Cyber Essentials is a Government-backed cyber security certification scheme, which defines the fundamental technical controls, across 5 key control themes, that organisations should have in place to protect themselves against common cyber threats. To achieve Cyber Essentials certification, organisations must complete a self-assessment questionnaire (SAQ), answering questions about their IT environment and the cyber security measures they have implemented to safeguard against attack. However, organisations will, at times, misunderstand what information the questionnaire is asking them to provide, and, as a result, will give noncompliant answers.
In this blog, we will offer advice and guidance on how to compliantly answer a selection of questions from the SAQ’s User Access Control, Administrative Accounts and Password-Based Authentication sections. We will advise on how to avoid making unnecessary mistakes and any misinterpretations of what you are being asked to specify or describe. To learn more about other areas of the Cyber Essentials scheme that frequently pose a challenge to certifying organisations, see our blog on Common Cyber Essentials Challenges and how to Overcome Them.
Unique Accounts
One issue we frequently come across involves question A7.2, Unique Accounts, which asks whether your user and administrative accounts are accessed by entering a unique username and password. This question is aimed at establishing both that no devices can be accessed without entering a username and password, and that no accounts are shared by multiple individuals. It is not uncommon for IT support or managed service providers (MSPs) to be provided with a single admin account and share this single account between different support personnel; this practice is not compliant with Cyber Essentials. Everyone should be provided with their own account, as this facilitates accountability if your systems are misused. If multiple individuals share an account and unauthorised activities are performed on that account, you will not know which individual perpetrated them. As such, it is vital to ensure no accounts within your organisation are shared, and that all individuals are provided with their own accounts.
User Privileges
Question A7.4, User Privileges, asks whether you ensure that staff only have the privileges they need to do their current job, and how you do so. When answering this question, organisations will sometimes assume that it refers only to standard and admin accounts, when, in fact, it refers to any type of data access which individuals may have for their job role. Perhaps the easiest way to answer this question is to reference the principle of least privilege, under which staff members are only provided with access to the data, resources and applications necessary to complete the tasks required of them (i.e., their job role). This remains applicable to staff members who move from one job role to another within your organisation. In this situation, permissions should be adjusted to ensure the staff member can only access the data and resources they need to complete their day-to-day work.
Administrator Accounts and Managing Administrator Accounts Usage
Questions A7.6, Use of Administrator Accounts, and A7.7, Managing Administrator Accounts Usage, are very closely related, and you may be able to provide the same answer for both questions. A7.6 asks you to specify how you ensure that separate accounts are used to carry out administrative tasks, such as installing software or making configuration changes, whilst A7.7 asks how your organisation prevents admin accounts from being used to carry out day-to-day tasks (web browsing, accessing email, etc.). To provide a compliant answer to these questions, you must use an administrator account when carrying out administrative tasks, which is separate from the standard user account used to complete non-administrative activities. Malware that infects a device while it is logged in to an admin account will also have the associated administrative privileges. As such, using an admin account for longer than necessary heightens the risk to your organisation if a device becomes infected, and should be avoided. You do not need to have a technical solution in place to meet these requirements; policy, procedure, and regular training are also acceptable. Organisations will sometimes provide noncompliant answers to these questions by stating that they have no admin accounts, and their MSP manages this for them. Even if this is the case, it is still your organisation’s responsibility to be aware of what your MSP has in place.
Brute Force Attack Protection
You will be asked to describe how your organisation protects accounts from brute-force password guessing in your answer to question A7.10 Brute Force Attack Protection. Generally, passwords alone are not an effective protection against brute force attacks, which are attempts by a malicious actor to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the correct combination is discovered. In this answer, you will need to provide details of any account lockouts, account throttling, or multi-factor authentication (MFA) you have implemented.
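The account lockout and throttling controls that A7.10 asks you to describe can be modelled as a small stateful check in front of the credential verification step. The code below is an added example written for this post, not code from URM or from the Cyber Essentials scheme. The policy values (five failures in ten minutes, a fifteen-minute lock, a back-off that doubles with each consecutive failure) are assumptions chosen for illustration, not figures the scheme mandates, and the sequence of login attempts is constructed. MFA is not modelled here; it sits alongside these controls rather than replacing them.

```python
from dataclasses import dataclass, field

# Assumed policy values for illustration; they are not Cyber Essentials figures.
MAX_FAILURES = 5          # failures inside FAILURE_WINDOW before the account locks
FAILURE_WINDOW = 600      # seconds over which failures are counted
LOCKOUT_SECONDS = 900     # how long a locked account stays locked
THROTTLE_BASE = 2.0       # seconds; doubles after each consecutive failure


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    consecutive: int = 0                           # failures since the last success
    next_allowed: float = 0.0                      # throttle: earliest next attempt
    locked_until: float = 0.0                      # lockout: earliest unlock time


class LoginGuard:
    """Tracks per-account failures and applies throttling and lockout."""

    def __init__(self):
        self.accounts = {}

    def attempt(self, user, credential_ok, now):
        """Process one login attempt at time `now` (seconds).

        Returns (status, delay): status is 'locked', 'throttled', 'failure' or
        'success'; delay is how long the caller must wait before the next
        attempt will be processed.
        """
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked", st.locked_until - now
        if now < st.next_allowed:
            # A throttled attempt is not processed and does not count as a failure.
            return "throttled", st.next_allowed - now
        if credential_ok:
            st.failures.clear()
            st.consecutive = 0
            return "success", 0.0
        # Record the failure, keeping only those inside the counting window.
        st.consecutive += 1
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW] + [now]
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked", LOCKOUT_SECONDS
        delay = THROTTLE_BASE * 2 ** (st.consecutive - 1)
        st.next_allowed = now + delay
        return "failure", delay


def simulate(attempts):
    """Run a list of (user, credential_ok, time) tuples and return the statuses."""
    guard = LoginGuard()
    return [guard.attempt(user, ok, t)[0] for user, ok, t in attempts]


# Constructed sample: repeated bad guesses against one account, then the right
# password while locked, then the right password after the lock expires.
SAMPLE_ATTEMPTS = [
    ("alice", False, 0),     # failure, throttle 2s
    ("alice", False, 1),     # throttled, not counted
    ("alice", False, 3),     # failure, throttle 4s
    ("alice", False, 8),     # failure, throttle 8s
    ("alice", False, 20),    # failure, throttle 16s
    ("alice", False, 40),    # fifth counted failure: locked for 900s
    ("alice", True, 100),    # correct password, but still locked
    ("alice", True, 1000),   # lock expired: success
]

if __name__ == "__main__":
    for (user, ok, t), status in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS)):
        print(f"t={t:5d} user={user} credential_ok={ok!s:5} -> {status}")
```

The throttle check sits before the credential check so that a throttled request costs the caller a wait without consuming a verification, and the lockout is applied per account rather than per source address, which is the behaviour the question is asking you to describe.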
Password Quality
Question A7.11, Password Quality, asks you to detail the technical controls you use to manage the quality of passwords within your organisation. Your answer to this question must include any technical controls in place to ensure the strength of passwords, such as minimum character length, MFA, and any other restrictions you have in place. The minimum acceptable character length for Cyber Essentials compliance is 12 characters, unless you are also using MFA and/or automated deny lists at all times, in which case 8-character passwords are acceptable.
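The length thresholds above, together with a deny-list comparison, are straightforward to express as a policy check. The code below is an added example written for this post, not code from URM or from the scheme. The deny list is a tiny constructed sample standing in for a real list of common or breached passwords, and the normalisation step (comparing case-insensitively and ignoring trailing digits and symbols) goes beyond what the post states; it is a common deny-list heuristic, included here as an assumption rather than a scheme requirement.

```python
# Constructed sample; a real deployment would use a full common-password list.
DENY_LIST_SAMPLE = {"password", "password1", "qwerty123", "letmein", "welcome1"}


def minimum_length(mfa_enabled, deny_list_enabled):
    """Minimum length per the thresholds quoted in the post: 12 characters,
    or 8 when MFA and/or an automated deny list is in use at all times."""
    return 8 if (mfa_enabled or deny_list_enabled) else 12


def on_deny_list(password, deny_list):
    """Case-insensitive match, also catching a denied word with trailing
    digits or symbols appended (assumed heuristic, not a scheme rule)."""
    lowered = password.lower()
    stripped = lowered.rstrip("0123456789!@#$%^&*.?")
    return lowered in deny_list or (bool(stripped) and stripped in deny_list)


def evaluate_password(password, mfa_enabled, deny_list_enabled,
                      deny_list=DENY_LIST_SAMPLE):
    """Return the list of reasons the password fails; an empty list means it passes."""
    reasons = []
    required = minimum_length(mfa_enabled, deny_list_enabled)
    if len(password) < required:
        reasons.append(f"shorter than {required} characters")
    if deny_list_enabled and on_deny_list(password, deny_list):
        reasons.append("matches an entry on the deny list")
    return reasons


if __name__ == "__main__":
    # Constructed cases covering each branch of the policy.
    for pw, mfa, deny in [("correcthorse", False, False),
                          ("Summer23", False, False),
                          ("Summer23", True, False),
                          ("Password1!", False, True)]:
        verdict = evaluate_password(pw, mfa, deny)
        print(f"{pw!r:15} mfa={mfa!s:5} deny_list={deny!s:5} -> "
              f"{'pass' if not verdict else '; '.join(verdict)}")
```

Returning the full list of reasons rather than a single boolean lets the same function feed both a user-facing message and an audit log of which control rejected the password.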
Administrator MFA and User MFA
Questions A7.16, Administrator MFA, and A7.17, User MFA, ask whether MFA has been applied to all administrators of your cloud services and to all users of your cloud services, respectively. These requirements are based on the assets you have declared in the cloud services list (question A2.9), and you will need to ensure all cloud services listed there have MFA enabled (in conjunction with a password of at least 8 characters) for any admin or user accounts.
How URM can Help
If your organisation would benefit from support with certifying to the Cyber Essentials security scheme, URM can leverage its extensive experience with and knowledge of the scheme to assist your organisation. In our capacity as an accredited certification body, we have facilitated hundreds of assessments both to Cyber Essentials and to Cyber Essentials Plus (the scheme’s higher-level qualification), providing our assessors with a comprehensive understanding of the scheme and its requirements. Meanwhile, as an Assured Service Provider under the NCSC Cyber Advisor scheme, our team of Cyber Advisors (Cyber Essentials) are able to offer you practical and reliable advice on achieving Cyber Essentials and Cyber Essentials Plus certification, as well as recommendations for improving your cyber security posture in general.
In the initial stages, one of our Cyber Advisors (Cyber Essentials) can perform a gap analysis to identify whether your existing policies and controls meet the scheme’s requirements, and offer advice on how to remediate any areas of non-compliance. When you are ready for assessment, we can offer an application review service prior to you formally submitting your SAQ. URM’s assessor can either work through a Cyber Essentials checklist with you before you fill out the SAQ, explaining each question to help you successfully complete the questionnaire yourself, or review your already completed SAQ before submission. Regardless of which option you select, you will be able to submit your SAQ secure in the knowledge that you have completed it accurately.