A Guide To The Cyber Essentials Update 2022
January 24th 2022 Update
Some of the technical control requirements will change in line with recommended security updates. The evolution of Cyber Essentials allows UK businesses to continue raising the bar for their cyber security.
- HOME WORKING DEVICES ARE IN SCOPE, BUT MOST HOME ROUTERS ARE NOT
Anyone working from home for any amount of time is classified as a ‘home worker’. The devices that home workers use to access organisational information, whether they are owned by the organisation or the user, are in scope for Cyber Essentials.
Home routers that are provided by Internet Service Providers or by the home worker are now out of scope and the Cyber Essentials firewall controls are now transferred to the home worker’s device (computer, laptop, tablet and/or phone). However, a router supplied by the applicant company is in scope and must have the Cyber Essentials controls applied to it.
The use of a corporate (single tunnel) Virtual Private Network (VPN) transfers the boundary to the corporate firewall or virtual cloud firewall.
- ALL CLOUD SERVICES ARE IN SCOPE
If an organisation’s data or services are hosted on cloud services, then the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented. Definitions of cloud services have been added for Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or the user implements a given control depends on the type of cloud service.
- MULTI-FACTOR AUTHENTICATION MUST BE USED FOR ACCESS TO CLOUD SERVICES
As well as providing extra protection for passwords that are not protected by other technical controls, multi-factor authentication should always be used to provide additional protection to administrator accounts when connecting to cloud services.
The password element of the multi-factor authentication approach must have a password length of at least 8 characters with no maximum length restrictions.
- THIN CLIENTS ARE IN SCOPE WHEN THEY CONNECT TO ORGANISATIONAL INFORMATION OR SERVICES
A thin client is a ‘dumb terminal’ that gives you access to a remote desktop. It doesn’t hold much data, but it can connect to the internet.
- ALL SERVERS INCLUDING VIRTUAL SERVERS ON A SUB-SET OR A WHOLE ORGANISATION ASSESSMENT ARE IN SCOPE
Servers are specific devices that provide organisational data or services to other devices as part of the business of the applicant.
- ALL SMART PHONES AND TABLETS CONNECTING TO ORGANISATIONAL DATA AND SERVICES ARE CONFIRMED IN SCOPE WHEN CONNECTING TO CORPORATE NETWORK OR MOBILE INTERNET SUCH AS 4G AND 5G
However, mobile or remote devices used only for voice calls, text messages or multi-factor authentication applications are out of scope.
- DEVICE LOCKING
Biometrics or a minimum password or PIN length of 6 characters must be used to unlock a device.
- PASSWORD-BASED AND MULTI-FACTOR AUTHENTICATION REQUIREMENTS
When using passwords, one of the following protections should be used to protect against brute-force password guessing:
- Using multi-factor authentication.
- Throttling the rate of unsuccessful or guessed attempts.
- Locking accounts after no more than 10 unsuccessful attempts.
Technical controls are used to manage the quality of passwords. This will include one of the following:
- Using multi-factor authentication in conjunction with a password of at least 8 characters, with no maximum length restrictions.
- A minimum password length of at least 12 characters, with no maximum length restrictions.
- A minimum password length of at least 8 characters, with no maximum length restrictions, and automatic blocking of common passwords using a deny list.
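The brute-force and password-quality options above can be checked mechanically against an identity provider's settings. The Python below is an added example written for this guide, not an NCSC or IASME tool; the `AuthPolicy` field names are hypothetical and would be mapped from whatever your directory or IdP actually exposes.

```python
"""Evaluate a password-authentication configuration against the Cyber Essentials
2022 requirements summarised above. Added example; the AuthPolicy field names are
hypothetical and not taken from any real product or from the scheme documents."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuthPolicy:
    min_length: int                   # minimum password length enforced
    max_length: Optional[int]         # None means no maximum length (required)
    mfa_enabled: bool                 # multi-factor authentication enforced
    deny_list_enabled: bool           # common passwords blocked via a deny list
    lockout_threshold: Optional[int]  # lock after N failed attempts (None = no lockout)
    throttling_enabled: bool          # rate limiting of unsuccessful attempts


def check_policy(p: AuthPolicy) -> List[str]:
    """Return a list of findings; an empty list means the policy meets both controls."""
    findings: List[str] = []

    # Brute-force protection: MFA, throttling, or lockout after no more than 10 attempts.
    lockout_ok = p.lockout_threshold is not None and p.lockout_threshold <= 10
    if not (p.mfa_enabled or p.throttling_enabled or lockout_ok):
        findings.append("no brute-force protection: need MFA, throttling, "
                        "or lockout after no more than 10 unsuccessful attempts")

    # Password quality: no maximum length restriction is allowed under any option.
    if p.max_length is not None:
        findings.append(f"maximum password length {p.max_length} is not permitted")

    # One of the three acceptable quality options must be met.
    option_mfa = p.mfa_enabled and p.min_length >= 8
    option_long = p.min_length >= 12
    option_deny = p.deny_list_enabled and p.min_length >= 8
    if not (option_mfa or option_long or option_deny):
        findings.append("password quality: need MFA with minimum 8, minimum 12, "
                        "or minimum 8 with a common-password deny list")
    return findings
```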