
CERTIKIT Cyber Essentials Implementation Guide

Page 11

Cyber Essentials Toolkit v2 Implementation Guide

5.2 Control 2: Secure configuration

Relevant Toolkit documents:

• CYB-DOC-02-1 Logging and Monitoring Policy
• CYB-DOC-02-2 Software Policy
• CYB-DOC-02-3 Mobile Device Policy
• CYB-DOC-02-4 Backup Policy
• CYB-DOC-02-5 Cloud Computing Policy
• CYB-DOC-02-6 Password Policy
• CYB-DOC-02-7 Hardware Inventory
• CYB-DOC-02-8 Configuration Standard
• CYB-FORM-02-1 Configuration Specification
• EXAMPLE Configuration Specification
• EXAMPLE Configuration Standard
• EXAMPLE Hardware Inventory

This control involves choosing the most secure settings for your devices and software. Cyber Essentials certification requires that only necessary software, accounts and apps are used. Most “out-of-the-box” hardware, such as laptops, is shipped with a set of added-value software and default settings that encourage you to use them rather than make the device as secure as possible. Attackers know this, and it makes new computers and devices particularly vulnerable. A process often known as “hardening” is therefore needed: remove anything that is not required and bring the configuration to a secure starting point. This may involve uninstalling software, amending configuration settings and changing passwords.

The items that are permitted may be defined in a Configuration Standard, a document that sets out how a particular type of device should be set up. It is important to know what hardware you have, so that you can verify that all of it is configured correctly. The Toolkit includes a Hardware Inventory spreadsheet to record details of your devices, and you may be able to obtain some of this information from software tools you already use, such as Microsoft Intune (available as an add-on to Office 365).

When implemented correctly, passwords are an easy and effective way to prevent unauthorised users from accessing your devices. Unfortunately, they can also be the weakest link in your cyber defences. Passwords should be easy for you to remember and hard for someone else to guess. The default usernames and passwords that come with new devices, such as “admin” and “password”, are the easiest of all for attackers to guess, and lists of them are freely available on the Internet. Change all default passwords before devices are made live (especially your Internet router). Other techniques such as PINs and fingerprint recognition (or, more recently, facial recognition) can also help to secure devices such as smartphones.

www.certikit.com

Page 11 of 20

