The questions are separated into four main areas: Scope of Assessment, Cloud Services - 2FA, Patching and Software, and Policy Management.
Brigantia's Partner Support Team & CyberSmart's experts have answered the questions below:
Scope of Assessment:
To what extent are mobile devices now in scope?
Any mobile device that accesses company data is in scope. The only exception is if the device is only used for text, voice, or MFA, in which case it is not in scope.
Can you certify "part" of an organisation?
Yes, the in-scope network must be isolated from the rest of the organisation.
When do "user" accounts come into scope?
January 2023. Note that "admin" accounts are now in scope.
Can you separate out-of-date PCs and unsupported software into a new VLAN and remove them from scope?
Yes, as long as they don't have access to the internet. If they require internet access, they must complete a "part" certification.
What about a scenario in which an older device or software needs to be isolated from the internet but still requires internet access for software updates?
You would download the updates, perform an anti-virus scan on the media used to transfer the updates, and then transfer the updates to the affected devices.
Cloud Services - 2FA
Are all cloud services in scope, e.g., M365, Dropbox, MailChimp etc.?
Yes, they are included without any exceptions.
When you say that anything you access must adhere to the password policy, do you mean anything online, such as banking?
MFA is only applicable to accounts that you control and manage. For example, in Office 365, you can create accounts and enable MFA. MFA is built around accounts that you create and manage yourself. If a cloud service does not support MFA, make a note of it in the questionnaire. It is not in scope if you do not control and manage the service.
Is AAD conditional access a mitigation for not needing MFA in CE?
MFA is the current requirement, which can be configured in AAD.
Some businesses whitelist their office IP address and set up conditional access so that they are not prompted for MFA when they enter the office. I'm assuming this isn't permitted?
This is permitted; however, this type of MFA will be tested incognito or with alternate solutions, such as the assessor attempting to log into service with his device, or attempting to log in from his device using guest WiFi or hotspot to mobile.
How do we deal with cloud services that do not yet support MFA?
You will be asked to list these as part of the questionnaire so that IASME can contact them.
Do "fat clients" fall under the scope for cloud services, and therefore require 2FA, in 2022?
Yes, 2FA is intended for admin accounts accessing a cloud service, but it is strongly advised to begin the process of extending it to user accounts as soon as possible.
How are Azure compliance policies, such as those that allow access to cloud services without MFA from locations such as the office, viewed under the new CE scheme?
To gain access to cloud services, MFA is required.
Patching and Software
Is auto update required, or are managed updates, such as those provided by RMM, still acceptable?
It makes no difference how, as long as the updates are completed within the 14-day window.
Is it still acceptable for enterprise clients to postpone patching?
Patches can be delayed as long as they are applied within the required 14-day window.
Do we need to monitor "installed software" in the future? If so, does this include bring your own device (BYOD) or can this be policy-driven?
Installed software should ideally have auto updates enabled or a policy in place to install security/critical updates within 14 days. This includes BYOD which can be policy-driven.
With O365 and devices accessing it in scope, would it be an issue if users did not keep their apps up to date? Would using 'work profiles' help with this?
The question in CE is related to "Approved for work" apps, so these would need to be updated. If no MDM is used, this will be controlled by policy, with the user updating these themselves.
Will CyberSmart inform MSPs about which of their customers' software is out of compliance or out of date? We see customers with hundreds of different software versions on devices, and determining whether or not they are supported in order to meet the CE requirement takes a long time.
We are currently reviewing our software vulnerability report to see how we can make it more useful for partners and how we can use it to automate the Cyber Essentials questionnaire.
Policy Management
What happens if an end user violates the policy? What about liability?
With the end user, they are agreeing to their policy. You can only advise them on best practises as an MSP.
Can you provide us with Cyber Essentials policy templates that we can white label?
Yes, please schedule a call with Laurence so that he can show you around.
From a technical standpoint, bring your own device is extremely difficult to manage. Is a specific template policy available to assist in enforcing a minimum acceptable standard?
Yes, please schedule a call with Laurence so that he can show you around.
Will Heimdal account elevation be acceptable after the changes?
We have raised this with IASME and will provide an update as soon as possible.
Will CyberSmart be able to check security policies and MFA status in Office 365?
CyberSmart will publish a roadmap on this soon and solicit feedback before moving forward with development.
