Self Assessment Tool - guidance


Post on 04-May-2020

Page 1: Self Assessment Tool - guidance

Secure by default self certification

Using this tool

This self-assessment tool has been prepared by the Surveillance Camera Commissioner (SCC) to help you and your organisation to self-certify the video surveillance (VSS) products you manufacture against the secure by default minimum requirements.

For ease, this template contains a number of yes/no questions and should be completed for each VSS product/product family that you wish to self-certify. Once the completed form has been returned to the Surveillance Camera Commissioner’s office for assessment they will issue you with the ‘secure by default’ branding. You will then be able to use this branding on the products that you have self-certified against.

The SCC will keep a list of self-certified products on the SCC website. Manufacturers should ensure that the information about products listed on the website is correct. If at any point the information that has been supplied to the SCC has been found to be false, the SCC reserves the right to remove the mark and the product from the products list – this may apply to all products listed by the manufacturer.

Completed self-assessments should be emailed to the SCC at [email protected] and we will endeavour to issue the branding within 28 working days. You can also send any queries about this process to the SCC and we would also appreciate your comments and feedback on the user experience with this template.

Answering ‘no’ to questions in this form will not mean that your product(s) will fail to receive the secure by default self-certification mark. However, if you do answer ‘no’ to any question you should include an accompanying submission explaining why you have said ‘no’.


Organisation details

Name of organisation:

Name of person completing self-certification:

Product/product family being assessed:

Telephone number:

Email address:

Position within organisation:

Date submitted:


Self Certification


Default passwords

1. All default usernames and passwords are forced to be changed on initial power up. Yes / No

2. Devices provide a visual indicator of password strength. Yes / No

3. Devices have built-in password checking and will not permit an insecure password. Yes / No
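The three requirements above describe device behaviour rather than code, so the following is an added illustration (not part of the SCC form or any vendor's firmware) of how a product could satisfy them together: a first-boot account that refuses every login until the factory credentials are replaced (item 1), a coarse entropy estimate that drives a weak/fair/strong indicator (item 2), and a rejection list that blocks short, default-matching or low-diversity passwords (item 3). The minimum length, the entropy thresholds and the small list of known default passwords are constructed assumptions, not values taken from the scheme.

```python
"""Illustrative model of self-certification items 1-3 (added example;
not part of the SCC form). Thresholds and the default-credential
list below are assumptions chosen for the demonstration."""
from __future__ import annotations
import math
from dataclasses import dataclass

# Constructed sample of factory defaults the device should refuse;
# a real product would carry a much larger list.
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", "admin123", "camera"}
MIN_LENGTH = 12  # assumed policy minimum


def entropy_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def strength_label(password: str) -> str:
    """Label shown by the UI indicator (item 2): weak / fair / strong."""
    bits = entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 70:
        return "fair"
    return "strong"


def password_problems(username: str, password: str) -> list[str]:
    """Reasons a password is rejected (item 3); an empty list means acceptable."""
    lowered = password.lower()
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Reject exact defaults and passwords built around one (e.g. password1234).
    if any(d in lowered for d in KNOWN_DEFAULTS if len(d) >= 5):
        problems.append("matches a known default password")
    if lowered == username.lower():
        problems.append("same as username")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    if strength_label(password) == "weak":
        problems.append("estimated entropy too low")
    return problems


@dataclass
class DeviceAccount:
    """Minimal model of the administrative account as shipped from the factory."""
    username: str = "admin"
    password: str = "admin"
    credentials_changed: bool = False

    def login_allowed(self) -> bool:
        # Item 1: no access at all until the factory credentials are replaced.
        return self.credentials_changed

    def set_credentials(self, username: str, password: str) -> list[str]:
        """Apply new credentials; returns the rejection reasons, empty on success."""
        problems = password_problems(username, password)
        if not problems:
            self.username = username
            self.password = password
            self.credentials_changed = True
        return problems


if __name__ == "__main__":
    account = DeviceAccount()
    print("login before change:", account.login_allowed())
    for candidate in ("admin", "Tr0ub4dor&3", "Correct-Horse-Battery-9"):
        print(candidate, strength_label(candidate), password_problems("operator", candidate))
    print("set:", account.set_credentials("operator", "Correct-Horse-Battery-9"))
    print("login after change:", account.login_allowed())
```

Note that the indicator and the rejection check are deliberately separate: `Tr0ub4dor&3` scores as strong on the entropy estimate yet is still refused for length, which is why item 3 asks for enforcement and not only a strength display.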


Hardcoded passwords

4. Products do not use hardcoded usernames and passwords. Yes / No

5. There are no insecure ‘backdoors’ into products. Yes / No


Protocols and Ports

6. Only protocols that are necessary for the functioning of the component are enabled on devices, and unnecessary ports are disabled by default. Yes / No

7. All enabled ports are fully documented as part of the shipping documentation. Yes / No

8. Manufacturer has documented and deployed an effective strategy to quickly fix identified vulnerabilities in protocols. Yes / No

9. Manufacturer has an appropriate publication scheme for notifying identified vulnerabilities and detailing the fixes required. Yes / No


Encryption

10. Appropriate encryption is considered alongside other technical and organisational measures, taking into account the benefits and risks it can offer. Yes / No

11. Products use Hyper Text Transfer Protocol Secure (HTTPS) for all communications with a web-based interface. Yes / No

12. Products use Transport Layer Security (TLS) for all communications across all untrusted networks. Yes / No

13. Products use an appropriate level of baseline encryption for all data being stored at rest. Yes / No


Open Network Video Interface Forum (ONVIF) protocol

14. Products must have ONVIF disabled on boot-up by default. Yes / No

15. Products must have video streaming disabled until a new username and password have been created. Yes / No


Remote Access

16. Remote access is fully disabled by default. Yes / No

17. Devices never attempt to access vendor-controlled network services without the consent of the user. Yes / No

18. Remote access into a VSS does not allow access to other connected network services. Yes / No

19. Workstations and servers supplied with the VSS are locked down in line with industry best practice and include no remote access in the baseline configuration. Yes / No


Software Patching and Firmware Upgrades

20. Manufacturer has a portal policy/resource centre for handling patches/upgrades, with community sign-up programmes. Yes / No

21. Critical updates (e.g. where a product is vulnerable) are proactively notified to those who have signed up to the portal/resource centre. Yes / No

22. A non-critical and functional advisory service is available for users to subscribe to. Yes / No


Penetration/Fuzz Testing (Vulnerability Scanning)

23. Manufacturer has a documented, implemented and effective process to security test components and devices. Yes / No

24. Vulnerable components and devices are developed further before being put into a live environment. Yes / No


Use of IEEE 802.1x

25. Products are IEEE 802.1x capable. Yes / No
