cyber_essentials.yaml

urn: urn:intuitem:risk:library:cyber_essentials_requirements_for_it_infrastructure
locale: en
ref_id: 'Cyber Essentials: Requirements for IT infrastructure'
name: 'Cyber Essentials: Requirements for IT infrastructure v3.1'
description: "Cyber Essentials is a set of baseline technical controls produced by\
  \ the UK Government and security industry to help organisations \u2013 large and\
  \ small \u2013 improve their cyber security defences and demonstrate a public commitment\
  \ to their network security and the standards to which they operate. \nhttps://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf"
copyright: 'Information

  Licence : https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/'
version: 2
provider: NCSC
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:cyber_essentials_requirements_for_it_infrastructure
    ref_id: 'Cyber Essentials: Requirements for IT infrastructure'
    name: 'Cyber Essentials: Requirements for IT infrastructure v3.1'
    description: "Cyber Essentials is a set of baseline technical controls produced\
      \ by the UK Government and security industry to help organisations \u2013 large\
      \ and small \u2013 improve their cyber security defences and demonstrate a public\
      \ commitment to their network security and the standards to which they operate.\
      \ \nhttps://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf"
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:a
      assessable: false
      depth: 1
      ref_id: A
      name: Introducing the technical controls
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:a
      description: 'We have organised the requirements under five technical controls:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node3
      description: 1. Firewalls
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node3
      description: 2. Secure configuration
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node3
      description: 3. Security update management
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node3
      description: 4. User access control
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node8
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node3
      description: 5. Malware protection
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node9
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:a
      description: "As a Cyber Essentials scheme applicant organisation, it's your\
        \ responsibility to make sure that your organisation meets all the requirements.\
        \ You might also be required to supply evidence before your certification\
        \ body can award certification at the level for which you\u2019re applying."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node10
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:a
      description: 'What you should do first:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node11
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node10
      description: Establish the boundary of scope for your organisation, and then
        determine what is in scope within this boundary.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node12
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node10
      description: Review each of the five technical control themes and the controls
        they embody as requirements.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node13
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node10
      description: Take the necessary steps to ensure that your organisation meets
        every requirement it needs for the scope you have determined.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:b
      assessable: false
      depth: 1
      ref_id: B
      name: Definitions
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node15
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:b
      description: 'Software includes operating systems, commercial off-the-shelf
        applications, plugins, interpreters, scripts, libraries, network software
        and firewall and router firmware. '
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node16
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:b
      description: "Devices includes all types of hosts, networking equipment, servers,\
        \ networks, and end  user devices such as desktop computers, laptop computers,\
        \ thin clients, tablets and smartphones \u2014 whether physical or virtual."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node17
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:b
      description: Applicant refers to your organisation which is seeking certification,
        or sometimes the individual who is acting as the main point of contact, depending
        on context.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node18
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:b
      description: A corporate VPN is a virtual private network that connects back
        to your office location, or to a virtual or cloud firewall. You must administer
        the VPN so you can apply the firewall controls
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node19
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:b
      description: Organisational data includes any electronic data belonging to your
        organisation, for example, emails, documents, database data, financial data.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node20
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:b
      description: 'Organisational service includes any software applications, cloud
        applications, cloud services, user interactive desktops and mobile device
        management (MDM) solutions that your organisation owns or subscribes to. For
        example: web applications, Microsoft 365, Google Workspace, mobile device
        management containers, Citrix Desktop, Virtual Desktop solutions or IP telephony.'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node21
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:b
      description: 'A sub-set is part of the organisation whose network is segregated
        from the rest of the organisation by a firewall or VLAN. '
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node22
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:b
      description: "Servers are devices that provide organisational data or services\
        \ to other devices as part of your organisation\u2019s business."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node23
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:b
      description: "Licensed and supported software is software that you have a legal\
        \ right to use and that a vendor has committed to support by providing regular\
        \ updates or patches. The vendor must provide the future date when they will\
        \ stop providing updates. (Note that the vendor doesn\u2019t need to have\
        \ created the software originally, but they must be able to now modify the\
        \ original software to create updates)."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c
      assessable: false
      depth: 1
      ref_id: C
      name: Scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node25
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c
      name: Scope overview
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node26
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node25
      description: "Your assessment and certification should cover the whole of the\
        \ IT infrastructure used to carry out your organisation\u2019s business, or\
        \ if necessary, a well-defined and separately managed sub-set. Either way,\
        \ you must clearly define the scope boundary, namely: the business unit managing\
        \ it, the network boundary and physical location. You must agree the scope\
        \ with the certification body before assessment begins."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node27
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node25
      description: A sub-set can be used to define what is in scope or what is out
        of scope for your Cyber Essentials certification.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node28
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node25
      name: 'Please note: '
      description: Organisations that choose a scope which includes their whole IT
        infrastructure achieve the best protection and maximise their customers' confidence.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node29
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node25
      description: 'The requirements apply to all devices and software in scope and
        which meet any of these conditions:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node30
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node29
      description: "\u2022 can accept incoming network connections from untrusted\
        \ internet-connected hosts"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node31
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node29
      description: "\u2022 can establish user-initiated outbound connections to devices\
