CYBER ESSENTIALS MYTHCONCEPTION 6: End-of-Life Operating Systems or Software
This post in our series on Cyber Essentials "Mythconceptions" tackles the myth:
"The existence of end-of-life operating systems or software in our organisation means we can never be compliant"
This myth is only partly true. Many organisations have business-critical systems that will never pass compliance. If you have end-of-life operating systems or software in scope, then that scope cannot pass compliance. But there are ways to place those systems out of scope and certify the rest of the organisation.
You can still achieve compliance by logically or physically separating the non-compliant systems from the rest of the in-scope network. This can be done using hardware firewalls or VLANs with appropriate ACLs and routing rules. This segmented network becomes a "subset".
Then, there is a scoping question to be asked:
If the segmented subset does NOT have internet access, then the applicant can apply for a "whole organisation" certification.
If the segmented subset HAS internet access, then the applicant cannot apply for a "whole organisation" certification and must provide a scoping statement that explains what has been excluded from the scope.
The intent of this rule is very clear: the out-of-scope subsets must be their own, separate networks and treated as though they are untrusted. The in-scope network must be properly protected from the non-compliant, out-of-scope subset.
In previous years, a software firewall on the non-compliant system, if configured correctly to segment the system from the network, would pass compliance. This has changed. The firewall that segments the out-of-scope network must be a separate hardware firewall.
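As an added example (not from the post, IASME or Barrier Networks), the scoping question above can be checked mechanically against the rules configured on the separate firewall that segments the end-of-life subset. The zone names, the Rule format and the three sample rulesets are assumptions constructed for this illustration.

```python
# Added example, not IASME or Barrier Networks material: audit the rules on the
# separate firewall that segments an end-of-life (EoL) subset and report which
# Cyber Essentials scoping option applies. Zones and rulesets are constructed.
from dataclasses import dataclass

IN_SCOPE, EOL_SUBSET, INTERNET = "in-scope", "eol-subset", "internet"

WHOLE_ORG = "whole organisation certification available"
SUBSET_ONLY = "subset certification: scoping statement must list the excluded EoL systems"
NOT_SEGMENTED = "not compliant: EoL subset can initiate traffic into the in-scope network"


@dataclass(frozen=True)
class Rule:
    src: str      # zone the connection is initiated from
    dst: str      # zone the connection is initiated towards
    accept: bool  # True = accept, False = drop


def permits(rules, src, dst):
    """Ordered first-match evaluation, as on a typical firewall ACL; default deny."""
    for rule in rules:
        if rule.src == src and rule.dst == dst:
            return rule.accept
    return False


def scoping_decision(rules):
    # The subset is treated as untrusted: it must never reach in-scope hosts.
    if permits(rules, EOL_SUBSET, IN_SCOPE):
        return NOT_SEGMENTED
    # Internet reachability in either direction counts as "has internet access".
    if permits(rules, EOL_SUBSET, INTERNET) or permits(rules, INTERNET, EOL_SUBSET):
        return SUBSET_ONLY
    return WHOLE_ORG


# Constructed sample rulesets for the segmenting firewall.
ISOLATED = [  # EoL systems reachable only from the in-scope LAN, no internet
    Rule(IN_SCOPE, EOL_SUBSET, True),
    Rule(EOL_SUBSET, IN_SCOPE, False),
    Rule(EOL_SUBSET, INTERNET, False),
]
INTERNET_FACING = ISOLATED[:2] + [Rule(EOL_SUBSET, INTERNET, True)]
LEAKY = [Rule(EOL_SUBSET, IN_SCOPE, True)]  # permit into the LAN defeats the segmentation

if __name__ == "__main__":
    for name, rules in [("isolated", ISOLATED), ("internet-facing", INTERNET_FACING), ("leaky", LEAKY)]:
        print(f"{name}: {scoping_decision(rules)}")
```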
For any questions, contact IASME: https://iasme.co.uk/contact-us for official Cyber Essentials queries,
or Barrier Networks: https://www.barriernetworks.com/contact-us to schedule a Cyber Essentials assessment or for help with anything from the Tips.