
Cyber Essentials Certification: Upcoming Changes


New: watch Claire and Graeme discuss the upcoming changes and answer some frequently asked questions: Cyber Essentials Update video (you may need to unmute the video)


 

Cyber Essentials is a UK Government scheme which helps organisations protect themselves against cyber-attacks. It is required by the Scottish Government as part of their Cyber Resilience Plan and by some funders - find out more about Cyber Essentials.

Edinburgh Napier’s Cyber Essentials certification expired at the end of June 2021.

Changes to the scope, policy and activities required to achieve reaccreditation were not achievable, and we were forced to allow the certification to lapse - find out more about the scope changes.

Since then, Information Services have made significant changes to our security posture and we will be submitting our request for recertification in early July 2022. 

In order to meet the requirements of Cyber Essentials, there are some material implications for colleagues in professional services and some minor implications for academic colleagues. 

These changes will be applied at the end of June and are listed below.  You will find further details along with answers to the frequently asked questions​ on this page:
  • Access to services from unmanaged devices for professional services staff will be withdrawn - this includes personal phones, tablets and laptops
  • No connection to the core University network from an unmanaged device will be enabled for any user
  • Software upgrades and security patches must be applied successfully to managed devices
  • There will be a new solution for Privilege Access Management. 

Access to services from unmanaged devices for professional services staff will be withdrawn


Only managed devices can be used to access organisational data.  This includes data held on corporate systems such as HR Connect, Agresso and SITS, both hosted on premise and in software-as-a-service systems.  It also includes Microsoft 365 and personal / shared drives for staff and pseudo staff accounts.

Managed laptops

If you are already using a managed laptop, there is no further impact on your access to services. If you have not taken advantage of the managed service, you can find out more about it on the Managed Laptop intranet page.

Unmanaged laptops and devices

We will remove access to Microsoft 365 from unmanaged devices for professional services staff. This includes personal mobile phones, tablets and computers.

You will still be able to access:

Apple devices

We are currently implementing an enhanced management service for all University-owned Apple devices so that they can continue to access organisational data. You will have been contacted by Apple if you are required to move your Apple ID away from your Napier email address. This is a simple and mandatory activity – find out more about the change to Apple IDs.​

Mobile Device Management (MDM)

All University-owned devices used by professional services staff must be enrolled in the Mobile Device Management service (MDM) for continued access to services and data, and so that we can apply policies to ensure the device operates securely. This ​includes mobile phones and tablets – find out more about Mobile Device Management​. Please note: you cannot currently enrol personal devices for MDM. 

Access to devices

We are meeting with Heads of Service to understand the detailed impacts for each area. Those who require a University phone or tablet for accessing email, etc. can make a request under the End User Device Policy.


No connection to the core University network from an unmanaged device will be enabled for any user


We will be retiring the legacy Virtual Private Network (VPN) service for the small number of users who still access the network this way. In order to ensure continuity of service, we have created a STAR (School Teaching And Research) network so that we can segregate services for research (and some learning & teaching) where access is required from unmanaged devices. We are working with colleagues in the schools to migrate services from the corporate network to the STAR network as required.


Software upgrades and security patches must be applied successfully


You will be asked to run in-place Windows 10 updates if your managed laptop is running version 1909 or earlier. This upgrade is available now and we would encourage you to do so as soon as possible – find out more about updating your managed laptop​.


New solution for Privilege Access Management


A small number of colleagues have elevated privileged access to services so that they can manage the service as a super user. A new solution is being implemented to protect that access with Multi-Factor Authentication and enhanced password management. If you are one of those users, you will be contacted by Information Services.


Frequently Asked Questions




What is Cyber Essentials, and why do we need it? 

Cyber Essentials is a UK Government scheme which helps organisations protect themselves against the most common types of cyber-attacks. The Scottish Government has asked all Scottish public sector organisations to achieve it as part of its Public Sector Action Plan.

Cyber Essentials demonstrates that an organisation’s cyber security has been verified by independent experts.

How has the Cyber Essentials scope changed?

The scope now includes:

     “Corporate networks excluding research networks at all university sites in Edinburgh and mobile devices used by university professional services staff in all locations” 

This means that professional services staff will no longer be able to access University data and services from any unmanaged device.  This includes personal phones, tablets and laptops.   

To clarify, the professional services departments that are in scope are listed below.  Schools and departments in the out of scope column will be able to access University data and services from unmanaged devices for the time being. 

Which departments are in scope, and which out of scope?