        \ via the internet"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node32
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node29
      description: "\u2022 control the flow of data between any of the above devices\
        \ and the internet."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node33
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node25
      description: "A scope that doesn\u2019t include end-user devices isn\u2019t\
        \ acceptable."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node34
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c
      name: Asset management and Cyber Essentials
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node35
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node34
      description: "Asset management isn\u2019t a specific Cyber Essentials control,\
        \ but effective asset management can help meet all five controls, so it should\
        \ be considered as a core security function."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node36
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node34
      description: "Most business operations depend on some aspect of asset management,\
        \ and cyber security shouldn\u2019t be considered in isolation, or as the\
        \ primary consumer of asset information. These functions include IT operations,\
        \ financial accounting, managing software licences, procurement and logistics.\
        \ They may not all need the same information, but there will be overlaps and\
        \ dependencies between the respective requirements. Integrating and coordinating\
        \ asset management across your organisation will help reduce or manage any\
        \ conflicts between these functions."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node37
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node34
      description: "Effective asset management doesn\u2019t mean making lists or databases\
        \ that are never used. It means creating, establishing and maintaining authoritative\
        \ and accurate information about your assets that enables both day-to-day\
        \ operations and efficient decision making when you need it. In particular,\
        \ it will help you track and control devices as they're introduced into your\
        \ business."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node38
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node34
      description: The NCSC has comprehensive guidance for organisations on asset
        management.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.i
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c
      ref_id: C.i
      name: Bring your own device (BYOD)
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node40
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.i
      description: 'In addition to mobile or remote devices owned by the organisation,
        user-owned devices which access organisational data or services (as defined
        above) are in scope. However, all mobile or remote devices used only for the
        purpose of:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node41
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node40
      description: "\u2022 native voice applications"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node42
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node40
      description: "\u2022 native text applications"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node43
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node40
      description: "\u2022 multi-factor authentication (MFA) applications"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node44
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.i
      description: are out of scope.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node45
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.i
      description: Traditionally, user devices were managed centrally, which ensured
        consistency across the organisation. Certifying security controls in this
        way is more straightforward as there is a standard build or reference.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node46
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.i
      description: "BYOD complicates matters, as users are given more freedom to \u2018\
        customise\u2019 their experience making consistent implementation of the controls\
        \ more challenging. Using the organisational data and services definitions\
        \ to enforce strong access policies should remove some of this ambiguity."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node47
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.i
      description: "For further information and advice on the use of BYOD please see\
        \ the NCSC\u2019s guidance."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.ii
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c
      ref_id: C.ii
      name: Home working
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node49
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.ii
      description: "Our default approach is that all corporate or BYOD home working\
        \ devices used for your organisation\u2019s business are in scope for Cyber\
        \ Essentials."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node50
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.ii
      description: If your organisation gives the homeworker a router, that router
        is then also in scope.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node51
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.ii
      description: All other routers are out of scope which means you need to apply
        Cyber Essentials firewall controls (such as a software firewall) on users'
        devices.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node52
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.ii
      description: If the home worker is using a corporate VPN, their internet boundary
        is on the company firewall or virtual/cloud firewall.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.iii
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c
      ref_id: C.iii
      name: Wireless devices
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node54
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.iii
      description: 'Wireless devices (including wireless access points) are:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node55
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node54
      description: "\u2022 in scope if they can communicate with other devices via\
        \ the internet"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node56
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node54
      description: "\u2022 out of scope if it's not possible for an attacker to attack\
        \ directly via the internet (the Cyber Essentials scheme isn\u2019t concerned\
        \ with attacks that can only be launched within the signal range of the wireless\
        \ device)"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node57
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node54
      description: "\u2022 out of scope if they are part of an ISP router at the home\
        \ location"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.iv
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c
      ref_id: C.iv
      name: Cloud services
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node59
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.iv
      description: "If your organisation\u2019s data or services are hosted on cloud\
        \ services, these services must be in scope."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node60
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.iv
      description: 'For cloud services, the applicant organisation is always responsible
        for ensuring all controls are implemented, but some of the controls can be
        implemented by the cloud service provider. Who implements which control depends
        on the type of cloud service. We consider three different types of cloud service:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node61
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node60
      description: "Infrastructure as a Service (IaaS) \u2013 the cloud provider delivers\
        \ virtual servers and network equipment that, much like physical equipment,\
        \ your organisation configures and manages. Examples of IaaS include Rackspace,\
        \ Google Compute Engine, or Amazon EC2."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node62
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node60
      description: "Platform as a Service (PaaS) \u2013 the cloud provider delivers\
        \ and manages the underlying infrastructure, and your organisation provides\
        \ and manages the applications. Examples of PaaS include Azure Web Apps and\
        \ Amazon Web Services Lambda."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node63
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node60
      description: "Software as a Service (SaaS) \u2013 the cloud provider delivers\
        \ applications, and your organisation then configures the services. You must\
