The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576842897/Secure+Configuration+-+FAQ#

QUESTION

ANSWER

Do personally-owned devices (and any installed software) need to be kept up to date with security updates for Cyber Essentials?

Yes, personally-owned devices must be kept up to date if they are being used to access organisational data and services.

Is brute force device locking now mandatory? What are the requirements if so?

You'll need to use either throttling or account locking after 10 attempts to protect against brute force attacks.

How is secure configuration managed when assets are supplied and managed by a third party?

In this case the controls would need to be applied by the third party because they would have the access to carry out the administration of the devices. This is a fairly common scenario - but you would still be responsible for making sure that the controls have been applied to the devices. 

Does the requirement to disable or remove unused software also apply to contractors – how do we police that? Is it enough to ask them to do it?

There are many different ways you can ensure this, ranging from technical implementation to a written policy. For contractors, a good suggestion might be to add it in as part of the SLA or contract. If you move on to CE Plus, a sample of these devices would be tested by an assessor. You could always follow this same approach and look at a sample as part of your management checks.

Is having an MDM tool such as MS Intune a requirement for Cyber Essentials Plus certification?

There is no requirement for using MDM in Cyber Essentials.
We do not dictate how you implement the controls; this can be done through a combination of technical implementation, policy or procedure, although it is expected that a technical solution would be used.
