A7 CE Danzell

User Access Control

Largely identical to Willow. Key additions: A7.15 now carries an explicit auto-fail if a listed cloud service actually has MFA available; A7.16 and A7.17 carry explicit fail declarations; and a cloud service definition has been added to A7.14.

17 questions
3 auto-fail
A7.1
Are your users only provided with user accounts after a process has been followed to approve their creation?
yes / no / describe
A7.2
Are all your user and administrative accounts accessed by entering unique credentials?
yes / no
A7.3
How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?
text
A7.4
Do you ensure that staff only have the access privileges that they need to do their current job? How do you do this?
yes / no / describe
A7.5
Do you have a formal process for giving someone access to systems at an 'administrator' level and can you describe this process?
yes / no / describe
A7.6
How does your organisation make sure that separate accounts are used to carry out administrative tasks?
text
A7.7
How does your organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email?
text
A7.8
Do you formally track which users have administrator accounts in your organisation?
yes / no
A7.9
Do you review who should have administrative access on a regular basis?
yes / no
A7.10
Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks?
text
A7.11
Which technical controls are used to manage the quality of your passwords within your organisation?
text
A7.12
Please explain how you encourage people to use unique and strong passwords.
text
A7.13
Do you have a process for when you believe the passwords or accounts have been compromised?
yes / no
A7.14
Do all of your cloud services have multi-factor authentication (MFA) available as part of the service?
yes / no
A7.15
If you have answered 'No' to question A7.14, please provide a list of your cloud services that do not provide any option for MFA.
list (Auto-fail)
A7.16
Has MFA been applied to all administrators of your cloud services, excluding any listed in A7.15 that do not provide it?
yes / no (Auto-fail)
A7.17
Has MFA been applied to all users of your cloud services, excluding any listed in A7.15 that do not provide it?
yes / no (Auto-fail)
