QUESTION | ANSWER |
---|---|
Why is it important to keep systems updated? | All systems contain security flaws and as these are discovered, vendors release updates which fix the issues. Once security flaws are known about, ways of exploiting them are quickly developed by malicious actors, so systems that aren’t kept updated are vulnerable to attack. |
What is a security update? | A security update is a fix for a security flaw which is released by a vendor. |
What does ‘patching’ mean? | A patch is another word for a security update and patching is the process of applying the updates. |
What is meant by ‘software vulnerability’? | A software vulnerability is a flaw in a computer system which may be ‘exploited’ by an attacker in order to compromise a system. |
What happens if a system is not updated due to staff absence (e.g. holidays or sickness)? | The system must be updated as soon as the staff member returns, and before it is used to access any organisational data or services. |
If a device no longer receives firmware updates but is still getting security patches on a biannual schedule, is the security patch enough to pass an audit, or does the device have to be fully supported? | Security patches on a biannual schedule are still considered regular updates, so the device would be compliant with the standard and would pass the audit as long as each update is applied within 14 days of release. |
We have a large Windows estate, and our inventory tooling is showing a handful of out-of-date Windows versions because these employees are on sick leave and have not turned their devices on and connected to receive the updates automatically. How should this be handled when submitting the Cyber Essentials questionnaire? Can we exclude these devices? | This is similar to a furloughed employee: a furloughed employee's device is considered not currently in use, and therefore not connected to the Internet or used for business purposes, so it can be considered out of scope. However, as soon as the employee returns, the device must be updated or replaced, and the CE controls put in place, before it can be used by the employee. |
What does "supported" mean in the context of open source software? | Licensed and supported software is software that you have a legal right to use and that a vendor has committed to support by providing regular updates or patches. The vendor must provide the future date when they will stop providing updates. (Note that the vendor doesn’t need to have created the software originally, but they must be able to now modify the original software to create updates). Open Source software is acceptable as long as regular security updates are made available and there is a published end of life date. |
What is the definition of an out-of-support application, if the vendor has not officially stopped supporting it? | ‘Supported’ in this context means that the vendor is providing regular security updates and has published the date at which these updates will stop being provided. An application that does not meet both conditions is treated as out of support. |
What does licensed and supported mean? | ‘Licensed’ refers to having the correct license to use the software from the vendor. It’s important because many systems only provide security updates if the license fee has been paid. ‘Supported’ means that the vendor is releasing regular vulnerability fixes for the software - they must also provide a date when they will stop doing this. |
What about software where the vendor gives no indication about support periods, and where no new release has happened for a year or two? | That would be considered unsupported; it is up to the applicant to prove otherwise if they disagree. |
Some devices rely on operating systems and software that are no longer supported, but these devices are essential to carry out key tasks. Can you suggest a way to make such devices compliant, or can they never attain Cyber Essentials certification? | The devices themselves can never be compliant for CE. A common approach in this scenario is to put them into a subset and then cut all inbound and outbound Internet connections at the boundary of that subset. |
Do personally-owned devices (and any installed software) need to be kept up to date with security updates for Cyber Essentials? | Yes, personally-owned devices must be kept up to date if they are being used for work duties. |
Are Beta/Preview builds acceptable for Cyber Essentials? | No. These versions of software are not guaranteed to be supported with updates by the vendor, and often do not have an end-of-life date. |
What if we have unsupported software or operating systems that are vital to our operations? | Many organisations have devices with unsupported operating systems (for example, medical or industrial equipment). Where this is the case, these systems must not be allowed to connect to the Internet. This can be done using network segmentation: separating that part of the network into a subset using a firewall or VLAN. The devices can still communicate across that boundary to in-scope devices, but all inbound and outbound Internet connections must be blocked at the subset boundary. |
If a firewall's last firmware update was 6 months ago, would this fail as it is no longer supported by the vendor? | The requirement is that an update must be applied within 14 days of its release; there is no requirement on how often the vendor releases updates. So as long as the vendor still supports the firewall and it receives regular security updates, it would be compliant. For some operating systems, firmware and applications, if annual licensing is not purchased, they will not receive regular security updates. If a firewall has not had any new firmware updates for 6 months, check with the supplier whether the device is still supported. Due to the number of vulnerabilities being discovered, vendors are increasing the frequency of firmware updates. |
For personally-owned devices, is it mandatory for people to have automatic updates enabled? | The requirement is that automatic updates should be enabled where possible. A manual update process is allowable, but the updates must be applied within 14 days. For personally-owned devices, using the built-in auto-update option is the easiest way to keep them compliant. |
How do we enforce BYOD to ensure that all devices accessing a network have the latest operating system updates installed? | Most devices have an option to install operating system updates automatically, and you should ensure that this is selected for both company-owned and personally-owned devices. There are also MDM systems available that can automatically block non-compliant devices from accessing the network; you can use this technical control alongside a policy to ensure that any BYOD devices accessing the network are up to date. |
How much detail regarding the operating system is required for the assessment? | You should provide the name and version of the operating system so that the assessor can determine whether it is still supported, for example macOS Sonoma, Windows 11 Pro 21H2, iOS 17, Android 14. For network devices such as routers and firewalls, the make and model is needed, for example Fortinet FortiGate 100F. |
Is virtual patching an allowed method in Cyber Essentials? | Virtual patching is not an acceptable long-term mitigation for the security vulnerabilities of legacy unsupported operating systems, and so it will not be recognised as a mechanism for compliance with the Cyber Essentials requirements. |
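
The rules in the answers above (the 14-day window for applying a released update, the out-of-scope treatment of devices whose users are absent, the requirement for a published end-of-support date, and the ban on Beta/Preview builds) can be applied mechanically to a device inventory before the questionnaire is filled in. The following Python script is an added example written for this page, not tooling from NCSC, IASME or any certification body; its inventory format, device names and all support and update dates are constructed placeholders (check the vendor's lifecycle page for real dates). It also shows the point made for the firewall question: an update that is six months old is fine as long as it is the newest the vendor has released.

```python
"""Triage a device inventory against the Cyber Essentials patching rules.

Added example for this FAQ, not official tooling. The inventory format and
every date below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Cyber Essentials: a security update must be applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)


@dataclass
class Device:
    name: str
    os: str                            # name and version, as the assessor needs it
    in_use: bool                       # False while the user is furloughed or absent
    supported_until: date | None       # vendor-published end-of-support date; None = not published
    last_update_released: date | None  # newest security update the vendor has released
    last_update_applied: date | None   # newest security update installed on the device
    beta: bool = False                 # Beta/Preview builds are never acceptable


def assess(dev: Device, today: date) -> str:
    """Classify one device against the FAQ's rules and return a status string."""
    if not dev.in_use:
        # Absent user's device: out of scope now, but must be patched before it is used again.
        return "OUT_OF_SCOPE"
    if dev.beta:
        return "FAIL_BETA"
    if dev.supported_until is None or dev.supported_until < today:
        # No published end-of-life date counts as unsupported, as does a date already passed.
        return "FAIL_UNSUPPORTED"
    released = dev.last_update_released
    if released is None:
        return "COMPLIANT"              # the vendor has released nothing to apply
    applied = dev.last_update_applied
    if applied is not None and applied >= released:
        return "COMPLIANT"              # up to date, however long ago that update was released
    if today - released > PATCH_WINDOW:
        return "FAIL_PATCH_OVERDUE"     # newest update has been available for more than 14 days
    return "PENDING"                    # still inside the 14-day window


def triage(devices: list[Device], today: date) -> dict[str, list[str]]:
    """Group device names by status for review before submitting the questionnaire."""
    out: dict[str, list[str]] = {}
    for dev in devices:
        out.setdefault(assess(dev, today), []).append(dev.name)
    return out


# Constructed inventory; dates are illustrative placeholders, not real vendor lifecycle dates.
TODAY = date(2024, 6, 3)
INVENTORY = [
    Device("LAPTOP-01", "Windows 11 Pro 23H2", True, date(2026, 1, 1), date(2024, 5, 14), date(2024, 5, 15)),
    Device("LAPTOP-02", "Windows 11 Pro 23H2", True, date(2026, 1, 1), date(2024, 5, 14), date(2024, 4, 9)),
    Device("LAPTOP-03", "Windows 11 Pro 23H2", True, date(2026, 1, 1), date(2024, 5, 28), None),
    Device("LAPTOP-04", "Windows 11 Pro 22H2", False, date(2026, 1, 1), date(2024, 5, 14), date(2024, 3, 12)),
    # Firewall patched six months ago, but that is the newest firmware the vendor has released.
    Device("FW-01", "Fortinet FortiGate 100F", True, date(2027, 1, 1), date(2023, 12, 1), date(2023, 12, 5)),
    # Legacy scanner controller: end of support already passed, must be segregated instead.
    Device("SCANNER-01", "Windows 7 Professional", True, date(2020, 1, 14), None, None),
    Device("DEV-01", "Windows 11 Insider Preview", True, date(2026, 1, 1), date(2024, 5, 28), date(2024, 5, 28), beta=True),
]

if __name__ == "__main__":
    for status, names in sorted(triage(INVENTORY, TODAY).items()):
        print(f"{status:20s} {', '.join(names)}")
```

Devices that come back as FAIL_UNSUPPORTED need the segmentation approach from the unsupported-software answer rather than a patch; OUT_OF_SCOPE devices should be re-run through the check on the day their user returns.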