02 · Fundamental Controls

This section covers five technical security controls that protect every device, every account, and every piece of information in the organisation. They are called fundamental controls because they are the baseline — the floor, not the ceiling. Every other security measure we have is built on top of these five.

You do not configure these controls. The IT team manages and maintains them on your behalf. What you need to understand is what each control does, why it matters, what you should not do to undermine it, and what to do if something looks wrong.

These five controls map directly to the Cyber Essentials framework — a UK government-backed certification that our customers and contracts require us to hold. They also form the foundation of our CMMC compliance programme and our DEFSTAN security obligations. When an assessor visits to verify our compliance, these are the first controls they check.


FC-01 · Firewalls

What a firewall does

A firewall is a security barrier between our network and the outside world. Every time your computer tries to connect to a website, an application, or an external service, that connection passes through the firewall. Every time something from the outside tries to connect to our systems, it passes through the firewall. The firewall decides, based on a set of rules, whether that connection is allowed or blocked.

Think of it like the reception desk at a building. Visitors who are expected and have a legitimate reason are let in. Visitors who show up unannounced, cannot identify themselves, or are trying to access areas they have no business entering are turned away. The firewall does this for network connections — automatically, continuously, for thousands of connections per hour.

We have firewalls at the boundary of our network — between us and the internet — and in some cases between different internal areas of the network. Your laptop also has a software firewall built into the operating system, which provides a second layer of protection even when you are working remotely or on an external network.

Why it matters

Without a firewall, any device connected to the internet is directly visible to anyone else on the internet. Automated scanning tools run constantly across the internet looking for exposed devices and services to attack. A device without firewall protection would be probed thousands of times per day. With a properly configured firewall, most of that activity is invisible to our systems — the connection attempts are silently discarded before they reach anything meaningful.

For our contracts — particularly US defence contracts under DFARS and UK defence work under DEFSTAN — a functioning boundary firewall is a baseline requirement. It is not optional. Our ISO 27001 certification and our Cyber Essentials certification both require it to be in place and reviewed regularly.

What this means for me

For most people, firewalls are invisible. You will never see one operating. The control is relevant to you in three scenarios.

The first is remote working. When you connect to our corporate VPN, your traffic passes through the corporate firewall and is subject to the same protections as if you were in the office. When you are not connected to the VPN — working directly on a home network or a public network — your laptop's local software firewall is your primary protection. This is one of the reasons VPN connection is mandatory for accessing company systems remotely, not optional.

The second is when software you are using asks to allow an incoming connection or asks you to allow it through the firewall. This will typically appear as a pop-up on your screen. Unless IT Operations has specifically told you to expect and approve this prompt, do not click Allow. Report the prompt to IT Operations instead.

The third is if you ever notice that internet access, system access, or connections to specific services have stopped working unexpectedly. This may mean a firewall rule has changed, or it may mean something more significant. Do not attempt to work around the restriction — report it to IT Operations.

What to do if something goes wrong

If you see a pop-up asking you to allow a connection through the firewall or approve an incoming connection: do not click Allow unless IT Operations has specifically told you to expect it. Take a screenshot, note the application name and what it was asking for, and report it to IT Operations.

If internet or system access stops working: report it to IT Operations via the helpdesk. Do not use a personal mobile hotspot to bypass the network restriction — this bypasses the firewall protection entirely and is a policy breach.

If you are advised by someone — including a caller claiming to be from IT support — to disable or turn off the firewall on your device: this is a social engineering attack. Do not comply. Report it immediately to IT Operations and the security team.

If the VPN is not working and you need to access company systems: contact IT Operations. Do not access company systems directly without VPN — your traffic will not be protected by the corporate firewall.

My obligations

  • Always connect to the corporate VPN when accessing company systems from outside the office.
  • Do not use personal mobile data connections (hotspots) to access company systems as a workaround when the corporate network or VPN is unavailable — report the outage to IT Operations instead.
  • Do not approve firewall connection prompts on your device without confirmation from IT Operations.
  • Do not attempt to disable, modify, or work around the firewall or network filtering on any company device or system.
  • Report any situation where a website or service that should be accessible is blocked, or where a connection is behaving unexpectedly.

FC-02 · Secure Configuration

What secure configuration means

Every device — your laptop, your mobile phone, a server, a network switch, a printer — ships from the manufacturer with a set of default settings. Those default settings are designed for ease of setup, not for security. They often include: default passwords that are the same on every device of that model; services and features enabled that are not needed; broad permissions that allow many things that should be restricted; and settings optimised for convenience rather than protection.

Secure configuration is the process of changing those defaults before a device or system is deployed — and maintaining those settings throughout the device's life. The IT team applies a hardened baseline configuration to every device before you receive it. That baseline disables unnecessary features, enforces strong security settings, and removes default accounts and passwords. The same process applies to every server, network device, and cloud service in the organisation.

This is not a one-time activity. Configuration drift — where settings change over time through updates, user actions, or software installations — is a constant risk. The IT team runs quarterly configuration audits to verify that settings match the approved baseline on every system. Any drift is detected and corrected.

Why it matters

Attackers routinely scan for devices and services with default or weak configurations. Default credentials are publicly documented for most products — anyone can look up the default administrator password for a common router model. Services that are enabled but not needed create attack surface that is not being monitored. Unnecessary user accounts provide additional ways in.

The 2017 WannaCry ransomware attack — which caused billions of pounds in damage globally including to the NHS — exploited a Windows feature called SMBv1 that was enabled by default and had been known to be vulnerable for months. Organisations with properly hardened configurations had that feature disabled and were largely unaffected. Organisations that had not addressed their baseline configuration were devastated.

For our compliance obligations, secure configuration is tested directly. Cyber Essentials requires it. CMMC requires it. DEFSTAN requires it. An assessor checking our configuration will run an automated tool against our systems and compare the results to the approved baseline.

What this means for me

You interact with secure configuration every day, mostly without noticing it. The screen locks automatically after 15 minutes. Your device encrypts your files. Certain websites are blocked. You cannot install software without IT approval. These are all configuration settings, and they exist for a reason.

The most important thing you can do for secure configuration is not undermine it. Every time someone asks IT to disable a security feature "just this once," every time someone installs a browser extension without approval, every time someone changes a system setting to make something more convenient — the security baseline is weakened. In aggregate, those individual decisions create a device that no longer matches the approved baseline and is less protected than it should be.

There are also things that look harmless but are significant. Browser extensions — small add-ons for your web browser — have extensive access to your browsing activity, your form data, and in some cases your stored passwords. A malicious browser extension can do significant harm without any obvious indication. The approved software list applies to browser extensions, not just installed applications. Extensions not on the approved list should not be installed.

What to do if something goes wrong

If a security feature is preventing you from doing your work: do not disable it. Contact IT Operations and explain what you are trying to do. There is almost always a way to accomplish your goal that does not involve turning off a security control.

If you notice that a system is behaving differently from how it usually does — settings that look changed, features that were previously unavailable now appearing, security prompts that no longer appear — report it to IT Operations. This may indicate configuration drift or something more serious.

If you accidentally change a setting and are not sure what it was before: tell IT Operations immediately. They can verify the correct setting and restore it. Trying to fix it yourself without knowing the correct value may make things worse.

If you receive a pop-up saying a security feature (antivirus, firewall, encryption) has been disabled and asking you to re-enable it: take a screenshot and contact IT Operations before clicking anything. Some malware presents false security alerts to trick you into taking action.

If software automatically installs something as part of a legitimate update and you are not sure whether the new component is expected: tell IT Operations. Legitimate software updates should be managed through the organisation's patch management process, not delivered as surprises.

My obligations

  • Do not change security settings on your company device. If a setting is causing a problem, report it rather than changing it.
  • Do not install software, applications, or browser extensions on your company device without IT Operations approval, regardless of how trusted or widely used the software appears to be.
  • Do not disable, bypass, or attempt to work around automatic screen lock, full-disk encryption, or antivirus on your device.
  • Report any unexpected changes to your device's appearance or behaviour to IT Operations promptly.
  • Do not use workarounds that involve changing how your device connects to networks, disabling security features to access a blocked resource, or installing tools to bypass content filtering.
  • When IT Operations needs to update your device configuration, cooperate promptly. Configuration updates are not optional.

FC-03 · User Access Control

What user access control means

User access control is the system that determines who can do what on our systems. Every account — every username and password — is tied to a specific person, and that account is granted access to the specific systems, files, and applications that person needs for their role. Nothing more.

This works through a combination of unique accounts (every person has their own username — accounts are never shared), authentication (proving you are who you say you are, usually with a password and a second factor), and authorisation (controlling what an authenticated person is allowed to access and do). These three elements — identity, authentication, and authorisation — are what user access control delivers.

The organisation uses a centralised identity platform (Microsoft Entra ID / Azure Active Directory) to manage all accounts. When you log in to your laptop, your email, Microsoft 365, or any of our approved cloud services, that authentication is validated through this central platform. When you are granted access to a new system, that access is recorded. When you leave, your account is disabled on your last day.

Multifactor authentication (MFA) is required for all access to company systems. MFA means that in addition to your password, you must prove your identity with a second factor — typically a notification to your authenticator app on your phone or a code from a hardware token. This means that even if someone learns your password, they still cannot access your account without your phone.

Why it matters

Compromised credentials are the entry point for the majority of serious cyberattacks. Password theft, phishing, credential stuffing (using leaked passwords from other sites) — attackers obtain a valid username and password, use it to log in, and then operate inside the network with the permissions of the account they have compromised.

MFA is the single most effective defence against credential-based attacks. If an attacker has your password but not your phone, they cannot log in. NCSC data consistently shows that organisations using MFA for all accounts are dramatically less likely to suffer account-based breaches than those relying on passwords alone.

Access control is also about limiting the damage when a breach does occur. An account with access to everything can be used by an attacker to access everything. An account with access only to what its owner needs means the attacker is limited to that scope. This is the principle of least privilege — the smallest possible access for any given role.

For our CMMC Level 2 compliance, MFA for all CUI-scope accounts is a mandatory requirement, not a recommendation. For our DEFSTAN contracts, access control is directly assessed. Shared accounts, accounts with excessive access, and accounts without MFA are findings.

What this means for me

You have a unique account. Your username and password are yours alone. The MFA app on your phone is yours alone. These are the keys to your work identity, and they should be treated like physical keys — you would not hand your house keys to a stranger, and you should not share your credentials.

The most important behavioural rules in this section are about protecting your credentials and using them correctly.

Your password should be strong. You should not use the same password for work that you use on personal accounts — if a personal account is breached and your password leaked, attackers will try that password on work accounts. A passphrase — four or five random words strung together — is easier to remember than a complex short password and is actually stronger. The organisation's password policy requires a minimum of 16 characters.

MFA approvals require care. When you receive an MFA notification on your phone, it is because someone is trying to log in with your credentials. If you receive an MFA notification that you did not initiate — you are not currently trying to log in to anything — this is a sign that someone else has your password and is attempting to use it. Deny the notification, change your password immediately, and report it to IT Operations.

MFA fatigue is a real attack technique. Attackers who have a user's password send repeated MFA notifications hoping the user will eventually approve one just to stop them. If you receive multiple unexpected MFA notifications in quick succession, do not approve any of them. Report the situation to IT Operations immediately.
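The "multiple unexpected notifications in quick succession" pattern is something the identity platform's logs can be checked for centrally, as well as something you notice on your phone. The following is an added example (it is not part of this guidance and not the organisation's own monitoring content) that runs a simple burst detector over constructed authentication log lines. The log format, the user names, the four-pushes-in-five-minutes threshold and the event names are all assumptions made for the example; real identity platforms use their own formats.

```python
"""Added example: MFA-fatigue burst detection over constructed log lines.

Assumptions (not from the guidance): a log line is
"<ISO timestamp>Z <user> <event>", with events MFA_PUSH_SENT,
MFA_PUSH_APPROVED and MFA_PUSH_DENIED; an alert fires when one user
receives PUSH_THRESHOLD or more pushes inside WINDOW."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one normal user (alice), one user being bombarded
# who eventually approves (bob), one normal user next morning (carol).
SAMPLE_LOG = """\
2024-03-09T08:01:10Z alice MFA_PUSH_SENT
2024-03-09T08:01:25Z alice MFA_PUSH_APPROVED
2024-03-09T22:14:02Z bob MFA_PUSH_SENT
2024-03-09T22:14:31Z bob MFA_PUSH_DENIED
2024-03-09T22:14:58Z bob MFA_PUSH_SENT
2024-03-09T22:15:20Z bob MFA_PUSH_SENT
2024-03-09T22:15:49Z bob MFA_PUSH_DENIED
2024-03-09T22:16:05Z bob MFA_PUSH_SENT
2024-03-09T22:16:40Z bob MFA_PUSH_SENT
2024-03-09T22:17:12Z bob MFA_PUSH_APPROVED
2024-03-10T09:30:00Z carol MFA_PUSH_SENT
2024-03-10T09:30:20Z carol MFA_PUSH_APPROVED
"""

# Assumed thresholds: this many pushes to one user inside this window.
PUSH_THRESHOLD = 4
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Yield (timestamp, user, event) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2]


def detect_mfa_fatigue(text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: time_threshold_crossed} for every user who received
    `threshold` or more pushes within any `window`-long sliding window."""
    pushes = defaultdict(list)
    for ts, user, event in parse_log(text):
        if event == "MFA_PUSH_SENT":
            pushes[user].append(ts)
    alerts = {}
    for user, times in pushes.items():
        times.sort()
        start = 0                       # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = t        # first moment the burst is visible
                break
    return alerts


def approved_after_burst(text, alerts):
    """Users who approved a push at or after their burst alert: the case
    the guidance warns about (someone gave in), so the first to contain."""
    hits = set()
    for ts, user, event in parse_log(text):
        if user in alerts and ts >= alerts[user] and event == "MFA_PUSH_APPROVED":
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    alerts = detect_mfa_fatigue(SAMPLE_LOG)
    for user, when in alerts.items():
        print("MFA fatigue burst for", user, "at", when.isoformat())
    print("approved after burst:", approved_after_burst(SAMPLE_LOG, alerts))
```

On the sample log only bob trips the detector (five pushes in just over two minutes), and because an approval follows the burst he is also the account to treat as compromised first; the normal single-push logins of alice and carol do not fire. The window and threshold are deliberately coarse placeholders, and a production rule would be tuned against the platform's real push volumes.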

What to do if something goes wrong

If you receive an MFA notification you did not initiate: deny it immediately. Then change your password and contact IT Operations. Someone has your password and is attempting to use it.

If you receive multiple MFA notifications in quick succession: deny all of them. Do not approve to make them stop. Report to IT Operations immediately — this is an active attack attempt.

If you cannot log in to your account: contact IT Operations via the helpdesk. Your account may have been locked due to too many failed attempts, which may itself indicate someone is trying to access it.

If you think your account may have been compromised — unusual activity, emails you did not send, files that have been moved or deleted: report it to the security team immediately. The faster a compromised account is contained, the less damage it can cause.

If you lose your phone (the one your MFA app is on): report it to IT Operations immediately so your MFA registration can be revoked. Without this, whoever has your phone could potentially approve MFA requests.

If a colleague, manager, or IT helpdesk asks for your password: do not provide it. Legitimate IT support never needs your password. This is a social engineering attempt. Report it.

If you are leaving the organisation: cooperate with the access revocation process. Return your access card and equipment on or before your final day.

My obligations

  • Never share your password with anyone — not colleagues, not your manager, not IT support.
  • Never log in using another person's account, even with their permission.
  • Use a strong, unique password for your work account — at least 16 characters; a passphrase is recommended. Do not reuse passwords from personal accounts.
  • Enrol in MFA using the method specified by IT Operations. If your MFA device is lost, damaged, or changed, notify IT Operations immediately.
  • Approve MFA notifications only when you are actively logging in. Deny and report any unexpected MFA notification.
  • Lock your screen whenever you leave your workstation unattended, even briefly.
  • Do not let another person use your workstation while you are logged in.
  • Report any suspicious account activity immediately to IT Operations.

FC-04 · Malware Protection

What malware is and how it arrives

Malware — short for malicious software — is any software designed to damage, disrupt, or gain unauthorised access to a system. The category includes viruses, ransomware, trojans, spyware, keyloggers, and many other variants. What they share is intent: they are designed to do something you would not want them to do if you knew they were there.

Malware arrives on devices through a small number of routes. The most common by far is email — a malicious attachment, or a link to a malicious website. Second is malicious websites visited directly, which can deliver malware through compromised download links or browser vulnerabilities. Third is removable media — USB drives and external hard drives. Fourth is software downloaded from unofficial sources. Fifth, though less common for most employees, is direct network attack.

The most destructive form of malware in the current threat landscape is ransomware. Ransomware encrypts the files on an infected device and frequently spreads to connected network drives and other devices before the encryption becomes visible. The attackers then demand payment to provide the decryption key. NHS trusts, local councils, manufacturing companies, and defence contractors have all been hit by ransomware in recent years. The impact ranges from days of operational disruption to complete loss of years of data.

How we protect against it

The organisation deploys endpoint protection (antivirus and endpoint detection and response software, commonly called AV or EDR) on every company device. This software runs continuously, monitoring for known malware signatures and suspicious behaviour patterns. It receives updated threat intelligence continuously — new malware variants are identified and the protection is updated within hours.

Beyond endpoint protection, the email gateway scans every attachment and link before the email is delivered to your inbox. The web proxy blocks known malicious websites. The SIEM monitors for behavioural indicators of compromise — patterns of activity that suggest malware is operating even if it has not been identified by name.

These technical controls are effective but not perfect. New malware variants are created constantly. Sophisticated attackers craft attacks specifically designed to evade detection. This is why your behaviour matters — the technical controls are a defence in depth, and your choices are the first layer of that defence.

What this means for me

The most important malware protection behaviour is handling email attachments and links carefully.

Before opening an attachment: does the email make sense? Were you expecting this? Does the sender's email address genuinely belong to the person they claim to be (not john.smith@company.co.uk.attackerdomain.com)? Does the urgency of the email feel manufactured? Attackers create a sense of urgency specifically to make you act without thinking. Pause and verify before opening.

Before clicking a link in an email: hover over the link (without clicking) to see where it actually leads. If the displayed text says "Click here to verify your account" but the actual URL shown at the bottom of your screen is a string of random characters or an unfamiliar domain, do not click it. Forward the email to the security team for analysis.

Attachments to be particularly careful with: anything with a .exe, .zip, .js, .vbs, .macro, or .docm extension from unexpected senders. PDF documents from unexpected senders. Any attachment that asks you to enable macros, run a program, or click through a security warning to view the content.

The same principles apply to files received via messaging platforms, shared links, and files on USB drives from external sources. The attack vector changes, but the caution required does not.
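The three checks above (sender domain, link destination, attachment type) are exactly the kind of thing that can be written down as a small, explicit rule, which also makes clear why the lookalike address in the text fools people. The following is an added example, not part of this guidance and not the organisation's mail-filtering configuration. The trusted domain company.co.uk and the address attackerdomain.com are the placeholders used in the text, and the extension list is the one the guidance gives (".macro" is kept as listed there).

```python
"""Added example: the sender, link and attachment checks from the guidance,
as explicit functions.  Domains, addresses and file names are constructed."""

from urllib.parse import urlparse

# Domains this (hypothetical) organisation treats as its own.  Constructed.
TRUSTED_DOMAINS = ("company.co.uk",)

# Extension list taken from the guidance text.
RISKY_EXTENSIONS = (".exe", ".zip", ".js", ".vbs", ".macro", ".docm")


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host IS a trusted domain or a subdomain of one.

    The comparison is anchored at the right-hand end, because the part that
    identifies the owner is the right-most part.  A substring test would
    accept company.co.uk.attackerdomain.com; this check does not."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def sender_domain(address):
    """Domain part of an e-mail address (text after the last '@').

    A display name such as 'John Smith <john@example.com>' is stripped first:
    the address in angle brackets is the one the mail system actually uses."""
    if "<" in address and address.rstrip().endswith(">"):
        address = address[address.rfind("<") + 1 : -1]
    if "@" not in address:
        raise ValueError("not an e-mail address: %r" % address)
    return address.rsplit("@", 1)[1].strip().lower()


def sender_is_trusted(address):
    return host_is_trusted(sender_domain(address))


def link_host(url):
    """Hostname of a URL, i.e. the part the hover preview should be read for."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def link_is_trusted(url):
    return host_is_trusted(link_host(url))


def is_risky_attachment(filename):
    """True if the final extension is on the risky list.

    Only the last extension counts: 'report.pdf.exe' is an .exe, however
    harmless the middle of the name looks."""
    name = filename.strip().lower()
    return any(name.endswith(ext) for ext in RISKY_EXTENSIONS)


def triage_email(sender, links, attachments):
    """Human-readable reasons to pause before acting on a message.
    An empty list means none of these checks fired; it is not proof of safety."""
    reasons = []
    if not sender_is_trusted(sender):
        reasons.append("sender domain %s is not a company domain" % sender_domain(sender))
    for url in links:
        if not link_is_trusted(url):
            reasons.append("link points to %s" % link_host(url))
    for name in attachments:
        if is_risky_attachment(name):
            reasons.append("risky attachment type: %s" % name)
    return reasons


if __name__ == "__main__":
    # Constructed message modelled on the lookalike address in the guidance.
    for reason in triage_email(
        "John Smith <john.smith@company.co.uk.attackerdomain.com>",
        ["https://company.co.uk.attackerdomain.com/verify"],
        ["Invoice.pdf.exe"],
    ):
        print("PAUSE:", reason)
```

The point of host_is_trusted is the one the guidance makes in words: reading a domain from the left is what makes company.co.uk.attackerdomain.com look legitimate, while the owner is determined by the right-hand end. A message from a genuine subdomain such as mail.company.co.uk passes, the lookalike does not, and a file called Invoice.pdf.exe is treated as an executable whatever its middle name suggests.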

What to do if something goes wrong

If you click a link or open an attachment and something unexpected happens — the file does not open as expected, a strange program launches, you see an error message, your device becomes slow, unusual pop-ups appear — stop what you are doing. Do not close windows, do not try to delete files, do not restart the device. Contact IT Operations immediately. Leave the device as it is. Speed matters here — the earlier malware is contained, the less it can spread.

If your antivirus or endpoint protection software generates an alert — a pop-up saying a threat has been detected, quarantined, or blocked: do not dismiss it or click through it without reading it. Note what it says and contact IT Operations. They need to know what was detected, what file was involved, and when.

If you see a ransomware notice — a screen or pop-up saying your files have been encrypted and demanding payment: do not pay. Do not close it. Do not try to fix it. Disconnect the device from the network immediately (unplug the network cable or turn off Wi-Fi) and then contact IT Operations and the security team as an emergency. The disconnect limits spread to other network drives and devices.

If a colleague's device appears to be behaving strangely — running slowly for no reason, showing unusual activity, making unexpected network connections: tell them to contact IT Operations immediately. Malware on a networked device can spread to shared storage that you use too.

If you receive an email from someone you know that contains an unexpected attachment or suspicious link: contact that person by phone or in person to verify they sent it before opening anything. Attackers frequently compromise accounts and then send malicious emails from them. A familiar name in the From field is not a guarantee of safety.

Phishing specifically

Phishing deserves specific attention because it is the most common malware delivery mechanism by a significant margin. A phishing email is designed to look legitimate — it may appear to be from your bank, from Microsoft, from HMRC, from a courier, from a colleague, or from senior management. The goal is to make you click a link or open an attachment.

The organisation runs periodic phishing simulation exercises — test phishing emails sent by the security team to see how many people click. If you click a simulated phishing link, you will be directed to a training page. This is not disciplinary; it is educational. Participating in the simulation honestly — clicking or not clicking based on your genuine assessment — is more useful than searching for signals that an email is a test.

If you receive a suspicious email and are not sure whether it is real or a test: the correct action is the same in both cases. Report it using the phishing report button in your email client (or forward it to the security reporting address). Do not forward it to colleagues to warn them — forward it to the security team.

The phishing report button: in Outlook, this is a button in your email toolbar — your IT team will have shown you where it is during onboarding. Use it. Every report helps improve the organisation's threat intelligence and gives the security team visibility of current attack campaigns.

My obligations

  • Do not open email attachments from unexpected senders or that you were not expecting, even if the sender appears familiar.
  • Do not click links in emails without verifying where the link leads. Hover over the link to inspect the URL.
  • Do not enable macros in Office documents unless you have specifically requested them to be enabled by IT Operations for a known file.
  • Report suspicious emails using the phishing report button — do not forward them to colleagues.
  • Do not plug USB drives or external storage into company devices unless the device has been approved and scanned by IT Operations.
  • Do not download software from unofficial sources. All software installation goes through the IT Operations approval process.
  • If you believe your device may be infected, contact IT Operations immediately and do not use the device for sensitive work while you are waiting.
  • Never attempt to remove malware yourself. Do not run online "virus removal tools" or follow instructions from pop-up warnings. Contact IT Operations.

FC-05 · Patch Management

What patching is and why it matters

Software has vulnerabilities — weaknesses in the code that can be exploited by attackers to gain access to a system, escalate privileges, or cause damage. These vulnerabilities are discovered constantly, by security researchers, by the software vendors themselves, and by attackers. When a vendor discovers a vulnerability in their software, they release a patch — a software update that fixes the vulnerability.

The time between a vulnerability being publicly disclosed and attackers actively exploiting it is shrinking. In many cases, working exploits for newly disclosed vulnerabilities are available within days of the patch being released. Organisations that apply patches promptly are protected. Organisations that delay are exposed for every day the patch is not applied.

This is not hypothetical. The WannaCry ransomware attack of 2017 that disrupted the NHS exploited a Windows vulnerability for which Microsoft had released a patch two months earlier. Every organisation that was running unpatched Windows systems was vulnerable. Every organisation that had applied the patch in those two months was protected.

Our patch management policy requires Critical vulnerabilities to be patched within seven calendar days of the vendor releasing the patch, and High vulnerabilities within fourteen days. These SLAs are measured from the date the vendor releases the patch, not the date we discover it. This means IT Operations monitors vendor security advisories continuously and acts promptly.

For vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalogue — a US government list of vulnerabilities confirmed to be actively exploited in the wild — the response time is even faster. These are treated as a priority regardless of their official severity rating, because evidence of active exploitation changes the risk calculation immediately.
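The SLA rules in the two paragraphs above have three parts that are easy to get wrong when tracking patches by hand: the clock starts at the vendor's release date rather than the date we noticed, Critical and High have fixed windows, and a KEV listing overrides the severity rating. The following is an added example (not the organisation's own patch-management tooling) that models those rules as a due-date calculator over a constructed list of advisories. The seven-day and fourteen-day windows are the figures from the policy text; the text says KEV items are handled "even faster" without giving a number, so the two-day KEV window below is an assumption made for the example, and the advisory names are placeholders rather than real CVE identifiers.

```python
"""Added example: the patch SLA rules from the policy text as code.

From the text: Critical = 7 days, High = 14 days, counted from the vendor's
release date, and KEV-listed items are prioritised regardless of rating.
Assumed for the example: KEV_DAYS (the text gives no number) and all
advisory data."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"Critical": 7, "High": 14}   # from the policy text
KEV_DAYS = 2                              # assumption: policy gives no number


@dataclass
class Advisory:
    name: str
    severity: str               # vendor rating, e.g. "Critical", "High", "Medium"
    vendor_release: date        # date the vendor published the patch
    discovered_by_us: date      # when IT Ops noticed it; NOT used for the SLA
    in_kev: bool = False        # listed in the CISA KEV catalogue?
    patched_on: Optional[date] = None


def sla_window_days(advisory):
    """Days allowed: a KEV listing wins over the severity rating; otherwise
    Critical/High get their fixed windows; other ratings have no fixed SLA
    in the text, so None."""
    if advisory.in_kev:
        return KEV_DAYS
    return SLA_DAYS.get(advisory.severity)


def due_date(advisory):
    """Due date counted from the vendor release date, never from the date
    we discovered the advisory (the policy is explicit about this)."""
    days = sla_window_days(advisory)
    return None if days is None else advisory.vendor_release + timedelta(days=days)


def status(advisory, today):
    """One of 'patched', 'patched-late', 'overdue', 'open', 'no-sla'."""
    due = due_date(advisory)
    if advisory.patched_on is not None:
        if due is None or advisory.patched_on <= due:
            return "patched"
        return "patched-late"
    if due is None:
        return "no-sla"
    return "overdue" if today > due else "open"


def escalation_report(advisories, today):
    """Names of advisories still open past their SLA, i.e. what IT Ops
    would escalate."""
    return sorted(a.name for a in advisories if status(a, today) == "overdue")


def sample_advisories():
    """Constructed advisories; names are placeholders, not real CVE ids."""
    return [
        # Noticed two days after release: the clock still started on 1 March.
        Advisory("EXAMPLE-OS-001", "Critical", date(2024, 3, 1), date(2024, 3, 3)),
        Advisory("EXAMPLE-APP-002", "High", date(2024, 3, 1), date(2024, 3, 1),
                 patched_on=date(2024, 3, 10)),
        # Only "Medium" by rating, but KEV-listed: the KEV window applies.
        Advisory("EXAMPLE-LIB-003", "Medium", date(2024, 3, 5), date(2024, 3, 5), in_kev=True),
        Advisory("EXAMPLE-TOOL-004", "Low", date(2024, 2, 1), date(2024, 2, 1)),
    ]


def demo_statuses(today=date(2024, 3, 9)):
    """Status of each constructed advisory on a constructed 'today'."""
    return {a.name: status(a, today) for a in sample_advisories()}


if __name__ == "__main__":
    today = date(2024, 3, 9)
    for a in sample_advisories():
        print(a.name, a.severity, "due", due_date(a), "->", status(a, today))
    print("escalate:", escalation_report(sample_advisories(), today))
```

Run on 9 March in the constructed data, the Critical item is overdue (due 8 March, and the fact that it was only noticed on 3 March does not move that date), the High item was patched inside its window, the Medium-rated KEV item is overdue under the shorter KEV window despite its rating, and the Low item has no fixed SLA in the policy text.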

What this means for me

For most people, patching is something IT Operations does on your behalf while you are not using your device. Updates are typically deployed overnight or during defined maintenance windows. The practical impact on your working day is minimal.

What you need to understand is the importance of not obstructing the patch process. The most common way employees delay patching is by ignoring or postponing restart prompts. When your device tells you that it needs to restart to apply updates, this is not a suggestion. It is a notification that a security update is waiting and requires a restart to take effect. Delaying that restart leaves the vulnerability present on your device.

The organisation's patch management system reports which devices have applied available updates and which have not. IT Operations monitors this and will escalate if a device has not been updated within the SLA window. A device that has been told to update and has not restarted is a device with an open vulnerability.

For devices that are not under the organisation's MDM management — personal devices you might use for work purposes — the patch status is your responsibility. If you use a personal device for any work activity (including reading work email, accessing the company portal, or working remotely), that device must be kept up to date. An unpatched personal device on the corporate VPN can be an attack vector into the corporate network.

Software patching also applies to applications, not just the operating system. Your web browser, your Microsoft Office applications, any other software installed on your device — all of these receive security updates that need to be applied. The company's software deployment system handles this for approved applications. For any software you have installed outside the approved list — which, as noted in FC-02, should not have happened without approval — the patch status is unmanaged and unverified.

What to do if something goes wrong

If you receive a software update notification on your company device: read it and apply it as soon as practically possible. If the update requires a restart, restart during a break or at the end of your working day. Do not click "Remind me tomorrow" repeatedly.

If an update fails to install — you see an error message, the update seems to get stuck, the device behaves unexpectedly after an update attempt: contact IT Operations and describe what happened. Do not try to manually install updates from the internet.

If IT Operations contacts you to say your device needs to be updated and asks you to ensure it is restarted: do so as soon as possible. This contact means your device is outside the SLA window and prompt action is required.

If a software application presents a security warning — telling you that the version you are using is out of date or no longer supported: report this to IT Operations. Running software that is beyond the vendor's support period means security patches are no longer being released for it. This is a known vulnerability.

If you receive an email or pop-up claiming to be from Microsoft, Apple, or another software vendor telling you to click a link to install an urgent update: this is almost certainly a phishing or malware delivery attempt. Software updates on company devices are deployed by IT Operations, not delivered via email links. Report it as a suspicious email.

If you believe a security vulnerability exists on a system you use — a known issue you have read about in the news, a system running a version you know is vulnerable: report it to IT Operations or the security team. You do not need to be a technical expert to flag a concern.

My obligations

  • When your device prompts you to restart to apply updates, restart as soon as practically possible. Do not repeatedly defer restarts.
  • Do not attempt to manually download or install system updates from the internet. Patches are deployed by IT Operations.
  • If you use a personal device for any work activity, ensure that device's operating system and applications are kept up to date. Unpatched personal devices represent a risk when connected to company systems.
  • Report any software that shows as out of date or unsupported to IT Operations.
  • Do not ignore IT Operations communications about device updates. Respond to requests to ensure your device is restarted or updated within the timeframe requested.
  • Do not install software that is not on the approved list — unapproved software may not receive patches through the organisation's patch management process, creating an unmanaged vulnerability.

The five controls together

These five controls are interdependent. A firewall without secure configuration may have unnecessary ports open. Secure configuration without patch management may be hardening an already-vulnerable version of software. Access control without malware protection may mean that once malware arrives it can use legitimate credentials to move laterally. Patch management without malware protection means vulnerabilities are closed systematically but the device is still exposed to threats that do not exploit known vulnerabilities.

The controls work together as a system. Undermining any one of them weakens all of them.

The behaviours that protect all five controls simultaneously are consistent and simple:

  • Use your company device for work. Do not use personal devices as substitutes.
  • Do not install software without approval.
  • Do not share credentials.
  • Do not ignore security prompts and update notifications.
  • Do not try to fix things yourself when something looks wrong — report it.
  • When in doubt, ask IT Operations before doing something you are not sure about.

The IT team maintains these controls so you do not have to. Your job is to use the tools you are given, within the boundaries they are configured for, and to report when something looks wrong.


Who to contact

IT Operations helpdesk: for anything related to your device, access, updates, or technical problems.

Security team / CISO: for anything that might be a security incident — suspicious emails, unexpected account activity, potential malware, lost devices, anything you are not sure about but feels wrong.

The phishing report button in Outlook: for suspicious emails. Use it. Every report helps.

Details for all of the above are in the User Guidance Hub.


Fundamental Controls section — last reviewed: [DATE]. Owner: IT Manager. Questions: helpdesk or CISO.