The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576974115/Scope+FAQ#
QUESTION | ANSWER |
---|---|
What does whole organisation mean? |
|
What is a virtual desktop? |
|
What is meant by ‘data and services’? |
|
What does BYOD mean? |
|
What is a MAC address? |
|
What is a server? |
|
What is a virtual server? |
|
What is a hypervisor? |
|
What is a switch? |
|
Are personally-owned (BYOD) devices in scope? | Yes |
If a home-worker has a firewall that wasn’t provided by their ISP or their company (for example they have bought their own) would this be in scope of the assessment? | They should make sure that the software firewalls on their devices are switched on. All widely used operating systems nowadays have a built-in firewall (e.g. Windows Defender). |
Are virtual machines and containers in scope for Cyber Essentials? | Yes, they are, and the controls should be applied to them just as for any other device. It’s important to make sure that the end-point devices are protected as these could contain vulnerabilities. |
Are end user devices connecting to virtual desktops in scope? | End user devices accessing services or data via virtual desktops are in scope and need to have the Cyber Essentials controls applied to them. |
Are switches in scope for Cyber Essentials? | No |
Are printers in scope for Cyber Essentials? | No, printers are not deemed to be in the scope of Cyber Essentials. |
Yes, personally-owned devices must be kept up to date if they are being used to access organisational data and services. | A segregated network is part of a network that is behind a firewall or separated using a VLAN. If you are using this to remove devices from scope, any internet connections must also be blocked by the firewall or VLAN. |
If the network is not located in the UK, does this make a difference? | No, there are no location restrictions on Cyber Essentials. |
What is the definition of a third-party contractor? For us, would that include external examiners, visiting lecturers, etc? | It is up to the applicant organisation, not the CE requirements, to determine if they are a third-party contractor. |
When segmenting a part of a network to remove it from scope, what are the rules about internet access for this segment? | No internet access means that all inbound and outbound connections must be blocked at the boundary of the segregated network. |
Is a third party also BYOD? | A third-party device is owned and administered by another organisation; a BYOD device is owned by an individual. |
Is a device owned by a third party and used by students/staff out of scope for CE? | A device owned by a third party would not come into scope for your certification. How you handle these devices as part of your supply chain is up to the certifying organisation, but they still present the same risks that the CE controls are trying to prevent. |