
Cyber Essentials internet boundary

    I've been thinking about getting Cyber Essentials for my limited company (as a prelude to become an assessor). Part of this process involves defining the boundary of scope; in an office building, this would normally include all the network infrastructure (e.g. routers) as per the attached diagram.

    However, the documentation also says:
    "Alternatively, where an organisation does not control the network a device is connected to, a host-based firewall must be configured on a device. This works in the same way as a boundary firewall but only protects the single device on which it is configured."

    When I'm working from home, I have a laptop (owned by MyCo) but I'm using my home internet connection. I'm paying for that internet connection personally (not through MyCo), because it's not "wholly and exclusively" for business use.

    So, does the network infrastructure [have to] fall within scope of Cyber Essentials? I.e. can I legitimately say "MyCo doesn't control the network" or is that splitting hairs?

    Has anyone else been through this process?

    #2
    This ought to be in Technical. Could a mod do the needful please?

    I don't know the details of the Cyber Essentials certification but, to my simple brain, as an officer of the company controls the internet connection, I would say the company has control even if they don't pay for it. If your landlord (for example) paid for it then I'd agree with your interpretation.
    Last edited by ladymuck; 29 May 2021, 09:48.



      #3
      Originally posted by hobnob View Post
      I've been thinking about getting Cyber Essentials for my limited company (as a prelude to become an assessor).
      Surely to become an assessor you should have this knowledge already, rather than winging it on an internet forum...


      Anyway, to answer the question: descoping elements of a network because they are provided by a 3rd party (you personally) won't pass muster, I'm afraid. It will fail.
      It's wrong, but that's the way it is.

      My argument is that you could work from Starbucks and have zero trust in their network, and still be secure, but it still failed.

      Cyber Essentials is a BS tick box exercise, but you do have to tick the boxes.
      See You Next Tuesday



        #4
        Originally posted by ladymuck View Post
        This ought to be in Technical. Could a mod do the needful please?
        I was originally going to post in Technical, but it's more about legislation/compliance than equipment/configuration. I'm happy for a mod to move it to a different forum (not that I get a vote!).

        Originally posted by Lance View Post
        surely to become an assessor you should have this knowledge already, rather than winging it on an internet forum...
        Yes and no - to become an assessor, you have to do an IASME training course and pass their exam:
        Become an Assessor - Iasme
        The basic training costs £800, which includes £300 for your company to get certified.

        So, I don't need the knowledge before I do the course, but I will need it before I take the exam.

        If/when I do the course, I fully intend to ask them about this (and a few other issues, e.g. "nested" software). In the meantime, I'd like to draft my answers to their self-assessment questionnaire.

        Anyway, to answer the question: descoping elements of a network because they are provided by a 3rd party (you personally) won't pass muster, I'm afraid. It will fail. It's wrong, but that's the way it is. My argument is that you could work from Starbucks and have zero trust in their network, and still be secure, but it still failed.
        That's interesting. How recently did you do your assessment? Their requirements were updated last month (April 2021), which explicitly includes clarification on the internet boundary:
        Changes to Cyber Essentials requirements - April 2021 update - Iasme

        "An example where an organisation legitimately does not control their network might be in the case of managed offices. With a managed office, an organisation might be buying an internet connection, but they would not be in charge of the boundary, and so would need to rely on their software firewall configurations."

        That's similar to what LadyMuck said about a landlord providing an internet connection.



          #5
          Originally posted by hobnob View Post
          That's interesting. How recently did you do your assessment? Their requirements were updated last month (April 2021), which explicitly includes clarification on the internet boundary:
          Changes to Cyber Essentials requirements - April 2021 update - Iasme

          "An example where an organisation legitimately does not control their network might be in the case of managed offices. With a managed office, an organisation might be buying an internet connection, but they would not be in charge of the boundary, and so would need to rely on their software firewall configurations."

          That's similar to what LadyMuck said about a landlord providing an internet connection.
          May 2021....
          The marking was done by an idiot if you want my opinion. The idiot said things like "there is still a firewall" and there is "still a network".
          It wasn't for my company. IMO Cyberessentials is BS.
          CE+ is better as it involves an independent assessment.
          It may also be that the company paid to mark the results was using a version older than April. Dunno really.
          See You Next Tuesday



            #6
            Following up on this old post, the rules are changing in Jan 2022:
            The January changes to the Cyber Essentials scheme reflect the changing cyber threats in today's digital environment - Iasme

            In particular:

            Anyone working from home for any amount of time is classified as a ‘home worker’. The devices that home workers use to access organisational information, whether they are owned by the organisation or the user, are in scope for Cyber Essentials.

            Home routers that are provided by Internet Service Providers or by the home worker are now out of scope and the Cyber Essentials firewall controls are now transferred to the home worker’s device (computer, laptop, tablet and/or phone). However, a router supplied by the applicant company is in scope and must have the Cyber Essentials controls applied to it.
            So, I think that clarifies the scenario I mentioned before: if MyCo had its own internet connection then the network infrastructure would be in scope, but anything that's shared with household use is out of scope.