        \ still make sure that the service is configured securely. Examples of SaaS\
        \ include Microsoft 365, Dropbox and Gmail."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node64
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.iv
      description: 'Who implements the controls will vary, depending how the cloud
        service is designed. The table below explains who might typically be expected
        to implement each control:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node65
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node64
      name: Firewalls
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node66
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node65
      name: IaaS
      description: Both your organisation and the cloud provider
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node67
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node65
      name: PaaS
      description: The cloud provider and sometimes also your organisation
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node68
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node65
      name: SaaS
      description: The cloud provider
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node69
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node64
      name: Secure configuration
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node70
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node69
      name: IaaS
      description: Both your organisation and the cloud provider
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node71
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node69
      name: PaaS
      description: Both your organisation and the cloud provider
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node72
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node69
      name: SaaS
      description: Both your organisation and the cloud provider
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node73
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node64
      name: Security update management
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node74
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node73
      name: IaaS
      description: Both your organisation and the cloud provider
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node75
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node73
      name: PaaS
      description: Both your organisation and the cloud provider
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node76
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node73
      name: SaaS
      description: The cloud provider
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node77
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node64
      name: User access control
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node78
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node77
      name: IaaS
      description: Your organisation
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node79
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node77
      name: PaaS
      description: Your organisation
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node80
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node77
      name: SaaS
      description: Your organisation
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node81
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node64
      name: Malware protection
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node82
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node81
      name: IaaS
      description: Both your organisation and the cloud provider
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node83
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node81
      name: PaaS
      description: The cloud provider and sometimes also your organisation
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node84
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node81
      name: SaaS
      description: The cloud provider
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node85
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.iv
      description: "In cases where the cloud provider implements one of the controls\
        \ on your behalf, you must make sure that the cloud provider has committed\
        \ to implementing this via contractual clauses or documents referenced by\
        \ contract, such as security statements or privacy statements. Cloud providers\
        \ will often explain how they implement security in documents published in\
        \ their trust centres, referencing a \u2018shared responsibility model.\u2019"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.v
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c
      ref_id: C.v
      name: Accounts used by third parties and managed infrastructure
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node87
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.v
      description: All accounts your organisation owns are in scope, even when those
        accounts are used by a third party, such as a supplier, contractor or Managed
        Service Provider (MSP) to manage or support your infrastructure.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node88
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.v
      description: "If you\u2019re using externally managed services (such as remote\
        \ administration), you must be able to confirm that the Cyber Essentials technical\
        \ controls are being met, and be able to demonstrate this in your assessment\
        \ answers."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vi
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c
      ref_id: C.vi
      name: Devices used by third parties
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node90
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vi
      description: All end user devices your organisation owns that are loaned to
        a third party must be included in then assessment scope.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node91
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vi
      description: 'For devices not owned by your organisation, the table below explains
        what is in and out of scope:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node92
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vi
      name: Employee
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node93
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node92
      name: Owned by your organisation
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node94
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node92
      name: Owned by a third party
      description: N/A
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node95
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node92
      name: BYOD
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node96
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vi
      name: Volunteer
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node97
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node96
      name: Owned by your organisation
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node98
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node96
      name: Owned by a third party
      description: N/A
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node99
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node96
      name: BYOD
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node100
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vi
      name: Trustee
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node101
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node100
      name: Owned by your organisation
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node102
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node100
      name: Owned by a third party
      description: N/A
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node103
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node100
      name: BYOD
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node104
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vi
      name: University research assistant
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node105
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node104
      name: Owned by your organisation
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node106
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node104
      name: Owned by a third party
      description: N/A
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node107
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node104
      name: BYOD
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node108
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vi
      name: Student
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node109
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node108
      name: Owned by your organisation
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node110
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node108
      name: Owned by a third party
      description: N/A
