Questionnaire Part 4 Secure Business Operations (Boundary Firewalls and Internet Gateways)

Secure Business Operations

(Boundary Firewalls and Internet Gateways)

Info
This section is used to define what firewalls and gateways your company uses, if they are configured correctly, and if they are supported.
You must answer all of the questions in this section. Any unanswered questions will delay the assessment.
Please read all the help text, as it is important that you answer all the questions correctly. 

A4.1 Boundary Firewall

Do you have firewalls at the boundaries between your organisation’s internal networks, laptops, desktops, servers and the internet?
Alert
You must have firewalls in place between your office network and the internet.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Your router normally has a firewall installed.

A4.1.1 Off Network Firewalls

When corporate or user-owned devices (BYOD) are not connected to the organisation’s internal network, how are the firewall controls applied?

Alert
You should also have firewalls in place for home-based workers. If those users are not using a corporate virtual private network (VPN) connected to your office network, they will need to rely on the software firewall included in the operating system of the device in use.
Info
You must protect all corporate and BYOD devices that can access company data (including emails) with a host-based firewall.
An example of an acceptable answer is: 
All of our devices have been configured and are protected by the firewall that is built into the operating system.
or
All our company devices must be connected to our company VPN to access any company data.

A4.2 Firewall Default Password

When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices?
Alert
The default password must be changed on all routers and firewalls, including those that come with a unique password pre-configured (e.g. BT Business Hub, Draytek Vigor 2865ac).
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
You must change the default passwords to meet the scheme's requirements.

A4.2.1 Firewall Password Change Process

Please describe the process for changing the firewall password.
Alert
You need to be aware of how the password on a firewall is changed. Please give a brief description of how this is achieved.
Info
Please give a short description of how the password is changed, including who manages this process and confirms that the password has been changed. If this is managed by a third party, you must include a statement that a named role at your organisation confirms with the third party that the password has been changed.
An example of an acceptable answer is:
All new equipment that is installed on our company network is configured with a new unique username and password by our IT company.
This is confirmed and recorded by our office manager before the new equipment is installed.
or 
When configuring a new firewall, we follow a written procedure which involves running through a checklist of steps that ensure the firewall is set up securely.
This includes changing the firewall's default password.
When this is complete, the configuration is checked by a senior colleague to ensure all steps have been completed before being signed off by the company's CEO. 

A4.3 Firewall Password Configuration

Is the new firewall password configured to meet the password-based authentication requirements? Please select the option being used.
Alert
Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the new section about password-based authentication in the ‘Cyber Essentials Requirements for IT Infrastructure’ document. https://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions/
Info
This is a multiple-choice question. You do not need to add Applicant Notes to be compliant.
Tick each box that applies. You must use at least one of the methods below to be compliant.  
A. Multi-factor authentication with a minimum password length of 8 characters and no maximum length.
B. Automatic blocking of common passwords with a minimum password length of 8 characters and no maximum length.
C. A password with a minimum length of 12 characters and no maximum length.

A4.4 Firewall Password Issue

Do you change the firewall password when you know or suspect it has been compromised? 
Alert
Passwords may be compromised if there has been malware (such as a virus) on your system or if the manufacturer notifies you of a security weakness in their product.
You should be aware of this and know how to change the password if this occurs.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
You must change this password to meet the scheme's requirements.

A4.5 Firewall Services

Do you have any services enabled that can be accessed externally through your internet router, hardware firewall, or software firewall?

Alert
At times your firewall may be configured to allow a system on the inside to become accessible from the internet (for example, a VPN server, a mail server, an FTP server, or a service that is accessed by your customers). This is sometimes referred to as "opening a port". You need to show a business case for doing this because it can present security risks. If you have not enabled any services, answer "No". By default, most firewalls block all inbound services.
Info
This question requires a yes or no answer.
If you answer yes, you will be taken to A4.5.1 to provide further information. If you answer no, you will be taken to A4.6.
Please note that you should not answer no if you have IaaS (infrastructure as a service) in scope.

A4.5.1 Firewall Documented Business Case

Do you have a documented business case for all of these services?
Alert
The business case should be documented and recorded. A business case must be signed off at board level and associated risks reviewed regularly.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
You must have a documented business case for any opened ports.

A4.6 Firewall Service Process

If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? A description of the process is required.
Alert
If you no longer need a service to be enabled on your firewall, you must remove it to reduce the risk of compromise. You should have a process that you follow to do this (for example: when services are reviewed, who decides to remove a service, and who checks that it has been done).
Info
You must have a process for closing opened ports when they are no longer needed. Even if you plan to use a service for the foreseeable future, you must have a process in place.
An example of an acceptable answer is:
All opened ports that are no longer needed are closed when the service is decommissioned, and all opened ports are reviewed yearly by our Operations Director.

A4.7 Firewall Service Block

Have you configured your boundary firewalls so that they block all other services from being advertised to the internet?
Alert
By default, most firewalls block all services from inside the network from being accessed from the internet, but you need to check your firewall settings.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
This question also applies to you if you rely on software firewalls to provide your boundary.
You must have configured your firewall to block all other services from being advertised to the internet.
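Taken together, A4.5.1, A4.6 and A4.7 describe one control: every service reachable from the internet has a documented business case, is reviewed, and is closed when no longer needed, and everything else is blocked. The POSIX shell script below is an added example, not part of the questionnaire or of IASME guidance, of how to check that in practice by reconciling an external port scan against a register of approved services. The register format, the owners, the dates and the nmap output line are all constructed for illustration; a real check would read the register from a file and the scan from `nmap -oG -` run from outside the boundary.

```shell
#!/bin/sh
# Added example: reconcile services reachable from the internet against the
# documented business-case register (A4.5.1, A4.6, A4.7). Not part of the
# Cyber Essentials questionnaire or IASME guidance.

# Register of approved externally reachable services, one per line:
#   port/proto,owner,business case,next review date (YYYY-MM-DD)
# The format and every entry are constructed for this example.
REGISTER='443/tcp,IT Manager,Customer web portal,2025-01-31
1194/udp,IT Manager,Staff VPN,2025-01-31
21/tcp,Operations Director,Legacy supplier FTP,2023-06-30'

# Greppable nmap output (nmap -sS -sU -oG -) from a scan run outside the
# boundary. Constructed sample: 8080/tcp is open but is not in the register.
SCAN='Host: 203.0.113.10 () Ports: 21/open/tcp//ftp///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///, 1194/open/udp//openvpn///'

# open_ports SCAN_LINE -> "port/proto" per line for every port in state open
open_ports() {
  printf '%s\n' "$1" | sed 's/.*Ports: //' | tr ',' '\n' | sed 's/^ *//' |
    awk -F/ '$2 == "open" { print $1 "/" $3 }'
}

# isodate_num YYYY-MM-DD -> YYYYMMDD, so dates compare as integers
isodate_num() {
  printf '%s\n' "$1" | tr -d -
}

# reconcile REGISTER SCAN_LINE TODAY -> one finding per line:
#   UNDOCUMENTED   port/proto  open but has no business case   (A4.5.1 / A4.7)
#   REVIEW_OVERDUE port/proto  documented, but review date has passed (A4.6)
#   NOT_OPEN       port/proto  in the register but not reachable (stale entry)
# Prints nothing when the external view and the register agree.
reconcile() {
  register=$1
  open=$(open_ports "$2")
  today=$(isodate_num "$3")
  for p in $open; do
    if ! printf '%s\n' "$register" | grep -q "^$p,"; then
      echo "UNDOCUMENTED $p"
    fi
  done
  printf '%s\n' "$register" | while IFS=, read -r port owner reason review; do
    if printf '%s\n' "$open" | grep -qx "$port"; then
      if [ "$(isodate_num "$review")" -lt "$today" ]; then
        echo "REVIEW_OVERDUE $port"
      fi
    else
      echo "NOT_OPEN $port"
    fi
  done
}

reconcile "$REGISTER" "$SCAN" 2024-09-01
```

With the sample data and a review date of 2024-09-01 the script reports 8080/tcp as undocumented and 21/tcp as overdue for review; an empty result is the state an assessor expects to see. The same reconciliation works for a software-firewall boundary (A4.7) as long as the scan is taken from outside it.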

A4.8 Firewall Remote Configuration

Are your boundary firewalls configured to allow access to their configuration settings over the internet?
Alert
Sometimes organisations configure their firewall to allow other people (such as an IT support company) to change the settings via the internet. If you have not set up your firewalls to be accessible to people outside your organisation, or your device configuration settings are only accessible via a VPN connection, then answer "no" to this question.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant, but you may wish to add a note to clarify, depending on your setup.
If the configuration settings can be reached from the internet, answer "yes"; you will then be asked for further information in A4.9 and A4.10.
An example of an acceptable answer is:
Our firewall is accessible over the internet but is configured to be accessible only from our own IP address. 

A4.9 Documented Admin Access

If yes, is there a documented business requirement for this access?
Alert
You must have made a decision in the business that you need to provide external access to your routers and firewalls. This decision must be documented (i.e., written down).
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
You must have a documented business need to meet the scheme's requirements.

A4.10 Admin Access Method

If yes, is the access to the settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication to access the settings? Please explain which option is used.
Alert
If you allow direct access to configuration settings via your router or firewall's external interface, this must be protected by one of the two options.
Info
Access to the settings must be protected either by multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication to access the settings. One of these two options is required if the firewall's admin interface is accessible via the internet. The question is not concerned with interface access from within the local network.
An example of an acceptable answer is:
Our firewall is accessible over the internet but is configured to be accessible only from our own IP address. 

A4.11 Software Firewalls

Do you have software firewalls enabled on all of your computers, laptops, and servers?
Alert
Your software firewall needs to be configured and enabled at all times, even when sitting behind a physical/virtual boundary firewall in an office location. You can check this setting on Macs in the Security & Privacy section of System Preferences (System Settings > Network > Firewall on macOS 13 and later). On Windows devices you can check this by going to Settings and searching for "Windows firewall". On Linux try "ufw status" (or the status command of whichever firewall front end your distribution uses).
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
You must protect all corporate and BYOD devices that can access company data (including emails) with a host-based firewall.
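The manual checks described under A4.11 can be scripted. The POSIX shell functions below are an added example, not part of the scheme's guidance, that interpret the output of `ufw status verbose`, `firewall-cmd --state` (firewalld) and macOS `socketfilterfw --getglobalstate`, and report whether the host firewall is enabled. An empty result (for example, ufw run without root) is reported as unknown rather than disabled, and a ufw that is active but defaults to allowing inbound traffic is reported separately, because it is not actually filtering. The sample outputs in the comments are the documented outputs of those tools; the state names are this example's own. On Windows the equivalent check is `Get-NetFirewallProfile | Select-Object Name, Enabled` in PowerShell.

```shell
#!/bin/sh
# Added example: report the host firewall state on Linux (ufw or firewalld)
# and macOS (A4.11). Not part of the Cyber Essentials questionnaire or
# IASME guidance.

# classify TOOL OUTPUT -> enabled | enabled-open | disabled | unknown
#   TOOL is ufw, firewalld or macos; OUTPUT is that tool's stdout.
#   enabled-open: ufw is active but its default inbound policy is allow.
#   unknown: empty or unrecognised output, e.g. the tool refused to run
#   without root.
classify() {
  tool=$1
  out=$2
  if [ -z "$out" ]; then
    echo unknown
    return 0
  fi
  case "$tool" in
    ufw)
      # "ufw status verbose" prints e.g.
      #   Status: active
      #   Default: deny (incoming), allow (outgoing), disabled (routed)
      case "$out" in
        *"Status: active"*)
          case "$out" in
            *"deny (incoming)"* | *"reject (incoming)"*) echo enabled ;;
            *"allow (incoming)"*) echo enabled-open ;;
            *) echo enabled ;;   # plain "ufw status" omits the Default line
          esac ;;
        *) echo disabled ;;
      esac ;;
    firewalld)
      # "firewall-cmd --state" prints "running" or "not running"
      case "$out" in
        "not running"*) echo disabled ;;
        running*)       echo enabled ;;
        *)              echo unknown ;;
      esac ;;
    macos)
      # socketfilterfw prints "Firewall is enabled. (State = 1)",
      # "(State = 2)" for block-all-incoming, or "(State = 0)" when off
      case "$out" in
        *"State = 1"* | *"State = 2"*) echo enabled ;;
        *"State = 0"*)                 echo disabled ;;
        *)                             echo unknown ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# host_firewall_state -> the state of this machine's firewall, using
# whichever supported tool is present. Needs root for ufw and firewalld.
host_firewall_state() {
  if [ "$(uname -s)" = Darwin ]; then
    classify macos "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)"
  elif command -v ufw >/dev/null 2>&1; then
    classify ufw "$(ufw status verbose 2>/dev/null)"
  elif command -v firewall-cmd >/dev/null 2>&1; then
    classify firewalld "$(firewall-cmd --state 2>/dev/null)"
  else
    echo unknown
  fi
}

# check_host_firewall -> exit 0 only when the firewall is enabled with a
# deny-by-default inbound policy, so it can gate a compliance script.
check_host_firewall() {
  state=$(host_firewall_state)
  echo "host firewall: $state"
  [ "$state" = enabled ]
}

echo "host firewall: $(host_firewall_state)"
```

Use `check_host_firewall || exit 1` in a build or onboarding script to refuse to proceed on a device whose firewall is off; treat `unknown` as a finding to investigate, not as a pass.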

A4.12 Software Firewalls Not Default

If no, is this because software firewalls are not installed by default for the operating system you are using? Please list the operating systems.
Alert
Very few operating systems do not have software firewalls available. Examples might include embedded Linux systems or bespoke servers. For the avoidance of doubt, all versions of Windows, macOS and all common Linux distributions such as Ubuntu do have software firewalls available.
Info
Note that software firewalls must be enabled unless they are not commonly available for the operating system being used. Listing an operating system here that does have a software firewall available (such as Windows, macOS or Ubuntu) contradicts your answer to A4.11 and would be non-compliant.



