Cyber Essentials Plus and IT Policy Knowledge Check

Introduction

Cyber Essentials Plus is a UK government-backed certification scheme, run by the National Cyber Security Centre (NCSC), that helps organisations protect themselves against the most common cyber attacks. Unlike the basic Cyber Essentials self-assessment, the Plus level adds an independent, hands-on technical audit of a sample of the organisation's devices and systems. This training manual gives employees and contractors the knowledge they need to meet Cyber Essentials Plus requirements and to follow the organisation's IT policies.

 

Purpose of This Training

The purpose of this manual is to:

1.      Educate staff on Cyber Essentials Plus principles and organisational IT policies.

2.      Foster a culture of security awareness and responsibility.

3.      Ensure compliance with regulatory requirements and internal policies.

4.      Equip staff with practical knowledge to mitigate cyber threats and handle sensitive data securely.

Overview of Cyber Essentials Plus

Cyber Essentials Plus assesses the same five technical controls as Cyber Essentials, but verifies them by testing rather than by self-declaration:

1.      Firewalls: Protecting your internet connection with a boundary firewall, plus a software firewall on each device.

2.      Secure Configuration: Ensuring devices and software are set up securely: default passwords changed, unnecessary accounts and software removed, and auto-run features disabled.

3.      User Access Control: Restricting access to data and services to authorised users, using unique accounts, separate administrator accounts for admin tasks, and multi-factor authentication for cloud services.

4.      Malware Protection: Using anti-malware software or application allow-listing to stop malicious software from running.

5.      Security Update Management (Patching): Keeping devices and software up to date. Under the scheme, updates that fix high or critical vulnerabilities must be applied within 14 days of release, and software that is no longer supported by its vendor must be removed.


Your Organisation's Approach (mapped to the controls above):

·     Firewalls: OPNsense firewall at the network boundary, with Suricata intrusion detection and Zenarmor traffic filtering.

·     Patching: Action1.com for endpoint patch management.

·     User access control: RCDevs OpenOTP multi-factor authentication, with certificates for secure access.

·     Data storage: Encrypted data storage on the Synology NAS, which also runs Synology Directory Server for user accounts.

 

Key IT Policies


Acceptable IT Usage Policy

·     Outlines how organisational IT systems, data, and networks should be used.

·     Includes prohibitions on unauthorised installations, sharing credentials, and accessing prohibited content.


Incident Management Policy

·     Defines how to report, escalate, and resolve security and IT incidents.

·     Includes procedures for responding to phishing attacks, malware infections, and system outages.


Roles and Responsibilities Policy

·     Clarifies each employee’s duties in maintaining security and operational efficiency.

·     Includes escalation paths and dependencies for key roles.


Data Classification Policy

·     Details on how to classify, store, and handle data securely.

·     Includes guidelines for using Synology storage and Microsoft 365 tools.


Patching Policy

·     Ensures all devices and software are kept up-to-date to protect against vulnerabilities.

·     Includes regular patching schedules managed through Action1.com.


Security Best Practices

1.     Use Strong Passwords:

·      Follow organisation guidelines for password complexity.

·      Change a password immediately if you suspect it has been compromised, and never reuse a password across systems. (Current NCSC guidance, on which Cyber Essentials is based, no longer recommends routine password expiry; length and uniqueness matter more.)

2.     Enable Multi-Factor Authentication (MFA):

·      Use RCDevs OpenOTP or Microsoft Authenticator for secure access. MFA is mandatory for all cloud services under Cyber Essentials.

3.     Be Alert for Phishing Attempts:

·      Verify email senders before clicking links or opening attachments.

·      Report suspicious emails immediately via iTop.

4.     Keep Software Updated:

·      Ensure all updates are applied promptly via the Action1.com platform. 

5.     Follow Access Control Guidelines:

·      Access only data and systems required for your role.

·      Lock your device when not in use.
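The sender and link checks in item 3 above can be partly automated. The following Python script is an added example written for this page, not a tool from the organisation, from AEON IT Limited, or from the Cyber Essentials scheme. It assumes example.com is the organisation's mail domain and uses a constructed message that shows three common phishing signs: a genuine-looking address hidden inside the display name, a sender domain one character away from the real one, and link text that names a different site from the real href. Only standard-library modules are used, so it runs offline.

```python
"""Added example (not from the original page): flag common phishing signs in an
email. ORG_DOMAIN and SAMPLE_EMAIL are assumptions constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed sample message: the display name shows a genuine-looking address,
# the real sender is a lookalike domain, and the link text hides a different host.
SAMPLE_EMAIL = """\
From: "IT Helpdesk <helpdesk@example.com>" <helpdesk@examp1e.com>
To: staff@example.com
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<p>Your password expires today. Reset it at
<a href="http://login.examp1e.com/reset">https://portal.example.com/reset</a>
before 5pm.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _edit_distance(a, b):
    """Levenshtein distance; one edit away from our domain means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _host(url):
    """Lowercase hostname of a URL, or None when the string is not a URL."""
    return (urlparse(url).hostname or "").lower() or None


def phishing_indicators(raw_email, org_domain=ORG_DOMAIN):
    """Return a list of plain-language warnings; an empty list means no signs found."""
    msg = message_from_string(raw_email)
    warnings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()

    # 1. An address embedded in the display name that differs from the real sender.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", display_name):
        if shown.lower() != address.lower():
            warnings.append(f"display name shows {shown} but real sender is {address}")

    # 2. Sender domain that is not ours but is only one character away from it.
    if sender_domain != org_domain and _edit_distance(sender_domain, org_domain) <= 1:
        warnings.append(f"sender domain {sender_domain} looks like {org_domain}")

    # 3. A link whose visible text names a different host than its real href.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        shown_host, real_host = _host(text), _host(href)
        if shown_host and real_host and shown_host != real_host:
            warnings.append(f"link text shows {shown_host} but points to {real_host}")
    return warnings


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", line)
```

The script is a teaching aid for the habit the training asks for: read the real address behind the display name, compare the domain letter by letter, and hover over a link to see where it actually goes. It does not replace reporting a suspicious email through iTop, and a message that passes these three checks can still be malicious.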


Training Modules

Access Management and Passwords

·      Topics:

·       Setting up strong passwords.

·       Using MFA for system access.

·       Escalating access issues to the IT team.


Secure Use of IT Systems

·      Topics:

·       Acceptable usage guidelines.

·       Safe browsing practices.

·       Avoiding unauthorised software installations.


Incident Reporting

·      Topics:

·       Identifying and reporting security incidents (e.g., phishing, malware).

·       Using the Incident Management Process to escalate issues.

·       Post-incident follow-ups and lessons learned.


Data Handling and Storage

·      Topics:

·       Classifying data as per the Data Classification Policy.

·       Storing data securely on Synology shares or Microsoft 365.

·       Securely deleting sensitive data when no longer required.


Assessment and Certification

1.     Training Assessment:

·      Employees will complete a knowledge check after training.

·      Assessments include scenario-based questions to test understanding of policies and best practices.

2.     Certification:

·      Employees who pass the assessment will receive a Cyber Essentials Plus Awareness Certificate.





 

Instructions

1. The knowledge check consists of multiple-choice, true/false, and scenario-based questions.

2. Answer all questions to the best of your ability.

3. A passing score of 80% is required.



 

 

Disclaimer

This document has been prepared by AEON IT Limited in good faith. The document is, however, supplied on the basis that AEON IT Limited accepts no liability for statements made in the document or for conclusions drawn or actions taken based on the product description unless the contract for the provision of the complete system is with AEON IT Limited. The liability accepted by AEON IT Limited will be determined by the terms of such a contract.

 

 

Responsible: Sharon Butler
Last Update: 10/12/2024