self assessment tool - guidance · web viewsecure by default self certification using this tool...
TRANSCRIPT
Secure by default self certificationUsing this tool
This self-assessment tool has been prepared by the Surveillance Camera Commissioner (SCC) to help you and your organisation to self-certify the video surveillance (VSS) products you manufacture against the secure by default minimum requirements.
For ease, this template contains a number of yes/no questions and should be completed for each VSS product/product family that you wish to self-certify. Once the completed form has been returned to the Surveillance Camera Commissioner’s office for assessment they will issue you with the ‘secure by default’ branding. You will then be able to use this branding on the products that you have self-certified against.
The SCC will keep a list of self-certified products on the SCC website. Manufacturers should ensure that the information about products listed on the website is correct. If at any point the information that has been supplied to the SCC has been found to be false, the SCC reserves the right to remove the mark and the product from the products list – this may apply to all products listed by the manufacturer.
Completed self-assessments should be emailed to the SCC at [email protected] and we will endeavour to issue the branding within 28 working days. You can also send any queries about this process to the SCC and we would also appreciate your comments and feedback on the user experience with this template.
Answering ‘no’ to questions in this form will not mean that your product/s will fail to receive the secure by default self-certification mark. However, if you do answer ‘no’ to any questions you should include an accompanying submission explain why you have said ‘no’.
1
Organisation details
Name of organisation
Name of person completing self-certification
Product/product family being assessed
Telephone number
Email address
Position withinorganisation
Date submitted
2
Self Certification
1
Default passwords
1. All default usernames and passwords are forced to be changed on initial power up
Yes No
2. Devices provide visual indicator as to password strength Yes No
3. Devices have built in password checking and will not permit an insecure password
Yes No
2
Hardcoded passwords
4. Products do not use hardcoded usernames and passwords Yes No
5. There are no insecure ‘backdoors’ into products Yes No
3
Protocols and Ports
6. Only protocols that are necessary for the functioning of the component are enabled on devices and unnecessary ports are disabled as default
Yes No
7. All enabled ports are fully documented as part of the shipping documentation
Yes No
8. Manufacturer has documented and deployed an effective strategy to quickly fix identified vulnerabilities in protocols
Yes No
9. Manufacturer has an appropriate publication scheme for notification of vulnerabilities identified and detailing fixes required
Yes No
4
Encryption
10.Appropriate encryption is considered alongside other technical and organisational measures, taking into account the benefit and risks it can offer
Yes No
11.Products use Hyper Text Transfer Protocol Secure (HTTPS) for all communications with a web-based interface
Yes No
12.Products use Transport Layer Security (TLS) for all communications across all untrusted networks
Yes No
13.Products use an appropriate level of baseline encryption for all data being stored at rest
Yes No
5
Open Network Video Interface Forum Protocol (ONVIF Protocol)
14.Products must have ONVIF disabled on bootup by default Yes No
15.Products must have video streaming disabled until a new username and password has been created
Yes No
6
Remote Access
16.Remote access is fully disabled as default Yes No
17.Devices never attempt to access vendor-controlled network services without consent of the user
Yes No
18.Remote access into a VSS does not allow access to other connected network services
Yes No
19.Workstations and servers supplied with the VSS are locked down in line with industry best practice and include no remote access in baseline configuration
Yes No
7
Software Patching and Firmware Upgrades
20.Manufacturer has a portal policy/resource centre for handling patches/upgrades with community sign up programmes
Yes No
21.Critical updates (e.g. where a product is vulnerable) are proactively notified to those who have signed up to the portal/resource centre
Yes No
22.A non-critical and functional advisory service is available for users to subscribe to
Yes No
8
Penetration/Fuzz Testing (Vulnerability Scanning)
23.Manufacturer has a documented, implemented and effective process to security test components and devices
Yes No
24.Vulnerable components and devices are developed further before being put into and live environment
Yes No
9
Use of IEEE 802.1x
25.Products are IEEE 802.1x capable Yes No
10