How to create a subset

Deciding what is in scope for your Cyber Essentials assessment

The scope of your Cyber Essentials assessment and certification should ideally cover the whole of the IT infrastructure used to run your business. Including your ‘whole organisation’ in the scope of the assessment gives you the most protection and also means you qualify for the cyber liability insurance *included with your Cyber Essentials certification. (*if your annual turnover is less than £20 million and you are domiciled in the UK).

In some cases it is not possible to have the whole organisation in scope, for example if some of your volunteers or employees use old, out-of-support software for a particular project. In this case you must have a way to securely separate this part of the business from the rest. The only solution that achieves Cyber Essentials compliance is to use a technical configuration on a *firewall or *VLAN to create a well-defined and separately managed subset or network segment, which separates the ‘out of scope’ network from the rest of the business. This protects the ‘in scope’ business network from any vulnerabilities introduced by the unsupported software.

A subset can also be used to certify different sites, departments or networks individually. You must be able to clearly describe what the scope is (eg ‘our office in London only’) and how it is separated from any out-of-scope part of your organisation. Any assessment scope without a technical network boundary is not acceptable: for example, an individual project team will not be an acceptable scope unless the IT systems associated with that team are in a separate technical network subset.

If you have a complex company structure and believe the assessment would not cover the whole of your organisation, you may need to seek professional advice on how you would apply controls to a subset of your organisation to allow part of it to be in scope for Cyber Essentials.

There are nearly 300 specially trained cyber security companies around the UK who are licensed to certify against the Government’s Cyber Essentials Scheme. They can offer help and support in preparation for the assessment. Find one near you.


A simple way to create a subset, or segregate your network

A flat network is one where all devices in an organisation communicate across a single network that has not been segmented to improve security. This scenario carries risk because a vulnerability anywhere in the network threatens the security of everything on it. A notorious cyber attack against Sony Pictures in 2014 demonstrated to the world the dangers of a flat network. Attackers entered Sony’s network in one part of the business but, due to the flat network structure across the whole of Sony, they were able to steal music, films and confidential documents from servers all over the business and across the world.

Network segmentation makes it much harder for an attacker to move from one part of the business to another. A firewall or VLAN can be used to create separate networks (physically separate, or logically separate on shared switches) that do not communicate directly; any traffic between them has to pass through a firewall rule that explicitly permits it.

One simple way to move some laptops or mobile devices onto a network that is separate from your main business network is to create a guest network. You may already have come across guest networks when signing in to a student network at a school or university, or when using the internet at your library or in a hotel. Although you are connected to the internet, you are not on the main business network and therefore cannot access (or provide an access point to) the organisation’s data.

How to set up a guest network on your router

Most modern internet routers allow you to create a guest network, but as different routers use different software, the exact steps vary from router to router. First, type your router’s IP address into the address bar of any browser; this is a number such as 192.168.1.1. You can find your router’s address by searching online for ‘what is the Plusnet / BT / Virgin Media router’s address?’ or by looking at the label on the router itself. Once you have entered the address and are on your router’s web page, you will need to log in as an administrator by entering the admin password.

You will have the password from your Internet Service Provider, or from the manual or label that came with the router. If it is still the factory default, change it before going any further.

  • Log into your router account.
  • Look for the guest network settings under the Wi-Fi or Wireless settings.
  • Enable guest Wi-Fi access by switching a toggle or checking a box.
  • Set the guest Wi-Fi network name and guest Wi-Fi password. (Be sure that you don’t use the same password for your guest network as for your main network.)
  • Check that the guest network is isolated from your main network. Some routers call this ‘client isolation’, or have an option such as ‘allow guests to access my local network’, which should be switched off.
  • Save your settings.
  • Test the separation: connect a device to the guest network and confirm it cannot reach a printer, file share or other device on the main network.
  • You can now share the Wi-Fi name and password of your guest network with the volunteers or workers whose devices you want to keep separate from your main network.

Please note, your particular router may not have the option to create a guest network.

What is a *Firewall?

A firewall is a piece of hardware or software that filters incoming and outgoing network traffic according to rules, to keep malware and attackers out. Security administrators set rules about what is and isn’t allowed through the firewall. A boundary firewall or an internal firewall can be used to create a well-defined and separately managed subset or network segment that separates an ‘out of scope’ network from the rest of the business. A host-based software firewall running on individual devices is not acceptable for this role, because it does not create a network boundary between the two parts of the business.

What is a *VLAN?

Your Local Area Network (LAN) is everything on your side of the router that your internet service provider has given you to connect to the wider internet. It might include all the computers, mobile devices and IoT devices in your home or office.

VLAN stands for Virtual Local Area Network. It is a technology that lets you split one physical network into separate segments using managed switches, which are now inexpensive. Computers, servers and other network devices can be grouped together or kept apart regardless of which switch port or which room they are plugged into. You can use VLANs to improve network security by putting sensitive systems, and the users who need them, on their own VLAN. Traffic on that VLAN stays within it unless a router or firewall is configured to pass it, so only authorised users and systems can reach it.

Whether it is a guest network or a VLAN to separate your work and home devices when your office is at home, the separation means that devices on the separate networks cannot communicate directly. Any traffic between them has to go through the firewall, which should be configured to block it unless there is a specific business need. This means that if malware infects a device on one network, the devices on the other network are protected.
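Added example, not from this page and not an official Cyber Essentials or IASME configuration: the firewall and VLAN separation described above, expressed as a small Python model of the policy between an in-scope office LAN and an out-of-scope VLAN, together with a rendering of that same policy as an nftables forward chain for a Linux firewall sitting between the two segments. The addresses (192.168.1.0/24 and 192.168.50.0/24), VLAN ID 50 and interface names (eth0.10, eth0.50, wan0) are assumptions chosen for the example.

```python
"""Two-segment policy model: an in-scope office LAN and an out-of-scope VLAN
that must not talk to each other directly. Traffic between them has to cross
the firewall, whose forward chain defaults to drop, so anything not listed
below is blocked. The policy is also rendered as an nftables ruleset so the
documented scope boundary and the enforced one stay in step.

Example code added to this page; not an official Cyber Essentials config.
Addresses, VLAN ID and interface names are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segments. 192.168.1.0/24 is the in-scope office LAN (VLAN 10);
# 192.168.50.0/24 is the out-of-scope VLAN (VLAN 50) for devices that still
# run unsupported software. Interface names are assumptions.
SEGMENTS = {
    "office": {"cidr": ipaddress.ip_network("192.168.1.0/24"), "iface": "eth0.10"},
    "legacy": {"cidr": ipaddress.ip_network("192.168.50.0/24"), "iface": "eth0.50"},
}
WAN_IFACE = "wan0"  # assumed name of the internet-facing interface


@dataclass(frozen=True)
class Rule:
    src: str     # segment name
    dst: str     # segment name or "internet"
    action: str  # "accept" or "drop"


# Ordered list: first match wins; anything unmatched falls to DEFAULT_ACTION.
POLICY = [
    Rule("legacy", "office", "drop"),      # unsupported devices cannot reach the in-scope LAN
    Rule("office", "legacy", "drop"),      # and the in-scope LAN cannot reach them either
    Rule("legacy", "internet", "accept"),  # out-of-scope segment still gets internet access
    Rule("office", "internet", "accept"),
]
DEFAULT_ACTION = "drop"  # no rule for inbound-from-internet, so it is dropped


def segment_of(ip: str) -> str:
    """Name the segment an address belongs to; anything else is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, seg in SEGMENTS.items():
        if addr in seg["cidr"]:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str) -> str:
    """Decide 'accept' or 'drop' for a NEW flow from src_ip to dst_ip.

    Return traffic for flows already accepted is handled by the conntrack
    rule in the rendered ruleset, not by this function.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst and src != "internet":
        return "accept"  # same VLAN: switched locally, never crosses the firewall
    for rule in POLICY:
        if rule.src == src and rule.dst == dst:
            return rule.action
    return DEFAULT_ACTION


def render_nftables() -> str:
    """Render POLICY as an nftables forward chain with a default-drop policy."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for rule in POLICY:
        src = f"ip saddr {SEGMENTS[rule.src]['cidr']}"
        if rule.dst == "internet":
            dst = f'oifname "{WAN_IFACE}"'
        else:
            dst = f"ip daddr {SEGMENTS[rule.dst]['cidr']}"
        lines.append(f"    {src} {dst} {rule.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in [("192.168.50.20", "192.168.1.10"),   # legacy -> office
                 ("192.168.1.10", "192.168.50.20"),   # office -> legacy
                 ("192.168.50.20", "93.184.216.34"),  # legacy -> internet
                 ("203.0.113.5", "192.168.1.10")]:    # internet -> office
        print(f"{flow[0]:>15} -> {flow[1]:<15} {evaluate(*flow)}")
    print(render_nftables())
```

The `policy drop;` on the forward chain is what makes the subset real: the two explicit drop rules document the boundary for the assessor, but even if they were deleted, nothing would pass between the segments unless an accept rule named it. On a Linux firewall the out-of-scope VLAN interface itself would be created with `ip link add link eth0 name eth0.50 type vlan id 50`, and the rendered ruleset loaded from a file with `nft -f`.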