Hints & Tips for your Cyber Essentials Assessment

Admin Accounts


These must be unique and never shared. This includes your MSP, which should have a unique account for each of its engineers rather than a single account used by every engineer. This has always been a requirement of Cyber Essentials, but since people are still struggling to comply, it is now spelt out specifically in the Self-Assessment Questionnaire (SAQ).


Cloud Services
Every cloud service you use should be listed. The NCSC has confirmed that no cloud service is excluded or "not applicable": if you log in to a system and it stores business data or personal/private data, it counts as a cloud service and belongs in scope.


Multi Factor Authentication


Why would you not ensure that Multi Factor Authentication (MFA) is available on every cloud service you use? Members of the Cloud Security Alliance agree. The NCSC's advice is that if a cloud or service provider does not support MFA, you should look for an alternative provider.

With admin accounts this is obvious, of course, but you MUST ensure that MFA is enabled and enforced on every account used to administer your cloud solution. Imagine the challenges you would face if you lost control of the service because its credentials were compromised and no MFA stood in the way. If your solution only allows a single account that is both admin and user (i.e., no separation), then that account must be MFA protected, because it is an admin account as well as a user account.


This is required now if your account is both an admin and a user. But don't forget: if you answer "YES" and confirm that all your user accounts are protected by MFA, there is no grace period and it will be tested in your Cyber Essentials Plus assessment, so make sure you check every service!
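One way to actually check this for a Microsoft 365 / Entra ID tenant, as an added example that is not from the original page: list every directory admin that has no MFA method registered, then list the enabled Conditional Access policies that require MFA. It assumes the Microsoft Graph PowerShell modules named below are installed, that the signed-in user can consent to the read-only scopes requested, and that the tenant holds an Entra ID P1 or P2 licence (the registration-details report needs one).

```powershell
# Added example, not code from the original page.
# Assumptions: Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns are installed
# (Install-Module Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns -Scope CurrentUser),
# the signed-in user can consent to the read-only scopes below, and the tenant has Entra ID P1/P2.

Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "Policy.Read.All" -NoWelcome

# 1. Authentication-method registration report for every user in the tenant.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Keep only accounts that hold a directory admin role and have no MFA method registered.
# These are exactly the accounts the SAQ question about admin MFA is asking about.
$adminsWithoutMfa = $details |
    Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, MethodsRegistered

if ($adminsWithoutMfa) {
    Write-Host "Admin accounts with NO MFA method registered:" -ForegroundColor Red
    $adminsWithoutMfa | Format-Table -AutoSize
} else {
    Write-Host "Every admin account has at least one MFA method registered." -ForegroundColor Green
}

# 2. Registered is not the same as enforced. An admin with a method registered can still
#    sign in with password only if nothing requires MFA, so list the enabled Conditional
#    Access policies whose grant control includes "mfa" and how many admin roles each targets.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq "enabled" -and $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName,
        @{ Name = "AdminRolesTargeted"; Expression = { ($_.Conditions.Users.IncludeRoles | Measure-Object).Count } }

if ($mfaPolicies) {
    Write-Host "Enabled Conditional Access policies that require MFA:" -ForegroundColor Cyan
    $mfaPolicies | Format-Table -AutoSize
} else {
    Write-Host "No enabled Conditional Access policy requires MFA. Check whether security defaults are on; otherwise MFA is not enforced." -ForegroundColor Red
}
```

Run it with an account that can read the reports and policies, and treat any row in the first table as a finding to fix before you answer "YES". If the second table is empty and security defaults are off, MFA is registered but not enforced, which is the exact gap an assessor will find.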


Account Separation


An obvious thing really, and something that has always been the case; however, with cloud now in scope, this requirement extends into the cloud. You should have a separate admin account from your day-to-day account. Privileged Identity Management (PIM) and Privileged Access Management (PAM) solutions do not provide this separation on their own. On your network you need a separate account (one that is not a user account for day-to-day access) for each admin who accesses your systems, whether they are internal staff or external support people.

The same applies to any cloud service that can authenticate you into other services (single sign-on), such as Azure, Microsoft 365 and Google: in those you must have an admin account (with MFA, of course) and a separate user account (which, of course, should already have MFA as well).


Break Glass Accounts


Microsoft used to say to have one account that doesn't have MFA, but check the wording now: it says the break glass account "should have a different MFA method to other accounts". They have aligned with the NCSC and the requirements of the standard.


End of Life


This is the most important part of the scheme and a very common issue. All operating systems need to be current and within security update support. The problem with end of life software is simple: once the vendor no longer releases patches for security vulnerabilities, you cannot keep the system patched and are relying on software with known, unfixable vulnerabilities.

This includes hardware such as routers: whatever the system, you need to ensure that it is still capable of receiving security updates from its vendor.


Not Applicable

Nothing within the assessment is "Not Applicable", and answering as such will receive a major non-conformance, as it suggests you have not considered the question. Answer anything that isn't relevant to you with a response that demonstrates you understand the question and explains why you believe it does not apply.

Remember, however, that even a single user / sole trader should have processes and documentation, just as good practice, so when presented with these types of questions, instead of "not applicable" you can respond: "Whilst I am a sole trader and I don't have any need for anyone else to have an admin account, my company policy states that I would have to approve the access and I would provision it if I felt the request was valid. Once provisioned, admin access would be reviewed quarterly".


Buy your Cyber Essentials Certification application here!