The questions are separated into 4 main areas: Scope of Assessment, Cloud Services - 2FA, Patching and Software, and Policy Management.
Brigantia's Partner Support Team & CyberSmart's experts have answered the questions below:
Scope of Assessment:
To what extent are mobile devices now in scope?
Any mobile device accessing company data is in scope. The only exception is if the device is used solely for text, voice or MFA, then it is not in scope.
Can you certify "part" of an organisation?
Yes, the in-scope network has to be separated from any other part of the organisation.
Noted that "admin" accounts are now in scope. When do "user" accounts come into scope?
January 2023
Can you segregate things such as out of date PCs and unsupported software into a new VLAN and drop them out of scope?
Yes, as long as they do not have internet access. If they need internet access then they would need to do a "part" certification.
Cloud Services - 2FA
Are all cloud services in scope, e.g., M365, Dropbox, MailChimp etc.?
Yes, they are included without any exceptions.
Is AAD conditional access a mitigation for not needing MFA in CE?
The current requirement is MFA, which can be set up in AAD.
How do we handle cloud services that do not currently support 2FA?
As part of the questionnaire you will be asked to list these so that IASME can speak with them.
Do "fat clients" fall under the scope for cloud services, and therefore require 2FA, in 2022?
Yes, 2FA is for admin accounts accessing a cloud service but it is strongly recommended to start the process to apply to user accounts.
How are Azure compliance policies, for example that allow access to cloud services from locations such as the office without MFA, looked at under the new CE scheme?
MFA is needed to access cloud services.
Patching and Software
Is auto update a requirement or are managed updates via RMM, for example, still acceptable?
It does not matter how, just as long as updates are done in the 14-day window.
Enterprise clients often like to delay patches - is this still acceptable?
The delay of patches is fine as long as the patches are applied within the 14-day window required.
Do we need to monitor "installed software" moving forwards? If yes, does this include BYOD or can this be policy driven?
Installed software ideally needs auto updates turned on or a policy to install security/critical updates within 14 days. This includes BYOD and this can be policy driven.
Policy Management
What happens if an end user does not follow the policy? Where is liability?
With the end user - it is their policy which they are agreeing to. As an MSP you can only advise them of best practice.
Can you provide templates for Cyber Essentials policies that we can white label?
Yes - book a call with Laurence to show you here.
BYOD is very hard to control from a technical perspective. Is there a specific template policy available to help enforce a minimum acceptable standard?
Yes - book a call with Laurence to show you here.
If you have any other questions please do not hesitate to contact us.
