Access Control, Administrative Accounts and Password-Based Authentication in the Cyber Essentials SAQ

One issue we frequently come across involves question A7.2 Unique Accounts, which asks if your user and administrative accounts are accessed by entering a unique username and password.  This question is aimed at establishing both that no devices can be accessed without entering a username and password, but also that no accounts are shared by multiple individuals.  It is not uncommon for IT support or managed service providers (MSPs) to be provided with a single admin account and share this single account between different support personnel; this practice is not compliant with Cyber Essentials.  Everyone should be provided with their own account, as this facilitates accountability if your systems are misused.  If there are multiple individuals sharing an account and unauthorised activities are performed on this account, you will not know which individual perpetrated these activities.  As such, it is vital to ensure no accounts within your organisation are shared, and that all individuals are provided with their own accounts.

A7.4 User Privileges, asks if you ensure that staff only have the privileges they need to do their current job, and how you do so.  When answering this question, organisations will sometimes assume that it is only referring to standard and admin accounts, when, in fact, it is referring to any type of data access which individuals may have for their job role.  Perhaps the easiest way to answer this question is to reference the principle of least privilege, under which staff members are only provided with access to the data, resources and applications necessary to complete the tasks required of them (i.e., their job role).  This remains applicable to staff members who move from one job role to another within your organisation.  In this situation, permissions should be adjusted to ensure the staff member can only access the data and resources they need to complete their day-to-day work.

Question A7.6, Use of Administrator Accounts and A 7.7 Managing Administrator Accounts Usage, are very closely related, and you may be able to provide the same answer for both questions.   A7.6 asks you to specify how you ensure that separate accounts are used to carry out administrative tasks, such as installing software or making configuration changes, whilst A7.7 asks how your organisation prevents admin accounts from being used to carry out day-to-day tasks (web browsing, accessing email, etc.).  To provide a compliant answer to these questions, you must use an administrator account when carrying out these administrative tasks, which is separate from the standard user account which is used to complete non-administrative activities.  Malware that infects a device while it is logged in to an admin account will also have the associated administrative privileges. As such, using an admin account for longer than necessary heightens the risk to your organisation if a device becomes infected, and should be avoided.  You do not need to have a technical solution in place to meet these requirements; policy, procedure, and regular training are also acceptable.   Organisations will sometimes provide noncompliant answers to this question by stating that they have no admin accounts, and their MSP manages this for them.  Even if this is the case, it is still your organisation’s responsibility to be aware of what your MSP has in place.

You will be asked to describe how your organisation protects accounts from brute-force password guessing in your answer to question A7.10 Brute Force Attack Protection.  Generally, passwords alone are not an effective protection against brute force attacks, which are attempts by a malicious actor to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the correct combination is discovered.  In this answer, you will need to provide details of any account lockouts, account throttling, or multi-factor authentication (MFA) you have implemented.

Question A7.11 Password Quality, asks you to detail the technical controls you use to manage the quality of your passwords within your organisation.  Your answer to this question must include any technical controls in place to ensure the strength of passwords, such as minimum character length, MFA, and any other restrictions you have in place.  The minimum acceptable character length for Cyber Essentials compliance is 12 characters, unless you are also using MFA and/or automated deny lists at all times, in which case 8-character passwords are acceptable.

For question A7.16 Administrator MFA and A7.17 User MFA, you will be asked whether MFA has been applied to all administrators of your cloud services and to all users of your cloud services, respectively.  These requirements are based on the assets you have declared in the cloud services list (question A2.9), and you will need to ensure all cloud services listed there have MFA enabled (in conjunction with a password of at least 8 characters) for any admin or user accounts.