In Scope:
  • Bright Red Triangle
  • Department of Learning and Teaching Enhancement
  • Finance
  • Governance and Compliance
  • Human Resources
  • Information Services
  • International Operations & Student Recruitment
  • Marketing and External Relations
  • Planning and Business Intelligence
  • Principal's Office
  • Property and Facilities
  • Research, Innovation and Enterprise
  • School Support Service
  • Strategy Hub
  • Student Futures
  • Student Wellbeing and Inclusion
  • University Secretary's Office
  • Robin MacKenzie Partnership

Out of Scope:
  • Equate Scotland
  • School of Applied Sciences
  • School of Arts and Creative Industries
  • School of Computing
  • School of Engineering and the Built Environment
  • School of Health and Social Care
  • The Business School
  • International Partner Organisations
  • Construction Scotland Innovation Centre
    

Are students in scope?

Student access to services is always out of scope as they are treated as “consumers” of service.  Students can access Microsoft 365 and their own data held on corporate systems from unmanaged devices.  

Has an Equality Impact Assessment (EIA) been completed?

Yes, we have completed a full Equality Impact Assessment (EIA) to understand the impact on our colleagues.  

There are positive impacts with colleagues less likely to “check in” with work outwith working hours, improving work / life balance.  However, the EIA has identified two groups of colleagues that could potentially be negatively impacted, including:
  • Those who are neurodiverse, where the removal of access may lead to increased anxiety or a reduction in the quality of work
  • Those with caring responsibilities where the need for simple and mobile access to certain platforms is seen as essential
For these colleagues we can mitigate the impact through the provision of a University mobile phone.  Colleagues will need to make a request under the End User Device Policy, completing the relevant form linked to from the Request IT Equipment page.  When making the request, colleagues will require Line Manager approval. 

Can I still use the Authenticator app for Multi-Factor Authentication (MFA) on my personal device?

Yes, you can still use the Authenticator app for Multi-Factor Authentication on your personal device. 

Why is it OK to access MFA from my personal device but not other University services?

This is because ​MFA is not collecting, sharing or accessing any personal information. 

Can I access business applications from an unmanaged device?

We have an obligation to protect any system or service that contains sensitive data, therefore direct internet access by staff to business applications from any unmanaged device will be withdrawn on Monday 27 June 2022. 

This means that you will need to use an on-campus desktop, managed laptop or the Virtual Desktop Service​ (VDS) to access business applications. These include but are not limited to:
  • Tracker
  • SITS e:vision (which will be unavailable for a short period from 27 June to 18 July to allow us to make the necessary enhancements). 

Can I still access the Edinburgh Napier app from my personal device?

You will still be able to access much of the content on the My Account app ​on a personal device.

Can I check my emails and calendar on my personal device?

You will not be able to access your Edinburgh Napier University email account directly from a personal device (this includes phones, tablets and via the web interface). The only way you can access University services from a personal device is by using the VDS (Virtual Desktop Service).

Can I join an MS Teams call on my personal device?

You will not be able to access your Edinburgh Napier University MS Teams account directly from a personal device (this includes phones, tablets and via the web interface). The only way you can access University services from a personal device is by using the VDS (Virtual Desktop Service)​.

Can I access email / calendar / MS Teams from a University owned mobile device?

​Yes, you can access these from a University owned mobile device (e.g. phone) as long as it is enrolled in  Mobile Device Management (MDM).​  

Is there a way I can get my personal device 'managed', so I can access email etc. on my phone?

No, it is not currently possible to get a personal device managed. 

Can I request a University mobile phone?

​Those who require a phone or tablet for accessing email, etc. can make a request under the End User Device Policy.  Complete the form linked to from the Request IT Equipment page​.  When making the request, colleagues will require Line Manager approval. ​

I have an unmanaged University Mac – can I use this?

We are working on a managed platform for Macs. We’re aiming to have this in place before the CE changes are implemented. You'll find more on the Apple Mac project page.

I have a University iPad – can I use this?

Yes, but it will need to be enrolled for Mobile Device Management (MDM).   

How quickly could I get a replacement laptop if it was to break as I will be reliant on it for all access?

We do keep a stock of laptops available for these situations, so you should be able to access a replacement quickly - go to the Request IT Equipment page​ to find out more. You will also be able to use any of the PCs on campus in the meantime. 

Will associate staff including visiting lecturers, examiners etc. be able to access University services?

Yes, they can use the Virtual Desktop Service if they don’t have managed access. 

What about visitors to the University?

If they have a business case to access University systems and services, they can get access to an Event Account.

What about partner institutions overseas?

These are currently out of scope for Cyber Essentials accreditation. 

What communications have gone out about this change?

The following emails have been sent to all colleagues:


Further help and support


If you have any questions or require further information, please contact the IS Service Desk.
 

 

This page was last updated on 28 June 2022.