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node111
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node108
      name: BYOD
      description: Out of scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node112
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vi
      name: MSP administrator
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node113
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node112
      name: Owned by your organisation
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node114
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node112
      name: Owned by a third party
      description: Out of scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node115
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node112
      name: BYOD
      description: Out of scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node116
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vi
      name: Third party contractor
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node117
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node116
      name: Owned by your organisation
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node118
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node116
      name: Owned by a thirdparty
      description: Out of scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node119
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node116
      name: BYOD
      description: Out of scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node120
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vi
      name: Customer
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node121
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node120
      name: Owned by your organisation
      description: In scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node122
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node120
      name: Owned by a third party
      description: Out of scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node123
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node120
      name: BYOD
      description: Out of scope
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vii
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c
      ref_id: C.vii
      name: Web applications
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node125
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:c.vii
      description: Publicly available commercial web applications (rather than apps
        developed in-house) are in scope by default. Bespoke and custom components
        of web applications are out of scope. The best way to mitigate vulnerabilities
        in applications is robust development and testing in line with commercial
        best practice, such as the OWASP Application Security Verification Standard
        | OWASP Foundation.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d
      assessable: false
      depth: 1
      ref_id: D
      name: Requirements by technical control theme
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d
      ref_id: D.1
      name: Firewalls
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node128
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.1
      description: 'Applies to: boundary firewalls, desktop computers, laptops, routers,
        servers, IaaS, PaaS, SaaS'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node129
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.1
      name: Aim
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node130
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node129
      description: To make sure that only secure and necessary network services can
        be accessed from the internet.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node131
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.1
      name: Introduction
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node132
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node131
      description: All devices run network services to allow them to communicate with
        other devices and services. By restricting access to these services, you reduce
        your exposure to attacks. You can do this using firewalls or network devices
        with firewall functionality. For cloud services, you can achieve this using
        data flow policies.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node133
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node131
      description: "A boundary firewall is a network device which can restrict the\
        \ inbound and outbound network traffic to services on its network of computers\
        \ and mobile devices. It can help protect against cyber attacks by implementing\
        \ restrictions, known as \u2018firewall rules,\u2019 which can allow or block\
        \ traffic depending on its source, destination and type of communication protocol."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node134
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node131
      description: "Alternatively, if your organisation doesn't control the network\
        \ to which a device connects, you must configure a software firewall on the\
        \ device. This works in the same way as a boundary firewall but only protects\
        \ the single device on which it\u2019s configured. This approach allows for\
        \ more tailored rules and means that the rules apply to the device wherever\
        \ it's used. But you should note that this creates a greater administrative\
        \ overhead when managing firewall rules."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node135
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.1
      name: Requirements
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node136
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node135
      description: You must protect every device in scope with a correctly configured
        firewall (or network device with firewall functionality).
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node137
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node135
      name: 'Information:'
      description: Most desktop and laptop operating systems now come with a software
        firewall pre- installed, we advise that these are turned on in preference
        to a third-party firewall application.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node138
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node135
      description: 'For all firewalls (or network devices with firewall functionality),
        your organisation must:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node139
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node138
      description: "\u2022 change default administrative passwords to a strong and\
        \ unique password (see password- based authentication) \u2013 or disable remote\
        \ administrative access entirely"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node140
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node138
      description: "\u2022  prevent access to the administrative interface (used to\
        \ manage firewall configuration) from the internet, unless there is a clear\
        \ and documented business need, and the interface is protected by one of the\
        \ following controls:"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node141
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node140
      description: o multi-factor authentication (see MFA details below)
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node142
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node140
      description: o an IP allow list that limits access to a small range of trusted
        addresses combined with a properly managed password authentication approach
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node143
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node138
      description: " \u2022 block unauthenticated inbound connections by default"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node144
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node138
      description: "\u2022 ensure inbound firewall rules are approved and documented\
        \ by an authorised person, and include the business need in the documentation"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node145
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node138
      description: "\u2022 remove or disable unnecessary firewall rules quickly, when\
        \ they are no longer needed"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node146
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node135
      description: Make sure you use a software firewall on devices which are used
        on untrusted networks, such as public wifi hotspots.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d
      ref_id: D.2
      name: Secure configuration
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node148
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.2
      description: 'Applies to: servers, desktop computers, laptops, tablets, mobile
        phones, thin clients, IaaS, PaaS,SaaS'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node149
