Cyber Essentials Certification: Upcoming Changes
Watch Claire and Graeme discuss the upcoming changes and answer some frequently asked questions: Cyber Essentials Update video
(you may need to unmute the video)
Cyber Essentials is a UK Government scheme which helps organisations protect themselves against cyber-attacks. It is required by the Scottish Government as part of their Cyber Resilience Plan and by some funders - find out more about Cyber Essentials
Edinburgh Napier’s Cyber Essentials certification expired at the end of June 2021.
Changes to the scope, policy and activities required to achieve reaccreditation were not achievable and we were forced to allow the certification to lapse - find out more about the scope changes
Since then, Information Services have made significant changes to our security posture and we will be submitting our request for recertification in early July 2022.
In order to meet the requirements of Cyber Essentials, there are some material implications for colleagues in professional services and some minor implications for academic colleagues.
These changes will be applied at the end of June and are listed below. You will find further details along with answers to the frequently asked questions on this page:
- Access to services from unmanaged devices for professional services staff will be withdrawn - this includes personal phones, tablets and laptops
- No connection to the core University network from an unmanaged device will be enabled for any user
- Software upgrades and security patches must be applied successfully to managed devices
- There will be a new solution for Privilege Access Management.
Access to services from unmanaged devices for professional services staff will be withdrawn
Only managed devices can be used to access organisational data. This includes data held on corporate systems such as HR Connect, Agresso and SITS, both hosted on premise and in software-as-a-service systems. It also includes Microsoft 365 and personal / shared drives for staff and pseudo staff accounts.
If you are already using a managed laptop: there is no further impact to your access to services. If you have not taken advantage of the managed service, you can find out more about it on the Managed Laptop intranet page.
Unmanaged laptops and devices
We will remove access to Microsoft 365 from unmanaged devices for professional service staff. This includes personal mobile phones, tablets and computers.
You will still be able to access:
We are currently implementing an enhanced management service for all University-owned Apple devices so that they can continue to access organisational data. You will have been contacted by Apple if you are required to move your Apple ID away from your Napier email address. This is a simple and mandatory activity – find out more about the change to Apple IDs.
Mobile Device Management (MDM)
All University-owned devices used by professional services staff must be enrolled in the Mobile Device Management service (MDM) for continued access to services and data, and so that we can apply policies to ensure the device operates securely. This includes mobile phones and tablets – find out more about Mobile Device Management. Please note: you cannot currently enrol personal devices for MDM.
Access to devices
We are meeting with Heads of Service to understand the detailed impacts for each area. Those who require a University phone or tablet for accessing email, etc. can make a request under the End User Device Policy.
No connection to the core University network from an unmanaged device will be enabled for any user
We will be retiring the legacy Virtual Private Network (VPN) service for the small number of users who still access the network this way. In order to ensure continuity of service, we have created a STAR (School Teaching And Research) network so that we can segregate services for research (and some learning & teaching) where access is required from unmanaged devices. We are working with colleagues in the schools to migrate services from the corporate network to the STAR network as required.
Software upgrades and security patches must be applied successfully
You will be asked to run in-place Windows 10 updates if your managed laptop is running version 1909 or earlier. This upgrade is available now and we would encourage you to run it as soon as possible – find out more about updating your managed laptop.
New solution for Privilege Access Management
A small number of colleagues have elevated privileged access to services so that they can manage the service as a super user. A new solution is being implemented to protect that access with Multi-Factor Authentication and enhanced password management. If you are one of those users, you will be contacted by Information Services.
Cyber Essentials is a UK Government scheme which helps organisations protect themselves against the most common types of cyber-attacks. The Scottish Government has asked all Scottish public sector organisations to achieve it as part of its Public Sector Action Plan.
Cyber Essentials demonstrates that an organisation’s cyber security has been verified by independent experts.
The scope now includes:
“Corporate networks excluding research networks at all university sites in Edinburgh and mobile devices used by university professional services staff in all locations”
This means that professional services staff will no longer be able to access University data and services from any unmanaged device. This includes personal phones, tablets and laptops.
To clarify, the professional services departments that are in scope are listed below. Schools and departments in the out of scope column will be able to access University data and services from unmanaged devices for the time being.
| In scope | Out of scope |
|---|---|
| Bright Red Triangle | |
| Department of Learning and Teaching Enhancement | |
| | School of Applied Sciences |
| | School of Arts and Creative Industries |
| Governance and Compliance | |
| | School of Computing |
| | School of Engineering and the Built Environment |
| | School of Health and Social Care |
| International Operations & Student Recruitment | |
| | The Business School |
| Marketing and External Relations | |
| | International Partner Organisations |
| Planning and Business Intelligence | |
| | Construction Scotland Innovation Centre |
| Property and Facilities | |
| Research, Innovation and Enterprise | |
| School Support Service | |
| Student Wellbeing and Inclusion | |
| University Secretary's Office | |
Student access to services is always out of scope as they are treated as “consumers” of service. Students can access Microsoft 365 and their own data held on corporate systems from unmanaged devices.
Yes, we have completed a full Equality Impact Assessment (EIA) to understand the impact on our colleagues.
There are positive impacts with colleagues less likely to “check in” with work outwith working hours, improving work / life balance. However, the EIA has identified two groups of colleagues that could potentially be negatively impacted, including:
- Those who are neurodiverse where the removal of access may lead to increased anxiety or a reduction in the quality of work
- Those with caring responsibilities where the need for simple and mobile access to certain platforms is seen as essential
For these colleagues we can mitigate the impact through the provision of a University mobile phone. Colleagues will need to make a request under the End User Device Policy, completing the relevant form linked to from the Request IT Equipment page. When making the request, colleagues will require Line Manager approval.
This is because MFA is not collecting, sharing or accessing any personal information.
We have an obligation to protect any system or service that contains sensitive data, therefore direct internet access by staff to business applications from any unmanaged device will be withdrawn on Monday 27 June 2022.
- SITS e:vision (which will be unavailable for a short period from 27 June to 18 July to allow us to make the necessary enhancements).
You will still be able to access much of the content on the My Account app on a personal device.
You will not be able to access your Edinburgh Napier University email account directly from a personal device (this includes phones, tablets and via the web interface). The only way you can access University services from a personal device is by using the VDS (Virtual Desktop Service).
You will not be able to access your Edinburgh Napier University MS Teams account directly from a personal device (this includes phones, tablets and via the web interface). The only way you can access University services from a personal device is by using the VDS (Virtual Desktop Service).
No, it is not currently possible to get a personal device managed.
Those who require a phone or tablet for accessing email, etc. can make a request under the End User Device Policy. Complete the form linked to from the Request IT Equipment page. When making the request, colleagues will require Line Manager approval.
We are working on a managed platform for Macs. We’re aiming to have this in place before the CE changes are implemented. You'll find more on the Apple Mac project page.
We do keep a stock of laptops available for these situations, so you should be able to access a replacement quickly - go to the Request IT Equipment page to find out more. You will also be able to use any of the PCs on campus in the meantime.
If they have a business case to access University systems and services, they can get access to an Event Account.
These are currently out of scope for Cyber Essentials accreditation.
The following emails have been sent to all colleagues:
Further help and support
This page was last updated on 28 June 2022.