The question set ‘Evendine’, released on 24th January 2022, heralded the largest changes to the scheme since its inception in 2014. Many organisations are unclear about, and concerned by, the impact of these changes.
Changes to the boundary of scope have clarified what the scheme aims to secure now that many companies and organisations have altered the way they work, for example by moving to cloud-based or hybrid environments.
Our highly skilful cybersecurity team have outlined the 10 significant changes to the scheme's scope and what can be done to prepare for the impact of these altered criteria.
Cyber Essentials is a government-backed scheme to raise the baseline security level of companies and organisations, with two levels: Cyber Essentials Standard (CES) and Cyber Essentials Plus (CEP). The National Cyber Security Centre (NCSC) evaluates the needs of companies and organisations and the basic measures they can take to improve security.
For more information on each of these elements, please refer to the links below:
Any cloud services under the configuration responsibility of the applicant, on which any organisational data or services are held or processed, must be configured with all the Cyber Essentials controls met.
Create an inventory of the services used, identifying the cloud service type, and audit the security measures and controls implemented so far. Who is responsible for implementing each control will vary with the service model (IaaS, PaaS or SaaS).
The 5 key controls to consider
Flow's SaaS-based managed service, built on Palo Alto’s Prisma Cloud for Cloud Security Posture Management (CSPM), is a cloud-agnostic service that provides broad-based support for all contemporary cloud technologies. It enables organisations to manage their cloud debt by staying on top of misconfigurations, potential vulnerabilities, threats and compliance violations, all within a single integrated platform.
Understand the value of using a CSPM managed service - click here.
Any devices used by staff members while working from home to access organisational data now fall within scope and must comply with the requirements. Home (e.g. broadband) routers supplied by an Internet Service Provider (ISP) do not fall within scope.
Ensure that all devices used to access company information have their software firewalls enabled and are generally compliant with Cyber Essentials and Cyber Essentials Plus requirements.
Multi-factor authentication must be used to provide additional protection for administrator accounts used to connect to cloud services such as O365, with the password element meeting certain criteria.
Additional factors that may be considered:
This will eventually encompass all accounts, including standard users, but it is not due to become a requirement until 2023.
Enable MFA as an option wherever and whenever possible.
One of the following protections must now be used:
For companies and organisations using a thin client estate to access servers that host virtual desktop environments, these devices have now clearly been brought into scope, with explicit mention in the assessor guidance.
Ensure these devices comply with all CE/CE+ controls.
Use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).
This also extends to shared administrative accounts used for support purposes: a company providing third-party support must provide separate named accounts for each individual conducting work on an applicant company or organisation.
Admin accounts should be standalone and require a separate login to conduct an administrative task. Creating separate named admin accounts will be enough to meet this requirement.
Biometrics or a minimum password/pin length of 6 characters must be used to unlock a device where applicable.
Provide an added layer of security by implementing biometric authentication (fingerprint or face recognition) together with a PIN/password of at least 6 characters.
All security-related updates must be applied within a 14-day patch window. This covers updates for vulnerabilities rated “Critical” or “High” under the CVSS v3 scoring scheme. None may remain present if a patch or mitigation is available.
Unsupported software that has been removed from scope will be marked for compliance from January 2023. Its continued presence will then result in an automatic failure.
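One way to self-check the 14-day window before an assessment, as an added example that is not part of the original article or the scheme's own tooling: the script below runs over a constructed patch inventory (device names, advisory ids and dates are placeholders), rates each CVSS v3 base score, and flags Critical/High fixes that were applied late or are still outstanding past their deadline.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # the 14-day window the scheme requires

# Constructed sample inventory (not real advisories): one row per security
# update per in-scope device. 'released' is when the vendor fix became
# available; 'applied' is when it was installed, or None if still outstanding.
SAMPLE_UPDATES = [
    {"device": "ws-01",  "advisory": "ADV-PLACEHOLDER-1", "cvss": 9.8,
     "released": date(2022, 3, 1), "applied": date(2022, 3, 10)},
    {"device": "srv-02", "advisory": "ADV-PLACEHOLDER-2", "cvss": 7.5,
     "released": date(2022, 3, 1), "applied": None},
    {"device": "mob-03", "advisory": "ADV-PLACEHOLDER-3", "cvss": 5.3,
     "released": date(2022, 2, 1), "applied": None},
    {"device": "ws-04",  "advisory": "ADV-PLACEHOLDER-4", "cvss": 8.1,
     "released": date(2022, 2, 1), "applied": date(2022, 2, 28)},
]


def severity(cvss):
    """Map a CVSS v3 base score to its qualitative rating."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0 else "None"


def check_update(update, today):
    """Return None if compliant, else a short reason string."""
    if severity(update["cvss"]) not in ("Critical", "High"):
        return None  # below the threshold the scheme mandates
    deadline = update["released"] + PATCH_WINDOW
    if update["applied"] is None:
        return None if today <= deadline else "outstanding past deadline"
    return None if update["applied"] <= deadline else "applied late"


def report(updates, today):
    """List (device, advisory, reason) for every non-compliant update."""
    findings = []
    for u in updates:
        reason = check_update(u, today)
        if reason:
            findings.append((u["device"], u["advisory"], reason))
    return findings


if __name__ == "__main__":
    for row in report(SAMPLE_UPDATES, date(2022, 3, 20)):
        print(*row)
```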
All server types, including virtual servers, on a “sub-set” of an assessment where the scope has been defined as “whole organisation” are now in scope. This means that for any company carrying out CEP these devices will also be subject to testing.
Ensure these devices comply with all CE/CE+ controls.
There have been some changes to ensure that devices within scope are supported by their respective vendors. This requires the applicant to provide more evidence than before.
Collect the make, model and software version details for all mobile, workstation and server devices in advance of starting to fill out the CE questionnaire. The increased burden of evidence on the applicant side has lengthened the time it takes to mark self-assessments from approximately an hour to a day or more. Ensure you leave adequate time between initial submission and any deadline for marking.
NCSC - read more
IASME - read more