Versions Compared

Version Old Version 7 New Version 8
Changes made by

Joe Checketts

Joe Checketts

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Page Properties
hiddentrue

Document number:

DOC-XXX-XXXXX

Document type:

Guidance

Responsibility for implementation & training:

Cyber Essentials Manager

CB contract doc/ schedule:

No

Scope:

Cyber Essentials

Reason for change:

Initial version

Approved by:

Approved date:

Next review:

Review and consultation process:

Reviewed Monthly by Cyber Essentials Manager

Associated documentation:

Distribution:

Controlled in Confluence Quality Management System.

Refined Knowledge Hub

https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576842966/Security+Update+Management+FAQ#

Page Properties
hiddentrue
idNavigation_Page

Subject

SecurityUpdateMgmt

Type

FAQ

The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576842966/Security+Update+Management+FAQ#

Excerpt
nameM_FAQ_SecurityUpdateMgmt

QUESTION

ANSWER

Why is it important to keep systems updated?

What is a security update?

What does ‘patching’ mean?

What is meant by ‘software vulnerability’?

What happens if a system is not updated due to staff absence (e.g. holidays or sickness)?

The system must be updated as soon as the staff member returns and before being used to access any organisational data or services. 

When devices no longer receive firmware updates but are still getting security patches on a biannual schedule, would the security patch be enough to pass an audit or does the device have to be fully supported?

This would be still considered a regular update, so it would be compliant with the standard and would pass the audit as long as it updated.

When there are devices that have not been updated because employees have not turned their devices on or connected (for example due to sick leave or holidays) can we exclude these devices from the scope?

If the employee's device is not connected to the internet or used for business purposes it can be considered out of scope. However as soon as the employee returns, the device needs to be updated or replaced, and controls put in place, before it can be used by the employee to access organisational data and services.

What does " licensed and supported " mean in the context of open source software?

Licensed and supported software is software that you have a legal right to use and that a vendor has committed to support by providing regular updates or patches. The vendor must provide the future date when they will stop providing updates. (Note that the vendor doesn’t need to have created the software originally, but they must be able to now modify the original software to create updates).  Open Source software is acceptable as long as regular security updates are made available and there is a published end of life date.

What if the vendor has not officially stopped supporting an application?

"Supported' in this context means that the vendor is providing regular security updates and has published the date at which these updates will stop being provided. Define licensed and supported in simple terms

What about software where the vendor gives no indication about support periods, and where no new release has happened for a long time?

That would be considered as unsupported and up to the applicant to prove otherwise if they disagree.

Some devices rely on What if we have unsupported software or operating systems and software that is no longer supported but these devices are essential to carry out key tasks. Can you suggest a way to make such devices compliant or can they never attain Cyber Essentials certificationare vital to our operations?

Many organisations have devices with unsupported operating systems (for example medical or industrial equipment). While the devices themselves would never be compliant for Cyber Essentials, a common approach to this is to put them into a segregated network and block all inbound and outbound internet connections at the network boundaryWhere this is the case, these systems should not be allowed to connect to the internet.

If a firewall's last firmware update was 6 months ago, would this fail as it is no longer supported by the vendor? 

The requirement is only that the update must be applied within 14 days. As long as the vendor still supports the firewall and it receives regular security updates then it would be compliant.
If a firewall has not had any new firmware updates  after 6 months, check with the supplier if the device is still supported. 

For personally-owned devices, is it mandatory to have automatic updates enabled?

The requirement is that automatic updates should be enabled where possible. A manual update process is allowable but the updates must be applied within 14 days.  For personally-owned devices, using the built-in auto-update option is the easiest way to keep these devices compliant. 

How do we ensure that all devices accessing a network have the latest operating system updates installed?

There are MDM (Mobile Device Management) systems available that can automatically block non-compliant devices from accessing networks, and you can use this technical control along with a policy to ensure that any devices accessing the network are up to date. This can be particularly useful when dealing with personally-owned devices.

...