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.2
      name: Aim
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node150
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node149
      description: 'Ensure that computers and network devices are properly configured
        to:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node151
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node150
      description: "\u2022 reduce vulnerabilities"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node152
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node150
      description: "\u2022 provide only the services required to fulfil their role"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node153
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.2
      name: Introduction
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node154
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node153
      description: "The default configurations of computers and network devices aren\u2019\
        t always secure. Standard out-of- the-box configurations often include one\
        \ or more weak points such as:"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node155
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node154
      description: "\u2022 an administrative account with a pre-set, publicly known\
        \ default password or without multi- factor authentication enabled"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node156
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node154
      description: "\u2022 pre-enabled but unnecessary user accounts (sometimes with\
        \ special access privileges)"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node157
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node154
      description: "\u2022 pre-installed but unnecessary applications or services"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node158
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node153
      description: "These default installations can allow attackers to gain unauthorised\
        \ access to your organisation\u2019s sensitive information."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node159
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node153
      description: But by applying some simple technical controls when installing
        computers and network devices, you can minimise vulnerabilities and protect
        against common types of attack.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node160
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.2
      name: Requirements
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node161
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node160
      name: Computers and network devices
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node162
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node161
      description: 'Your organisation must proactively manage your computers and network
        devices. You must regularly:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node163
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node162
      description: "\u2022 remove and disable unnecessary user accounts (such as guest\
        \ accounts and administrative accounts that won\u2019t be used)"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node164
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node162
      description: "\u2022 change any default or guessable account passwords (see\
        \ password-based authentication)"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node165
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node162
      description: "\u2022 remove or disable unnecessary software (including applications,\
        \ system utilities and network services)"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node166
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node162
      description: "\u2022 disable any auto-run feature which allows file execution\
        \ without user authorisation (such as when they are downloaded)"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node167
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node162
      description: "\u2022 ensure users are authenticated before allowing them access\
        \ to organisational data or services"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node168
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node162
      description: "\u2022 ensure appropriate device locking controls (see \u2018\
        device unlocking\u2019, below) for users that are physically present"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node169
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node160
      name: Device unlocking credentials
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node170
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node169
      description: "If a device requires a user\u2019s physical presence to access\
        \ a device\u2019s services (such as logging on to a laptop or unlocking a\
        \ mobile phone), a credential such as a biometric, password or PIN must be\
        \ in place before a user can gain access to the services."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node171
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node169
      description: 'You must protect your chosen authentication method (which can
        be biometric authentication, password or PIN) against brute-force attacks.
        When it''s possible to configure, you should apply one of the following:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node172
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node171
      description: "\u2022 \u2018throttling' the rate of attempts, so that the number\
        \ of times the user must wait between attempts increases with each unsuccessful\
        \ attempt you shouldn\u2019t allow more than 10 guesses in 5 minutes"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node173
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node171
      description: "\u2022 locking devices after more than 10 unsuccessful attempts."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node174
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node169
      description: "When the vendor doesn't allow you to configure the above, use\
        \ the vendor\u2019s default setting."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node175
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node169
      description: "Technical controls must be used to manage the quality of credentials.\
        \ If credentials are just to unlock a device, use a minimum password or PIN\
        \ length of at least 6 characters. When the device unlocking credentials are\
        \ also used for authentication, you must apply the full password requirements\
        \ to the credentials described in \u2018user access controls.\u2019"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d
      ref_id: D.3
      name: ' Security update management'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node177
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.3
      description: 'Applies to: servers, desktop computers, laptops, tablets, mobile
        phones, firewalls, routers, IaaS, PaaS, SaaS'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node178
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.3
      name: Aim
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node179
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node178
      description: Ensure that devices and software are not vulnerable to known security
        issues for which fixes are available.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node180
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.3
      name: Introduction
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node181
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node180
      description: Any device that runs software can contain security flaws, known
        as vulnerabilities.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node182
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node180
      description: "Vulnerabilities are regularly discovered in all sorts of software.\
        \ Once discovered, malicious individuals or groups move quickly to misuse\
        \ (or \u2018exploit\u2019) vulnerabilities to attack computers and networks."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node183
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node180
      name: 'Caution:'
      description: "Product vendors provide fixes for vulnerabilities identified in\
        \ products that they still support, in the form of software updates known\
        \ as \u2018patches\u2019 or security updates. These may be made available\
        \ to customers immediately or on a regular release schedule (perhaps monthly)."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node184
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.3
      name: Requirements
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node185
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node184
      description: 'You must make sure that all software in scope is kept up to date.
