Answers

The document discusses the terms and conditions for certification. It outlines details like the organisation name, type, registration number and address that need to be provided. It also asks if the applicant has read the Cyber Essentials requirements document and their reasons for seeking certification.

Uploaded by Aman Prasad

Answer Export

Question Answer

Acceptance
Question: Please read these terms and conditions carefully. Do you agree to these terms?
NOTE: if you do not agree to these terms, your answers will not be assessed or certified.
Answer: I accept

A1.1 Organisation Name
Question: What is your organisation's name?
Guidance: The answer given in A1.1 is the name that will be displayed on your certificate and has a character limit of 150.
When an organisation wishes to certify subsidiary companies on the same certificate, the organisation can certify as a group and can include the subsidiaries' name on the certificate as long as the board member signing off the certificate has authority over all certified organisations.
For example: The Stationery Group, incorporating The Paper Mill and The Pen House.
It is also possible to list on a certificate where organisations are trading as other names.
For example: The Paper Mill trading as The Pen House.
Answer: STREAMLINED FORENSIC REPORTING LIMITED

A1.2 Organisation Type
Question: What type of organisation are you?
Answer: LTD - Limited Company (Ltd or PLC)
Applicant Notes: LTD - Limited Company (Ltd or PLC)

A1.3 Organisation Number
Question: What is your organisation's registration number?
Guidance: Please enter the registered number only with no spaces or other punctuation. Letters (a-z) are allowed, but you need at least one digit (0-9). There is a 20 character limit for your answer.
If you are applying for certification for more than one registered company, please still enter only one organisation number.
If you have answered A1.2 with Government Agency, Sole Trader, Other Partnership, Other Club/Society or Other Organisation please enter "none".
If you are registered in a country that does not issue a company number, please enter a unique identifier like a VAT or DUNS number.
Answer: 11401401

A1.4 Organisation Address
Question: What is your organisation's address?
Guidance: Please provide the legal registered address for your organisation, if different from the main operating location.
Answer: UK
Notes:
Address Line 1: 124,
Address Line 2: City Road
Town/City: London
County: United Kingdom
Postcode: EC1V 2NX
Country: United Kingdom

A1.5 Organisation Occupation
Question: What is your main business?
Guidance: Please summarise the main occupation of your organisation.
Answer: Health
Applicant Notes: Our main business involves Human Health and social work domain. Our goal is to reform the complex and inefficient processes that exist in the criminal justice system. We've developed a process to produce medical evidence reports in a timelier and more cost-efficient manner than how forces currently acquire them. Through proprietary operational and technological improvements, we supply these reports at an affordable price, in an acceptable time frame, and with the accuracy that is required. Our primary customers are the UK Police Forces.

A1.6 Website Address
Question: What is your website address?
Guidance: Please provide your website address (if you have one). This can be a Facebook/LinkedIn page if you prefer.
Answer: https://sfrmedical.com

A1.7 Renewal or First Time Application
Question: Is this application a renewal of an existing certification or is it the first time you have applied for certification?
Guidance: If you have previously achieved Cyber Essentials, please select "Renewal". If you have not previously achieved Cyber Essentials, please select "First Time Application".
Answer: Renewal

A1.8 Reason for Certification
Question: What are the two main reasons for applying for certification?
Guidance: Please let us know the two main reasons why you are applying for certification. If there are multiple reasons, please select the two that are most important to you. This helps us to understand how people are using our certifications.
Answer: To Give Confidence to Our Customers
Notes: Secondary Reason: To Generally Improve Our Security

A1.9 CE Requirements Document
Question: Have you read the 'Cyber Essentials Requirements for IT Infrastructure' document?
Guidance: Document is available on the NCSC Cyber Essentials website and should be read before completing this question set.
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf
Answer: Yes
Applicant Notes: Yes. We have read the Cyber Essentials Requirements for IT Infrastructure document.

A1.10 Cyber Breach
Question: Can IASME and their expert partners contact you if you experience a cyber breach?
Guidance: We would like feedback on how well the controls are protecting organisations. If you agree to this then please email security@iasme.co.uk if you do experience a cyber breach. IASME and expert partners will then contact you to find out a little more but all information will be kept confidential.
Answer: Yes

A2.1 Assessment Scope
Question: Does the scope of this assessment cover your whole organisation?
Please note: Your organisation is only eligible for free cyber insurance if your assessment covers your whole company; if you answer "No" to this question you will not be invited to apply for insurance.
Guidance: Your whole organisation includes all divisions, people and devices which access your organisation's data and services.
Answer: Yes

A2.3 Geographical Location
Question: Please describe the geographical locations of your business which are in the scope of this assessment.
Guidance: You should provide either a broad description (i.e. All UK offices) or simply list the locations in scope (i.e. Manchester and Glasgow retail stores).
Answer: United Kingdom

A2.4 End User Devices
Question: Please list the quantities and operating systems for your laptops, desktops and virtual desktops within the scope of this assessment.
Please Note: You must include make and operating system versions for all devices. All user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. Devices that are connecting to cloud services must be included. A scope that does not include end user devices is not acceptable.
Guidance: You need to provide a summary of all laptops, computers, virtual desktops and their operating systems that are used for accessing organisational data or services and have access to the internet. For example, "We have 25 DELL laptops running Windows 10 Professional version 20H2 and 10 MacBook laptops running MacOS Ventura". Please note, the edition and feature version of your Windows operating systems are required. This applies to both your corporate and user owned devices (BYOD). You do not need to provide serial numbers, mac addresses or further technical information.
Answer: We have 24 laptops: 2 MacBook Pros running MacOS version Sonoma 14.2.1 23E214 and 1 Dell, 2 Microsoft Surfaces, 23 Lenovo Thinkbooks and 1 ASUS ZenBook running OS Builds 22621.3007 and 22631.3007. We also access a secure VNET network using AWS Workspaces and Azure Virtual Machines 21H2 having OS Version Windows version OS Build 20348.2322 (Windows Server 2022 Datacenter).

A2.4.1 Thin Client Devices
Question: Please list the quantity of thin clients within scope of this assessment. Please include make and operating systems.
Guidance: Please provide a summary of all the thin clients in scope that are connecting to organisational data or services (Definitions of which are in the 'CE Requirements for Infrastructure document' linked in question A1.9).
Thin clients are commonly used to connect to a Virtual Desktop Solution. Thin clients are a type of very simple computer holding only a base operating system which are often used to connect to virtual desktops. Thin clients can connect to the internet, and it is possible to modify some thin clients to operate more like PCs, and this can create security complications. Cyber Essentials requires thin clients be supported and receiving security updates.
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf
Answer: We do not have thin clients.

A2.5 Server Devices
Question: Please list the quantity of servers, virtual servers and virtual server hosts (hypervisor). You must include the operating system.
Guidance: Please list the quantity of all servers within scope of this assessment. For example, 2 x VMware ESXI 6.7 hosting 8 virtual windows 2016 servers; 1 x MS Server 2019; 1 x Redhat Enterprise Linux 8.3
Answer: Azure Virtual Server and AWS server: 3 x 21H2 having OS Version Windows version OS Build 20348.2322 (Windows Server 2022 Datacenter).

A2.6 Mobile Devices
Question: Please list the quantities of tablets and mobile devices within the scope of this assessment.
Please Note: You must include make and operating system versions for all devices. All user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. Devices that are connecting to cloud services must be included. A scope that does not include end user devices is not acceptable.
All tablets and mobile devices that are used for accessing organisational data or services and have access to the internet must be included in the scope of the assessment. This applies to both corporate and user owned devices (BYOD). You are not required to list any serial numbers, mac addresses or other technical information.
Answer: All mobile devices that are used for accessing business data and have access to the internet are listed below:
1. Samsung Galaxy S24 Android V14
2. OnePlus Nord N30 SE Android 13
3. iPhone 14, iOS 17.4
4. Samsung S21 Android V13
5. iPhone 12 Pro iOS 17.3.1
As part of IT Security policy, we restrict the use of mobile by disabling access to business-critical systems outside Virtual Machines.

A2.7 Networks
Question: Please provide a list of your networks that will be in the scope for this assessment.
Guidance: You should include details of each network used in your organisation including its name, location and its purpose (i.e. Main Network at Head Office for administrative use, Development Network at Malvern Office for testing software, home workers network - based in UK).
You do not need to provide IP addresses or other technical information.
For further guidance see the Home Working section in the 'CE Requirements for Infrastructure Document'. https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf
Answer: All employees access the office network via Azure Virtual Network and AWS Virtual Network. Virtual desktops are the only option to access business data. Systems and technical setups are in place to restrict access to business sensitive customer data outside the AWS & Azure virtual networks. All SFR Medical data is stored in secure Microsoft UK data centers (UK West or the UK South Microsoft). Homeworker networks are untrusted and we rely on software firewalls when working remotely.

A2.7.1 Home Workers
Question: How many staff are home workers?
Guidance: Any employee that has been given permission to work at home for any period of time at the time of the assessment, needs to be classed as working from home for Cyber Essentials.
For further guidance see the Home Working section in the 'CE Requirements for Infrastructure Document'. https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf
Answer: Our organization operates as a 100% work-from-home environment. There are 24 full-time employees who work from home and there are no staff members currently working from a physical office location. Therefore, every employee is classified as a home worker for the purposes of this Cyber Essentials assessment.

A2.8 Network Equipment
Question: Please provide a list of your network equipment that will be in scope for this assessment (including firewalls and routers). You must include make and model of each device listed.
Guidance: You should include all equipment that controls the flow of data; this will be your routers and firewalls.
You do not need to include switches or wireless access points that do not contain a firewall or do not route internet traffic.
If you don't have an office and do not use network equipment, and instead you are relying on software firewalls, please describe this in the notes field.
You are not required to list any IP addresses, MAC addresses or serial numbers.
Answer: All employees are working from home. Home user networks have ISP provided devices which are out-of-scope. All the employees login to the VNet virtual network configured on the Azure and AWS cloud services. Azure Virtual Network (VNet) is the fundamental building block for SFR Medical's private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other and with the internet. VNet is similar to a traditional network that you'd operate in a data center but brings with it additional benefits of Azure's infrastructure such as scale, availability, and isolation. Amazon Virtual Private Cloud (Amazon VPC) is a service that lets SFR Medical launch AWS resources in a logically isolated virtual network that is security compliant. Amazon VPC provides advanced security features that allow us to perform inbound and outbound filtering at the instance and subnet level.

A2.9 Cloud Services
Question: Please list all of your cloud services that are in use by your organisation and provided by a third party. Please note cloud services cannot be excluded from the scope of CE.
Guidance: You need to include details of all of your cloud services. This includes all types of services - IaaS, PaaS and SaaS. Definitions of the different types of Cloud Services are provided in the 'CE Requirements for Infrastructure Document'.
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf
Answer: AWS - IaaS; Microsoft Azure - App Service; Microsoft Azure Virtual Machines - IaaS; Microsoft Dynamics 365 - SaaS; Microsoft Office 365 - SaaS

A2.10 Responsible Person
Question: Please provide the name and role of the person who is responsible for managing your IT systems in the scope of this assessment.
Guidance: This person must be a member of your organisation and cannot be a person employed by your outsourced IT provider.
Answer: Suyash Shrivastava
Notes: Responsible Person Role: Chief Technology Officer

A3.1 Head Office
Question: Is your head office domiciled in the UK or Crown Dependencies and is your gross annual turnover less than £20m?
Guidance: This question relates to the eligibility of your organisation for the included cyber insurance.
Answer: Yes

A3.2 Cyber Insurance Opt-In
Question: If you have answered "yes" to the last question then your organisation is eligible for the included cyber insurance if you gain certification. If you do not want this insurance element please opt out here.
Guidance: There is no additional cost for the insurance. You can see more about it at https://iasme.co.uk/cyber-essentials/cyber-liability-insurance/
Answer: (blank)

A3.3 Total Gross Revenue
Question: What is your total gross revenue? Please provide figure to the nearest £100K. You only need to answer this question if you are taking the insurance.
Guidance: The answer to this question will be passed to the insurance broker in association with the cyber insurance you will receive at certification. Please be as accurate as possible - figure should be to the nearest £100K.
Answer: £ 1.8 Million

A3.4 Insurance Email Contact
Question: What is the organisation email contact for the insurance documents? You only need to answer this question if you are taking the insurance.
Guidance: The answer to this question will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification and they will use this to contact you with your insurance documents and renewal information.
Answer: Suyash.s@sfrmedical.com

A4.1 Boundary Firewall
Question: Do you have firewalls at the boundaries between your organisation's internal networks, laptops, desktops, servers and the internet?
Guidance: You must have firewalls in place between your office network and the internet.
Answer: Yes
Applicant Notes: AWS Workspaces and Azure VMs are firewall enabled. We also ensure that all users have Firewalls enabled on their systems through housekeeping and self-attestations.

A4.1.1 Off Network Firewalls
Question: When your devices (including computers used by homeworkers) are being used away from your workplace (for example, when they are not connected to your internal network), how do you ensure they are protected?
Guidance: You should have firewalls in place for home-based workers. If those users are not using a Corporate Virtual Private Network (VPN) connected to your office network, they will need to rely on the software firewall included in the operating system of their device.
Answer: We have Firewalls enabled, we also use encryption for sensitive data, we have MFA enabled etc. Regular cybersecurity awareness training is conducted for all employees, emphasising best practices for secure remote working, recognizing phishing attempts, and reporting security incidents.

A4.2 Firewall Default Password
Question: When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices?
Guidance: The default password must be changed on all routers and firewalls, including those that come with a unique password pre-configured (i.e. BT Business Hub, Draytek Vigor 2865ac).
When relying on software firewalls included as part of the operating system of your end user devices, the password to access the device will need to be changed.
Answer: Yes
Applicant Notes: There are no internet routers provided by the company as all users work from home. Home users utilise software firewalls as their boundary.

A4.2.1 Firewall Password Change Process
Question: Please describe the process for changing your firewall password. Home routers not supplied by your organisation are not included in this requirement.
Guidance: You need to understand how the password on your firewall(s) is changed. Please provide a brief description of how this is achieved.
Answer: Windows devices have the admin password reset by logging on as the admin and using control+alt+del to select change password. Mac users will go to the users and groups section and choose to change the user password for the admin account. AWS and Azure security is managed by admin accounts that have been added within those systems.

A4.3 Firewall Password Configuration
Question: Is your new firewall password configured to meet the 'Password-based authentication' requirements? Please select the option being used.
A. Multi-factor authentication, with a minimum password length of 8 characters and no maximum length
B. Automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length
C. A minimum password length of 12 characters and no maximum length
D. None of the above, please describe
Guidance: Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the new section about password-based authentication in the 'Cyber Essentials Requirements for IT Infrastructure' document.
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf
Answer: A. Multi-factor authentication with a minimum password length of 8 characters and no maximum length; C. A password minimum length of 12 characters and no maximum length
Applicant Notes: We have 8+MFA for cloud and 12 character minimum for local admin accounts.

A4.4 Firewall Password Issue
Question: Do you change your firewall password when you know or suspect it has been compromised?
Guidance: Passwords may be compromised if there has been a virus on your system or if the manufacturer notifies you of a security weakness in their product. You should be aware of this and know how to change the password if this occurs.
When relying on software firewalls included as part of the operating system of your end user devices, the password to access the device will need to be changed.
Answer: Yes
Applicant Notes: Yes, we are aware how to change the password when the system notifies for the security weakness or if there has been a virus.

A4.5 Firewall Services
Question: Do you have any services enabled that can be accessed externally through your internet router, hardware firewall or software firewall?
Guidance: At times your firewall may be configured to allow a system on the inside to become accessible from the internet (for example: a VPN server, a mail server, an FTP server or a service that is accessed by your customers). This is sometimes referred to as "opening a port". You need to show a business case for doing this because it can present security risks. If you have not enabled any services, answer "No". By default, most firewalls block all services.
Answer: Yes
Applicant Notes: Yes, our organization has strategically configured our firewall to allow specific services to be accessed externally through our internet router. We leverage cloud services in AWS and Azure, where certain applications and resources are hosted. We have carefully considered and documented a business case for enabling these services, taking into account the operational requirements and the necessary security measures implemented to mitigate potential risks. Our firewall configurations are regularly reviewed and updated to adhere to industry best practices, ensuring a robust defense against potential security threats.

A4.5.1 Firewall Documented Business Case
Question: Do you have a documented business case for all of these services?
Guidance: The business case should be documented and recorded. A business case must be signed off at board level and associated risks reviewed regularly.
Answer: Yes
Applicant Notes: Yes, our organization has a comprehensive and documented business case for all the services that are enabled and accessible externally through our internet router, including the services hosted in both AWS and Azure. The business case has been meticulously developed, outlining the operational necessities and strategic advantages of each service. This business case has been formally reviewed and signed off at the board level to ensure alignment with organizational objectives and commitment to security best practices.

A4.6 Firewall Service Process
Question: If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? A description of the process is required.
Guidance: If you no longer need a service to be enabled on your firewall, you must remove it to reduce the risk of compromise. You should have a process that you follow to do this (i.e. when are services reviewed, who decides to remove the services, who checks that it has been done?).
Answer: We review which services are active and if the CTO approves any change due to a service no longer being required, we would remove that access and test to confirm it is no longer available.
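The review that A4.5 to A4.6 ask for (every externally reachable service has a board-approved business case, the cases are reviewed regularly, services no longer needed are removed, and the removal is confirmed) can be done mechanically against a firewall or security-group export. The following Python script is an added example; it is not the applicant's tooling and not part of the IASME question set. The rules, the register entries and the 90-day review interval are constructed assumptions.

```python
"""Reconcile externally reachable services against the business-case register.

Added example for A4.5-A4.6; it is not the applicant's tooling or part of the
IASME question set. The rules, register entries and the 90-day review interval
are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumed review cadence (quarterly)


@dataclass(frozen=True)
class InboundRule:
    name: str
    port: int
    proto: str
    source: str  # CIDR; "0.0.0.0/0" means reachable from anywhere


@dataclass(frozen=True)
class BusinessCase:
    port: int
    proto: str
    owner: str
    approved_by: str  # Cyber Essentials expects board-level sign-off
    last_reviewed: date


# Constructed sample of what a security-group or firewall export might list.
RULES = [
    InboundRule("customer-portal-https", 443, "tcp", "0.0.0.0/0"),
    InboundRule("vpn-gateway", 1194, "udp", "0.0.0.0/0"),
    InboundRule("legacy-ftp", 21, "tcp", "0.0.0.0/0"),  # nobody documented this one
    InboundRule("rdp-from-admin-range", 3389, "tcp", "203.0.113.0/24"),
]

# Constructed sample register of approved exposures.
REGISTER = [
    BusinessCase(443, "tcp", "portal team", "board", date(2024, 1, 15)),
    BusinessCase(1194, "udp", "IT", "board", date(2023, 6, 1)),  # review overdue
    BusinessCase(3389, "tcp", "IT", "board", date(2024, 2, 1)),
    BusinessCase(22, "tcp", "IT", "board", date(2024, 2, 1)),  # rule already removed
]


def reconcile(rules, register, today):
    """Return findings keyed by category; empty lists mean the review is clean."""
    by_key = {(bc.port, bc.proto): bc for bc in register}
    rule_keys = {(r.port, r.proto) for r in rules}
    findings = {"no_business_case": [], "not_board_approved": [],
                "review_overdue": [], "stale_register_entry": []}
    for r in rules:
        bc = by_key.get((r.port, r.proto))
        if bc is None:
            findings["no_business_case"].append(r.name)  # remove it or document it
            continue
        if bc.approved_by != "board":
            findings["not_board_approved"].append(r.name)
        if today - bc.last_reviewed > REVIEW_INTERVAL:
            findings["review_overdue"].append(r.name)
    for (port, proto) in by_key:
        if (port, proto) not in rule_keys:
            findings["stale_register_entry"].append(f"{port}/{proto}")
    return findings


def confirm_removed(rules, port, proto):
    """The 'test to confirm it is no longer available' step: re-read the
    export after the change and make sure the rule is really gone."""
    return not any(r.port == port and r.proto == proto for r in rules)


if __name__ == "__main__":
    for category, names in reconcile(RULES, REGISTER, date.today()).items():
        print(f"{category}: {names or 'none'}")
```

Feeding the script a fresh export on each review date gives the "who checks that it has been done" evidence the guidance asks about: a rule with no register entry is a candidate for removal, and a register entry with no rule can be closed out.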

A4.7 Firewall Service Block
Question: Have you configured your boundary firewalls so that they block all other services from being advertised to the internet?
Guidance: By default, most firewalls block all services from inside the network from being accessed from the internet, but you need to check your firewall settings.
Answer: Yes
Applicant Notes: Our firewall is set to block all inside services from being accessed from the internet.

A4.8 Firewall Remote Configuration
Question: Are your boundary firewalls configured to allow access to their configuration settings over the internet?
Guidance: Sometimes organisations configure their firewall to allow other people (such as an IT support company) to change the settings via the internet.
If you have not set up your firewalls to be accessible to people outside your organisation, or your device configuration settings are only accessible via a VPN connection, then answer "no" to this question.
Answer: Yes
Applicant Notes: Yes, we have remote access to AWS and Azure firewalls/security groups. However, it's important to note that we do not have external access to device-based firewalls. All access to our device configuration settings is restricted and can only be achieved through secure VPN connections. This ensures that only authorized personnel within our organization can make changes to firewall settings, maintaining a robust security posture. We prioritize the protection of our network infrastructure and regularly review access controls to align with best practices and cybersecurity standards.

A4.9 Documented Admin Access
Question: If you answered yes in question A4.8, is there a documented business requirement for this access?
Guidance: When you have made a decision to provide external access to your routers and firewalls, this decision must be documented (for example, written down).
Answer: Yes

A4.10 Admin Access Method
Question: If you answered yes in question A4.8, is the access to your firewall settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication to access the settings?
Guidance: If you allow direct access to configuration settings via your router or firewall's external interface, this must be protected by one of the two options. Please explain which option is used.
Answer: All admin access is MFA-enabled

A4.11 Software Firewalls
Question: Do you have software firewalls enabled on all of your computers, laptops and servers?
Guidance: Your software firewall must be configured and enabled at all times, even when sitting behind a physical/virtual boundary firewall in an office location. You can check this setting on Macs in the Security & Privacy section of System Preferences. On Windows laptops you can check this by going to Settings and searching for "Windows firewall". On Linux try "ufw status".
Answer: Yes
Applicant Notes: All laptops have been checked for software firewalls regularly. We have Microsoft forms which users have to use to confirm their Firewall settings for their computers every quarter. This is validated by IT admins. IT admins also audit this information by remotely checking the laptops for these settings on a Zoom call or by physically taking the laptops. Also, every time a laptop is assigned to a new user, the admin checks all these settings and ensures all security settings of the laptop are enabled and no confidential data is stored on the laptop.
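The quarterly self-attestation described in A4.11 depends on each user reading a settings screen correctly. The guidance names the tools that print the same state as text ("ufw status" on Linux, the Windows firewall settings, the macOS firewall), and that text can be parsed so the evidence is collected rather than declared. The Python below is an added example, not part of the question set or the applicant's process; the sample outputs are constructed to follow the usual shape of `ufw status verbose`, `netsh advfirewall show allprofiles` and `socketfilterfw --getglobalstate`, and the live check at the end simply runs whichever of those applies to the host.

```python
"""Parse the software-firewall status output of each OS's own tool.

Added example for A4.11; not part of the question set or the applicant's
process. The sample outputs are constructed to follow the shape of:
  Linux:   ufw status verbose
  Windows: netsh advfirewall show allprofiles
  macOS:   /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
"""
import platform
import re
import subprocess

# --- constructed sample outputs -------------------------------------------
UFW_OK = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
"""
UFW_INACTIVE = "Status: inactive\n"
# Active, but the default inbound policy was flipped to allow: not acceptable.
UFW_ALLOW_IN = UFW_OK.replace("deny (incoming)", "allow (incoming)")


def _netsh(domain, private, public):
    block = ("{name} Profile Settings:\n" + "-" * 70 + "\n"
             "State                                 {state}\n"
             "Firewall Policy                       BlockInbound,AllowOutbound\n\n")
    return "".join(block.format(name=n, state=s)
                   for n, s in (("Domain", domain), ("Private", private), ("Public", public)))


NETSH_OK = _netsh("ON", "ON", "ON")
NETSH_PUBLIC_OFF = _netsh("ON", "ON", "OFF")
MAC_OK = "Firewall is enabled. (State = 1)\n"
MAC_OFF = "Firewall is disabled. (State = 0)\n"


# --- parsers ---------------------------------------------------------------
def ufw_enabled(output):
    """'Status: active' alone is not enough: default incoming must be deny/reject."""
    active = re.search(r"^Status:\s*active", output, re.M) is not None
    m = re.search(r"^Default:\s*(\w+)\s*\(incoming\)", output, re.M)
    return active and m is not None and m.group(1).lower() in ("deny", "reject")


def windows_profiles(output):
    """Map each profile (Domain/Private/Public) to True if its State is ON."""
    profiles, current = {}, None
    for line in output.splitlines():
        header = re.match(r"^(\w+) Profile Settings:", line)
        if header:
            current = header.group(1)
            continue
        state = re.match(r"^State\s+(ON|OFF)\b", line.strip())
        if state and current:
            profiles[current] = state.group(1) == "ON"
    return profiles


def windows_enabled(output):
    """All three profiles must be present and ON; a laptop on home Wi-Fi uses
    the Public or Private profile, so checking only Domain would miss it."""
    profiles = windows_profiles(output)
    return {"Domain", "Private", "Public"} <= set(profiles) and all(profiles.values())


def macos_enabled(output):
    return "Firewall is enabled" in output


COMMANDS = {
    "linux": ["ufw", "status", "verbose"],
    "windows": ["netsh", "advfirewall", "show", "allprofiles"],
    "darwin": ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
}
PARSERS = {"linux": ufw_enabled, "windows": windows_enabled, "darwin": macos_enabled}


def check_live(system=None):
    """Run this host's command and parse it; None if the tool is unavailable.
    (ufw needs root; without it the error text parses as 'not enabled'.)"""
    system = (system or platform.system()).lower()
    if system not in COMMANDS:
        return None
    try:
        proc = subprocess.run(COMMANDS[system], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return PARSERS[system](proc.stdout)


if __name__ == "__main__":
    print("software firewall enabled on this host:", check_live())
```

The two negative samples are the cases a checkbox on a form does not catch: ufw reported as "active" while its default inbound policy is allow, and Windows with only the Public profile switched off, which is exactly the profile a home worker's laptop sits on.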

A5.1 Removed Unused Software
Question: Where you are able to do so, have you removed or disabled all the software and services that you do not use on your laptops, desktop computers, thin clients, servers, tablets, mobile phones and cloud services? Describe how you achieved this.
Guidance: You must remove or disable all applications, system utilities and network services that are not needed in day-to-day use. You need to check your cloud services and disable any services that are not required for day-to-day use.
To view your installed applications:
1. Windows: right-click on Start -> Apps and Features
2. macOS: open Finder -> Applications
3. Linux: open your software package manager (apt, rpm, yum).
Answer: SFR Medical virtual machines (VM) and laptops only have limited applications which are required for organizational duties by the employees. Since all the users access all SFR Medical data from virtual machines, only SFR Medical admin has access to install/uninstall any software on the VM. The admin ensures that only the necessary software is present on VMs intended for different users. The admin team monthly reviews all the software and uninstalls obsolete applications via c-panel (or Finder for MAC) for both VMs as well as for the laptops. Additionally, the admin team monitors applications that are not in use and uninstalls them as well.

A5.2 Remove Unrequired User Accounts
Question: Have you ensured that all your laptops, computers, servers, tablets, mobile devices and cloud services only contain necessary user accounts that are regularly used in the course of your business?
Guidance: You must remove or disable any user accounts that are not needed in day-to-day use on all devices and cloud services.
You can view your user accounts:
1. Windows: right-click on Start -> Computer Management -> Users
2. macOS: System Preferences -> Users & Groups
3. Linux: "cat /etc/passwd"
Answer: Yes
Applicant Notes: This is ensured on the Virtual machines which are the primary source to access all SFR Medical data. User Accounts are created by the System Admins who are assigned privileges by the CTO. No additional Accounts can be added by Staff Members. End user devices have only the required account(s) for the user(s) of the device(s).
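A5.1 and A5.2 both reduce to the same check: compare what is actually on the machine with the list of what is supposed to be there. The Python below is an added example that serves both questions; it is not from the question set or the applicant's process. It takes the text of the two Linux listings the guidance points at (the package manager's installed list, here in `dpkg-query` form, and `/etc/passwd`) and reports what is not on an approved baseline. The listings and the approved lists are constructed samples; the monthly review the applicant describes would run this against each VM's real output.

```python
r"""Compare installed software and local accounts against an approved baseline.

Added example covering A5.1 and A5.2; it is not part of the question set or
the applicant's process. On Linux the two listings come from:
  dpkg-query -W -f='${binary:Package}\t${Status}\n'   (installed software)
  cat /etc/passwd                                       (user accounts)
Both samples below are constructed, as are the approved lists.
"""

DPKG_SAMPLE = (
    "openssh-server\tinstall ok installed\n"
    "curl\tinstall ok installed\n"
    "telnetd\tinstall ok installed\n"          # not on the approved list
    "vsftpd\tdeinstall ok config-files\n"      # removed, only config left behind
    "libreoffice\tinstall ok installed\n"
)

PASSWD_SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "contractor:x:1001:1001:Old contractor:/home/contractor:/bin/bash\n"
    "backup-svc:x:1002:1002::/var/backups:/bin/sh\n"
)

APPROVED_PACKAGES = {"openssh-server", "curl", "libreoffice"}
APPROVED_ACCOUNTS = {"root", "alice"}
# Shells that cannot be used to log in; accounts with these are system
# accounts, not "user accounts" in the sense of A5.2, and are left alone.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def installed_packages(dpkg_output):
    """Package names whose dpkg status ends in 'installed' (not config-files)."""
    pkgs = set()
    for line in dpkg_output.splitlines():
        if "\t" not in line:
            continue
        name, status = line.split("\t", 1)
        if status.strip().endswith(" installed"):
            pkgs.add(name)
    return pkgs


def unapproved_packages(dpkg_output, approved=APPROVED_PACKAGES):
    return sorted(installed_packages(dpkg_output) - approved)


def login_accounts(passwd_text):
    """username -> shell for every account that can actually log in."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, shell = fields[0], fields[6]
        if shell not in NOLOGIN_SHELLS:
            accounts[name] = shell
    return accounts


def unapproved_accounts(passwd_text, approved=APPROVED_ACCOUNTS):
    return sorted(set(login_accounts(passwd_text)) - approved)


if __name__ == "__main__":
    print("software not on the approved list:", unapproved_packages(DPKG_SAMPLE))
    print("login-capable accounts not on the approved list:",
          unapproved_accounts(PASSWD_SAMPLE))
```

Two details matter in practice: a package whose status is "deinstall ok config-files" is already gone and should not be reported again, and an account is only a finding if it still has a login shell, so disabling an account by setting its shell to nologin is enough to clear it.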

A5.3 Change Default Password
Question: Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets and mobile phones that follow the Password-based authentication requirements of Cyber Essentials?
Guidance: A password that is difficult to guess will be unique and not be made up of common or predictable words such as "password" or "admin" or include predictable number sequences such as "12345".
Answer: Yes
Applicant Notes: The default passwords for all devices and applications (virtual or physical) are reset on the first login by the users as per the company password policy. For applications, they are required to change the password every 3 or 6 months. There are prompts that remind users to update their passwords.

A5.4 Internally Hosted External Services
Question: Do you run external services that provide access to data (that shouldn't be made public) to users across the internet?
Guidance: Your business might run software that allows staff or customers to access information across the internet to an external service hosted on the internal network, cloud data centre or IaaS cloud service. This could be a VPN server, a mail server, or an internally hosted internet application (SaaS or PaaS) that you provide to your customers as a product. In all cases, these applications provide information that is confidential to your business and your customers and that you would not want to be publicly accessible.
Answer: Yes
Applicant Notes: We provide access to the portal to our customers to provide service requests. This application is developed using the Microsoft Dynamics CRM portal SaaS solution within Azure and VMs in AWS. Access to this portal is limited to only customers (only specific email extensions are whitelisted using AzureAD B2C and allowed access to our Portal) and it is validated with customers' email via multifactor authentication (OTP sent to their company email ids). AWS VM access for staff.

A5.5 External Service Password Configuration
Question: If yes to question A5.4, which option of password-based authentication do you use?
A. Multi-factor authentication, with a minimum password length of 8 characters and no maximum length
B. Automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length
C. A minimum password length of 12 characters and no maximum length
D. None of the above, please describe
Guidance: Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the section about 'Password-based authentication' in the 'Cyber Essentials Requirements for IT Infrastructure' document.
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf
Answer: A. Multi-factor authentication with a minimum password length of 8 characters and no maximum length; C. A password minimum length of 12 characters and no maximum length

A5.6 Compromised Password on External Service
Describe the process in place for changing passwords on your external services when you believe they have been compromised.

Passwords may be compromised if there has been a virus on your system or if the manufacturer notifies you of a security weakness in their product. You should know how to change the password if this occurs.

Answer: An auto password change prompt is scheduled after 3 months. If we feel any passwords are compromised then an admin promptly changes all the associated passwords OR requests the users to change them. We get alerts on our Microsoft security center and Amazon console about any such passwords being compromised.

A5.7 External Service Brute Force
When not using multi-factor authentication, which option are you using to protect your external service from brute force attacks?

A. Throttling the rate of attempts
B. Locking accounts after 10 unsuccessful attempts
C. None of the above, please describe

The external service that you provide must be set to slow down or stop attempts to log in if the wrong username and password have been tried a number of times. This reduces the opportunity for cyber criminals to keep trying different passwords (brute-forcing) in the hope of gaining access.

Answer: B. Locking accounts after 10 unsuccessful attempts

Notes:
Applicant Notes: The system is set to lock the users after five invalid attempts. Once the user is logged out then either system administrators can reset the password or the user needs to validate via an OTP sent to a registered email ID to reset the password.

A5.8 Auto-Run Disabled
Is "auto-run" or "auto-play" disabled on all of your systems?

This is a setting on your device which automatically runs software on external media or downloaded from the internet.

It is acceptable to choose the option where a user is prompted to make a choice about what action will occur each time they insert a memory stick. If you have chosen this option, you can answer yes to this question.

Answer: Yes

Notes:
Applicant Notes: Auto run is disabled on the devices and on the Virtual Networks (Amazon WorkSpaces and Azure VM).

A5.9 Device Locking
When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed?

Device locking mechanisms such as biometric, password or PIN need to be enabled to prevent unauthorised access to devices accessing organisational data or services.

Answer: Yes

Notes:
Applicant Notes: All devices and virtual networks are secured via access control (user ID, password, multifactor authentication, and time-out functionality to auto-lock).

A5.10 Device Locking Method
Which method do you use to unlock the devices?

Please refer to the Device Unlocking Credentials paragraph found under Secure Configuration in the Cyber Essentials Requirements for IT Infrastructure document for further information.
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf
The use of a PIN with a length of at least six characters can only be used where the credentials are just to unlock a device and do not provide access to organisational data and services without further authentication.

Answer: The user themselves sets a password for the local device that has to meet complexity rules (i.e., a minimum password length of 8, which is solely to unlock the local device, and the use of special characters and different cases within the password). AWS and Azure VM also require MFA with a minimum of 12 characters using an authenticator app for users to log in. Mobile devices require a minimum of a 6-digit PIN to unlock.

A6.1 Supported Operating System
Are all operating systems on your devices supported by a vendor that produces regular security updates?

If you have included firewall or router devices in your scope, the firmware of these devices is considered to be an operating system and needs to meet this requirement.

Older operating systems that are out of regular support include Windows 7/XP/Vista/Server 2003, macOS Mojave, iOS 12, iOS 13, Android 8 and Ubuntu Linux 17.10.
It is important you keep track of your operating systems and understand when they have gone end of life (EOL). Most major vendors will have published EOL dates for their operating systems and firmware.

Answer: Yes

Notes:
Applicant Notes:
1. Windows 11: OS Builds 22621.3007 and 22631.3007.
2. macOS version Sonoma 14.2.1 23E214
3. Azure Virtual Machines (remote desktop): 21H2 having OS Version Windows version OS Build 20348.2322 (Windows Server 2022 Datacenter).
4. AWS Workspaces OS (remote desktop): 21H2 having OS Version Windows version OS Build 20348.2322 (Windows Server 2022 Datacenter).

A6.2 Supported Software
Is all the software on your devices supported by a supplier that produces regular fixes for any security problems?

All software used by your organisation must be supported by a supplier who provides regular security updates. Unsupported software must be removed from your devices. This includes frameworks and plugins such as Java, Adobe Reader and .NET.

Answer: Yes

Notes:
Applicant Notes: All the software that is installed is regularly supported by the vendors.

A6.2.1 Internet Browsers
Please list your internet browser(s).
The version is required.

Please list all internet browsers installed on your devices, so that the Assessor can understand your setup and verify that they are in support.

For example: Chrome Version 102, Safari Version 15.

Answer:
Google Chrome 122.0.6261.118
Edge on Windows 122.0.2365.80
Edge on macOS 122.0.2365.80
Safari Version 17.3.1

A6.2.2 Malware Protection
Please list your Malware Protection software.
The version is required.

Please list all malware protection and versions you use so that the Assessor can understand your setup and verify that they are in support.

For example: Sophos Endpoint Protection V10, Windows Defender, Bitdefender Internet Security 2020.

Answer: SFR Medical has implemented the following malware protection systems: Azure Security, Azure Cloud Security, Sophos Antivirus (10.8.14.1 VE3.87.0), Windows Defender.

A6.2.3 Email Application
Please list your email applications installed on end user devices and server.
The version is required.

Please list all email applications and versions you use so that the Assessor can understand your setup and verify that they are in support.

For example: MS Exchange 2016, Outlook 2019.

Answer: Microsoft Outlook 365

A6.2.4 Office Applications
Please list all office applications that are used to create organisational data.
The version is required.

Please list all office applications and versions you use so that the Assessor can understand your setup and verify that they are in support.

For example: MS 365; Libre office, Google workspace, Office 2016.

Answer: Microsoft Outlook 365 applications, including Teams, MS Dynamics 365 Online, Outlook.com, MS Word, MS Excel, MS PowerPoint, and Adobe.

A6.3 Software Licensing
Is all software licensed in accordance with the publisher’s recommendations?

All software must be licensed. It is acceptable to use free and open source software as long as you comply with any licensing requirements.

Please be aware that for some operating systems, firmware and applications, if annual licensing is not purchased, they will not be receiving regular security updates.

Answer: Yes

Notes:
Applicant Notes: All the currently used software is licensed and audited by the vendors during service calls.

A6.4 Security Updates - Operating System
Are all high-risk or critical security updates for operating systems and router and firewall firmware installed within 14 days of release?

You must install all high and critical security updates within 14 days in all circumstances. If you cannot achieve this requirement at all times, you will not achieve compliance to this question. You are not required to install feature updates or optional updates in order to meet this requirement.

This requirement includes the firmware on your firewalls and routers.

Answer: Yes

Notes:
Applicant Notes: We apply critical security updates to our systems within 7 days of the release. All the Windows systems are up-to-date with the latest security patches. SFRM Admin is responsible for installing, uninstalling, and updating OS and software on the virtual machines and laptops used by all SFRM employees. VMs are managed via the Azure portal (Azure Security Center) and the AWS instance manager (for Workspaces). Both platforms notify users about new security patches and the latest releases, which are reviewed and applied regularly. If we notice any security risks, then we consult with the supplier support team. All high-risk and critical updates for AWS and Azure VM are received by SFR Medical system administrators, who then apply the patches within 7 days. The CTO assures that these changes are made within the approved timeline and that an appropriate logging system is maintained. Amazon WorkSpaces running Amazon Linux are updated via pre-configured Amazon Linux yum repositories hosted in each WorkSpaces region, and the updates are automatically installed. Patches and updates requiring a reboot are installed during our weekly maintenance window. With automatic VM guest patching enabled, Azure VM is assessed periodically to determine the applicable patches. Updates classified as critical or security are automatically downloaded and applied to the VM. Patch orchestration is managed by Azure, and patches are applied following availability-first principles.

A6.4.1 Auto Updates - Operating System
Are all updates applied for operating systems by enabling auto updates?

Most devices have the option to enable auto updates. This must be enabled on any device where possible.

Answer: Yes

Notes:
Applicant Notes: All auto-updates for the operating system are enabled on all devices and VMs. Amazon WorkSpaces running Amazon Linux are updated via pre-configured Amazon Linux yum repositories hosted in each WorkSpaces region, and the updates are automatically installed. Patches and updates requiring a reboot are installed during our weekly maintenance window. With automatic VM guest patching enabled, Azure VM is assessed periodically to determine the applicable patches. Updates classified as critical or security are automatically downloaded and applied to the VM. Patch orchestration is managed by Azure, and patches are applied following availability-first principles.

A6.4.2 Manual Updates - Operating System
Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all operating systems and firmware on firewalls and routers are applied within 14 days of release?

It is not always possible to apply auto updates; this is often the case when you have critical systems or servers and you need to be in control of the updating process.
Please describe how any updates are applied when auto updates are not configured.
If you only use auto updates, please confirm this in the notes field for this question.

Answer: OS auto-updates are enabled.

A6.5 Security Updates - Applications
Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Java, Adobe Reader and .NET) installed within 14 days of release?

You must install any such updates within 14 days in all circumstances.
If you cannot achieve this requirement at all times, you will not achieve compliance to this question.
You are not required to install feature updates or optional updates in order to meet this requirement, just high-risk or critical security updates.

Answer: Yes

Notes:
Applicant Notes: We apply critical updates to our systems within 14 days of the release. Since most of the applications are SaaS solutions, patching compliance is offered as a service by the SaaS solution provider. For non-SaaS solutions, an admin is responsible for monitoring the latest patch release, downloading it, and installing it from the official product website. For example, if there are new patches released on Google Chrome, then they are visible via the browser itself and can be applied from the download location. This is also done by SFRM Admin, who is responsible for installing, uninstalling, and updating OS and software (such as Adobe, Power BI, etc.) on the virtual machines used by all SFRM employees.

A6.5.1 Auto-Updates - Applications
Are all updates applied on your applications by enabling auto updates?

Most devices have the option to enable auto updates. Auto updates should be enabled where possible.

Answer: Yes

Notes:
Applicant Notes: This has been checked, and yes, the devices have auto-updates enabled.

A6.5.2 Manual Updates - Applications
Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release?

It is not always possible to apply auto updates; this is often the case when you have critical systems or applications and you need to be in control of the updating process.
Please describe how any updates are applied when auto updates are not configured.
If you only use auto updates, please confirm this in the notes field for this question.

Answer: All applications on our devices are supported by a supplier that produces regular fixes for any security problems, and these are either manually or automatically applied. We use Azure and AWS remote desktops to access applications.
1. We use Microsoft PowerBI desktop (with fixes provided by Microsoft) via web access.
2. Microsoft Office 365 products, MS Teams (fixes provided by Microsoft)
3. Antivirus: Sophos (for laptops) for VMs (fixes provided by QH)
4. Adobe for PDF (fixes provided by Adobe)
5. Google Chrome
6. Microsoft Edge

A6.6 Unsupported Software Removal
Have you removed any software installed on your devices that is no longer supported and no longer receives regular updates for security problems?

You must remove older software from your devices when it is no longer supported by the manufacturer. Such software might include older versions of web browsers, operating systems, frameworks such as Java and Flash, and all application software.

Answer: Yes

Notes:
Applicant Notes: No unsupported software is used. Any such software (older or unsupported versions), if found on the VMs or any device, is removed by the admin team. Regular audits of the systems help the team to ensure this and act promptly.

A6.7 Unsupported Software Segregation
Where you have a business need to use unsupported software, have you moved the devices and software out of scope of this assessment? Please explain how you achieve this.

Software that is not removed from devices when it becomes unsupported will need to be placed onto its own sub-set with no internet access.
If the out-of-scope subset remains connected to the internet, you will not be able to achieve whole company certification and an excluding statement will be required in question A2.2.
A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.

Answer: No unsupported software is in use.

A7.1 User Account Creation
Are your users only provided with user accounts after a process has been followed to approve their creation? Describe the process.

You must ensure that user accounts (such as logins to laptops and accounts on servers) are only provided after they have been approved by a person with a leadership role in the business.

Answer: Yes, users are provided user access only after their formal onboarding is done, which involves the CMO/CTO approving access for any employee after careful analysis of the employee's duties. This is done via JML forms (built on MS Forms) and the Teams channel, and there are also regular audits to check their required licenses.

A7.2 Unique Accounts
Are all your user and administrative accounts accessed by entering a unique username and password?

You must ensure that no devices can be accessed without entering a username and password.
Accounts must not be shared.

Answer: Yes

Notes:
Applicant Notes: We have MFA (multi-factor authentication)-enabled virtual machines that are used to access all sensitive information and applications that are used to maintain and store company and customer data; hence, users cannot share these accounts. All passwords are set as per the company's password policy.

A7.3 Leavers Accounts
How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

When an individual leaves your organisation you need to stop them accessing any of your systems.

Answer: We follow the off-boarding process to disable all accesses (email, virtual machines, etc.) for all the employees as soon as they are no longer working for the company. The offboarding is done via the JML forms (built on MS Forms) and Microsoft Teams channels.

A7.4 User Privileges
Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

When a staff member changes job role, you may also need to change their permissions to only access the files, folders and applications that they need to do their day to day work.

Answer: Yes, at the time of onboarding, the roles and responsibilities of the employees are defined, and a decision regarding access privileges is made based on access control (roles and responsibilities) and the SOD (segregation of duties) framework. These privileges can be revised, if needed, only with the approval of the CEO, CMO, or CTO.

A7.5 Administrator Approval
Do you have a formal process for giving someone access to systems at an “administrator” level and can you describe this process?

You must have a process that you follow when deciding to give someone access to systems at administrator level. This process might include approval by a person who is an owner/director/trustee/partner of the organisation.

Answer: Yes, we have a written process in our access control policy. Any access required for administrator access is given by a defined process governed by the CTO and co-founder. If any access is requested or needed, the requester submits a grant admin-request form via Microsoft Forms, which is then sent for CTO approval. Only then will a separate admin account be provided in addition to their standard account.

A7.6 Use of Administrator Accounts
How does your organisation make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)?

You must use a separate administrator account from the standard user account when carrying out administrative tasks such as installing software. Using administrator accounts all day long exposes the device to compromise by malware. Cloud service administration must be carried out through separate accounts.

Answer: The administrator account is provided to the user as a separate account from their day-to-day standard account. The admin account is unique to the user and is not shared in any system.

A7.7 Managing Administrator Account Usage
How does your organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email?

This question relates to the activities carried out when an administrator account is in use.
You must ensure that administrator accounts are not used to access websites or download email. Using such accounts in this way exposes the device to compromise by malware. Software and update downloads should be performed as a standard user and then installed as an administrator. You might not need a technical solution to achieve this; it could be based on good policy, procedure and regular training for staff.

Answer: Admin accounts are not used for day-to-day activities. Monthly teaching sessions on cybersecurity topics are conducted for all employees. We have an IT Security Policy in place that states that admin access should only be granted to those individuals who need it, and they should not use their access to browse the internet or access personal emails for any purposes not pertaining to their organization-related duties. We also conduct system log reviews to monitor system activities while system admin privileges are being used.

A7.8 Administrator Account Tracking
Do you formally track which users have administrator accounts in your organisation?

You must track all people that have been granted administrator accounts.

Answer: Yes

Notes:
Applicant Notes: An approved designated member of the admin team is responsible for checking and tracking which users have admin accounts. This is done at regular intervals (monthly for the majority of the systems) and is reported to the management in a company-standard format. We also track this for Microsoft Suite products through our NHS OneDrive Admin Tasks document.

A7.9 Administrator Access Review
Do you review who should have administrative access on a regular basis?

You must review the list of people with administrator access regularly. Depending on your business, this might be monthly, quarterly or annually. Any users who no longer need administrative access to carry out their role should have it removed.

Answer: Yes

Notes:
Applicant Notes: We conduct a control audit monthly to review who has access to administrative rights. This process is managed by the CTO and co-founder.

A7.10 Brute Force Attack Protection
Describe how you protect accounts from brute-force password guessing in your organisation.

A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works.
Information on how to protect against brute-force password guessing can be found in the Password-based authentication section, under the User Access Control section in the ‘Cyber Essentials Requirements for IT Infrastructure’ document.
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf

Answer: We employ several security measures to prevent brute-force attacks. Firstly, we use a multi-factor authentication (MFA) or two-factor authentication (2FA) system, so the user needs an extra piece of evidence to log in. We also use a set of rules to block a user from allowing their password to be too simple (i.e., setting a minimum length and requiring special characters). Lastly, after 10 attempts, the user account is locked.

A7.11 Password Quality
Which technical controls are used to manage the quality of your passwords within your organisation?

Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the new section about password-based authentication in the ‘Cyber Essentials Requirements for IT Infrastructure’ document.
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf

Answer: We use a set of rules that are enforced on the system when making a password, which are the following: 8 characters for any local user account on a computer and at least 12 characters with MFA for cloud systems.
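Added example (not part of the questionnaire, and not the applicant's own tooling): the password-based authentication controls that A5.5, A5.7, A7.10 and A7.11 describe, written out as code so the three acceptable password-quality options and the two brute-force protections can be checked against concrete inputs. The deny-list entries, the 15-minute lock duration and the back-off delays are constructed assumptions; the minimum lengths and the 10-failure threshold come from the questionnaire text.

```python
"""
Cyber Essentials password-based authentication, as stated on this page:

  A5.5 option A - MFA plus a minimum password length of 8, no maximum length
  A5.5 option B - automatic blocking of common passwords plus a minimum length of 8
  A5.5 option C - a minimum password length of 12, no maximum length
  A5.7          - throttle the rate of attempts, or lock after 10 unsuccessful attempts
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable
import time

# Constructed sample deny-list (assumption); a real deployment loads a published list.
COMMON_PASSWORDS = {"password", "admin", "12345", "123456", "qwerty", "letmein", "welcome"}

MIN_LEN_WITH_MFA = 8        # option A
MIN_LEN_WITH_DENYLIST = 8   # option B
MIN_LEN_ALONE = 12          # option C


def contains_common_word(password: str) -> bool:
    """True if the password is, or contains, a deny-listed word or sequence (case-insensitive)."""
    lowered = password.lower()
    return any(word in lowered for word in COMMON_PASSWORDS)


def satisfied_options(password: str, mfa_enabled: bool) -> list[str]:
    """Return which of the CE options (A, B, C) this password satisfies.

    The options are alternatives: any one of them is acceptable. No maximum
    length is imposed anywhere, as the questionnaire text requires.
    """
    n = len(password)
    options: list[str] = []
    if mfa_enabled and n >= MIN_LEN_WITH_MFA:
        options.append("A")
    if n >= MIN_LEN_WITH_DENYLIST and not contains_common_word(password):
        options.append("B")
    if n >= MIN_LEN_ALONE:
        options.append("C")
    return options


def password_accepted(password: str, mfa_enabled: bool) -> bool:
    return bool(satisfied_options(password, mfa_enabled))


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # clock value; 0 means not locked
    next_allowed: float = 0.0  # earliest clock value at which the next attempt is accepted


class LoginGuard:
    """Brute-force protection per A5.7: throttling (option A) and lockout (option B).

    Both are applied here: each failure doubles the wait before the next attempt
    is accepted, and the tenth consecutive failure locks the account for
    lock_seconds. The clock is injectable so the behaviour can be tested
    without sleeping.
    """

    def __init__(self, max_failures: int = 10, lock_seconds: float = 900.0,
                 base_delay: float = 1.0, now: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds    # assumption: 15-minute lock
        self.base_delay = base_delay        # assumption: 1 s, doubling per failure
        self.now = now
        self.state: dict[str, AccountState] = {}

    def attempt(self, username: str, credentials_ok: bool) -> str:
        """Record one login attempt; returns 'ok', 'denied', 'throttled' or 'locked'.

        credentials_ok is the outcome of the real password/MFA verification.
        """
        st = self.state.setdefault(username, AccountState())
        t = self.now()
        if st.locked_until:
            if t < st.locked_until:
                return "locked"
            st.failures, st.locked_until = 0, 0.0   # lock has expired
        if t < st.next_allowed:
            return "throttled"                      # option A: rate of attempts slowed
        if credentials_ok:
            self.state[username] = AccountState()   # success clears the counters
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:        # option B: lock after 10 failures
            st.locked_until = t + self.lock_seconds
            return "locked"
        st.next_allowed = t + self.base_delay * (2 ** (st.failures - 1))
        return "denied"
```

Note that option A as quoted does not itself require the deny-list, so a short common password passes when MFA is enforced; the check reports every option a password satisfies so a policy can demand more than one.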

A7.12 Password Creation Advice
Please explain how you encourage people to use unique and strong passwords.

You need to support those that have access to your organisational data and services by informing them of how they should pick a strong and unique password.

Further information can be found in the password-based authentication section, under the User Access Control section in the Cyber Essentials Requirements for IT Infrastructure document.
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf

Answer: In our policies, there's a section about password complexity that advises using three random words to create a strong, longer password that is easy to remember.

A7.13 Password Policy
Do you have a process for when you believe the passwords or accounts have been compromised?

You must have an established process that details how to change passwords promptly if you believe or suspect a password or account has been compromised.

Answer: Yes

Notes:
Applicant Notes: SFR Medical does have an existing password policy that is revisited with any new product launch that requires passwords. We have standard password guidelines defined in the policy and ensure that all users have viewed and understood it. We do this by using quizzes on the policies, which the users have to mandate.

A7.14 MFA Enabled
Do all of your cloud services have multi-factor authentication (MFA) available as part of the service?

Where your systems and cloud services support multi-factor authentication (MFA), for example a text message, a one time access code, or a notification from an authentication app, then you must enable it for all users and administrators. For more information see the NCSC’s guidance on MFA.
Where a cloud service does not have its own MFA solution but can be configured to link to another cloud service to provide MFA, the link will need to be configured.
A lot of cloud services use another cloud service to provide MFA. Examples of cloud services that can be linked to are Azure, MS365, Google Workspace.

Answer: Yes

Notes:
Applicant Notes: Yes, MFA is enabled on all our services (both internal and external), such as Amazon Workspaces (authenticator), Azure VMs (authenticator), Microsoft Suite products (email), Dynamics, Adobe (phone), SFR Medical Portal (email), etc. This is achieved either through phones, emails, or authenticator apps on different systems.

A7.16 Administrator MFA
Has MFA been applied to all administrators of your cloud services?

It is required that all administrator accounts on cloud services must apply multi-factor authentication in conjunction with a password of at least 8 characters.

Answer: Yes

Notes:
Applicant Notes: All admin accounts have MFA enabled. All admin account passwords are system-generated, and for systems where a user can change their password, there is a technical system in place to ensure it has to follow the password policy (number and special character requirement, 12 characters long). Admin accounts are only created upon approval from the CMO or CTO.

A7.17 User MFA
Has MFA been applied to all users of your cloud services?

All users of your cloud services must use MFA in conjunction with a password of at least 8 characters.

Answer: Yes

Notes:
Applicant Notes: All users have been set up and accounts enabled via MFA. No user can log into our system without an MFA OTP sent to the official registered email address.

A8.1 Malware Protection
Are all of your desktop computers, laptops, tablets and mobile phones protected from malware by either:
A - Having anti-malware software installed
and/or
B - Limiting installation of applications by application allow listing (for example, using an app store and a list of approved applications, or using a Mobile Device Management (MDM) solution)
or
C - None of the above, please describe

Please select all the options that are in use in your organisation across all your devices. Most organisations that use smartphones and standard laptops will need to select both option A and B.
Option A - option for all in-scope devices running Windows or macOS including servers, desktop computers; laptop computers
Option B - option for all in-scope devices
Option C - none of the above, explanation notes will be required.

Answer: A - Anti-Malware Software, B - Limiting installation of applications by 'application allow listing' from an approved app store

A8.2 Daily Update
If Option A has been selected: Where you have anti-malware software installed, is it set to update in line with the vendor's guidelines and prevent malware from running on detection?

This is usually the default setting for anti-malware software. You can check these settings in the configuration screen for your anti-malware software. You can use any commonly used anti-malware product, whether free or paid-for, as long as it can meet the requirements in this question. For the avoidance of doubt, Windows Defender is suitable for this purpose.

Answer: Yes

Notes:
Applicant Notes: All antimalware software used by SFR Medical, including Windows Defender security (for Windows virtual machines), Sophos Antivirus (10.8.14.1 VE3.87.0) endpoint protection (for physical Windows devices), and Norton 360 (for Mac devices) on devices and virtual networks, is enabled and is set for daily update and to scan files upon access.

A8.3 Scan Web Pages
If Option A has been selected: Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?

Your anti-malware software or internet browser should be configured to prevent access to known malicious websites. On Windows 10, SmartScreen can provide this functionality.

Answer: Yes

Notes:
Applicant Notes: Yes, Windows Defender: Microsoft Windows Defender browser protection and SmartScreen help scan web pages a user visits and warn the users about accessing malicious websites. Alongside, we also have anti-virus software - Sophos endpoint protection installed on Windows devices. On Mac systems, we have Norton 360, which ensures that web pages are scanned and warnings are given at any malicious websites. By default, Browser Protection is turned on for Norton 360 to ensure protection against malicious websites.

A8.4 Application Signing
If Option B has been selected: Where you use an app store or application signing, are users restricted from installing unsigned applications?

Some operating systems, which include Windows S, Chromebooks, mobile phones and tablets, restrict you from installing unsigned applications. Usually you have to "root" or "jailbreak" a device to allow unsigned applications.

Answer: Yes

A8.5 Approved Application List
If Option B has been selected: Where you use an app store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you maintain this list of approved applications?

You must create a list of approved applications and ensure users only install these applications on their devices. This includes employee-owned devices. You may use mobile device management (MDM) software to meet this requirement, but you are not required to use MDM software if you can meet the requirements using good policy, processes and training of staff.

Answer: Yes

All Answers Approved
Have all the answers provided in this assessment been approved at Board level or equivalent? An appropriate person will be asked to validate your answers when you submit your questions.

Answer: Yes
