You are viewing an old version of this page (Version 6).
The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576646422/User+Access+Control+FAQ#

QUESTION

ANSWER

Some developers need local admin access to compile, debug and check in source code changes using their standard account. Would this fail the Cyber Essentials assessment and, if so, how do organisations manage the local admin privilege needs of development team members?

It would not automatically fail a Cyber Essentials assessment, but it would be an issue when certifying for Cyber Essentials Plus. Account separation is a core control, and if it cannot be achieved for these developers, we would suggest de-scoping the developer network by segmenting it from the rest of the estate with a firewall or VLAN.

Are shared accounts permissible under certain circumstances, such as a shared third-party web application account? Or are they not allowed at all?

Shared accounts are not compliant with the Cyber Essentials scheme. Unique accounts are required for all users and administrators. As stated in the Cyber Essentials Requirements, you need to ensure that user accounts are assigned to authorised individuals only and provide access to only those applications, computers and networks required for the user to perform their role.

While admin accounts shouldn't be used on a day-to-day basis, what about when admin privileges are temporarily needed to install software or run scripts?

All administrator accounts need to be approved by a person of authority.
The standard requires that every administrator has both a user account and an administrator account, and that the administrator account is only used to perform administrative tasks.
This can be achieved by policy, education and technical controls; if technical controls are used, they must themselves be compliant with Cyber Essentials.
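One technical check that supports the account-separation requirement is to audit which accounts actually sit in the local Administrators group on each in-scope Windows device. The script below is an added example, not part of the IASME FAQ; it assumes that dedicated admin accounts follow a naming convention matched by `$AdminPattern`, which you would adjust to your own convention.

```powershell
# Added example, not from the IASME FAQ: report local Administrators members that
# look like day-to-day user accounts. ASSUMPTION: dedicated admin accounts follow a
# naming convention matched by $AdminPattern (adjust to your own convention).
function Test-AdminAccountSeparation {
    param(
        [string]$AdminPattern = '^(adm-|admin-)',
        [string[]]$AllowedBuiltIn = @('Administrator', 'Domain Admins', 'Enterprise Admins')
    )

    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        # Name is "DOMAIN\name" or "HOST\name"; keep only the account part
        $account = ($m.Name -split '\\')[-1]

        if ($m.ObjectClass -ne 'User') { continue }            # nested groups are reviewed separately
        if ($AllowedBuiltIn -contains $account) { continue }    # built-in admin principals
        if ($account -match $AdminPattern) { continue }         # named as a dedicated admin account

        $lastLogon = $null
        if ($m.PrincipalSource -eq 'Local') {
            # For local accounts, LastLogon hints at whether the account is in daily use
            $lastLogon = (Get-LocalUser -Name $account -ErrorAction SilentlyContinue).LastLogon
        }

        [pscustomobject]@{
            Account   = $m.Name
            Source    = $m.PrincipalSource
            LastLogon = $lastLogon
            Finding   = 'Member of Administrators but not named as a dedicated admin account'
        }
    }
}

# Run in an elevated session on each in-scope device; an empty result means every
# user in Administrators matches the admin naming convention.
Test-AdminAccountSeparation | Format-Table -AutoSize
```

A finding is a prompt to review whether that person has a separate admin account, not proof of non-compliance on its own, since the naming convention is only a heuristic.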

When using third-party cloud services (such as MS365), is it acceptable to use one centralised mobile device, owned by one user, to retrieve the authentication code, even though various users use the system?

It's acceptable, but perhaps not advisable. For example: what happens if that phone is lost? You would need to consider the various failure scenarios and what would happen to access to the service if they occurred.

If an organisation has a policy that does not allow personally-owned devices, is a technical control needed to stop unauthorised devices from connecting?

A common solution is to monitor your cloud services and not allow devices to connect unless they are authorised devices supplied by the organisation. Asset management plays a role here, as you need to understand how, and which, devices are connecting to your cloud services.

Why are controls needed on personally-owned devices that access virtual desktops as clients?

The client access software needs to run on a supported operating system, and both the operating system and the client software must be kept up to date with their latest security updates. There are known commodity attacks against the devices used to access those sessions, including screen recording of the session, so the client devices must remain in scope.
