Questionnaire Part 5 Secure Business Operations (Secure Configuration)

Secure Business Operations
(Secure Configuration)


A5.1 Removed Unused Software

Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, desktop computers, thin clients, servers, tablets, mobile phones, and cloud services? Describe how you achieve this.
Alert
To view your installed applications on Windows, look in the Start Menu (or Settings -> Apps); on macOS open Finder -> Applications; and on Linux list the installed packages with your package manager (for example dpkg/apt, rpm, yum or dnf). You must remove or disable all applications, system utilities and network services that are not needed in day-to-day use. You also need to check your cloud services and disable any services that are not required for day-to-day use.
Info
In this question we are looking to see if you have removed any software that you are not using on your device.
We need a short description on how this is achieved. 
An example of an acceptable answer is:
When configuring a device, we remove any software that may be shipped with the device but is not needed.
Setup of the device is reviewed by a senior colleague before it is signed off as complete.
Going forward, any software that is no longer used by the company or individual is removed.
We regularly check what software applications are installed and remove any that have been retired.

A5.2 Remove Unrequired User Accounts

Have you ensured that all your laptops, computers, servers, tablets, mobile devices, and cloud services only contain necessary user accounts that are regularly used in the course of your business?
Alert
You must remove or disable any user accounts that are not needed in day-to-day use on all devices and cloud services. You can view your user accounts on Windows by right-clicking Start -> Computer Management -> Local Users and Groups -> Users, on macOS in System Preferences -> Users & Groups, and on Linux with "cat /etc/passwd".
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
We are looking to see that your devices only contain the user accounts that are required. Any other accounts must be removed.
Alert
Please note that unnecessary guest accounts must be removed as part of this requirement.
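A5.1 and A5.2 both come down to comparing what is actually on a device against an approved baseline. The script below is an added example (not part of the questionnaire guidance and not from IASME) that does this for a Linux host: it reads the package list in the format produced by `dpkg-query -W -f='${Package}\t${Status}\n'` on Debian or Ubuntu, and the local account list from /etc/passwd, and reports anything not on the baseline. The two samples, the approved lists and the treatment of the `guest` name are all constructed for the example; on a real host you would feed in the real command output and file, and maintain the approved lists under change control.

```python
"""Baseline audit for a Linux host, covering A5.1 (unused software) and
A5.2 (unrequired user accounts).

Added example, not part of the questionnaire guidance. The samples and the
approved lists below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of dpkg-query output: "<package>\t<want> <flag> <status>".
SAMPLE_DPKG = (
    "openssh-server\tinstall ok installed\n"
    "telnetd\tinstall ok installed\n"
    "libreoffice-core\tdeinstall ok config-files\n"
    "nmap\tinstall ok installed\n"
)

# Constructed sample of /etc/passwd (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "guest:x:1001:1001:Guest:/home/guest:/usr/sbin/nologin\n"
    "oldcontractor:x:1002:1002::/home/oldcontractor:/bin/zsh\n"
    "backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n"
)

# Hypothetical baselines; an organisation keeps these under change control.
APPROVED_PACKAGES = frozenset({"openssh-server", "libreoffice-core"})
APPROVED_USERS = frozenset({"root", "alice"})
NOLOGIN_SHELLS = frozenset({"/usr/sbin/nologin", "/sbin/nologin",
                            "/bin/false", "/usr/bin/false"})


def installed_packages(dpkg_output: str) -> set[str]:
    """Names of packages whose dpkg status is 'installed'. Packages that were
    removed but left config files behind ('config-files') are not counted."""
    names = set()
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        name, status = line.split("\t", 1)
        if status.split()[-1] == "installed":
            names.add(name)
    return names


def unapproved_packages(dpkg_output: str, approved=APPROVED_PACKAGES) -> list[str]:
    """Installed packages that are not on the approved list (A5.1)."""
    return sorted(installed_packages(dpkg_output) - approved)


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    shell: str

    @property
    def interactive(self) -> bool:
        """True when the account has a shell that permits a login."""
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> list[Account]:
    """Parse /etc/passwd lines into Account records."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts.append(Account(name=fields[0], uid=int(fields[2]), shell=fields[6]))
    return accounts


def unapproved_accounts(passwd_text: str, approved=APPROVED_USERS) -> list[str]:
    """Accounts to remove or disable (A5.2): any 'guest' account, whatever its
    shell, and any other account that can log in but is not on the approved
    list. Service accounts with a nologin shell are left alone."""
    flagged = []
    for acct in parse_passwd(passwd_text):
        if acct.name in approved:
            continue
        if acct.name == "guest" or acct.interactive:
            flagged.append(acct.name)
    return sorted(flagged)


if __name__ == "__main__":
    print("Packages not on baseline:", unapproved_packages(SAMPLE_DPKG))
    print("Accounts not on baseline:", unapproved_accounts(SAMPLE_PASSWD))
```

On the sample data the report lists `nmap` and `telnetd` as packages to remove and `guest` and `oldcontractor` as accounts to remove or disable; `libreoffice-core` is not reported because dpkg shows it already removed. The same comparison applies to Windows, macOS and cloud tenants, only the source of the inventory changes.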

A5.3 Change Default Password

Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets, and mobile phones that follow the password-based authentication requirements of Cyber Essentials?
Alert
A password that is difficult to guess will be unique and not be made up of common or predictable words such as "password" or "admin", or include predictable number sequences such as "12345".
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Most devices come with default passwords that can be easily found on the internet. All default passwords must be changed.

A5.4 Internally Hosted External Services

Do you run external services that provide access to data (that should not be made public) to users across the internet?
Alert
Your business might run software that allows staff or customers to access information across the internet from an external service hosted on your internal network or in a cloud data centre. This could be a VPN server, a mail server, or an internet application (SaaS or PaaS) that you provide to your customers as a product.
In all cases these applications provide information that is confidential to your business and your customers and that you would not want to be publicly accessible.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

A5.5 External Service Password Configuration

If yes, which option of password-based authentication do you use?
Alert
A. Multi-factor authentication, with a minimum password length of 8 characters and no maximum length.
B. Automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length.
C. A password with a minimum length of 12 characters and no maximum length.

Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the new section about password-based authentication in the ‘Cyber Essentials Requirements for IT Infrastructure’ document. https://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions/ 
Info
This is a multiple-choice question.
You must select at least one option to meet the scheme's requirements.

A5.6 Compromised Password on External Service

Describe the process in place for changing passwords when you believe they have been compromised.
Alert
Passwords may be compromised if malware has been found on your system or if the manufacturer notifies you of a security weakness in their product. You should be aware of this and know how to change the password if this occurs.
Info
You should write a concise description of your procedure for changing potentially compromised passwords.
An example of an acceptable answer is:
If there is any suspicion that a device or password may have been compromised, the equipment in question is immediately reset to factory settings. It is then reconfigured from company documentation with a new password.
Any security or software/firmware updates available after a weakness has been discovered in a product will be applied after the initial reset, prior to reconfiguring. If no updates are available, or we cannot verify the integrity of the software on the device, the device will be retired and replaced with alternative equipment.

A5.7 External Service Brute Force

When not using multi-factor authentication which option are you using to protect your external service from brute-force attacks?
Alert
The external service that you provide must be set to slow down or stop attempts to log in if the wrong username and password have been tried a number of times. This reduces the opportunity for cyber criminals to keep trying different passwords (brute-forcing) in the hope of gaining access.
Info
You should describe the controls you have in place to protect against brute force attacks. Compliant options include 'throttling' the rate of attempts (with a maximum of 10 guesses in 5 minutes) and locking accounts after a maximum of 10 failed attempts.
An example of an acceptable answer is:
Where no MFA is available, we use alternative brute force mitigations, including rate-limiting login attempts and locking accounts to local access only after a set number of consecutive failed logins. Geographic access restrictions are also in place (UK access only, EU, and other regions added/removed as required for travelling employees). Rate limiting is 2 attempts per minute. Accounts get locked to local-only access after 5 consecutive failed logins.
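The two ceilings in the guidance above (no more than 10 guesses in 5 minutes, and a lock after no more than 10 failed attempts) are simple to enforce in the login path. The class below is an added example written for this page; it is not code from the questionnaire or from any product. It assumes attempts are keyed by username, a 15-minute lock, and an injectable clock; the two demo functions use a fake clock so the scenarios run instantly rather than waiting minutes.

```python
"""Brute-force protection for an external service's login (A5.7).

Added example, not code from the questionnaire or any product. Enforces
throttling (max 10 checked guesses per account in any 5-minute window) and
lockout (after 10 consecutive failures). Per-username keying, the 15-minute
lock and the injected clock are assumptions made for the example.
"""
from __future__ import annotations

import time
from collections import defaultdict, deque
from typing import Callable


class LoginThrottle:
    def __init__(self, max_per_window: int = 10, window_seconds: int = 300,
                 lock_after: int = 10, lock_seconds: int = 900,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.lock_after = lock_after
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._attempts = defaultdict(deque)   # user -> timestamps of checked attempts
        self._failures = defaultdict(int)     # user -> consecutive failures
        self._locked_until = {}               # user -> time the lock expires

    def _prune(self, user: str, now: float) -> None:
        """Drop attempts that have fallen out of the sliding window."""
        q = self._attempts[user]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, user: str) -> tuple[bool, str]:
        """Decide whether an attempt may even reach the password check."""
        now = self.clock()
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                return False, "locked"
            del self._locked_until[user]      # lock expired: start afresh
            self._failures[user] = 0
        self._prune(user, now)
        if len(self._attempts[user]) >= self.max_per_window:
            return False, "throttled"
        return True, "ok"

    def record(self, user: str, success: bool) -> None:
        """Record the outcome of an attempt that was actually checked."""
        now = self.clock()
        self._attempts[user].append(now)
        if success:
            self._failures[user] = 0
            return
        self._failures[user] += 1
        if self._failures[user] >= self.lock_after:
            self._locked_until[user] = now + self.lock_seconds

    def login(self, user: str, password: str,
              check: Callable[[str, str], bool]) -> tuple[bool, str]:
        """Gate a login; returns (accepted, reason). The password is checked
        only when the attempt is neither throttled nor locked, so the window
        counts every guess the caller got a verdict on, successful or not."""
        ok, reason = self.allow(user)
        if not ok:
            return False, reason
        success = check(user, password)
        self.record(user, success)
        return success, "ok" if success else "bad-credentials"


class FakeClock:
    """Deterministic clock so the demos run without waiting."""
    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo_throttle() -> list[str]:
    """Eleven guesses inside five minutes: the 11th is refused even though a
    success in the middle reset the consecutive-failure counter."""
    clock = FakeClock()
    th = LoginThrottle(clock=clock)
    check = lambda user, pw: pw == "correct horse battery staple"
    reasons = []
    for pw in ["a", "b", "c", "d", "e", "correct horse battery staple", "f", "g", "h", "i"]:
        reasons.append(th.login("alice", pw, check)[1])
        clock.advance(10)
    reasons.append(th.login("alice", "j", check)[1])   # 11th attempt in the window
    clock.advance(300)                                  # window expires
    reasons.append(th.login("alice", "correct horse battery staple", check)[1])
    return reasons


def demo_lockout() -> list[str]:
    """Ten consecutive failures lock the account; it reopens after the lock."""
    clock = FakeClock()
    th = LoginThrottle(clock=clock)
    check = lambda user, pw: pw == "s3cret"
    reasons = []
    for i in range(11):
        reasons.append(th.login("bob", f"guess{i}", check)[1])
        clock.advance(1)
    clock.advance(900)
    reasons.append(th.login("bob", "s3cret", check)[1])
    return reasons


if __name__ == "__main__":
    print(demo_throttle())
    print(demo_lockout())
```

One caveat worth keeping in mind when choosing between the two options: a lock keyed on the username alone lets anyone who knows a staff member's login lock that person out by sending ten bad passwords. Keying throttling on the source address as well, and keeping the lock duration short, limits that side effect while still meeting the ceiling in the guidance.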

A5.8 External Service Password Policy

Do you have a documented password policy that guides all users of the external service?
Alert
The password policy must include: guidance on how to choose longer passwords for example ‘three random words’, not to use the same password for multiple accounts, which passwords may be written down and where they can be stored, and if they may use a password manager.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

A5.9 Auto-Run Disabled

Is "auto-run" or "auto-play" disabled on all of your systems?
Alert
This is a setting which automatically runs software from a DVD or memory stick when it is inserted. You can disable "auto-run" or "auto-play" on Windows through Settings, on macOS through System Preferences and on Linux through the settings app for your distribution. It is acceptable to choose the option where the user is prompted to decide what happens each time they insert a memory stick; if you have chosen this option you can answer yes to this question.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

A5.10 Device Locking

When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed?
Alert
Device locking mechanisms such as biometric, password or PIN, need to be enabled to prevent unauthorised access to devices accessing organisational data or services.
Info
This is a new requirement in Cyber Essentials. More information can be found in the Cyber Essentials Requirements for IT Infrastructure document: https://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions/
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

A5.11 Device Locking Method

Which method do you use to unlock the devices?
Alert
Please refer to the Device Unlocking Credentials paragraph under Secure Configuration in the Cyber Essentials Requirements for IT Infrastructure document for further information.
A PIN of at least six characters may only be used where the credential is used solely to unlock the device and does not provide access to organisational data and services without further authentication.
Info
Provide a brief description of the method used to unlock your devices.
If the credentials are unique to the device (not used to unlock any other devices), then acceptable methods are a biometric test (e.g., fingerprint ID) or a password/PIN with minimum 6 characters.
If the credentials are not unique to the device, then the method must be one of the following: password of minimum 8 characters supported by either MFA or a deny list, or a password of minimum 12 characters.
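The options in A5.5 (A: MFA with at least 8 characters; B: automatic blocking of common passwords with at least 8 characters; C: at least 12 characters; all with no maximum length) and the device-unlock rules in A5.11 above share one structure, so one check can serve both. The code below is an added example for this page, not from the questionnaire or any vendor: it models a password policy's settings, reports which A5.5 option the settings satisfy, rejects a policy that imposes a maximum length, and applies the A5.11 rules for device-unique and shared unlock credentials. The deny list is a small constructed stand-in for the large breached-password list a real deployment would load.

```python
"""Password-policy checks for A5.5 (external services) and A5.11 (device
unlocking). Added example, not from the questionnaire or any vendor. The
deny list is a constructed stand-in for a real common-password list.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a real common/breached-password list.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "passw0rd", "admin", "administrator",
    "12345678", "123456789", "qwerty123", "letmein1", "welcome1",
})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: Optional[int] = None   # None means no cap, which the scheme requires
    mfa: bool = False                  # multi-factor authentication enforced
    deny_list: bool = False            # common passwords blocked automatically


def option_met(policy: PasswordPolicy) -> Optional[str]:
    """Which A5.5 option the policy satisfies ('A', 'B' or 'C'), or None.
    A maximum length disqualifies every option, whatever else is set."""
    if policy.max_length is not None:
        return None
    if policy.mfa and policy.min_length >= 8:
        return "A"
    if policy.deny_list and policy.min_length >= 8:
        return "B"
    if policy.min_length >= 12:
        return "C"
    return None


def password_acceptable(password: str, policy: PasswordPolicy) -> bool:
    """Apply a compliant policy to a candidate password. Deny-list matching
    is case-insensitive so 'Password1' is caught as well as 'password1'."""
    if option_met(policy) is None:
        raise ValueError("policy does not satisfy any A5.5 option")
    if len(password) < policy.min_length:
        return False
    if policy.deny_list and password.lower() in COMMON_PASSWORDS:
        return False
    return True


def device_unlock_acceptable(credential: str, *, unique_to_device: bool,
                             biometric: bool = False,
                             policy: Optional[PasswordPolicy] = None) -> bool:
    """A5.11: biometric unlock is acceptable (the template lives on the
    device); a device-unique PIN or password needs at least 6 characters; a
    credential shared with other systems must meet an A5.5 option, supplied
    as `policy`."""
    if biometric:
        return True
    if unique_to_device:
        return len(credential) >= 6
    if policy is None:
        raise ValueError("shared credentials need an A5.5-compliant policy")
    return password_acceptable(credential, policy)


if __name__ == "__main__":
    # Weak setting beside the corrected one: a 16-character cap, common in
    # older systems, disqualifies the policy even with MFA turned on.
    print(option_met(PasswordPolicy(min_length=8, max_length=16, mfa=True)))  # None
    print(option_met(PasswordPolicy(min_length=8, mfa=True)))                 # A
```

The check that catches most real systems is the maximum length: a policy that looks compliant on minimum length and MFA still fails if the service silently truncates or rejects long passwords, so it is worth testing the login form with a 60-character password before answering A5.5.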

