Security and Compliance
Introduction
A 30 user solicitor client wanted to gain the Cyber Essentials certification to satisfy guidance from the SRA.
The client were already using the full Office 365 suite including Exchange Online, OneDrive, SharePoint etc. with no onsite servers/systems. eXact advised them on the criteria, completed the questionnaire for the client and the client were awarded the Cyber Essentials accreditation. The accreditation was up for renewal and the NCSC’s requirements had changed to include more aspects of companies’ IT setup in the scope of the assessment, which they did not meet.
Areas where they failed the pre-assessment were:
- They did not have a written password policy
- They had no account lockout policy to combat brute force password cracking
- They had no mechanism to screen-lock their machines after a period of inactivity
Process
eXact provided the client with a written password policy tailored to their company.
The account lockout (also know as ‘password throttling’) was more complicated as they were operating without a local Microsoft Domain in their office so there was no mechanism in place to apply an account lockout policy locally.
By the same token there was no centrally-managed way to apply a screen-lock policy to their office machines after period of inactivity. (To unlock the device a PIN or biometric authentication must be used).
To solve these problems, eXact rolled out Intune to all the clients devices. (This had the benefit of providing an up-to-date asset register of all devices (which is a requirement of the certification) replacing the static asset register spreadsheet that they were keeping beforehand).
Intune allowed device policies to be pushed to all their machines including password throttling and screen-lock policies.
To achieve password throttling on a local PC Intune will reboot the PC and then require the Bitlocker recovery password.
eXact are in the process of taking the client through the assessment for Cyber Essentials Plus