        All software on in-scope devices must:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node186
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node185
      description: "\u2022 be licensed and supported"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node187
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node185
      description: "\u2022 removed from devices when it becomes unsupported or removed\
        \ from scope by using a defined sub-set that prevents all traffic to / from\
        \ the internet"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node188
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node185
      description: "\u2022 have automatic updates enabled where possible"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node189
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node185
      description: "\u2022 be updated, including applying any manual configuration\
        \ changes required to make the update effective, within 14 days* of an update\
        \ being released, where:"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node190
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node189
      description: "o the update fixes vulnerabilities described by the vendor as\
        \ \u2018critical\u2019 or \u2018high risk\u2019"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node191
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node189
      description: o the update addresses vulnerabilities with a CVSS v3 base score
        of 7 or above
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node192
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node189
      description: o there are no details of the level of vulnerabilities the update
        fixes provided by the vendor
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node193
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node184
      name: 'Please note: '
      description: "For optimum security we strongly recommend (but it\u2019s not\
        \ mandatory) that all released updates are applied within 14 days of release."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node194
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node184
      description: '*It''s important that updates are applied as soon as possible.
        14 days is considered a reasonable

        period to be able to implement this requirement. Any longer would constitute
        a serious security risk

        while a shorter period may not be practical.'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node195
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node184
      name: 'Information:'
      description: "If the vendor uses different terms to describe the severity of\
        \ vulnerabilities, see the precise definition in the Common Vulnerability\
        \ Scoring System (CVSS). For the purposes of the Cyber Essentials scheme,\
        \ \u2018critical\u2019 or \u2018high risk\u2019 vulnerabilities are those\
        \ with a CVSS3 score of 7 or above or are identified by the vendor as 'critical\
        \ or high risk'."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node196
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node184
      name: 'Caution: '
      description: "Some vendors release security updates for multiple issues with\
        \ differing severity levels as a single update. If such an update covers any\
        \ \u2018critical\u2019 or \u2018high risk\u2019 issues then it must be installed\
        \ within 14 days."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d
      ref_id: D.4
      name: ' User access control'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node198
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.4
      description: 'Applies to: servers, desktop computers, laptops, tablets, mobile
        phones, IaaS, PaaS, SaaS'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node199
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.4
      name: Aim
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node200
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node199
      description: 'Ensure that user accounts:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node201
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node200
      description: "\u2022 are assigned to authorised individuals only"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node202
      assessable: false
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node200
      description: "\u2022 provide access to only those applications, computers and\
        \ networks the user needs to carry out their role"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node203
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.4
      name: Introduction
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node204
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node203
      description: Every active user account in your organisation facilitates access
        to devices and applications, and to sensitive business information. By making
        sure that only authorised individuals have user accounts, and that they're
        only granted as much access as they need to carry out their role, you reduce
        the risk of information being stolen or damaged.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node205
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node203
      description: Compared to normal user accounts, accounts with special access
        privileges have enhanced access to devices, applications and information.
        If these accounts are compromised, an attacker could take advantage of their
        greater accesses to corrupt information on a large scale, disrupt business
        processes or gain unauthorised access to other devices in the organisation.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node206
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node203
      description: 'Administrative accounts are especially highly privileged, for
        example. These accounts typically allow the user to:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node207
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node206
      description: "\u2022 execute software that can make significant and security-related\
        \ changes to the operating system"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node208
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node206
      description: "\u2022 make changes to the operating system for some or all users"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node209
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node206
      description: "\u2022 create new accounts and allocate privileges"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node210
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node203
      description: All types of administrators will have this kind of account, including
        domain administrators and local administrators.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node211
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node203
      description: "This is important because if a user opens a malicious URL or email\
        \ attachment, the malware would typically be executed with the same privilege\
        \ level of the user\u2019s account. This is why it\u2019s important to take\
        \ special care allocating and using privileged accounts."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node212
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node203
      name: 'Example: '
      description: "Jody is logged in with an administrative account. If Jody opens\
        \ a malicious URL or email attachment, any associated malware is likely to\
        \ acquire administrative privileges. Unfortunately, this is exactly what happens.\
        \ Using Jody\u2019s administrative privileges, a type of malware known as\
        \ ransomware encrypts all of the data on the network and then demands a ransom.\
        \ The ransomware was able to encrypt far more data than would have been possible\
        \ with standard user privileges, making the problem that much more serious."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node213
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.4
      name: Requirements
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node214
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node213
      description: "Your organisation must be in control of your user accounts and\
        \ the access privileges that allow access to your organisational data and\
        \ services. It\u2019s important to note that this also includes third party\
        \ accounts \u2013 for example accounts used by your support services. You\
        \ also need to understand how user accounts authenticate and manage the authentication\
        \ accordingly."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node215
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node213
      description: 'This means your organisation must:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node216
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node215
      description: "\u2022 have in place a process to create and approve user accounts"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node217
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node215
      description: "\u2022 authenticate users with unique credentials before granting\
        \ access to applications or devices (see password-based authentication)"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node218
