The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576842897/Secure+Configuration+-+FAQ#
QUESTION | ANSWER |
---|---|
What is the difference between a user and an admin account? | A user account is a standard account with limited control over a device or system. An admin (administrator) account is an account which has a high level of access and control (for example it can create, modify or delete accounts, change system settings, and install software). |
What happens if a member of staff needs an admin account for their job role? | They can be provided with an admin account as long as you ensure the following: |
Why do I need to remove unused software or apps from my devices? | Unused software is less likely to be kept updated and may contain vulnerabilities that make your system less secure. |
What is a brute force attack? | A brute force attack can discover a password by trying every combination of characters until the correct one is found. |
What is throttling? | Throttling is a way of protecting against brute force attacks by increasing the time between each attempt at entering a password, slowing down the rate at which combinations can be tried. For Cyber Essentials, no more than 10 guesses in 5 minutes are allowed. |
What does device locking apply to? | Device locking applies when someone has physical access to a device which is used to access your organisation’s data or services and means that you must enter a password, PIN or biometric data to use the device. |
What is a default account and why does it matter? | A default account will often have an easily-discoverable default password (or empty password) meaning that anybody could use it to access a device. |
What is the minimum length of a PIN or password for Cyber Essentials? | When unlocking a device, 6 characters. Where common passwords are blocked automatically, or MFA is in use, 8 characters. In all other cases, 12 characters. |
Does a customer count as a user? | If they are accessing organisational data and services, they will count as a user. |
How is secure configuration managed when assets are supplied and managed by a third party? | In this case the controls would need to be applied by the third party because they would have the access to carry out the administration of the devices. This is a fairly common scenario - but you would still be responsible for making sure that the controls have been applied to the devices. |
Does the requirement to disable or remove unused software also apply to contractors – how do we police that? Is it enough to ask them to do it? | There are many different ways you can ensure this, ranging from technical implementation to a written policy. For contractors, a good approach is to include the requirement in the SLA or contract. If you move on to Cyber Essentials Plus, a sample of these devices would be tested by an assessor. You can follow the same approach yourself and check a sample of devices as part of your management checks. |
Is having an MDM tool such as MS Intune a requirement for Cyber Essentials Plus certification? | There is no requirement for using MDM in Cyber Essentials. |
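The throttling rule quoted in the table above (no more than 10 guesses in 5 minutes) written out as a sliding-window login throttle. This is an added illustration, not code from the IASME page or from any Cyber Essentials tooling; the account names, passwords and timestamps are constructed, and the caller supplies the clock so the behaviour is deterministic.

```python
import hmac
from collections import defaultdict, deque

# Cyber Essentials bound quoted in the FAQ: at most 10 guesses in any 5-minute window.
MAX_ATTEMPTS = 10
WINDOW_SECONDS = 300


class LoginThrottle:
    """Per-account sliding window of failed password attempts.

    A guess is refused while the account already has MAX_ATTEMPTS failures
    inside the last WINDOW_SECONDS. Refused guesses are not counted, so an
    attacker cannot extend their own lockout by hammering the endpoint.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:  # drop failures older than the window
            q.popleft()
        return q

    def retry_after(self, account, now):
        """Seconds until another guess is allowed; 0 when one is allowed now."""
        q = self._prune(account, now)
        if len(q) < self.max_attempts:
            return 0
        return self.window - (now - q[0])  # when the oldest failure ages out

    def record_failure(self, account, now):
        self._prune(account, now).append(now)

    def record_success(self, account):
        self._failures.pop(account, None)  # a good login clears the history


def attempt_login(throttle, account, supplied, expected, now):
    """Gate a login through the throttle; returns 'ok', 'bad_password' or 'throttled'."""
    if throttle.retry_after(account, now) > 0:
        return "throttled"
    # hmac.compare_digest stands in for real credential verification (constructed example)
    if hmac.compare_digest(supplied, expected):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad_password"
```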