • Personal / unmanaged devices: Unknown, likely No; personal computers typically come supplied with software and / or configuration inappropriate for a workplace.

Control theme 3: Control who has access to your data and services
  • CSCS Managed Computers: Yes; access to CSCS devices, storage and services is via named accounts only, with permissions granted only where authorised by a nominated individual in the institution. Security policies ensure accounts are secure. Compromised accounts are disabled.
  • Personal / unmanaged devices: Unknown, likely No; personal devices can be configured with local or generic accounts or using shared passwords. Passwords may be weak, and compromised accounts may remain active with no central means of detection or control.

Control theme 4: Protect yourself from viruses and other malware
  • CSCS Managed Computers: Yes; CSCS provides Sophos on all managed computers. Sophos is a leading anti-virus product and protects against malware, including ransomware attacks. Malware infections are reported to CSCS and we can respond appropriately. CSCS also applies additional layers of security to incoming mail to @medschl.cam.ac.uk mailboxes.
  • Personal / unmanaged devices: Unknown, but likely Yes; the latest versions of Windows 10 and macOS include antivirus, however these protect against a smaller scope of viruses, and there is no central alerting to outbreaks.

Control theme 5: Keep your devices and software up to date
  • CSCS Managed Computers: Partial*; CSCS provides centralised automatic updates for the majority of operating systems and applications, which are installed at shutdown, and can identify computers that have not been updated.
  • Personal / unmanaged devices: Unknown, likely No; each application must have its own update mechanism and typically requires manual intervention to install.


* Although CSCS meets the majority of technical controls set out by the 5 themes of Cyber Essentials, we do not (currently) meet the following controls set out in theme #5, "Keep your devices and software up to date":

  • Remove software programs which are no longer supported. CSCS does not actively remove retail software packages that reach end of life (e.g. Endnote X6) from customer computers. It is anticipated that users uninstall software they do not use, or purchase new versions of software that they actively use.
  • Patch within 14 days. CSCS tests Microsoft patches prior to release, and patches that are not found to be stable are held back until they are. This sometimes results in longer than 14 days until release.

** "CSCS managed computers" refers to any computer subscribed to our Computer Support Service.


16.1 - 16.4 - Your Information Assets

Answer

These questions can only be answered completely by the institution.

Background

CSCS provides several services for the secure storage of institutional data:

  • Medschl email
  • Home drives
  • Group drives
  • Managed virtual servers
  • Secure Data Hosting Service
  • Web-hosting service

You will be able to see these on your monthly CSCS billing statement. Our Service Desk Team can advise in case you are unsure of the services you use.

An institution may also have information assets outside of CSCS services, e.g. High Performance Computing, NHS systems, external hard drives, or collaborations with other institutions, which CSCS is unable to identify on your behalf.


16.5 - Are the computing resources in your institution fully supported and managed by someone in the University or by contracted external suppliers?

Answer

If all computers that access institutional data within the institution are managed by CSCS - Yes

If people bring and use personal devices, or devices from another organisation, to access your institutional data - No


16.6 - Do you maintain logs/records of access to data and systems in your institution, showing who accessed what and when, that would be available if needed to investigate an incident?

For institutional data held on CSCS services (Medschl email, home drives, group drives, managed virtual servers, Secure Data Hosting Service) or access to CSCS systems - Yes.

If data is held on other managed professional services, e.g. UIS Storage, OneDrive, G Suite - Yes

If data is held on or redirected to non-professional services such as personal Gmail or personal OneDrive, where you are unlikely to be able to request access records - No

If data is held on unmanaged systems, such as external hard drives or USB drives - No



16.7 - Please use the box below to enter any comments relating to the IT Controls questions, including any issues or control weaknesses in this area. Please also document any areas where other mitigating controls are in place and operating effectively, where appropriate.


If you have any local IT policies, for instance relating to acceptable use of personal devices or storage of data, then you may wish to mention them here.


16.8 - If some or all of your IT is managed by UIS, CSCS, the Faculty, or someone else, then enter in this field: ‘All/Some of our IT is fully supported and managed by UIS/CSCS/Faculty/Other Department/Other’ (delete as appropriate) and list who supports your computing facilities for ‘Other’. If you manage all your IT yourself, please enter ‘Not Applicable’ in this field.


Depending on your departmental policies, one of the statements below is applicable and can be used as a full or partial response. If you have staff providing local IT services in addition to CSCS, you may wish to mention them here.


All of our Institutional IT is supported and managed by the Clinical School Computing Service, and these computers meet 4 of the 5 Cyber Security Essentials controls. As is common practice across the University, staff and students are allowed to use personal devices for work purposes; these are not managed or supported and their compliance status is unknown.

or

Some of our Institutional IT is supported and managed by the Clinical School Computing Service, and these computers meet 4 of the 5 Cyber Security Essentials controls. Some individuals / groups choose to manage their own devices. As is common practice across the University, staff and students are allowed to use personal devices for work purposes; these are not managed or supported and their compliance status is unknown.