Subject: SecurityUpdateMgmt

Type: FAQ

The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576842966/Security+Update+Management+FAQ#


QUESTION

ANSWER

Why is it important to keep systems updated?

All systems contain security flaws and as these are discovered, vendors release updates which fix the issues. Once security flaws are known about, ways of exploiting them are quickly developed by malicious actors, so systems that aren’t kept updated are vulnerable to attack.

What is a security update?

A security update is a fix for a security flaw which is released by a vendor.

What does ‘patching’ mean?

A patch is another word for a security update and patching is the process of applying the updates.

What is meant by ‘software vulnerability’?

A software vulnerability is a flaw in a computer system which may be ‘exploited’ by an attacker in order to compromise a system.

What happens if a system is not updated due to staff absence (e.g. holidays or sickness)?

The system must be updated as soon as the staff member returns, and before it is used again to access any organisational data or services.

When devices no longer receive firmware updates but are still getting security patches on a biannual schedule, would the security patch be enough to pass an audit or does the device have to be fully supported?

This would still be considered a regular update, so the device would be compliant with the standard and would pass the audit as long as those security patches are actually applied.

What do 'licensed' and 'supported' mean, in simple terms?

‘Licensed’ means holding the correct licence from the vendor to use the software. It matters because many products only provide security updates while the licence fee has been paid. ‘Supported’ means that the vendor is still releasing security updates for the software; the vendor must also state the date on which it will stop doing so.

What about software where the vendor gives no indication about support periods, and where no new release has happened for a long time?

That software would be considered unsupported. If the applicant disagrees, it is up to them to demonstrate otherwise.

Do personally-owned devices (and any installed software) need to be kept up to date with security updates for Cyber Essentials?

Yes, personally-owned devices must be kept up to date if they are being used to access organisational data and services.

What if we have unsupported software or operating systems that are vital to our operations?

Many organisations have devices with unsupported operating systems (for example medical or industrial equipment). Where this is the case, these systems should not be allowed to connect to the internet.

If a firewall's last firmware update was 6 months ago, would this fail as it is no longer supported by the vendor? 

As long as the vendor still supports the firewall and it receives regular security updates, it is compliant. If a firewall has had no new firmware for 6 months, check with the supplier whether the device is still supported.

For personally-owned devices, is it mandatory to have automatic updates enabled?

The requirement is that automatic updates should be enabled where possible. A manual update process is allowable but the updates must be applied within 14 days.  For personally-owned devices, using the built-in auto-update option is the easiest way to keep these devices compliant. 

How do we ensure that all devices accessing a network have the latest operating system updates installed?

There are MDM (Mobile Device Management) systems available that can automatically block non-compliant devices from accessing networks, and you can use this technical control along with a policy to ensure that any devices accessing the network are up to date. This can be particularly useful when dealing with personally-owned devices.
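As an added illustration (this is not IASME's guidance text, nor the code of any MDM product), the following Python example shows how such a technical control could combine the rules from this FAQ into an allow/deny decision for a device before it is let onto the network: the 14-day window for applying updates comes from the FAQ above; the minimum OS versions, the one-year "no vendor release" threshold used to treat software as unsupported, and the sample device reports are all assumptions constructed for the example.

```python
"""Illustrative device-posture gate of the kind an MDM or network access
control enforces. Added example, not IASME or vendor code. Only the 14-day
window is taken from the FAQ; every other threshold is an assumption."""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14       # FAQ: manual updates must be applied within 14 days
STALE_VENDOR_DAYS = 365      # assumption: no vendor release for a year => unsupported

# Assumed minimum OS versions for this illustration only.
MIN_OS_VERSION = {
    "Windows": (10, 0, 19045),
    "macOS": (13, 0, 0),
    "Android": (13, 0, 0),
    "iOS": (16, 0, 0),
}


def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045); short strings are zero-padded so '13' == '13.0.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


@dataclass
class Posture:
    device: str
    os: str
    os_version: str
    installed_update_date: date   # newest security update installed on the device
    vendor_update_date: date      # newest security update the vendor has released
    auto_update: bool
    personally_owned: bool


def evaluate(p, today):
    """Return (allowed, reasons); an empty reasons list means the device is compliant."""
    reasons = []
    min_v = MIN_OS_VERSION.get(p.os)
    if min_v is None:
        reasons.append(f"unknown OS {p.os!r}")
    elif parse_version(p.os_version) < min_v:
        reasons.append(f"{p.os} {p.os_version} is below minimum {'.'.join(map(str, min_v))}")
    days_since_release = (today - p.vendor_update_date).days
    if days_since_release > STALE_VENDOR_DAYS:
        reasons.append("no vendor security update for over a year: treat as unsupported")
    # Overdue only if the newest vendor update is missing AND the 14-day window has passed.
    if p.installed_update_date < p.vendor_update_date and days_since_release > PATCH_WINDOW_DAYS:
        reasons.append(f"latest security update not applied within {PATCH_WINDOW_DAYS} days")
    # Auto-update is "where possible" in the FAQ, so its absence alone does not block.
    return (not reasons, reasons)


def sample_decisions(today=date(2024, 6, 1)):
    """Evaluate a constructed set of device reports (sample data, not real devices)."""
    reports = [
        Posture("laptop-01", "Windows", "10.0.19045", date(2024, 5, 14), date(2024, 5, 14), True, False),
        Posture("byod-phone", "Android", "12", date(2024, 3, 1), date(2024, 5, 6), False, True),
        Posture("kiosk", "Windows", "10.0.19045", date(2023, 4, 1), date(2023, 4, 1), True, False),
        Posture("tablet", "iOS", "17.5", date(2024, 5, 25), date(2024, 5, 28), True, True),
    ]
    return {p.device: evaluate(p, today) for p in reports}


if __name__ == "__main__":
    for name, (allowed, reasons) in sample_decisions().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

In this constructed run, the personally-owned phone is blocked both for running an OS below the assumed minimum and for being more than 14 days behind the vendor's latest update, the kiosk is blocked because its vendor has released nothing for over a year, and the tablet is allowed because its missing update is only four days old and still inside the window.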

...