Cyber Essentials Montpellier (3.1)
Cyber Essentials Montpellier (3.1) officially launched on April 24th, 2023. The ‘Montpellier’ question set will replace the current Evendine question set.
Any assessments started before the 24th of April will be assessed against Evendine, however those started after the 24th will be assessed against Montpellier.
This year, as advised by IASME, the changes to the scheme are as follows:
1. The definition of ‘software’ has been updated to clarify where firmware is in scope
- Software includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firewall and router firmware.
Why the change?
Firewall and router firmware is the operating system of those devices. As firewalls and routers are key security devices, their operating systems and whether they are kept up to date is extremely important from a security perspective.
And another thing…
Cyber Essentials will require that all applicants list their laptops, desktops, servers, computers, tablets and mobile phones, with details of the make and operating system. However, when it comes to firewalls and routers, the applicant will only be asked to list make and model, but not the specific version of the firmware. By asking for the make and model of these devices, the Assessor will be able to determine whether the device is still receiving security updates to its firmware.
2. Asset management is important in Cyber Essentials
In a similar vein to backing up data, asset management isn’t a specific Cyber Essentials control, but it is a highly recommended core security function. By including this subject in the Cyber Essentials requirements, the importance of good asset management is being emphasised.
Why is Asset Management important?
The requirements clarify that asset management doesn’t mean making lists or databases that are never used; it means creating, establishing and maintaining authoritative and accurate information about your assets that enables both day-to-day operations and efficient decision making when you need it. Security experts often refer to asset management as a fundamental cyber hygiene practice that can help an organisation meet all five of the Cyber Essentials controls. Many major security incidents are caused by organisations having assets which are still connected to the network when that organisation is not aware the asset is still active. Effective asset management will help track and control devices as they’re introduced into your business.
3. Clarification on including third party devices
All end user devices that your organisation owns and that are loaned to a third party must be included in the assessment scope. A new table is included for clarity on this subject.
For devices not owned by your organisation, the table in the requirements document explains what is in and out of scope, marking each case with a green tick (in scope) or a red cross (out of scope).
Why the change to third party devices?
The new table gives clarity on which third party devices are in scope for Cyber Essentials. It aims to answer the common questions about consultants, volunteers, and the much disputed student devices. When a third-party device has a green tick, it is in scope and the applicant organisation needs to demonstrate that it can apply the required controls via a combination of technical measures and written policy. For example, if an in-scope third-party BYOD device connects to an organisational Office 365 tenant, the organisation can create a conditional access policy that says if the device doesn’t have a supported operating system, it won’t connect until the operating system is updated.
The devices of students that are not owned by the applicant organisation are not and have never been in scope.
4. ‘Device unlocking’ section has been updated to reflect that some configuration can’t be altered because of vendor restrictions
- When the vendor doesn’t allow you to configure the settings above, use the vendor’s default setting
Why?
Sometimes, an applicant might be using a device where there are no options to change the configuration to meet the Cyber Essentials requirements. One example of this is locking the device after 10 failed sign-in attempts. Samsung, possibly the largest provider of smartphones in the world, have set their minimum sign-in attempts at 15, with no option to alter this number. So, in this instance, Cyber Essentials would require that the applicant goes with the minimum number of sign-in attempts allowed by the device before locking.
5. An updated ‘Malware protection’ section
You must make sure that a malware protection mechanism is active on all devices in scope. For each device, you must use at least one of the options listed below. In most modern products these options are built into the software supplied. Alternatively, you can purchase products from a third-party provider. In all cases the software must be active, kept up to date in accordance with the vendor’s instructions, and configured to work as detailed below:
Anti-malware software (option for in-scope devices running Windows or macOS, including servers, desktop computers and laptop computers)
If you use anti-malware software to protect your device it must be configured to:
- Be updated in line with vendor recommendations
- Prevent malware from running
- Prevent the execution of malicious code
- Prevent connections to malicious websites over the internet
Application allow listing (option for all in-scope devices)
Only approved applications, restricted by code signing, are allowed to execute on devices. You must:
- Actively approve such applications before deploying them to devices
- Maintain a current list of approved applications; users must not be able to install any application that is unsigned or has an invalid signature
Why the change to Applications?
Questions have been raised about the efficacy of some of the controls to defend against malware. Requirements have been updated with the latest knowledge, research and recommendations from vendors.
6. Information about how using a zero trust architecture affects Cyber Essentials
Network architecture is changing. More services are moving to the cloud and use of Software as a Service (SaaS) continues to grow.
At the same time, many organisations are embracing flexible working, which means lots of different device types may connect to your systems from many locations. It’s also increasingly common for organisations to share data with their partners and guest users, which requires more granular access control policies.
Zero trust architecture is designed to cope with these changing conditions by enabling an improved user experience for remote access and data sharing.
A zero trust architecture is an approach to system design where inherent trust in the network is removed. Instead, the network is assumed hostile and each access request is verified, based on an access policy. Confidence in a request is achieved by building context, which relies on strong authentication, authorisation, device health, and value of the data being accessed.
NCSC and IASME have considered the alignment of Cyber Essentials with the zero trust architecture models. We are confident that implementing the Cyber Essentials technical controls does not prevent you from using a zero trust architecture as defined by the NCSC guidance.
7. The illustrative specification document for CE+ has been updated and was published on January 23rd.
The changes regarding malware protection affect how a CE+ Assessor carries out the malware protection tests. At the point of CE+ audit, the Assessor will discuss further if required.
8. A number of style and language changes have been made to make the document more readable
The requirements document has been updated in line with plain English and accessibility guidelines.
9. The technical controls have been reordered to align with the self-assessment question set
You can find the new question set here: Question Set: Montpellier
If you’re looking to achieve Cyber Essentials or Cyber Essentials Plus for your organisation – please do get in touch with us if you would like to discuss further, you can reach us on: hello@fourtify.co.uk / 0330 122 1241.