Cyber Essentials Self Assessment: Secure Configuration

This Cyber Essentials security wiki page walks through the Secure Configuration questions (A5.1 to A5.8) of the self-assessment questionnaire. Each entry states what the question asks and what evidence an assessor expects. Follow the recommendations below to reduce the attack surface of your devices and services and to strengthen the organisation's overall security posture.

A5.1. Removal or Disabling of Unnecessary Software and Services:

Ensure that all laptops, desktop computers, thin clients, servers, tablets, mobile phones, and cloud services have unnecessary software and services removed or disabled, so that only the applications, services and open ports needed for the device's role remain. Describe the process or practices employed to achieve this (for example, a build checklist, a hardened baseline image, or a periodic review of installed packages and listening services).

A5.2. Management of User Accounts:

Confirm that all laptops, computers, servers, tablets, mobile devices, and cloud services only contain necessary user accounts regularly used in the course of your business. Remove or disable any user accounts that are not required for day-to-day operations.

A5.3. Changing Default Passwords:

Indicate whether you have changed the default passwords for user and administrator accounts on desktop computers, laptops, thin clients, servers, tablets, and mobile phones. Ensure that the new passwords comply with the Password-based authentication requirements of Cyber Essentials.

A5.4. External Services with Restricted Data Access:

Specify whether your organisation runs external services that provide access to data which should not be publicly accessible. Answer "yes" or "no" to indicate the presence of such services.

A5.5. Password-based Authentication for External Services:

If you have external services allowing user access over the internet, specify the password-based authentication mechanism used. "No maximum length" means the service must neither reject nor silently truncate long passwords; the length figures below are minimums only. Choose one of the following options or provide a description if none of the options apply:

A. Multi-factor authentication, with a minimum password length of 8 characters and no maximum length.

B. Automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length.

C. A password with a minimum length of 12 characters and no maximum length.

D. None of the above (please describe).
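An added example, not part of the questionnaire, showing how the three options above translate into a password check at account creation or password change. The `Control` names, the denylist and the sample passwords are constructed for illustration; a production denylist would be a much larger list such as a breached-password corpus.

```python
"""Password policy check mirroring options A, B and C of question A5.5.

Added example; not code from the Cyber Essentials questionnaire.
"""
from __future__ import annotations

from enum import Enum


class Control(Enum):
    MFA = "A"          # option A: MFA enforced, so an 8-character minimum is allowed
    DENYLIST = "B"     # option B: common passwords blocked, 8-character minimum
    LENGTH_ONLY = "C"  # option C: neither of the above, 12-character minimum


MIN_LENGTH = {Control.MFA: 8, Control.DENYLIST: 8, Control.LENGTH_ONLY: 12}

# Constructed denylist for the example. Entries are stored lower-case and the
# candidate is lower-cased too, so "Password1" is caught as well as "password1".
COMMON_PASSWORDS = frozenset(p.lower() for p in (
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "football",
))


def check_password(password: str, control: Control) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.

    Note what is deliberately absent: there is no upper bound on len(password)
    and the value is never sliced or truncated. That is the "no maximum length"
    part of every option.
    """
    problems: list[str] = []
    minimum = MIN_LENGTH[control]
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if control is Control.DENYLIST and password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password denylist")
    return problems


if __name__ == "__main__":
    for pw, ctl in [("Password1", Control.DENYLIST),
                    ("Password1", Control.LENGTH_ONLY),
                    ("correct horse battery staple", Control.LENGTH_ONLY)]:
        print(ctl.name, repr(pw), check_password(pw, ctl) or "ok")
```

Under option A the denylist is not mandatory, but nothing stops you applying it there too; the check is cheap and removes the guesses an attacker tries first.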

A5.6. Password Change Process for Compromised Services:

Provide a brief description of the process followed to change passwords on external services when a compromise is suspected.

A5.7. Protection Against Brute Force Attacks:

If multi-factor authentication is not used, specify the method employed to protect external services from brute force attacks. Choose one of the following options or provide a description if none of the options apply:

A. Throttling the rate of attempts (the Cyber Essentials requirements set this at no more than 10 guesses within 5 minutes).

B. Locking accounts after no more than 10 unsuccessful attempts.

C. None of the above (please describe).
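An added example, not part of the questionnaire, of both protections from A5.7 applied to a login endpoint: a per-account lockout after 10 failed attempts and a per-source throttle of 10 guesses in 5 minutes. The throttle is keyed on the source address rather than the account so that a password spray (one password tried against many usernames) is limited even though no single account reaches the lockout threshold. The user store, the `FakeClock`, the lockout duration and the PBKDF2 round count are constructed or assumed values; a real service would use its identity provider's counters in a store shared by all nodes.

```python
"""Per-account lockout plus per-source throttling for an internet-facing login.

Added example; not code from the Cyber Essentials questionnaire.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 10          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration; not specified by the question
WINDOW_SECONDS = 5 * 60    # throttling window per source address
MAX_PER_WINDOW = 10        # guesses allowed from one source within the window
PBKDF2_ROUNDS = 50_000     # assumed; tune for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_users(creds: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Constructed user store: username -> (salt, pbkdf2 hash)."""
    return {name: (salt, hash_password(pw, salt))
            for name, pw in creds.items() for salt in [os.urandom(16)]}


class FakeClock:
    """Constructed clock so the scenario runs instantly; real code passes time.monotonic."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, users: dict[str, tuple[bytes, bytes]], clock=time.monotonic):
        self._users = users
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}
        self._sources: dict[str, list[float]] = {}   # source -> attempt timestamps
        self._dummy_salt = os.urandom(16)            # so unknown users cost a full hash

    def attempt(self, source: str, user: str, password: str) -> str:
        """Return 'ok', 'bad_credentials', 'locked' or 'throttled'."""
        now = self._clock()
        # Throttle first: every request counts, including ones against locked accounts.
        recent = [t for t in self._sources.get(source, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_PER_WINDOW:
            self._sources[source] = recent
            return "throttled"
        recent.append(now)
        self._sources[source] = recent

        acct = self._accounts.setdefault(user, AccountState())
        if now < acct.locked_until:
            return "locked"                       # do not even check the password

        salt, expected = self._users.get(user, (self._dummy_salt, b""))
        supplied = hash_password(password, salt)  # same cost for known and unknown users
        if user in self._users and hmac.compare_digest(expected, supplied):
            acct.failures = 0                     # a success resets the counter
            return "ok"

        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "bad_credentials"


def simulate() -> dict[str, object]:
    """Replay a constructed attack and return what each request was told."""
    clock = FakeClock()
    guard = LoginGuard(make_users({"alice": "correct horse battery staple"}), clock)
    # Nine wrong guesses from one address, a tenth from another: the per-account
    # counter locks regardless of where the guesses came from.
    guesses = [guard.attempt("198.51.100.7", "alice", f"wrong{i}") for i in range(9)]
    guesses.append(guard.attempt("203.0.113.9", "alice", "wrong9"))
    # Trade-off of option B: the genuine owner is locked out too until it expires.
    owner_during = guard.attempt("192.0.2.10", "alice", "correct horse battery staple")
    clock.advance(LOCKOUT_SECONDS + 1)
    owner_after = guard.attempt("192.0.2.10", "alice", "correct horse battery staple")
    # Password spray: one address, one password, many usernames. No account is
    # locked, but the per-source window cuts the spray off after ten guesses.
    spray = [guard.attempt("203.0.113.9", f"user{i}", "Password1") for i in range(12)]
    return {"guesses": guesses, "owner_during_lock": owner_during,
            "owner_after_lock": owner_after, "spray": spray}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Two design points worth noting when answering A5.7: the lockout counter must live somewhere all login nodes share, or an attacker spreads guesses across nodes and never reaches 10; and because a lockout also denies the legitimate user, many services pair a short automatic lockout with throttling rather than relying on a permanent lock.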

A5.8. Disabling "Auto-Run" or "Auto-Play" Functionality:

Confirm whether "auto-run" or "auto-play" is disabled on all systems within your organisation, so that inserting removable media or opening a network share cannot launch executable content without a user action. Answer "yes" or "no" to indicate the status of this functionality.

Implementing these secure configuration practices will help protect your organisation's devices and services from potential threats. Regularly review and update configurations to maintain a strong security posture.

Note: The information provided above is based on general security practices. Organisations should adapt these guidelines to align with their specific requirements and consult with cybersecurity professionals for tailored advice related to secure configuration.

Find out more about Periculo Cyber Essentials or contact us