Ensuring Compliance with Cyber Essentials: Requirements for IT Infrastructure v3.1
The UK’s Cyber Essentials is a government-backed scheme designed to help organizations protect themselves against a range of the most common cyber attacks. The latest version, v3.1, outlines essential requirements for IT infrastructure to ensure robust cybersecurity practices. This article will guide you through how EvolutionX can be configured to comply with these standards, highlighting the shared responsibility model between EvolutionX and its store owners. For more detailed information, you can refer to the official Cyber Essentials: Requirements for IT Infrastructure v3.1 PDF.
Scope of Compliance
The scope of compliance for EvolutionX under the Cyber Essentials standard includes both the SaaS infrastructure provided by EvolutionX and the configurations managed by the store owner. EvolutionX is responsible for ensuring that the underlying infrastructure is secure and compliant with the standards, while store owners must configure and manage their store Admin settings and user settings to maintain compliance. This shared responsibility model ensures that both the platform and its usage adhere to best practices in cybersecurity.
Compliance Areas and Responsibilities
1. Firewalls
Responsibility: EvolutionX
Configuration:
EvolutionX is hosted in AWS data centers, which are Cyber Essentials Plus certified.
EvolutionX ensures that all incoming and outgoing traffic is filtered through AWS firewall services such as EC2 Security Groups and AWS WAF (Web Application Firewall). This includes rules that block unauthorised access and allow only the traffic the platform needs.
2. Secure Configuration
Responsibility: Both EvolutionX and Store Owner
Configuration:
EvolutionX: Provides a secure default configuration for the SaaS platform, including disabling unnecessary services and ensuring secure settings.
Store Owner: Must ensure that any additional configurations or customizations adhere to secure practices, such as disabling unused features and requiring MFA for admin users of EvolutionX. Refer to the following documents for specifics.
3. User Access Control
Responsibility: Both EvolutionX and Store Owner
Configuration:
EvolutionX: Implements role-based access control (RBAC) to restrict access based on user roles.
Store Owner: Ensures that user accounts are managed properly, including regular reviews of access rights and the use of strong, unique passwords.
Admin user configuration: see 2 Step Authentication for Admin Users | Evolution X Help Center, or use ECI Identity SSO.
Storefront user configuration: for accounts requiring Cyber Essentials compliant settings, use Okta and Azure Single Sign-on on Storefronts by EvolutionX | Evolution X Help Center.
4. Malware Protection
Responsibility: EvolutionX
Configuration: EvolutionX deploys anti-malware solutions to protect the SaaS infrastructure and staff devices from malicious software. This includes regular updates and scans to detect and remove malware.
5. Security Update Management
Responsibility: Both EvolutionX and Store Owner
Configuration:
EvolutionX: Regularly updates the SaaS platform with the latest security patches and updates.
Store Owner: Ensures that any third-party applications or plugins added by the Store Owner within the platform are also kept up to date with security patches.
6. Multi-Factor Authentication (MFA)
Responsibility: Both EvolutionX and Store Owner
Configuration:
EvolutionX: Provides the infrastructure to support MFA for user logins.
Store Owner: Configures MFA for user accounts to add an extra layer of security.
Admin user configuration: see 2 Step Authentication for Admin Users | Evolution X Help Center, or use ECI Identity SSO.
Storefront user configuration: for accounts requiring Cyber Essentials compliant settings, use Okta and Azure Single Sign-on on Storefronts by EvolutionX | Evolution X Help Center.
7. Data Backup
Responsibility: EvolutionX
Configuration:
EvolutionX: Ensures that the SaaS platform includes automated data backup solutions.
These backup services are described in Data Processor GDPR Policy and Supplier Audit | Evolution X Help Center.
8. Asset Management
Responsibility: EvolutionX
Configuration: EvolutionX maintains an internal inventory of assets, including hardware and software, ensuring that all assets are accounted for and managed securely.
9. Incident Management
Responsibility: Both EvolutionX and Store Owner
Configuration:
EvolutionX: Provides tools and processes for detecting and responding to security incidents.
Refer to the responsibilities described for EvolutionX as a data processor in our Data Processor GDPR Policy and Supplier Audit | Evolution X Help Center document.
Store Owner: The Store Owner will notify EvolutionX staff, without undue delay, if they become aware of an incident.
Refer to our document Security & Compliance | Evolution X Help Center.
By following these guidelines, EvolutionX and its Store Owners can ensure compliance with the UK’s Cyber Essentials standards, providing a secure and reliable ecommerce platform.