Introduction

Technical debt and out of support software can be a challenge when considering Cyber Essentials certification. This summary demystifies the topic with advice, an explanation and a worked example, aimed at helping and informing.

Out of support software and technical debt

There are plenty of reasons why organisations need to retain end of support software (including operating systems), such as:

  • Financial constraints
  • Resource constraints
  • Operational needs
  • Lack of expertise to replace / retire
  • Poor documentation leading to migration challenges
  • Replacement systems haven’t been designed, or simply can’t replace the existing ones

A sub-set could help

  • A sub-set is described as “a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN”
  • Out of support (technical debt) systems can be located in a sub-set in order to support certification and reduce risk

Note: deploying a firewall on the boundary of that VLAN will help control traffic going in and out, and further reduce risk

Cyber Essentials, out of support software and technical debt

It is possible to achieve and maintain Cyber Essentials certification with technical debt, provided network segregation is used. The detail below explains how:

  • Technical debt is located in a Virtual LAN (VLAN), so it’s at least ‘one hop’ away from the network being assessed for Cyber Essentials, and is de-scoped from the assessment
  • Once segregated, a couple of options may then exist:
    1. Internet connectivity remains between the out of support software devices and the internet
    2. Internet connectivity is blocked at the boundary of the segregated network, so there’s no inbound / outbound internet communication; this lowers the risk of internet-based threats reaching the out of support software devices
  • Whether internet connectivity remains for the sub-set or not determines how the organisation can then scope its Cyber Essentials assessment:
    1. If internet connectivity is blocked at the boundary of the sub-set, the whole of the organisation can be in scope for the assessment (as there is no internet connectivity to the out of support devices, which means they are out of scope)
    2. If internet connectivity remains in place for the sub-set, then the whole organisation cannot be in scope and there needs to be an ‘exclusion of network’ statement in the scope description; it also means higher risk, and that the organisation would not qualify for free cyber liability insurance

Considerations and Key Notes

When a ‘network is excluded’ for Cyber Essentials:

  • A boundary firewall or VLAN is in place between ‘network1’ (main network in scope) and ‘network2’ (network being de-scoped)
  • End of support devices located on ‘network2’ can communicate with the internet
  • Devices on ‘network1’ and ‘network2’ can communicate with each other
  • The description of the scope could be “whole organisation excluding network2”

When the whole organisation can still be considered for scope:

  • A boundary firewall or VLAN is in place between ‘network1’ (main network in scope) and ‘network2’ (network being de-scoped)
  • End of support devices on ‘network2’ cannot communicate with the internet
  • Devices on ‘network1’ and ‘network2’ can communicate with each other
  • The description of the scope could be “whole organisation”

Key Notes

  • See the Cyber Essentials Knowledge Hub for a number of excellent scenario descriptions to support the use of sub-sets
  • The Cyber Essentials Knowledge Hub also covers cloud and student networks

Example Scenario

Organisation ABC uses an out of support server and application to support operations and can’t replace it within the timescales proposed for Cyber Essentials certification.

  • For this environment, the focus is on the end of support server and application
  • The server and application are deployed into VLANX, with a firewall controlling traffic in / out of VLANX
  • Firewall rules are applied at the boundary of VLANX that prevent internet connectivity to / from VLANX
  • Firewall rules also allow traffic from VLANX to the rest of the environment, in order to support ongoing organisational operations
  • Organisation ABC submits a scope of “Whole organisation” as there is no internet connectivity for the out of support server / application in VLANX
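The check an assessor or administrator would want before submitting a “Whole organisation” scope is that the VLANX boundary policy really denies every internet path in both directions while internal traffic still flows. The script below is an added example, not part of the original post or any product: it models first-match firewall rules and probes them with constructed flows, with all address ranges, rule formats and the weak ruleset being assumptions for illustration.

```python
"""Added example: does a VLAN boundary policy meet the Cyber Essentials
'whole organisation' condition (no inbound or outbound internet for the
sub-set, internal traffic still allowed)? Addresses are constructed."""
import ipaddress

# Constructed ranges: VLANX holds the out of support server,
# network1 is the main in-scope network.
VLANX = ipaddress.ip_network("10.20.0.0/24")
NETWORK1 = ipaddress.ip_network("10.10.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")

def evaluate(rules, src, dst):
    """First-match evaluation of (src_net, dst_net, action) tuples.
    Nothing matching falls through to an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# Constructed probe flows a tester would run at the VLANX boundary.
# 203.0.113.10 is a documentation address standing in for 'the internet'.
PROBES = [
    ("10.20.0.5", "203.0.113.10", "internet"),  # VLANX -> internet
    ("203.0.113.10", "10.20.0.5", "internet"),  # internet -> VLANX
    ("10.20.0.5", "10.10.1.20", "internal"),    # VLANX -> network1
    ("10.10.1.20", "10.20.0.5", "internal"),    # network1 -> VLANX
]

def scope_assessment(rules):
    """'whole organisation' only when every internet probe is denied and
    every internal probe is allowed; otherwise the sub-set must be
    excluded from scope."""
    internet_blocked = all(evaluate(rules, s, d) == "deny"
                           for s, d, kind in PROBES if kind == "internet")
    internal_ok = all(evaluate(rules, s, d) == "allow"
                      for s, d, kind in PROBES if kind == "internal")
    if internet_blocked and internal_ok:
        return "whole organisation"
    return "exclusion of network required"

# Weak (assumed) policy: 'VLANX to anywhere' also reaches the internet.
WEAK_RULES = [(VLANX, ANY, "allow"), (NETWORK1, VLANX, "allow")]

# Corrected policy: internal allows first, then explicit internet denies.
CORRECT_RULES = [
    (VLANX, NETWORK1, "allow"), (NETWORK1, VLANX, "allow"),
    (VLANX, ANY, "deny"), (ANY, VLANX, "deny"),
]
```

The same probe set can be reused against a live boundary by replacing `evaluate` with an actual connection attempt from each side of the firewall.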

 

Tips and Recommendations

  1. Plan ahead and replace software / hardware ahead of time: check vendor notifications and ensure a suitable timeline and budget can be agreed, to avoid issues
  2. Consider the risks associated with technical debt and apply additional technical controls wherever possible, to protect the device, prevent exploitation of weaknesses and alert should exploitation occur
  3. Seek guidance and support from an NCSC Cyber Advisor, such as RB Consultancy Ltd

For more detailed guidance, review the IT Requirement for Infrastructure document and/or visit the IASME knowledge hub for Cyber Essentials.

How We Help

At RB Consultancy Ltd we support organisations by securing environments and assisting with Cyber Essentials and Cyber Essentials Plus requirements:

  • We explain the importance of security updates and risks of technical debt
  • We help ensure sub-sets are applied in the event technical debt remains
  • We explain why the Cyber Essentials questions are being asked and how they intend to protect organisations in different ways
  • We ensure the use of sub-sets aligns with Cyber Essentials guidelines
  • We assess and issue organisations with Cyber Essentials and Cyber Essentials Plus certifications

Conclusion

  • It is possible for organisations to achieve Cyber Essentials certification with out of support software and technical debt; deployment of a sub-set is required
  • The risk is higher when end of support equipment retains internet connectivity than when that connectivity is blocked
  • If internet connectivity is blocked at the boundary of the sub-set that’s being de-scoped, then the risk is lower and the Cyber Essentials certification can cover the ‘whole of the organisation’
  • By ensuring compliance with the Cyber Essentials technical controls, organisations can significantly reduce their cyber risk

If you need any assistance with sub-setting, or Cyber Essentials / Cyber Essentials Plus certification, please contact us for support.

Cyber Essentials: Using Out of Support Software
