Can a standard user be part of the sudoers group on *nix systems? | There is no special provision within Cyber Essentials for Mac/Linux machines to allow them to be essentially part of the sudoers group under the same account. This is because the requirement for Cyber Essentials is quite clear in that admin accounts need to be protected from the avoidable risks of compromise through email, web browsing and other standard-user activities. By implementing separate accounts and restricting functionality you minimise the opportunity for compromise of the higher-value administration accounts/activities. Maintaining the security of your software development environment is also important, but it is not necessarily fully covered by the Cyber Essentials requirements. |
DEVICE_LOCKING | CF0001 | Is brute-force device locking now mandatory? What are the requirements if so? | You'll need to use either throttling or account locking after 10 attempts to protect against brute-force attacks. | CHANGES 280423 |
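The answer above names the two alternatives without spelling out how they differ in practice. The following is an added illustration, not code from the FAQ, IASME or the NCSC: it models both options side by side, using the figures from the Cyber Essentials requirements (lock after no more than 10 unsuccessful attempts, or throttle so that no more than 10 guesses are possible in 5 minutes). The user names, timestamps and the in-memory state are constructed for the example; a real deployment would configure this in the OS or identity provider rather than write it.

```python
"""Account locking versus rate throttling for password guessing.

Added example, not part of the Cyber Essentials FAQ. The limits below are the
CE figures: lock after no more than 10 failed attempts, or allow no more than
10 guesses in any 5-minute window.
"""
from collections import defaultdict, deque

MAX_GUESSES = 10        # CE: lock after no more than 10 unsuccessful attempts ...
WINDOW_SECONDS = 300    # ... or throttle to no more than 10 guesses in 5 minutes


class Lockout:
    """Account locking: once MAX_GUESSES consecutive failures are seen the
    account is locked and stays locked until unlock() is called."""

    def __init__(self, max_guesses=MAX_GUESSES):
        self.max_guesses = max_guesses
        self.failures = defaultdict(int)   # user -> consecutive failures
        self.locked = set()

    def attempt(self, user, password_ok):
        if user in self.locked:
            return "locked"                # refused before any password check
        if password_ok:
            self.failures[user] = 0        # a success resets the counter
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_guesses:
            self.locked.add(user)
            return "locked"
        return "denied"

    def unlock(self, user):
        """Administrative (or timed) unlock; also clears the failure count."""
        self.locked.discard(user)
        self.failures[user] = 0


class Throttle:
    """Rate throttling: at most max_guesses password evaluations per user in
    any sliding window of window_seconds. A throttled attempt is refused
    before the password is checked, so it does not count as a guess."""

    def __init__(self, max_guesses=MAX_GUESSES, window_seconds=WINDOW_SECONDS):
        self.max_guesses = max_guesses
        self.window = window_seconds
        self.failures = defaultdict(deque)  # user -> timestamps of failures

    def attempt(self, user, password_ok, now):
        q = self.failures[user]
        while q and q[0] <= now - self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_guesses:
            return "throttled"
        if password_ok:
            return "ok"
        q.append(now)
        return "denied"


def lockout_scenario():
    """Constructed sequence: 10 wrong guesses for 'alice', then the right one."""
    policy = Lockout()
    results = [policy.attempt("alice", False) for _ in range(10)]
    results.append(policy.attempt("alice", True))   # correct, but locked now
    policy.unlock("alice")
    results.append(policy.attempt("alice", True))   # works again after unlock
    return results


def throttle_scenario():
    """Constructed sequence for 'bob': 10 wrong guesses at t=0..9 seconds,
    an 11th at t=10, then attempts after part of the window has expired."""
    policy = Throttle()
    results = [policy.attempt("bob", False, now=t) for t in range(10)]
    results.append(policy.attempt("bob", False, now=10))   # 11th guess: refused
    results.append(policy.attempt("bob", True, now=10))    # even correct pw refused
    results.append(policy.attempt("bob", False, now=301))  # t=0 and t=1 expired
    results.append(policy.attempt("bob", True, now=302))   # under the limit again
    return results


if __name__ == "__main__":
    print("lockout :", lockout_scenario())
    print("throttle:", throttle_scenario())
```

The scenarios show the operational trade-off: a hard lockout stops the attacker cold but lets anyone who knows a username lock that user out, whereas throttling caps the guess rate without that denial-of-service effect. On real systems these are settings rather than code (for example the account lockout threshold in Windows policy, or pam_faillock on Linux); the point of the model is to check that whichever option is chosen refuses the attempt before the password is evaluated, and that a correct password does not bypass an active lock or throttle.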
3RD_PARTY | CF0002 | How do you deal with the use case where assets are supplied and managed by a third party (laptops), and they do the asset management? | Because you don't own those third-party devices, the controls would need to be applied by the third party, because they have the access to carry out the administration. This is a scenario we now realise is more common than we first thought, and actually those third-party devices would need to be included on a CE certificate by the organisation that owns those devices and has the administration access to carry out and apply the controls. | CHANGES 280423 |
SUPPORT | CF0003 | What devices need to have supported firmware, and what does "supported" mean in this context? | All devices should be running supported firmware; however, only routers and firewalls are required to provide the firmware version for the certification. Licensed and supported software is software that you have a legal right to use and that a vendor has committed to support by providing regular updates or patches. The vendor must provide the future date when they will stop providing updates. (Note that the vendor doesn't need to have created the software originally, but they must be able to now modify the original software to create updates.) | LITIG_050623 |
BYOD | CF0004 | Can a policy be used for BYOD endpoint compliance rather than technical controls? | This has been a difficult area, but there does need to be a technical element applied when managing BYOD devices. It can be a mixture of technical controls and written policy. This is actually in a blog statement by the NCSC, but we can't allow written policy only in this area. It is important that these devices are supported and able to receive regular security updates, based on evidence that is provided to us and the findings of subject-matter experts. It forms a lot of the guidance by the NCSC, and they should be monitored and checked to make sure that they are in support. | DigitalLoft240423 |
OPEN_SOURCE | CF0005 | Many courses use open-source software; how does this fit with the requirement for all software to be supported? | This will be discussed at the CE Technical Working Group and a formal position posted at a future date. | UCISA_110523 |
SOFTWARE | CF0006 | What is the position on Windows Home edition / Pro? Are these considered acceptable operating systems for CE? | Windows Home and Professional editions are acceptable for CE. | UCISA_110523 |
SUPPORT | CF0007 | In response to dropping the whole model thing, it was said that only supported, non-jailbroken Apple devices can support an OS; well, if they're running on jailbroken Apple devices then that's not compliant. This still fails to address the issue that we can no longer evaluate supportability of Android devices without the model information; again, it doesn't make sense to prevent the evaluation of supportability because some applicants.. | This is a decision that was made by the NCSC, not us; at the minute it isn't going to change. If the applicant provides the information, then mark it and check it. If they don't, then you can't really ask for it. Sorry, I'm wrong: if they provide it you can give an advisory, but you cannot fail them. But again, it's a decision that was made by the NCSC and it won't change any time soon as far as I'm aware. | AW260423 |
MDM | CF0008 | Is having an MDM tool such as MS Intune a requirement for Cyber Essentials Plus certification? We have a range of iOS and Windows devices (100+) that are not currently enrolled in any kind of MDM solution (we're looking to get budget) and need to know if this is a barrier to getting CE. | There is no requirement for using MDM in Cyber Essentials. | LinkedIn_280723 |
3RD_PARTY | CF0009 | Does the requirement to disable or remove unused software also apply to contractors, and how do we police that? Is it enough to ask them to do it? | There are many different ways you can ensure this has happened, ranging from technical implementation to a written policy. For contractors, a good suggestion might be to add it in as part of the SLA or contract. If you move on to CE Plus, a sample of these devices would be tested by an assessor. You could always follow this same approach and look at a sample as part of your management checks. | QUESTIONS_300823 |
AUTORUN | CF0010 | How do you disable auto-run or auto-play on a Mac? I can't see anything that's specifically for a memory stick or find anything online. | Only the older Macs had this option. If you can't see this option and haven't specifically installed any software that would allow external media to auto-run / auto-play, then you are compliant. | QUESTIONS_300823 |
SOFTWARE | CF0011 | We have just been informed by our auditors that during a recent webinar with IASME they were informed that Microsoft Preview and Insider software is considered non-compliant with Cyber Essentials, and that the solution would be to run such software in a segregated development environment. As an IT services provider it is key to our business for staff to use and learn about the new features that are in Microsoft's roadmap. As we are now a largely home-based organisation, would the following be considered compliant? We set up a development Microsoft tenant. Users are provided test laptops that are joined to the development tenant as Autopilot devices. Separate credentials are used for each environment. In the user's home, both their corporate device and the test device reside on the same physical network, but have the OS firewall enabled and controlled via policy on both devices. As we are dealing with cloud services, both devices would have internet access. So does the OS firewall provide sufficient control to be defined as a sub-set? In our scope, the whole organisation is in scope except for the development environment? | Unfortunately, beta software is not compliant with CE. | LINKEDIN_290923 |