When undergoing a Cyber Essentials assessment, businesses may need to exclude certain devices from the assessment’s scope, writes Assessor James Galbraith. This is generally done when there is a business requirement to use an unsupported application or an unsupported operating system. Within Cyber Essentials this is called a sub-set, and the most common way of creating a sub-set is through the use of Virtual Local Area Networks (VLANs).
What are VLANs?
A Virtual Local Area Network (VLAN) is a way to logically separate devices on a network, without making any changes to the physical network itself.
How can VLANs help you achieve Cyber Essentials compliance?
In the context of Cyber Essentials, VLANs are particularly useful for managing devices or systems that run unsupported software. Unsupported applications or operating systems don’t receive security updates, making them more vulnerable to exploitation by hackers. These systems may be business-critical, so cannot be removed from the network entirely – this is where VLANs come in.
There are two common ways to exclude systems that are running unsupported software:
Exclusion Via Subset:
- This method uses VLANs to place the unsupported software in a separate sub-set of the network. This approach allows you to logically segregate the devices, limiting their access to the wider network. This is a compliant option for Cyber Essentials; however, if you have unsupported software that has been segregated this way, you will need to declare it in your scope. For example, if you had a developers’ network with unsupported software on its devices, you would segregate these devices by placing them in their own VLAN, and then add an exclusion statement to your scope description, such as “Head Office Network, excluding Development Network”. This allows you to prevent devices running unsupported software from interacting with the rest of your compliant network.
Removing Internet Access:
- Another method of exclusion is to place non-compliant devices into a VLAN that has no internet access. If a device is unable to connect to the internet, it poses a significantly lower risk, since external threats cannot exploit it. It’s important to mention that the Cyber Essentials scheme is primarily concerned with commodity attacks that can be launched externally, from the internet. Because of this, if you have unsupported software that is segregated behind a VLAN with no internet access, you will not need to declare it within your Cyber Essentials assessment and can apply for “whole organisation” status.
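The two cases above can be checked against the firewall policy that sits between the VLANs. The following is an added example, not part of the original article: the zone names, the policy and the first-match, implicit-deny rule model are constructed assumptions, and the result strings simply restate the article's two outcomes.

```python
ANY = "any"

# Constructed inter-VLAN firewall policy: (action, source zone, destination zone).
# Assumed semantics: evaluated top to bottom, first match wins, implicit deny at the end.
POLICY = [
    ("deny",  "legacy-lab", "internet"),
    ("deny",  "internet",   ANY),
    ("deny",  "dev",        "office"),
    ("deny",  "office",     "dev"),
    ("allow", "office",     "internet"),
    ("allow", "dev",        "internet"),
    ("allow", "office",     "legacy-lab"),
]

def allowed(policy, src, dst):
    """Return True if the first rule matching src -> dst is an allow."""
    for action, rule_src, rule_dst in policy:
        if rule_src in (src, ANY) and rule_dst in (dst, ANY):
            return action == "allow"
    return False  # implicit deny when no rule matches

def classify(policy, vlan, in_scope, internet="internet"):
    """Map a VLAN holding unsupported software to the article's exclusion cases."""
    # Internet access in either direction counts as "connected to the internet".
    has_internet = allowed(policy, vlan, internet) or allowed(policy, internet, vlan)
    if not has_internet:
        return "no internet access: no declaration needed"
    # With internet access, the VLAN must be cut off from every in-scope zone.
    leaks = [zone for zone in in_scope
             if allowed(policy, vlan, zone) or allowed(policy, zone, vlan)]
    if leaks:
        return "not segregated from: " + ", ".join(leaks)
    return "sub-set: declare exclusion in scope"

if __name__ == "__main__":
    for vlan in ("legacy-lab", "dev"):
        print(vlan, "->", classify(POLICY, vlan, ["office"]))
```

Running the same check after every firewall change catches a rule inserted above the deny entries that would silently reconnect an excluded VLAN.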
Conclusion:
Whilst VLANs are not the only valid way of excluding devices from the scope (the use of a firewall also achieves this), implementing them is a great way of achieving Cyber Essentials compliance if you have unsupported software in your organisation. It’s also important to remember that where devices using unsupported software are connected to the internet, these must be excluded.