Section-4: Office Firewalls and Internet Gateways

Firewall is the generic name for software or hardware which provides technical protection between your systems and the outside world. There will be a firewall within your internet router. Common internet routers are BT Home Hub, Virgin Media Hub or Sky Hub.
Your organisation may also have set up a separate hardware firewall device between your network and the internet. Firewalls are powerful devices and need to be configured correctly to provide effective security.
Questions in this section apply to: Hardware Firewall devices, Routers, Computers and Laptops only.

A4.1. Do you have firewalls at the boundaries between your organisation’s internal networks and the internet?

A4.2. When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?

A4.3. Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?

A4.4. Do you change the password when you believe it may have been compromised? How do you achieve this?

A4.5. Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?

A4.6. If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process.

A4.7. Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?

A4.8. Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?

A4.9. If yes, is there a documented business requirement for this access?

A4.10. If yes, is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings? List which option is used.

A4.11. Do you have software firewalls enabled on all of your computers and laptops?

A4.12. If no, is this because software firewalls are not commonly available for the operating system you are using? Please list the operating systems.

Check out our blog article 'Cyber Essentials Plus patching requirements'

Section-5: Secure Configuration

Computers are often not secure upon default installation. An ‘out-of-the-box’ set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications or services. All of these present security risks.
Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones.

A5.1. Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this.

A5.2. Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business?

A5.3. Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?

A5.4. Do all your users and administrators use passwords of at least 8 characters?
The longer a password, the more difficult it is for cyber criminals to guess (or brute-force) it.


A5.5. Do you run software that provides sensitive or critical information (that shouldn't be made public) to external users across the internet?

A5.6. If yes, do you ensure all users of these services use a password of at least 8 characters and that your systems do not restrict the length of the password?

A5.7. If yes, do you ensure that you change passwords if you believe that they have been compromised?

A5.8. If yes, are your systems set to lockout after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes?

A5.9. If yes, do you have a password policy that guides all your users?

A5.10. Is "auto-run" or "auto-play" disabled on all of your systems?

Check out our blog article ‘What exactly is included in Cyber Essentials Plus audit?'

Section-6: Software Patching

To protect your organisation, you should ensure that your software is always up-to-date with the latest patches. If, on any of your in-scope devices, you are using an operating system which is no longer supported, (e.g. Microsoft Windows XP/Vista/2003 or macOS El Capitan, Ubuntu 17.10), and you are not being provided with updates from another reliable source, then you will not be awarded certification. Mobile phones and tablets are in-scope and must also use an operating system that is still supported by the manufacturer.
Questions in this section apply to: Servers, Computers, Laptops, Tablets, Mobile Phones, Routers and Firewalls.

A6.1. Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems?

A6.2. Are all applications on your devices supported by a supplier that produces regular fixes for any security problems?

A6.3. Is all software licensed in accordance with the publisher’s recommendations?

A6.4. Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how do you achieve this.

A6.5. Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.

A6.6. Have you removed any applications on your devices that are no longer supported and no longer receive regular fixes for security problems?

Section-7: User Accounts

It is important to only give users access to the resources and data necessary for their roles, and no more. All users need to have unique accounts and should not be carrying out day-to-day tasks such as invoicing or dealing with e-mail whilst logged on as a user with administrator privileges which allow significant changes to the way your computer systems work.
Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones.

A7.1. Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.

A7.2. Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password?

A7.3. How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

A7.4. Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

Check out our blog article 'What is the process for Cyber Essentials plus?'

Administrative Accounts

User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When these privileged accounts are accessed by attackers they can cause the most amount of damage because they can usually perform actions such as install malicious software and make changes. Special access includes privileges over and above those of normal users.
It is not acceptable to work on a day-to-day basis in a privileged “administrator” mode. Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones.

A7.5. Do you have a formal process for giving someone access to systems at an “administrator” level?
Describe the process.

A7.6. How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?

A7.7. How do you ensure that administrator accounts are not used for accessing email or web browsing?


A7.8. Do you formally track which users have administrator accounts in your organisation?

A7.9. Do you review who should have administrative access on a regular basis?

A7.10. Have you enabled two-factor authentication for access to all administrative accounts?

A7.11. If no, is this because two-factor authentication is not available for some or all of your devices or systems? List the devices or systems that do not allow two-factor authentication.

Section-8: Malware protection

Malware (such as computer viruses) is generally used to steal or damage information. Malware are often used in conjunction with other kinds of attack such as ‘phishing’ (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focussed attack on an organisation. Anti-malware solutions (including anti-virus) are available from commercial suppliers, some free, but usually as complete software and support packages.

Malware are continually evolving, so it is important that the supplier includes both malware signatures and heuristic detection facilities which are updated as frequently as possible. Anti-malware products can also help confirm whether websites you visit are malicious.

Questions in this section apply to: Computers, Laptops, Tablets and Mobile Phones.

A8.1. Are all of your computers, laptops, tablets and mobile phones protected from malware by either
A - having anti-malware software installed,
B - limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or
C - application sandboxing (i.e. by using a virtual machine)?

A8.2. If Option A: Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access?

A8.3. If Option A: Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?

A8.4. If Option B: Where you use an app-store or application signing, are users restricted from installing unsigned applications?

A8.5. If Option B: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you document this list of approved applications?

A8.6. If Option C: Where you use application sandboxing, do you ensure that applications within the sandbox are unable to access data stores, sensitive peripherals and your local network? Describe how you achieve this.

That is the IASME Cyber Essentials Questionnaire. Hope that helped. If you need any further help please get in touch CE@thetechforce.co.uk. Also try out our CE checklist below for instant results. It will give an indication of your certification based on your answers.