Firewalls
1a) Are there firewalls in place which protect all your devices?
These firewalls may be host-based, which only protect the single device on which they are
installed and configured, or they may be boundary firewalls in place between the systems in
scope and the Internet.
Yes/No
Please describe how your firewalls are placed in your network in scope.
1b) If not, are you using other network devices which restrict access to network services?
Yes/No/Not Applicable
2) Has the default administrative password on all firewalls (or equivalent devices) been changed
to a password that is difficult to guess?
Yes/No
3a) Is it possible for a user to access the administrative interface of the firewall (or equivalent
device) remotely?
Yes/No
3b) If the answer to (3a) is yes, have you implemented protection for the administrative interface
in the form of a second authentication factor, such as a one-time token?
Yes/No/Not Applicable
3c) If the answer to (3b) is no, have you implemented protection for the administrative interface
in the form of an IP whitelist, which limits access to a small range of trusted IP addresses?
Yes/No/Not Applicable
Yes/No
5) For any configured inbound firewall rules, are they approved and documented by an
authorised individual, including a description of why each rule is needed?
Yes/No
6) Are configured firewall rules removed or disabled when they are no longer needed?
Yes/No
7) Do you have host-based (individual) firewalls on devices which are used on untrusted
networks, such as public Wi-Fi hotspots?
Yes/No
Secure Configuration
These may include guest accounts and administrative accounts that won't be used.
Yes/No
9) Have all passwords been changed from default or guessable to something non-obvious?
Yes/No
10) Has all software which is unnecessary for your organisation been removed or disabled?
Yes/No
11) Have all auto-run features which allow file execution without user authorisation (for
example, when they are downloaded from the Internet) been disabled for all media types and
network file shares?
Yes/No
12) Are external users authenticated before they are given Internet-based access to commercially
or personally sensitive data, or data which is critical to the running of the organisation?
Yes/No
Password-based authentication
13) Are systems accessible from the Internet protected against brute-force password guessing by
either:
Yes/No
Yes/No
Yes/No
Yes/No
17) Do you have a password policy that meets the requirements as set out in Cyber Essentials
Requirements: Password Authentication?
Yes/No
18) Are user accounts controlled through a creation and approval process?
Yes/No
19) Are users required to authenticate before being granted access to devices and applications,
using unique credentials?
Yes/No
20) Are accounts removed or disabled when no longer required?
For example, when a user leaves the organisation or after a defined period of account inactivity.
Yes/No
Yes/No
In practice, this means no emailing, web browsing or other standard user activities that may
expose administrative privileges to avoidable risks.
Yes/No
23) Are special access privileges removed or disabled when no longer required?
Yes/No
Malware Protection
There are several ways in which your devices may be protected against malware. The Cyber
Essentials scheme recognises anti-malware software (sometimes known as antivirus
software), application whitelisting and application sandboxing as acceptable mechanisms.
24) Do you have either anti-malware software, application whitelisting or application sandboxing
on each of your devices?
Yes/No
26a) Is the software kept up to date, with signature files updated at least daily?
Yes/No
Yes/No
Yes/No
26d) Are connections prevented to malicious websites on the Internet, unless there is a
clear, documented business need and you understand and accept the associated risk?
Yes/No
Yes/No
Yes/No
Yes/No
Yes/No
For all devices which use application sandboxing:
28) Is all code of unknown origin run within a 'sandbox' that prevents access to other resources
unless permission is explicitly granted by the user?
This includes:
Yes/No
Patch Management
29) Is all software installed on computers and network devices in the scope licensed and
supported?
Yes/No
30) Are all "critical" or "high risk" software patches applied within 14 days of release?
If the vendor uses different terms to describe the severity of vulnerabilities, see the precise
definition in the Common Vulnerability Scoring System (CVSS).
For the purposes of the Cyber Essentials scheme, 'critical' or 'high risk' vulnerabilities are those
with the following values:
Yes/No
31) If a vendor releases a patch for multiple issues as a single update which includes any
"critical" or "high risk" issues, is it installed within 14 days?
Yes/No
Approval
It is a requirement of the Scheme that the information given has been approved at Board level
(or equivalent) within the organisation. Please provide evidence of such approval: