Questionnaire Part 8 Malware Protection

Malware Protection


A8.1 Malware Protection

Are all of your desktop computers, laptops, tablets, and mobile phones protected from malware by either:
A - having anti-malware software installed and/or:
B - limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) and/or:
C - application sandboxing (i.e. by using a virtual machine)?
Alert
Please select all the options that are in use in your organisation across all your devices. Most organisations that use smartphones and standard laptops will need to select both option A and B.
Info
This is a multiple-choice question. You should make sure to consider all devices in scope. All devices should be protected from malware by at least one of the three options.

A8.2 Daily Update

(A) Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access?
Alert
This is usually the default setting for anti-malware software. You can check these settings in the configuration screen for your anti-virus software. You can use any commonly used anti-virus product, whether free or paid-for, as long as it can meet the requirements in this question. For the avoidance of doubt, Windows Defender is suitable for this purpose.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Anti-malware software is available for macOS, Windows, Linux, often Unix, Android, and BlackBerry OS, and should be set to update daily and scan files automatically.
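
Where the installed product is Windows Defender, the two A8.2 conditions can be read from PowerShell instead of the configuration screen. This is an added example, not part of the questionnaire; it assumes the Defender PowerShell module is available on the device, and the one-day signature age threshold is our reading of "update daily".

```powershell
# Added example: checks Windows Defender against the A8.2 conditions
# (daily updates, automatic scanning of files on access).
# Assumption: Defender is the active anti-malware product on this device.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
}
catch {
    Write-Warning "Could not query Defender status: $($_.Exception.Message)"
    exit 2
}

# AntivirusSignatureAge is reported in whole days (0 = updated today).
$checks = [ordered]@{
    'Antivirus engine enabled'        = $status.AntivirusEnabled
    'Real-time protection enabled'    = $status.RealTimeProtectionEnabled
    'On-access scanning enabled'      = $status.OnAccessProtectionEnabled
    'Signatures updated within 1 day' = ($status.AntivirusSignatureAge -le 1)
}

# Turn the checks into objects so they can be tabulated or exported.
$results = foreach ($name in $checks.Keys) {
    [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
}
$results | Format-Table -AutoSize

"Signatures last updated: {0}" -f $status.AntivirusSignatureLastUpdated

# Non-zero exit code lets a management tool flag the device.
if ($results.Pass -contains $false) {
    Write-Warning 'At least one A8.2 condition is not met on this device.'
    exit 1
}
```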

A8.3 Scan Web Pages

(A) Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?
Alert
Your anti-virus software should have a plugin for your internet browser or for the operating system itself that prevents access to known malicious websites. On Windows 10, SmartScreen can provide this functionality.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

A8.4 Application Signing

(B) Where you use an app-store or application signing, are users restricted from installing unsigned applications?
Alert
By default, most mobile phones and tablets restrict you from installing unsigned applications. Usually you have to "root" or "jailbreak" a device to allow unsigned applications.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
One way to meet this requirement would be to restrict iOS/Android application downloads to the App Store/Google Play store only. Rooted or jailbroken devices are not acceptable.

A8.5 Approved Application List

(B) Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you document this list of approved applications?
Alert
You must create a list of approved applications and ensure users only install these applications on their devices. This includes employee-owned devices. You may use mobile device management (MDM) software to meet this requirement but you are not required to use MDM software if you can meet the requirements using good policy, processes and training of staff.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

A8.6 Application Sandboxing

(C) Where you use application sandboxing, do you ensure that applications within the sandbox are unable to access data stores, sensitive peripherals, and your local network? Describe how you achieve this.
Alert
If you are using a virtual machine to sandbox applications, you can usually set these settings within the configuration options of the virtual machine software.
Info
You should write a concise description of how you configure your virtual machine software so that applications are restricted from accessing critical assets.
An example of an acceptable answer is:
When using application sandboxing, we run the application within a virtual machine that cannot access data stores, peripherals, or the local network.


