The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576842897/Secure+Configuration+-+FAQ#
| QUESTION | ANSWER |
|---|---|
| Is brute force device locking now mandatory? What are the requirements if so? | You will need to use either throttling or account locking after 10 attempts to protect against brute-force attacks. |
| How is secure configuration managed when assets are supplied and managed by a third party? | In this case the controls would need to be applied by the third party, because they have the access needed to administer the devices. This is a fairly common scenario, but you would still be responsible for making sure that the controls have been applied to the devices. |
| Does the requirement to disable or remove unused software also apply to contractors – how do we police that? Is it enough to ask them to do it? | There are many different ways you can ensure this has happened, ranging from technical implementation to a written policy. For contractors, a good suggestion would be to add it as part of the SLA or contract. If you move on to CE Plus, a sample of these devices would be tested by an assessor. You could follow the same approach and look at a sample as part of your own management checks. |
| Is having an MDM tool such as MS Intune a requirement for Cyber Essentials Plus certification? | There is no requirement to use an MDM tool in Cyber Essentials. |
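The brute-force answer above names two acceptable defences: throttling, or locking the account after 10 failed attempts. As an added illustration (not part of the IASME FAQ), the Python guard below implements either mode; the 10-attempt threshold is the FAQ's, while the lock duration and throttle delays are assumed values chosen for the example.

```python
# Added example (not from the IASME FAQ): a per-account login guard that
# enforces one of the two brute-force defences the FAQ names.
# MAX_FAILED_ATTEMPTS comes from the FAQ; lock_seconds and base_delay are
# assumptions for illustration only.
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 10  # threshold stated in the FAQ


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None  # epoch seconds; None = not locked
    next_allowed: float = 0.0             # throttle: earliest time of next attempt


class BruteForceGuard:
    """Tracks failed logins per account and applies lockout or throttling."""

    def __init__(self, mode: str = "lock", lock_seconds: float = 900.0,
                 base_delay: float = 1.0):
        if mode not in ("lock", "throttle"):
            raise ValueError("mode must be 'lock' or 'throttle'")
        self.mode = mode
        self.lock_seconds = lock_seconds  # assumed lock duration (15 min)
        self.base_delay = base_delay      # assumed first throttle delay (1 s)
        self.accounts: Dict[str, AccountState] = {}

    def check(self, user: str, now: float) -> bool:
        """Return True if a login attempt for `user` may be processed at `now`."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None and now < st.locked_until:
            return False  # account is locked
        if now < st.next_allowed:
            return False  # still inside the throttle delay
        return True

    def record(self, user: str, success: bool, now: float) -> None:
        """Update the account's state after an attempt; success resets it."""
        st = self.accounts.setdefault(user, AccountState())
        if success:
            self.accounts[user] = AccountState()
            return
        st.failures += 1
        if self.mode == "lock":
            if st.failures >= MAX_FAILED_ATTEMPTS:
                st.locked_until = now + self.lock_seconds
        else:
            # Exponential back-off (1 s, 2 s, 4 s ... capped at 5 min) so that
            # 10 guesses take minutes rather than milliseconds.
            delay = min(self.base_delay * 2 ** (st.failures - 1), 300.0)
            st.next_allowed = now + delay
```

In a real service the state would live in shared storage and every rejected attempt should be logged, since a burst of lockouts is itself a useful detection signal.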