
The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576646422/User+Access+Control+FAQ#

QUESTION

ANSWER

Some developers need local admin access to compile, debug and check-in source code changes using their standard account. Would this be an auto-fail and if yes, how do organisations manage their local admin privilege needs for development team members?

There are lots of different ways you can manage it; group policies are one way to achieve this. It wouldn't be an automatic failure of Cyber Essentials, but you would have problems should you wish to go ahead and undertake a CE Plus assessment. One of the core controls is that you need to have account separation between standard users and administrators, and if that can't be achieved, we've suggested descoping the developer network. That is a method you can use to move it out of scope. It's best practice to apply as many of the controls as you can to that descoped portion of the network. If you really can't achieve it, then the best option would be to create a developer network and descope it from the assessment.

Are Admin by Request or Microsoft's newly announced Endpoint Privilege Management a suitable solution to handle local administrator access on user devices? For a large enterprise with thousands of users, each of our developers and users requiring admin rights having multiple accounts (Privileged & productivity) is simply not possible. 

Admin by Request can be configured in various ways; however, this does not mean it is compliant.
