Cyber Essentials Plus requirements cover five main areas of cyber security: Firewalls, Secure Configuration, Security Update Management, User Access Control and Malware Protection.
My1Login’s solution enables enterprises to address 25 of the 59 Cyber Essentials 2022 questions listed in the requirements, specifically a number of the obligations under Firewalls, Secure Configuration, User Access Control and Malware Protection.
This document lists the 25 relevant Cyber Essentials Plus questions and requirements, together with an overview of how My1Login can be used to address them.
Firewalls
Cyber Essentials Plus Question Reference | Cyber Essentials Plus Question | How My1Login Helps
A4.2 | Firewall Default Password: When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? The default password must be changed on all routers and firewalls, including those that come with a unique password pre-configured. | A centralised password policy can be configured within My1Login that, based on the device’s admin URL, forces a change from the default password the next time an administrator logs in to the router or firewall, and records in the audit trail that the change has been completed.
A4.2.1 | Firewall Password Change Process: Please describe the process for changing the firewall password. You need to be aware of how the password on a firewall is changed. Please give a brief description of how this is achieved. | Password change policies can be configured in My1Login to either: a) generate a new firewall password when the user navigates to the password change form on the router, or b) periodically and automatically update the router password when the user logs in after a defined period has elapsed since the last change. Any changes are logged in the audit trail.
A4.3 | Firewall Password Configuration | The NCSC “Cyber Essentials Requirements for IT Infrastructure” document refers to using the password generator features available in some password managers. My1Login can enforce password policies by automatically generating long, high-entropy passwords and updating these on the firewall. In addition, even where the firewall does not support multi-factor authentication, My1Login can require the user to satisfy a multi-factor authentication challenge before the password is released from the vault. This gates release of the stored credential; it does not add MFA to the device’s own login, so the device password itself must still be unique and high-entropy.
A4.4 | Firewall Password Issue: Do you change the firewall password when you know or suspect it has been compromised? Passwords may be compromised if there has been a virus on your system or if the manufacturer notifies you of a security weakness in their product. You should be aware of this and know how to change the password if this occurs. | My1Login provides an easy mechanism for administrators to change firewall passwords by automating the password generation and update process, and provides an audit log of this activity.
A4.9 | Documented Admin Access: If yes, is there a documented business requirement for this access? You must have made a decision in the business that you need to provide external access to your routers and firewalls. This decision must be documented (i.e. written down). | My1Login can provide documented, centralised tracking of users who have been granted admin access to routers and firewalls, and timestamped audit logs of who accessed these devices. The written business justification for external access remains a separate document; the access list and logs evidence who holds that access and when it was used.
Secure Configuration
Cyber Essentials Plus Question Reference | Cyber Essentials Plus Question | How My1Login Helps
A5.2 | Remove Unrequired User Accounts: Have you ensured that all your laptops, computers, servers, tablets, mobile devices and cloud services only contain necessary user accounts that are regularly used in the course of your business? You must remove or disable any user accounts that are not needed in day-to-day use on all devices and cloud services. You can view your user accounts on Windows by right-clicking on Start -> Computer Management -> Users, on macOS in System Preferences -> Users & Groups, and on Linux using "cat /etc/passwd". | Once identities are managed within the My1Login solution, it can provide audit trails of access to server and cloud service accounts, enabling dormant accounts to be identified. Local operating-system accounts that are not brokered through My1Login still need to be reviewed on the device itself, as the question describes.
A5.3 | Change Default Password: Have you changed the default password for all user and administrator accounts on all your laptops, desktop computers, thin clients, servers, tablets and smartphones that follow the Password-based authentication requirements of Cyber Essentials? A password that is difficult to guess will be unique and not be made up of common or predictable words such as "password" or "admin", or include predictable number sequences such as "12345". | My1Login can be used to provide centralised reporting on the strength of passwords used across the organisation, to check that these meet the requirements of Cyber Essentials.
A5.5 | External Service Password Configuration: If yes, which option of password-based authentication do you use? Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the new section about password-based authentication in the ‘Cyber Essentials Requirements for IT Infrastructure’ document. https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructurev3-0-January-2022.pdf | Password change policies can be configured in My1Login to either: a) generate long, random, high-entropy passwords when the user navigates to the password change form on the application/service, and then update the password on the application/service.
A5.6 | Compromised Password on External Service: Describe the process in place for changing passwords when you believe they have been compromised. Passwords may be compromised if there has been a virus on your system or if the manufacturer notifies you of a security weakness in their product. You should be aware of this and know how to change the password if this occurs. | My1Login’s password policy enforcement enables administrators to set a policy that automatically changes users’ passwords the next time they log in to an application, mitigating the risk from compromised passwords or manufacturer vulnerabilities. Because the change happens at next login, a compromised credential remains valid until then; for a known compromise, the affected password should be changed immediately rather than left for the policy to trigger.
A5.7 | External Service Brute Force: When not using multi-factor authentication which option are you using to protect your external service from brute force attacks? The external service that you provide must be set to slow down or stop attempts to log in if the wrong username and password have been tried a number of times. This reduces the opportunity for cyber criminals to keep trying different passwords (brute-forcing) in the hope of gaining access. | My1Login automates the enforcement of long, random, high-entropy passwords on external applications and services, making a successful brute-force guess very unlikely. The question itself asks for a service-side control (throttling or lockout after repeated failed attempts), so that setting must still be configured on the service: a strong password reduces the chance that guessing succeeds but does not slow the attempts down.
User Access Control
Cyber Essentials Plus Question Reference | Cyber Essentials Plus Question | How My1Login Helps
A7.1 | User Account Creation: Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process. You must ensure that user accounts (such as logins to laptops and accounts on servers) are only provided after they have been approved by a person with a leadership role in the business. | My1Login can be used to automate the provisioning of user accounts on cloud applications by creating provisioning policies driven by group membership in the corporate directory, as the final step of the broader approvals process. The approval by a person in a leadership role still happens before the user is added to the group that triggers provisioning.
A7.2 | Unique Accounts: Are all user and administrative accounts accessed by entering a unique username and password? You must ensure that no devices can be accessed without entering a username and password. Users cannot share accounts. Accounts must not be shared. | My1Login’s Enterprise Password Management functionality can be used to generate and manage the use of unique usernames and passwords for user and administrative accounts.
A7.3 | Leavers Accounts: How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation? When an individual leaves your organisation you need to stop them accessing any of your systems. | My1Login can be linked to your corporate directory to automate the suspension or deletion of leavers’ access to accounts and passwords. This can be achieved by:
A7.4 | User Privileges: Do you ensure that staff only have the privileges that they need to do their current job? How do you do this? When a staff member changes job role, you may also need to change their permissions to only access the files, folders and applications that they need to do their day to day work. | My1Login enables user access to applications and privileges to be linked to group membership within the corporate directory. Provisioning policies can be configured in My1Login to enable and revoke access to applications based on the groups the user is currently a member of.
A7.5 | Administrator Approval: Do you have a formal process for giving someone access to systems at an “administrator” level and can you confirm how this is recorded? You must have a formal, written-down process that you follow when deciding to give someone access to systems at administrator level. This process might include approval by a person who is an owner/director/trustee/partner of the organisation. | My1Login provides an audit trail of which identities and passwords each user has access to, giving enterprises a record of who holds administrator-level accounts for applications and services. The written approval process itself is separate; the audit trail is the record of what access was granted and when.
A7.8 | Administrator Account Tracking: Do you formally track which users have administrator accounts in your organisation? You must track, by means of list or formal record, all people that have been granted administrator accounts. | My1Login provides an audit trail of which identities and passwords each user has access to, giving enterprises a mechanism to track who holds administrator-level accounts for applications and services.
A7.9 | Administrator Access Review: Do you review who should have administrative access on a regular basis? You must review the list of people with administrator access regularly. Depending on your business, this might be monthly, quarterly or annually. Any users who no longer need administrative access to carry out their role should have it removed. | Reports can be pulled from My1Login to support a periodic review of administrator access.
A7.10 | Brute Force Attack Protection: Describe how you protect accounts from brute-force password guessing in your organisation? A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. Information on how to protect against brute-force password guessing can be found in the password-based authentication section, under the User Access Control section in the ‘Cyber Essentials Requirements for IT Infrastructure’. https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructurev3-0-January-2022.pdf | My1Login helps protect accounts from brute-force password guessing by enforcing strong password policies on external applications, so that passwords are long, random, high-entropy strings, which makes a successful guess very unlikely. Where the service supports throttling or lockout after failed attempts, as described in the NCSC document, that should be enabled on the service as well.
A7.11 | Password Quality: Which technical controls are used to manage the quality of your passwords within your organisation? Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the new section about password-based authentication in the ‘Cyber Essentials Requirements for IT Infrastructure’ document. https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructurev3-0-January-2022.pdf | My1Login includes a purpose-built Enterprise Password Manager, so password policies can be configured to either:
A7.12 | Password Creation Advice: Please explain how you encourage people to use unique and strong passwords. You need to support those that have access to your organisational data and services by informing them of how they should pick a strong and unique password. Further information can be found in the password-based authentication section, under the User Access Control section in the Cyber Essentials Requirements for IT Infrastructure document. https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructurev3-0-January-2022.pdf | My1Login includes a purpose-built Enterprise Password Manager, so password policies can be configured to either:
A7.13 | Password Policy: Do you have a documented password policy that includes a process for when you believe that passwords or accounts have been compromised? You must have an established process that details how to change passwords promptly if you believe or suspect a password or account has been compromised. | My1Login’s Enterprise Password Manager enables enterprises to create documented, application-specific password policies, including the forced change on suspected compromise described under A5.6.
A7.14 | MFA Enabled: Have you enabled multi-factor authentication (MFA) on all of your cloud services? Where your systems and cloud services support multi-factor authentication (MFA), for example a text message, a one time access code, notification from an authentication app, then you must enable it for users and administrators. For more information see the NCSC’s guidance on MFA. https://www.ncsc.gov.uk/guidance/multifactor-authentication-online-services | Where a cloud service supports MFA, it must be enabled on the service itself. For applications that do not support MFA, application-specific MFA policies can be configured within My1Login that require users to satisfy an MFA challenge before the identity/password is made available to them.
A7.16 | Administrator MFA: Has MFA been applied to all administrators of your cloud services? It is required that all administrator accounts on cloud services must apply multi-factor authentication in conjunction with a password of at least 8 characters. | Where a cloud service supports MFA, it must be enabled for administrators on the service itself. For applications that do not support MFA, application-specific MFA policies can be configured within My1Login that require administrators to satisfy an MFA challenge before the identity/password is made available to them.
A7.17 | User MFA: Has MFA been applied to all users of your cloud services? This question is currently for information only. From January 2023 this question will require that all user accounts are protected by MFA on cloud services and marked for compliance. All users of your cloud services must use MFA in conjunction with a password of at least 8 characters. | Where a cloud service supports MFA, it must be enabled for users on the service itself. For applications that do not support MFA, application-specific MFA policies can be configured within My1Login that require users to satisfy an MFA challenge before the identity/password is made available to them.
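As an added illustration for A5.7, A7.10 and A7.11 (example code written for this page, not My1Login’s own implementation), the following Python generates a password under a constructed policy using the operating system’s CSPRNG, checks a candidate against that policy, and compares the expected guessing time of an 8-character and a 20-character password at an assumed throttled online rate and an assumed offline cracking rate. The alphabet, length and entropy thresholds, and both guessing rates, are assumptions chosen for the example.

```python
import math
import secrets
import string

# Constructed policy for this example (not a My1Login setting):
# passwords drawn uniformly from the 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 20
MIN_BITS = 100
SECONDS_PER_YEAR = 365 * 24 * 3600


def generate_password(length=MIN_LENGTH, alphabet=ALPHABET):
    """Uniformly random password using the OS CSPRNG (secrets, never random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Only meaningful for generated passwords; a human-chosen string has far less."""
    return length * math.log2(alphabet_size)


def expected_guess_years(length, alphabet_size, guesses_per_second):
    """Expected time to hit the password by guessing uniformly at random:
    half the keyspace, on average, at the given rate."""
    keyspace = alphabet_size ** length  # exact integer arithmetic
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def meets_policy(password, min_length=MIN_LENGTH, alphabet=ALPHABET, min_bits=MIN_BITS):
    """Accept only passwords the generator could have produced under the policy."""
    if not password or any(ch not in alphabet for ch in password):
        return False
    if len(password) < min_length:
        return False
    return entropy_bits(len(password), len(alphabet)) >= min_bits


def compare_rates(alphabet_size=len(ALPHABET)):
    """Guessing time in years for 8 vs 20 characters at an assumed throttled
    online rate (10 guesses/s, what a lockout or throttle might allow) and an
    assumed offline rate (1e10 guesses/s against a leaked hash)."""
    rates = {"online_throttled": 10, "offline_hash_crack": 1e10}
    return {
        name: {
            "8_chars": expected_guess_years(8, alphabet_size, rate),
            "20_chars": expected_guess_years(20, alphabet_size, rate),
        }
        for name, rate in rates.items()
    }


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits(len(pw), len(ALPHABET)), 1), "bits")
    for name, years in compare_rates().items():
        print(name, {k: f"{v:.3g} years" for k, v in years.items()})
```

The two rates make the point behind the caveat in A5.7: with throttling in place even an 8-character random password takes millions of years to guess online, but the same password falls in under a day once an attacker has the hash offline, so the long generated password is what covers the case the throttle cannot.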
Malware Protection
Cyber Essentials Plus Question Reference | Cyber Essentials Plus Question | How My1Login Helps
A8.3 | Scan Web Pages (A): Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites? Your anti-virus software should have a plugin for your internet browser or for the operating system itself that prevents access to known malicious websites. On Windows 10, SmartScreen can provide this functionality. | My1Login’s Single Sign-On capability helps mitigate phishing-driven credential theft: stored credentials are bound to the URL they were saved for, so the My1Login application will not disclose them to a lookalike or “spoofed” URL. This complements, rather than replaces, the browser-level blocking of known malicious sites that the question asks about.
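To show why URL-bound credential release resists spoofed sites, here is an added Python example of the principle (written for this page; it is not My1Login’s code and makes no claim about how My1Login matches URLs). It compares a strict origin check (scheme, host and port must all match, and only over HTTPS) with a naive substring check, against constructed test vectors for a saved login at the hypothetical host portal.example.com.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def naive_match(stored_url, current_url):
    """The check a careless integration might do: is the saved hostname anywhere
    in the current URL? Kept here only to show what it wrongly accepts."""
    return urlsplit(stored_url).hostname in current_url


def origin(url):
    """(scheme, host, port) for an absolute URL, with the scheme's default port
    filled in. Hosts are compared as whole lowercase strings, never substrings."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme.lower(), parts.hostname.lower().rstrip("."), port)


def should_release_credential(stored_url, current_url):
    """Release a stored credential only to the exact origin it was saved for,
    and only over HTTPS, so a lookalike host or a plaintext page never sees it."""
    try:
        stored, current = origin(stored_url), origin(current_url)
    except ValueError:
        return False
    if current[0] != "https":
        return False
    return stored == current


# Constructed vectors: a saved login and pages an attacker might send a user to.
SAVED = "https://portal.example.com/login"
CASES = [
    ("https://portal.example.com/account", True),          # same origin, different path
    ("https://portal.example.com.evil.net/login", False),  # saved host as a label of attacker's domain
    ("https://portal-example.com/login", False),           # lookalike registrable domain
    ("https://portal.example.com@evil.net/login", False),  # userinfo trick; real host is evil.net
    ("http://portal.example.com/login", False),            # plaintext; never autofill
    ("https://portal.example.com:8443/login", False),      # different port, different origin
]


def run_cases(saved=SAVED, cases=CASES):
    """Return (strict_results, naive_results) for the vectors above, in order."""
    strict = [should_release_credential(saved, url) for url, _ in cases]
    naive = [naive_match(saved, url) for url, _ in cases]
    return strict, naive


if __name__ == "__main__":
    strict, naive = run_cases()
    for (url, expected), s, n in zip(CASES, strict, naive):
        print(f"{url:48} strict={s!s:5} naive={n!s:5} expected={expected}")
```

The naive check accepts four of the five hostile URLs, including the subdomain and userinfo tricks, because it never isolates the host. The strict check also rejects internationalised lookalike hosts, since a host containing a Cyrillic letter is simply a different string (and a different punycode label) from the saved one.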
My1Login’s solution enables enterprises to address 25 of the 59 Cyber Essentials 2022 questions listed in the requirements for Firewalls, Secure Configuration, User Access Control and Malware Protection.
For more information on how the My1Login solution can help you achieve Cyber Essentials Plus whilst delivering cost savings, productivity benefits and mitigating an array of cyber-risks, please contact us.