The first step in a Cyber Essentials assessment is to determine what organisational data and organisational services are used in your business, writes Cyber Security Technician Tom Boughton.
Common examples of organisational data are emails, documents, database data, or financial data, with common examples of organisational services being software applications, cloud applications, cloud services, and device management solutions used to manage devices.
While identifying these can appear to be straightforward, for some companies it can become ambiguous and frustrating. For example, if a smart TV has Teams installed, should it be included within scope? Or a desk IP Telephony device with Teams functionality? What about a smart car that can connect to a work mobile device?
I’ll address the common irregular device queries that we receive below.
Smart Cars and other related systems
For a device to be considered in scope in Cyber Essentials, it must meet at least one of the three definitions:
- Can establish Internet connections to untrusted Internet-connected hosts.
- Can establish user-initiated outbound connections to devices via the Internet.
- Control the flow of data between any of the above devices and the Internet.
By this definition a smart car, which only projects data that is stored on a mobile device when paired together, would not be included within scope.
Desk Phones and IP Telephony
If an IP telephony device connects to Internet-connected services such as Teams, then the devices need to be declared within scope. These devices would need to be declared in A2.4 and require the manufacturer name and operating system and operating system version.
To get information about the operating system and operating system version you may need to go to the settings page on the phone. Please note that some manufacturers may use, what appears to be, unsupported versions of operating systems on their devices. For example, a desk-phone may be running under Android 8, which was discontinued by Google some time ago but, due to the Licensing agreement the manufacturer has with Google, the manufacturer may still maintain the Operating System and release security updates. This would be compliant and would need to be stated in A2.4, and you would need to declare that this has been confirmed in your submission, for example Yealink has issued this document that is sufficient (as long as the device itself is still supported).
If your device runs an unsupported operating system, and isn’t being patched by the manufacturer, it is possible to descope the telephones onto their own VLAN network. Please see here for more information about scoping in Cyber Essentials for Montpellier and Evendine.
Smart TVs and games consoles
Smart TVs are an ongoing topic for which we are still awaiting official guidance from the National Cyber Security Centre’s Cyber Essentials Delivery Partner. For now, we recommend removing these devices from scope by placing them onto their own separate network or by removing all organisational data from them. These types of devices can act as barriers for certification, even when the rest of the submission is compliant.
In conclusion, irregular devices can cause problems during Cyber Essentials assessment, and may need to be treated on a case-by-case basis. Indelible Data offers a one-to-one support call as part of the Cyber Essentials Gold package, where an experienced Cyber Technician will explain and resolve all queries for an assessment.