Contractor Devices - "In Scope?"

We use a number of contractors (not direct employees). Are their devices in the scope of our assessment?

This is a very good question that often comes up during assessments, and the answer is, most likely, no, they are not in scope.

If a contractor (not on the payroll, but a contractor) accesses your systems using their own device, one you do not provide to them, that device is not in the scope of our testing/assessment. However, the device is still expected to be compliant with the standard, so you should have a policy/process/agreement document, which the contractor signs up to, stating that they will keep their device compliant with the standard.

For example:

When contracting with {company name} the contractor {contractor name} will ensure that they comply with our Information Security Policy, as it is updated from time to time, and will ensure that their device complies with the then-current requirements of Cyber Essentials, including but not limited to:

  • The device is patched within 14 days of any patch release that is Critical or High
    • Patching within 14 days is to be completed for any issue that is classified as Critical or High and if an update doesn't specify what severity of issues it covers, the expectation is for that update to be installed within 14 days.
    • Don't forget 
  • The device and any associated software installed on it are kept within manufacturer/vendor support and are therefore actively supported with security fixes (as per the patching above), ensuring that any issues identified with the product and/or software/firmware are patched within 14 days of the patch release.
  • A suitable anti-virus/anti-malware solution is installed which updates at least daily to ensure that the device is protected from malware.
    • A commercial anti-virus/anti-malware solution is required for any Mac device, as Macs are not compliant with Cyber Essentials when using the "out of the box" anti-virus software; you will always need a third-party product.
    • Microsoft Windows Defender, as supplied "out of the box" on Windows, is perfectly acceptable as a compliant anti-malware/anti-virus solution.
    • Linux devices will require a suitable anti-virus solution to be deployed; in most cases, a commercial third-party solution is required.
  • The user of the device has a separate day-to-day user account and a separate admin account which is not used for anything other than device configuration/changes and, where possible, is never logged into interactively and is used only for elevation. The admin account will never be used for web browsing or email.
    • For the avoidance of doubt, elevating existing user accounts (sudo / Mac padlock / Windows UAC) is not acceptable; true and total account separation is required to comply with Cyber Essentials.
  • User account and admin account passwords will be either:
    • at least 12 characters, with no maximum length set
    • at least 8 characters with multi-factor authentication
  • Account lockout will be enabled to protect the device from brute-force password attacks and should lock the account after 10 or fewer failed attempts.
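As an added illustration (not part of the original guidance), the requirements above can be turned into a repeatable self-check that a contractor runs against evidence gathered from their own device. The evidence record format, field names and sample values below are assumptions constructed for the example; the thresholds (14-day patching, daily anti-malware updates, 12 characters or 8 with MFA, lockout at 10 or fewer) are the ones listed above.

```python
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # Critical/High (or unspecified) fixes due within 14 days

@dataclass
class DeviceEvidence:
    """One contractor device's self-reported state (hypothetical format for this example)."""
    os_family: str                 # "windows", "mac" or "linux"
    checked_on: date
    pending_updates: list          # (name, released_on, severity or None) not yet installed
    av_product: str                # "" if nothing is installed
    av_last_update: date
    separate_admin_account: bool   # dedicated admin login, not just sudo/UAC elevation
    min_password_length: int
    mfa_enforced: bool
    lockout_threshold: int         # failed attempts before lockout; 0 = lockout disabled

def check_device(ev: DeviceEvidence) -> list:
    """Return the list of findings against the contractor requirements; empty means compliant."""
    findings = []
    for name, released, severity in ev.pending_updates:
        age = ev.checked_on - released
        # An update that does not state its severity is treated the same as Critical/High.
        if age > PATCH_WINDOW and severity in (None, "critical", "high"):
            findings.append(f"{name}: {age.days} days old, severity {severity or 'unspecified'}")
    if not ev.av_product:
        findings.append("no anti-malware product installed")
    elif ev.checked_on - ev.av_last_update > timedelta(days=1):
        findings.append("anti-malware definitions not updated within the last day")
    if ev.os_family == "mac" and ev.av_product.lower() == "xprotect":
        findings.append("built-in macOS protection not accepted; third-party anti-malware required")
    if not ev.separate_admin_account:
        findings.append("daily account is elevated in place; a separate admin account is required")
    if not (ev.min_password_length >= 12 or (ev.min_password_length >= 8 and ev.mfa_enforced)):
        findings.append("password policy must be 12+ characters, or 8+ with MFA")
    if ev.lockout_threshold == 0 or ev.lockout_threshold > 10:
        findings.append("account lockout must trigger at 10 or fewer failed attempts")
    return findings

# Constructed sample: a contractor's Mac relying on XProtect, with one overdue update.
SAMPLE_MAC = DeviceEvidence(
    os_family="mac", checked_on=date(2024, 3, 20),
    pending_updates=[("browser update", date(2024, 3, 1), None),
                     ("dev tools update", date(2024, 3, 12), "low")],
    av_product="XProtect", av_last_update=date(2024, 3, 19),
    separate_admin_account=False, min_password_length=8, mfa_enforced=True, lockout_threshold=15,
)

for finding in check_device(SAMPLE_MAC):
    print("FAIL:", finding)
```

The sample device passes the password check (8 characters with MFA) but fails on the unspecified-severity update, built-in Mac protection, in-place elevation and a lockout threshold above 10.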


There are of course other things that can be added, and the above is a good guide towards ensuring contractor compliance. However, again, if you are not providing the device, you just need to ensure the contractor keeps it compliant; it will not be in scope of the assessment.