We have been receiving a number of requests for information from schools that are working towards the Cyber Essentials scheme for their services. Rest assured that the standards on the network exceed those set out within this scheme. To make these requests easier to complete we will post the questions and answers here for reference.
We will update this page with other details as they come in.
- Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?
- All network-attached devices are secured by 2-factor authentication, with access granted only to dedicated and documented personnel. All passwords conform to the standards set and are required to follow a set of standard practices covering both length and character mix.
- Do you change the password when you believe it may have been compromised? How do you achieve this?
- Access to devices is controlled only by 2-factor authentication, with controlled and regulated procedures in place for lost or stolen tokens. In the very unlikely event that a PIN is compromised and a token obtained, we would suspend any suspicious activity and prevent access. A complex local password exists for use only if the remote solution fails to authenticate a user; it is used only locally, when directly attached to the router. If this password is ever used, we change it afterwards.
- Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?
- Only from a secured source: we access the configuration only from a small number of selected servers, which are locked down via access control and complex strings. As discussed above, only certain employees are allowed access to these devices, and only via a secure medium.
- If yes, is there a documented business requirement for this access?
- Yes. A documented internal KCOM solution allowing access via these secure servers is in place, and all devices are monitored for access. All commands entered are logged, all access attempts are logged, and locked command sets are restricted to specific personnel.
- If yes, is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings? List which option is used.
- Yes, as answered above: 2-factor authentication, documented procedures, locked-down access control and monitoring of all accounts.
If you have any further questions, or would like further information on the above, please get in touch via firstname.lastname@example.org