| Subject | SecureConfiguration |
|---|---|
| Type | FAQ |

The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576842897/Secure+Configuration+-+FAQ#

| QUESTION | ANSWER |
|---|---|
| Do personally-owned devices (and any installed software) need to be kept up to date with security updates for Cyber Essentials? | Yes, personally-owned devices must be kept up to date if they are being used to access organisational data and services. |
| Is brute force device locking now mandatory? What are the requirements if so? | You'll need to use either throttling or account locking after 10 attempts to protect against brute force attacks. |
| What is the difference between a user and an admin account? | |
| Why do I need to remove unused software or apps from my devices? | |
| What is a default account and why does it matter? | |
| What is the minimum length of a PIN number for Cyber Essentials? | |
| Does a customer count as a user? | |
| How is secure configuration managed when assets are supplied and managed by a third party? | In this case the controls would need to be applied by the third party, because they would have the access to carry out the administration of the devices. This is a fairly common scenario, but you would still be responsible for making sure that the controls have been applied to the devices. |
| Does the requirement to disable or remove unused software also apply to contractors? How do we police that? Is it enough to ask them to do it? | There are many different ways you can ensure this, ranging from technical implementation to a written policy. For contractors, a good suggestion might be to add it in as part of the SLA or contract. If you move on to CE Plus, a sample of these devices would be tested by an assessor. You could always follow this same approach and look at a sample as part of your management checks. |
| Is having an MDM tool such as MS Intune a requirement for Cyber Essentials Plus certification? | There is no requirement for using MDM in Cyber Essentials. We do not dictate how you implement the controls; this can be done through a combination of technical implementation, policy or procedure, although it is expected that a technical solution would be used. |