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node215
      description: "\u2022 remove or disable user accounts when they\u2019re no longer\
        \ required (for example, when a user leaves the organisation or after a defined\
        \ period of account inactivity)"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node219
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node215
      description: "\u2022 implement MFA, where available \u2013 authentication to\
        \ cloud services must always use MFA"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node220
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node215
      description: "\u2022 use separate accounts to perform administrative activities\
        \ only (no emailing, web browsing or other standard user activities that may\
        \ expose administrative privileges to avoidable risks)"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node221
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node215
      description: "\u2022 remove or disable special access privileges when no longer\
        \ required (when a member of staff changes role, for example)"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node222
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.4
      name: Password-based authentication
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node223
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node222
      description: All user accounts require the user to authenticate.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node224
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node222
      description: 'Where this is carried out using a password, you should put in
        place the following protective measures:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node225
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node224
      description: "\u2022 Passwords are protected against brute-force password guessing\
        \ by implementing at least one of:"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node226
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node225
      description: ' o multi-factor authentication (see below)'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node227
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node225
      description: "o \u2018throttling' the rate of attempts, so that the number of\
        \ times the user must wait between attempts increases with each unsuccessful\
        \ attempt \u2013 you shouldn\u2019t allow more than 10 guesses in 5 minutes"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node228
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node225
      description: o locking accounts after no more than 10 unsuccessful attempts
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node229
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node224
      description: "\u2022 Use technical controls to manage the quality of passwords.\
        \ This will include one of the following:"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node230
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node229
      description: o Using multi-factor authentication (see below)
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node231
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node229
      description: o A minimum password length of at least 12 characters, with no
        maximum length restrictions
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node232
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node229
      description: o A minimum password length of at least 8 characters, with no maximum
        length restrictions and use automatic blocking of common passwords using a
        deny list.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node233
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node224
      description: "\u2022 Support users to choose unique passwords for their work\
        \ accounts by:"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node234
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node233
      description: o educating people about avoiding common passwords, such as a pet's
        name, common keyboard patterns or passwords they have used elsewhere. This
        could include teaching people to use the password generator feature built
        into some password managers.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node235
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node233
      description: "o encouraging people to choose longer passwords by promoting the\
        \ use of multiple words (a minimum of three) to create a password (such as\
        \ the NCSC\u2019s guidance on using three random words)"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node236
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node233
      description: o providing usable secure storage for passwords (for example a
        password manager or secure locked cabinet) with clear information about how
        and when it can be used.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node237
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node233
      description: o not enforcing regular password expiry
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node238
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node233
      description: o not enforcing password complexity requirements
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node239
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node222
      description: You should also make sure there is an established process in place
        to change passwords promptly if you know or suspect a password or account
        has been compromised.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node240
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.4
      name: Multi-factor authentication (MFA)
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node241
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node240
      description: "As well as providing an extra layer of security for passwords\
        \ that aren\u2019t protected by the other technical controls, you should always\
        \ use multi-factor authentication to give administrative accounts extra security,\
        \ and accounts that are accessible from the internet."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node242
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node240
      description: The password element of the multi-factor authentication approach
        must have a password length of at least 8 characters, with no maximum length
        restrictions.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node243
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node240
      description: 'There are four types of additional factor to consider:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node244
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node243
      description: "\u2022 a managed/enterprise device"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node245
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node243
      description: "\u2022 an app on a trusted device"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node246
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node243
      description: "\u2022 a physically separate token"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node247
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node243
      description: "\u2022 a known or trusted account"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node248
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node240
      description: "Additional factors should be chosen so that they are usable and\
        \ accessible. You might need to carry out user testing to decide what is best\
        \ for your users. For more information see NCSC\u2019s guidance on MFA."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node249
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node240
      name: 'Information:'
      description: SMS is not the most secure type of MFA, but still offers a huge
        advantage over not using any MFA at all. Any multi-factor authentication is
        better than not having it at all. However, if there are alternatives available
        that will work for your situation, we recommend you use these instead of SMS.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.5
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d
      ref_id: D.5
      name: Malware protection
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node251
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.5
      description: 'Applies to: Servers, desktop computers, laptops, tablets, mobile
        phones, IaaS, PaaS, SaaS'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node252
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.5
      name: Aim
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node253
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node252
      description: To restrict execution of known malware and untrusted software,
        from causing damage or accessing data.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node254
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.5
      name: Introduction
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node255
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node254
      description: 'Malware, such as computer viruses, worms and ransomware, is software
        that has been written and distributed deliberately to perform malicious actions.
