Author: Stuart McCulloch, Lead Cyber Essentials assessor
Continuing on from the previous blog, the other myths surrounding CE are:
Myth 5 – If I use Remote Desktop Services or VDI environments, then the devices connecting to those services are out of scope
Reality – This is not true. The devices themselves that facilitate the connection to Remote Desktop Services or VDI services are accessing business services and data and are in-scope whether they are corporately provided or personally owned. All technical controls will need to be applied in the same way as for any in-scope device.
Myth 6 – The home routers of employees working from home are in scope
Reality – The only home networking devices that are in scope are any devices supplied by the applicant organisation. So, if you supply routers or firewalls for staff to install and use at home, you need to make sure they are compliant and have had their default passwords changed. While ISP provided routers are not in scope, any corporately provided or personally owned end user devices used to access organisational services and data at home or remotely are in scope. So, you must ensure that all laptops or desktops in use rely upon their software firewalls or VPN as their network boundary and that the required controls are in place for all smartphones and tablets in use.
Myth 7 – Encryption is part of Cyber Essentials
Reality – This is not true. While encryption is a good thing to implement and have enabled on devices such as laptops, it is not part of CE and there are no questions around encryption.
Myth 8 – We cannot achieve CE+ if we have a major non-compliance in CE basic
Reality – CE+ is a test/audit of what you put in the CE self-assessment, so as long as you passed CE basic and everything entered in the self-assessment is true and correct, you can achieve CE+. You can pass CE basic with a small number of non-compliances, but you will need to make sure you are compliant in all other areas.
Myth 9 – Student BYOD needs to be listed
Reality – Student BYOD is out of scope as long as student-owned devices access via a segregated network away from your main production or admin networks by means of a VLAN or hardware firewall. As long as student-owned devices are segregated in this way from devices used by staff, they are out of scope.
Educational institutions can still achieve whole organisation certification for CE if access from student-owned devices is segregated in this way. The application must encompass all their other networks, devices and operations though. Devices owned and managed by the institution and used by students, such as in a computer lab, will therefore be in scope unless appropriately segregated from the networks described in a sub-set application.
Myth 10 – ALL updates must be applied within 14 days of release
Reality – All high risk and critical security updates must be applied within 14 days of release. Any low-priority feature updates can be done outside this window. High risk and critical security updates are classed as anything with a CVSS v3 score of 7 and above.
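As an added illustration that is not part of the original post, the following Python script applies the rule above (CVSS v3 of 7 and above must be applied within 14 days of release; lower-scored or feature updates fall outside the window) to a constructed patch inventory. The package names, scores and dates are made up for the example; only the threshold and the window come from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds as stated in the post: CVSS v3 >= 7.0 is high/critical and
# must be applied within 14 days of the vendor's release date.
CVSS_THRESHOLD = 7.0
WINDOW_DAYS = 14


@dataclass
class Update:
    package: str
    cvss_v3: Optional[float]   # None for feature updates with no security score
    released: date             # vendor release date
    applied: Optional[date]    # None if not yet applied


def requires_14_day_window(u: Update) -> bool:
    """True when the update is high/critical under the CE threshold."""
    return u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD


def assess(u: Update, today: date) -> str:
    """Classify one update as of `today`.

    not-required : below threshold or a feature update; no 14-day deadline
    compliant    : applied on or before the deadline (day 14 counts)
    pending      : not yet applied but the deadline has not passed
    overdue      : either unapplied after the deadline, or applied late
    """
    if not requires_14_day_window(u):
        return "not-required"
    deadline = u.released + timedelta(days=WINDOW_DAYS)
    if u.applied is not None:
        return "compliant" if u.applied <= deadline else "overdue"
    return "pending" if today <= deadline else "overdue"


def compliance_report(updates: List[Update], today: date) -> Dict[str, str]:
    """Map each package name to its CE patching status."""
    return {u.package: assess(u, today) for u in updates}


# Constructed sample inventory (hypothetical package names and dates).
REFERENCE_DATE = date(2024, 3, 20)
SAMPLE_UPDATES = [
    Update("openssl-example", 9.8, date(2024, 3, 1), date(2024, 3, 15)),   # applied on day 14
    Update("kernel-example", 7.0, date(2024, 3, 1), None),                # threshold score, unapplied
    Update("browser-example", 8.1, date(2024, 3, 12), None),              # still inside window
    Update("office-feature-example", None, date(2024, 2, 1), None),       # feature update
    Update("libxml-example", 6.9, date(2024, 2, 1), None),                # just below threshold
    Update("vpn-client-example", 7.5, date(2024, 2, 20), date(2024, 3, 6)),  # applied one day late
]


def sample_report() -> Dict[str, str]:
    return compliance_report(SAMPLE_UPDATES, REFERENCE_DATE)


if __name__ == "__main__":
    for package, status in sample_report().items():
        print(f"{package:24s} {status}")
```

The two "overdue" cases are worth separating in a real report: an unapplied high-risk update is a live gap to close, whereas one applied after day 14 is a historical miss that an assessor would still expect you to explain.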
Myth 11 – If I get a major non-compliance I cannot achieve Cyber Essentials
Reality – You can have two major non-compliances in a submission and still pass CE, as long as everything else within the submission is compliant of course.
Myth 12 – sub-set scopes don’t require BYOD to be listed
Reality – BYOD is always in scope whether you are applying with a whole organisation or a sub-set scope. CE certification relates to an organisation and its operations. It doesn’t just encompass networks and devices, but policies and procedures too. Think of CE as being like other organisational certifications, such as Investors in People and ISO 9001. Networks and devices don’t achieve CE; organisations do.
The NCSC recommends that CE’s controls are applied as widely as possible, ideally across the entire organisation. This can be challenging though, so applicants can instead choose to certify a part of their organisation, such as an individual business unit or department, rather than its entirety. CE refers to this as a sub-set application.
Any BYOD/personal devices used by staff encompassed by your scope to access organisational data and services need to be listed as part of the submission. The only devices you do not need to list are any phones solely used for calling, texting and as a second factor for multi-factor authentication (MFA); these are out of scope. A sub-set scope does not negate the requirement to provide inventory details for and manage any personally owned staff devices in use within the sub-set. However, focusing on part of rather than the whole organisation reduces the scale of this task.
Myth 13 – I need to control all applications on BYOD mobile and tablet devices
Reality – Where BYOD mobile phones and tablets are concerned, you must ensure that the apps being used to access organisational data and services are supported and up to date. You must maintain an approved application list, stating, for example, that staff must only use the Microsoft Outlook app to access their email on a mobile device. For corporately provided devices you must also ensure any application/software not being used is removed or disabled and that only supported, required software is used.
You also need to ensure that no rooted or jailbroken devices are used to access organisational services and data, to address potential malware risks. A user is free to install whatever applications they choose on their own device and, provided it is currently supported and up to date, can use it to access organisational services and data via the apps you specify, but they should only install and run apps via the official channels (the App Store, Google Play).
Myth 14 – All contractors’ BYOD needs to be listed
Reality – All employees’ corporately provided devices as well as BYOD are in scope, whether they are paid staff or volunteers of the organisation, and these staff members form the organisation size for the submission.
If you have contractors/3rd party providers doing work for you, their devices are out of scope if they are managed and provided by a company other than yourselves, as is their BYOD. If you provide them with a device, however, that device is in scope and the controls must be met on it.
The contractors/3rd party providers would be expected to have the relevant controls implemented on their devices and to meet CE requirements, and you as the applicant must deal with this through the supply chain. How this is dealt with is up to yourselves but is outwith the scope of CE (you do not need to mention this in the submission).