Background

I've recently joined a rapidly growing small business (from 4 to 20 people in the last 12 months) with a very DIY IT setup. It's fallen to me (I'm a developer, so I just happen to be sitting nearest the IT world...) to improve their security, and specifically we are aiming to achieve compliance with Cyber Essentials (we are in the UK).

The general mode of operation is that every employee is on a macOS or Windows 8+ laptop (some purchased by the company, some personal devices), and all work takes place within Google Workspace. People also connect to Google apps like Gmail on their personal phones. There is an internet connection and wireless router in the office, but no other infrastructure to speak of.

The Question

I have prepared a long list of "to-do's" for the users of these laptops which would bring them in line with Cyber Essentials requirements, but I wondered what the guidance would be on employees "self-managing" these things (with formal training, assistance and regular check-ins). There is no device management in place and everyone just uses them like their own devices.

It could make sense to recall, wipe, set up device management of some sort, and re-issue the laptops to employees, but this would be incredibly disruptive and met with much resistance, so I am keen to either avoid that or be 100% sure before requesting it.

I wondered if the protections offered by Google Workspace's endpoint protection/device management would be considered sufficient, given that business data never leaves Google Workspace (and indeed the new policy would be that this act would be a HARD no for employees!). Obviously this leaves tasks like running updates, keeping security features turned on, etc. up to the employee, but that's no different to a BYOD situation, right?

I would be keen to know if anyone out there has been in a similar position. I do feel like the hard way is probably the right way but any advice would go a long way to helping my argument for this with management.

Answer

Since COVID, many places have the same scenario. CE assessors can guide you through options.

The main thing is that you can know what devices you have that are in scope and that you can assess patch levels and software inventories. Whatever method you have where you can do that and show that devices in scope are updated, you have covered most of the device-level requirements.

With the new question set, any device that accesses company data (even if you are 100% SaaS) is in scope, so you need to show some sort of control over those devices.

You are basically in a BYOD scenario, so use the BYOD guidance. Staff need a combination of training and policy, and technical requirements need to be met.

Comments
  • Yes, software versions are required. It's the 2nd question in the technical part of the assessment. And with the new CE update (a.k.a. "Beacon") it is not just critical updates, but any update (like a service pack) that does not specify whether it is a security update, so, yes, versions are required. – schroeder Jul 21 '21 at 21:44
  • Don't assume I do anything out of spite. Your answer is technically incorrect. That is all. – schroeder Jul 21 '21 at 21:44
  • I'm a certified CE assessor and run a team doing assessments. I know the question set ... again, do not assume I am doing anything out of spite ... – schroeder Jul 21 '21 at 21:55
  • And ***that*** was both spite and snark. Do not push things. You are focused on me and not the topic. – schroeder Jul 21 '21 at 22:01
  • Training and policy are undefined in the standard. They need to match the goals of the CE standard, that's about it. The technical controls are laid out in the CE standard. And you've reframed my comments about software inventories. I do not need to show you anything saying that it is required. The requirement of the standard is to run up-to-date software. You will discover that your assessor will want that evidenced. That means an inventory. And, as I said, the assessor and the Board of the company are likely not going to want user self-audits of company devices. – schroeder Jul 21 '21 at 22:08
  • Uh, sure, but I'm not sure how/why that is relevant. You want to know what device has what version. You can report a range, but ***you*** need the data. – schroeder Jul 21 '21 at 22:12
  • Then you will be surprised when you are asked for evidence of your assertions, evidence that your intended controls are working, and that your Board will have to sign off on the truthfulness of the claims. And for all the other stuff you've come back with, you have failed to read my comments. I can't help you there. – schroeder Jul 22 '21 at 09:48