
Road to Cyber Essentials: The Start

Jisc are Cyber Essentials compliant. This will be a series of blog posts on how we achieved this.

To start off, you need to evaluate your digital estate: start small and expand from there. Your IdP will be your biggest asset in assisting with CE. Make sure your systems use your IdP for login, and try to avoid LDAP/Active Directory lookups.

Asset management plays a big part in a Cyber Essentials submission, so you need some way of controlling and tracking who has access to what and on what device. We supplement our AAD with additional data on device warranty and device support dates, scraping various internet sources for that information so that it all appears in one place. More on that in a later blog post in this series.

To start, have a meeting with the stakeholders who are needed for CE certification. This will include, but is not limited to, IT technical leads, senior management, Data Protection Officers and any cyber security specialists. Get around a table (virtually and/or physically) and talk: CE is not something that can be implemented in a silo.

The biggest first step is MFA: get everyone on MFA ASAP.

If you haven’t implemented MFA, here are a few basic steps (note: I’m a 365 Architect, so that’s where this will be aimed):

In future blog posts we’ll go into the written policies as well as technical controls.

If you need any assistance with anything discussed in this post, please feel free to reach out to your Jisc Relationship Manager.

By Nick Brown

Senior M365 Developer and Architect @ Jisc Cloud Solutions.
Find me on Twitter @techienickb
