QUESTION | ANSWER |
---|---|
What is the difference between a user and an admin account? | |
Why do I need to remove unused software or apps from my devices? | |
What is a default account and why does it matter? | |
What is the minimum length of a PIN number for Cyber Essentials? | |
Does a customer count as a user? | |
How is secure configuration managed when assets are supplied and managed by a third party? | In this case the controls would need to be applied by the third party because they would have the access to carry out the administration of the devices. This is a fairly common scenario - but you would still be responsible for making sure that the controls have been applied to the devices. |
Does the requirement to disable or remove unused software also apply to contractors – how do we police that? Is it enough to ask them to do it? | There are many different ways you can ensure this, ranging from technical implementation to a written policy. For contractors, a good suggestion might be to add it as part of the SLA or contract. If you move on to CE Plus, a sample of these devices would be tested by an assessor. You could follow the same approach and look at a sample as part of your management checks. |
Is having an MDM tool such as MS Intune a requirement for Cyber Essentials Plus certification? | There is no requirement for using MDM in Cyber Essentials. |