        Potential sources include: malicious email attachments, downloads (including
        those from application stores), and direct installation of unauthorised software.'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node256
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node254
      description: If a system is infected, your organisation is likely to suffer
        from problems like malfunctioning systems, data loss, or onward infection
        that goes unseen until it causes harm elsewhere.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node257
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node254
      description: 'You can largely avoid the potential for harm by:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node258
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node257
      description: "\u2022 preventing malware from being delivered to devices"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node259
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node257
      description: "\u2022 preventing malware from running on devices"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node260
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node254
      name: 'Example:'
      description: Acme Corporation implements code signing alongside a rule that
        allows only vetted applications from the device application store to execute
        on devices. Unsigned and unapproved applications will not run on devices.
        The fact that users can only install trusted (allow-listed) applications leads
        to a reduced risk of malware infection.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node261
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:d.5
      name: Requirements
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node262
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node261
      description: 'You must make sure that a malware protection mechanism is active
        on all devices in scope. For each device, you must use at least one of the
        options listed below. In most modern products these options are built in to
        the software supplied. Alternatively, you can purchase products from a third-
        party provider. In all cases the software must be active, kept up to date
        in accordance with the vendors instructions, and configured to work as detailed
        below:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node263
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node261
      name: Anti-malware software
      description: (option for in scope devices running Windows or MacOS including
        servers,desktop computers, laptop computers)
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node264
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node263
      description: 'If you use anti-malware software to protect your device it must
        be configured to:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node265
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node264
      description: "\u2022 prevent connections to malicious websites over the internet."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node266
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node264
      description: "\u2022 be updated in line with vendor recommendations"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node267
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node264
      description: "\u2022 prevent malware from running"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node268
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node264
      description: "\u2022 prevent the execution of malicious code"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node269
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node264
      description: "\u2022 prevent connections to malicious websites over the internet."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node270
      assessable: false
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node261
      name: Application allow listing
      description: (option for all in scope devices)
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node271
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node270
      description: 'Only approved applications, restricted by code signing, are allowed
        to execute on devices. You must:'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node272
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node271
      description: "\u2022 actively approve such applications before deploying them\
        \ to devices"
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node273
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node271
      description: "\u2022 maintain a current list of approved applications, users\
        \ must not be able to install any application that is unsigned or has an invalid\
        \ signature."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:e
      assessable: false
      depth: 1
      ref_id: E
      name: ' Further guidance'
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node275
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:e
      name: Backing up your data
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node276
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node275
      description: Backing up means creating a copy of your information and saving
        it to another device or to cloud storage (online).
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node277
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node275
      description: Backing up regularly means you will always have a recent version
        of your information saved. This will help you recover quicker if your data
        is lost or stolen.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node278
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node275
      description: You can also turn on automatic backup. This will regularly save
        your information into cloud storage, without you having to remember.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node279
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node275
      description: "If you back up your information to a USB stick or an external\
        \ hard drive, disconnect it from your computer when a backup isn\u2019t being\
        \ done."
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node280
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node275
      description: Backing up your data is not a technical requirement of Cyber Essentials;
        however we highly recommend implementing an appropriate backup solution.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node281
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:e
      name: Zero trust and Cyber Essentials
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node282
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node281
      description: Network architecture is changing. More services are moving to the
        cloud and use of Software as a Service (SaaS) continues to grow.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node283
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node281
      description: At the same time, many organisations are embracing flexible working,
        which means lots of different device types may connect to your systems from
        many locations. It's also increasingly common for organisations to share data
        with their partners and guest users, which requires more granular access control
        policies.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node284
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node281
      description: Zero trust architecture is designed to cope with these changing
        conditions by enabling an improved user experience for remote access and data
        sharing.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node285
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node281
      description: A zero trust architecture is an approach to system design where
        inherent trust in the network is removed. Instead, the network is assumed
        hostile and each access request is verified, based on an access policy. Confidence
        in a request is achieved by building context, which relies on strong authentication,
        authorisation, device health, and value of the data being accessed.
    - urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node286
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:cyber_essentials_requirements_for_it_infrastructure:node281
      description: As organisations move towards zero trust architecture models, we
        have considered it in this context, and are confident that implementing the
        technical controls doesn't prevent you using a zero trust architecture as
        defined by the NCSC guidance.