The client were already using the full Office 365 suite including Exchange Online, OneDrive, SharePoint etc. with no onsite servers/systems. Exact advised them on the criteria, completed the questionnaire for the client and the client were awarded the Cyber Essentials accreditation. The accreditation was up for renewal and the NCSC’s requirements had changed to include more aspects of companies’ IT setup in the scope of the assessment, which they did not meet.
Areas where they failed the pre-assessment were:
Exact provided the client with a written password policy tailored to their company.
The account lockout (also known as ‘password throttling’) was more complicated: they were operating without a local Microsoft Domain in their office, so there was no mechanism in place to apply an account lockout policy locally.
By the same token, there was no centrally managed way to apply a screen-lock policy to their office machines after a period of inactivity. (To unlock the device, a PIN or biometric authentication must be used.)
To solve these problems, Exact rolled out Intune to all the client's devices. This had the added benefit of providing an up-to-date asset register of all devices (which is a requirement of the certification), replacing the static asset register spreadsheet that they were keeping beforehand.
Intune allowed device policies to be pushed to all their machines including password throttling and screen-lock policies.
To achieve password throttling on a local PC, Intune will reboot the PC and then require the BitLocker recovery password.
Exact are in the process of taking the client through the assessment for Cyber Essentials Plus.