Document number: DOC-XXX-XXXXX
Document type: Guidance
Responsibility for implementation & training: Cyber Essentials Manager
CB contract doc/schedule: No
Scope: Cyber Essentials
Reason for change: Initial version
Approved by:
Approved date:
Next review:
Review and consultation process: Reviewed monthly by Cyber Essentials Manager
Associated documentation:
Distribution: Controlled in Confluence Quality Management System.

Refined Knowledge Hub

https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576842897/Secure+Configuration+-+FAQ#

Subject: SecureConfiguration
Type: FAQ
Area: Secure Configuration
Page Type: Content
Page Name: Secure Configuration : FAQ
Last Updated: 04/11/24
Update Notes: Reviewed 04/11/24
Reviewer: JC
Next Review: 04/11/25

The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576842897/Secure+Configuration+-+FAQ#FAQ

How do you deal with the use case where

QUESTION

ANSWER

Is brute force device locking now mandatory? What are the requirements if so?

You'll need to use either throttling or account locking after 10 attempts to protect against brute force attacks.

Why do I need to remove unused software or apps from my devices?

Unused software is less likely to be kept updated and may contain vulnerabilities that make your system less secure.

What is a brute force attack?

A brute force attack can discover a password by trying every combination of characters until the correct one is found.

What is throttling?

Throttling is a way of protecting against brute force attacks by increasing the time between each attempt at entering a password, slowing down the rate at which combinations can be tried. For Cyber Essentials, no more than 10 guesses in 5 minutes are allowed.
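As an added example (not part of the IASME FAQ), the following Python sketch implements both options named above: account locking after 10 failed attempts, and throttling to no more than 10 guesses in 5 minutes. The 15-minute lock duration, the account names and the attempt log are constructed assumptions for the demonstration.

```python
from collections import deque
from datetime import datetime, timedelta

# Cyber Essentials figures from the FAQ: at most 10 guesses in 5 minutes
# (throttling), or lock the account after 10 failed attempts.
MAX_ATTEMPTS = 10
WINDOW = timedelta(minutes=5)
LOCK_FOR = timedelta(minutes=15)   # assumed lock duration; the FAQ sets none

class LoginGuard:
    """Per-account brute-force protection in 'throttle' or 'lock' mode."""
    def __init__(self, mode):
        assert mode in ("throttle", "lock")
        self.mode = mode
        self.recent = {}        # account -> timestamps of failures inside WINDOW
        self.consecutive = {}   # account -> failures since last success (lock mode)
        self.locked_until = {}  # account -> datetime at which the lock expires

    def _window(self, account, now):
        q = self.recent.setdefault(account, deque())
        while q and now - q[0] >= WINDOW:   # expire failures older than 5 minutes
            q.popleft()
        return q

    def attempt(self, account, now, password_correct):
        """Returns 'ok', 'wrong', 'throttled' or 'locked'. password_correct is
        the credential-check result, consulted only once the attempt is admitted."""
        if self.mode == "lock":
            if self.locked_until.get(account, now) > now:
                return "locked"
        elif len(self._window(account, now)) >= MAX_ATTEMPTS:
            return "throttled"
        if password_correct:
            self.recent.pop(account, None)
            self.consecutive.pop(account, None)
            return "ok"
        self._window(account, now).append(now)
        self.consecutive[account] = self.consecutive.get(account, 0) + 1
        if self.mode == "lock" and self.consecutive[account] >= MAX_ATTEMPTS:
            self.locked_until[account] = now + LOCK_FOR
            self.consecutive[account] = 0
        return "wrong"

def simulate(mode, attempts):
    """attempts: constructed list of (seconds_offset, account, correct)."""
    guard = LoginGuard(mode)
    t0 = datetime(2024, 11, 4, 9, 0, 0)   # arbitrary start time
    return [guard.attempt(a, t0 + timedelta(seconds=s), ok) for s, a, ok in attempts]

# Constructed sample: 12 guesses ten seconds apart, then the right password at 5m10s.
SAMPLE = [(i * 10, "alice", False) for i in range(12)] + [(310, "alice", True)]
```

In throttle mode the eleventh and twelfth guesses are refused and the late correct attempt succeeds once two failures have aged out of the window; in lock mode the account stays locked until the assumed 15 minutes have elapsed.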

What does device locking apply to?

Device locking applies when someone has physical access to a device which is used to access your organisation’s data or services and means that you must enter a password, PIN or biometric data to use the device.

What is a default account and why does it matter?

A default account will often have an easily-discoverable default password (or empty password) meaning that anybody could use it to access a device.

What is the minimum length of a PIN number or password for Cyber Essentials?

When unlocking a device, 6 characters. Where common passwords are blocked automatically, or MFA is in use, 8 characters. In all other cases, 12 characters.

Who counts as a user?

If they are accessing organisational data and services using an account, they will count as a user. This would include employees, students, customers and anyone else accessing your systems.

What should be done in the case of a developer who may need admin permissions to carry out their work?

It’s been established that admin is not always a necessity for developers. There are some situations where admin is required but this is not universally the case. It’s a good idea for organisations to have a separate, segregated network or networks for development, not only because this mitigates the problem of admin rights for developers, but also because test versions of software may themselves contain vulnerabilities that could be exploited.

How is secure configuration managed when assets (for example laptops) are supplied and managed by a third party that also does the asset management? What about those third-party devices, given that you don't own them?

In this case the controls would need to be applied by the third party, because they have the access required to administer the devices. This is a scenario we now realise is more common than we first thought. Those third-party devices would need to be included on the Cyber Essentials certificate of the organisation that owns them and has the administrative access to apply the controls.

What devices need to have supported firmware, and what does "supported" mean in this context?

All devices should be running supported firmware; however, only routers and firewalls are required to have their firmware version provided for the certification. Licensed and supported software is software that you have a legal right to use and that a vendor has committed to support by providing regular updates or patches. The vendor must provide the future date when they will stop providing updates. (Note that the vendor doesn’t need to have created the software originally, but they must be able to modify the original software now in order to create updates.)

This is a fairly common scenario, but you would still be responsible for making sure that the controls have been applied to the devices. In IaaS, PaaS or SaaS scenarios, both your organisation and the cloud provider are responsible for implementing the controls.

Does the requirement to disable or remove unused software also apply to contractors – if so how do we ensure this? Is it enough to ask them to do it?

There are many different ways you can ensure this, ranging from technical implementation to a written policy. For contractors, a good suggestion might be to add it as part of the SLA or contract. If you move on to Cyber Essentials Plus, a sample of these devices would be tested by an assessor. You could always follow this same approach and look at a sample as part of your management checks.

Is having a Mobile Device Management tool such as Microsoft Intune a requirement for Cyber Essentials Plus certification?

There is no requirement for using MDM in Cyber Essentials.
We do not dictate how you implement the controls; this can be done through a combination of technical implementation, policy or procedure, although it is expected that a technical solution would be used.