Previous requirement: A device is in scope if it has access to both the Internet and company data.

New requirement: A device is in scope if it meets at least one of the following conditions:
– It can accept incoming network connections from untrusted Internet-connected hosts
– It can establish user-initiated outbound connections to devices via the Internet
– It controls the flow of data between any of the above devices and the Internet
All applications must now include the number of end-user devices in the scope. Scopes such as Azure-only or DMZ-only are no longer acceptable and will not achieve compliance.

Previous requirement: It was permissible to de-scope devices by using firewall rules to block Internet traffic to and from one or more devices.

New requirement: Individual firewall rules are no longer an acceptable method of de-scoping devices.
Sub-sets (defined as a part of the organization whose network is segregated from the rest of the organization by a firewall or VLAN) are used to determine scope.
If one device in a sub-set is in scope, all devices in that sub-set will also be included in the scope.
Devices which an applicant would like to de-scope must be placed in a separate sub-set, i.e. in a segregated VLAN or behind a dedicated firewall.
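As an added illustration (not part of the original table), the following Python applies the new scoping rules above to a constructed device inventory, including the rule that one in-scope device pulls its whole sub-set into scope; the device names and VLAN labels are made up.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    subset: str                    # VLAN or firewall-segregated segment the device sits in
    end_user: bool = False         # counts towards the end-user device number on the application
    accepts_inbound: bool = False  # accepts connections from untrusted Internet-connected hosts
    user_outbound: bool = False    # users initiate outbound Internet connections from it
    controls_flow: bool = False    # firewall/router between the above devices and the Internet


def directly_in_scope(d: Device) -> bool:
    """A device meets the scope test if at least one of the three conditions holds."""
    return d.accepts_inbound or d.user_outbound or d.controls_flow


def scope(devices: list[Device]) -> set[str]:
    """Names of all in-scope devices. One in-scope device pulls every device sharing
    its sub-set into scope, so de-scoping only works by moving a device to a
    separate sub-set, never by a per-device firewall rule."""
    tainted = {d.subset for d in devices if directly_in_scope(d)}
    return {d.name for d in devices if d.subset in tainted}


def end_user_device_count(devices: list[Device]) -> int:
    """Number of end-user devices that must be declared on the application."""
    names = scope(devices)
    return sum(1 for d in devices if d.name in names and d.end_user)


# Constructed inventory for illustration only.
INVENTORY = [
    Device("laptop-01", "vlan-users", end_user=True, user_outbound=True),
    Device("laptop-02", "vlan-users", end_user=True, user_outbound=True),
    # Legacy build box with a host firewall rule blocking the Internet: the rule
    # no longer de-scopes it, because it shares vlan-users with the laptops.
    Device("build-legacy", "vlan-users"),
    Device("edge-fw", "vlan-edge", controls_flow=True),
    Device("web-01", "vlan-dmz", accepts_inbound=True),
    # Lab kit on its own segregated VLAN with no Internet path: out of scope.
    Device("lab-plc", "vlan-lab"),
]

if __name__ == "__main__":
    print(sorted(scope(INVENTORY)))
    print(end_user_device_count(INVENTORY))
```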
Previous requirement: Not required to be in scope.

New requirement: 1 YEAR GRACE PERIOD:
From Jan 2022 to Jan 2023: in scope, but the questions are informational only. This will not cause an application to fail if the devices are insecurely configured.
From Jan 2023 onwards: in scope, and must be supported and receiving security updates.

Previous requirement: Left up to the applicant to decide whether cloud services are in scope.

New requirement: Always included in the scope: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Previous requirement: Unsupported software causes a major non-compliance, which increases the likelihood of an overall fail if other areas of the scope are also non-compliant.

New requirement: 1 YEAR GRACE PERIOD:
From Jan 2022 to Jan 2023: unsupported software will attract two major non-compliances, which means the rest of the scope must be compliant to avoid a fail.
From Jan 2023: unsupported software found on an in-scope device will cause an automatic fail.

Previous requirement: Networks controlled by home workers (e.g. home broadband and associated routers) were originally in scope. This involved configuration checks such as ensuring all home workers had changed their default home router password.

New requirement: Home workers’ personal home networks are now explicitly excluded from the scope. This is due to potential legal concerns under GDPR, as details of ISP-provided home routers can be considered Personally Identifiable Information (PII). Corporate-provided routers are in scope.
Home workers’ devices (i.e. workstations and mobile devices) are still in scope.
Home workers will rely on either the software firewalls on their corporate device(s) or the use of a corporate VPN.
New requirement: This is a new section: device locking is now included within secure configuration control.
Acceptable locks for a device are PINs, biometrics, and passwords. If the lock is used solely to unlock the device, the minimum length is 6 digits for a PIN or 6 characters for a password.
When the credentials are also used elsewhere (e.g. a Windows SSO password), the full password requirements must be applied – see the “Password Requirements” section below.

Previous requirement: Passwords must be 8 characters long and difficult to guess.

New requirement: Accounts must be protected against brute-forcing with one or more of the following:
– Multi-factor authentication
– Account lockout
– Login throttling
The minimum password length is 8 characters if one or both of the following apply:
– MFA (multi-factor authentication) is used
– Common passwords are disallowed
If neither of the above is in place, the minimum password length is 12 characters.
Bring-Your-Own-Device (BYOD) Mobile Devices

New requirement: A BYOD device is not in scope if it is used solely for native voice (i.e. telephone) applications, text (i.e. SMS) applications, MFA applications, or a combination of these. Use of non-native telephone or SMS apps, such as WhatsApp, for business purposes will bring the BYOD device back into scope.

Security Update Management

New requirement: All in-scope software must:
– be removed from devices when it becomes unsupported, OR the device must be removed from scope by placing it in a defined sub-set that prevents all traffic to and from the Internet
– have automatic updates enabled where possible
– have critical updates applied within 14 days
Firmware is also expected to be kept up to date.

New requirement: This is a new section intended to encourage good practice or highlight areas where backup procedures could be added or improved. The questions are informational only, and your answers will not cause you to fail the assessment, although this may change in future question sets.