The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576646422/User+Access+Control+FAQ#
QUESTION | ANSWER |
---|---|
Are shared accounts permissible under certain circumstances, such as a shared third-party web application account? Or are they not allowed at all? | Shared accounts are not compliant with the Cyber Essentials scheme. Unique accounts are required for all users and administrators. As stated in the Cyber Essentials Requirements, you need to ensure that user accounts are assigned to authorised individuals only and provide access to only those applications, computers and networks required for the user to perform their role. |
When using third-party cloud services (such as MS365), is it acceptable to use one centralised mobile device owned by one user to retrieve the authentication code, even if there are various users using the system? | It is acceptable, but not advisable. For example, what happens if that phone is lost? You would need to consider such scenarios and what would happen to access if problems occurred. |
Why the need for controls on personally-owned devices accessing virtual desktops as clients? | The client access software must run on a supported operating system, and the client access software itself must be kept up to date with the latest security updates. There are known commodity attacks against devices that access such sessions, including screen recording of those sessions, so the devices must remain in scope. |
Why is it important to have separate user and admin accounts? | Because admin accounts provide far greater control over a device, an attack that compromises an admin account can have far more serious effects. Consider a user who is logged in to a standard user account and clicks a malicious link. The link may attempt to install malicious software, such as ransomware or spyware, on the device. Because a standard user account does not have the privileges needed to install software, the attempt fails. If the logged-in account were an admin account, the installation could succeed and the attacker could then take control of the machine and carry out any number of damaging activities. That is why day-to-day activities should be performed from a standard user account, and admin accounts must not be used to browse the internet or read email. |
If an organisation has a policy that we do not allow personally-owned devices, is a technical control needed to stop unauthorised devices from connecting? | A common solution is to monitor connections to your cloud services and allow only authorised devices supplied by the organisation to connect. Asset management plays a role here, as you need to know how, and which, devices are connecting to your cloud services. |
While admin accounts shouldn't be used on a day-to-day basis, what about when admin privileges are temporarily needed to install software or run scripts? | All admin accounts need to be approved by a person of authority. |
Some developers need local admin access to compile, debug and check in source code changes using their standard account. Would this fail the Cyber Essentials assessment and, if so, how do organisations manage the local admin privilege needs of development team members? | It would not automatically fail a Cyber Essentials assessment, but it would be an issue when certifying for Cyber Essentials Plus. Account separation is a core control, and if it cannot be achieved we would suggest de-scoping the developer network by segmenting it off with a firewall or VLAN. |
If we have a generic account used by a few people, which is managed using an auto-lock and a fingerprint reader, would this be compliant with Cyber Essentials? | Shared accounts are not compliant with the Cyber Essentials scheme. Unique accounts are required for all users and administrators: you need to ensure that user accounts are assigned to authorised individuals only and provide access to only those applications, devices and networks required for them to perform their role. |
Does a 'break glass' account need to have MFA applied, or would it be out of scope? | Break glass accounts should still have a form of MFA applied, but should use an MFA method different from the one used by other users. One example of MFA for a break glass account is requiring login from a trusted, managed device. |
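As an added example (not part of the IASME page), the device check described in the answer on personally-owned devices connecting to cloud services: successful sign-in records are reviewed against the asset register, and any sign-in that did not come from an organisation-supplied, managed device is flagged for follow-up. The register entries, sign-in records and field names are constructed for this example and are not any vendor's log schema.

```python
import json
from dataclasses import dataclass

# Constructed asset register: devices the organisation supplies and manages.
# Field names are assumptions for this example, not a vendor schema.
ASSET_REGISTER = {
    "LT-0042": {"owner": "alice", "managed": True},
    "LT-0057": {"owner": "bob", "managed": True},
    "LT-0099": {"owner": "carol", "managed": False},  # issued, enrolment not finished
}

# Constructed sign-in events exported from a cloud service, one JSON object per line.
SIGNIN_LOG = """\
{"user": "alice", "device_id": "LT-0042", "app": "Mail", "result": "success"}
{"user": "bob", "device_id": "", "app": "Files", "result": "success"}
{"user": "dave", "device_id": "PERSONAL-IPHONE", "app": "Mail", "result": "success"}
{"user": "carol", "device_id": "LT-0099", "app": "Files", "result": "success"}
{"user": "alice", "device_id": "LT-0042", "app": "Files", "result": "failure"}
"""


@dataclass
class Finding:
    user: str
    device_id: str
    reason: str


def review_signins(log_text: str, register: dict) -> list[Finding]:
    """Flag successful sign-ins that did not come from an organisation-managed device."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["result"] != "success":
            continue  # a failed sign-in granted no access, so it is not a finding here
        dev = event["device_id"]
        if not dev:
            findings.append(Finding(event["user"], dev, "no device identity presented"))
        elif dev not in register:
            findings.append(Finding(event["user"], dev, "device not in asset register"))
        elif not register[dev]["managed"]:
            findings.append(Finding(event["user"], dev, "device registered but not managed"))
    return findings


if __name__ == "__main__":
    for f in review_signins(SIGNIN_LOG, ASSET_REGISTER):
        print(f"{f.user:8} {f.device_id or '<none>':16} {f.reason}")
```

Each finding is a sign-in that the policy says should not have been possible, which is the evidence needed to decide whether a technical control (blocking unregistered devices at the service) is required rather than policy alone.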