Subject: SecureConfiguration

Type: FAQ

The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576842897/Secure+Configuration+-+FAQ#


QUESTION

ANSWER

What is the difference between a user and an admin account?

Why do I need to remove unused software or apps from my devices?

What is a brute force attack?

What is throttling?

What does device locking apply to?

What is a default account and why does it matter?

What is the minimum length of a PIN number for Cyber Essentials?

Does a customer count as a user?

How is secure configuration managed when assets are supplied and managed by a third party?

In this case the controls would need to be applied by the third party, because they would have the access to carry out the administration of the devices. This is a fairly common scenario, but you would still be responsible for making sure that the controls have been applied to the devices.

Does the requirement to disable or remove unused software also apply to contractors – how do we police that? Is it enough to ask them to do it?

There are many different ways you can ensure this, ranging from technical implementation to a written policy. For contractors, a good suggestion might be to add it in as part of the SLA or contract. If you move on to CE Plus, a sample of these devices would be tested by an assessor. You could always follow this same approach and look at a sample as part of your management checks.

Is having an MDM tool such as MS Intune a requirement for Cyber Essentials Plus certification?

There is no requirement for using MDM in Cyber Essentials.
We do not dictate how you implement the controls; this can be done through a combination of technical implementation, policy or procedure, although it is expected that a technical solution would be used.