The CDR Rules state that the CDR data environment means ‘the information technology systems used for, and processes that relate to, the management of CDR data’.
Whereas the ‘CDR - Supplementary accreditation guidelines information security’ states that the boundaries of the CDR data environment ‘involves identifying the people, processes, technology and infrastructure that manages, secures, stores or otherwise interacts with CDR data,…may include infrastructure owned by, and management provided by, an outsourced service provider or third party’. The guidelines further state that an accredited person can limit the size of its CDR data
environment through segregation of the environment from other systems.
Schedule 2 Part 2 has a number of controls for end-user devices. If an end-user device is not directly connecting to the CDR data environment but instead a virtual desktop is being presented on the end-user device, e.g. AWS Amazon WorkSpaces, which is presenting CDR data, is the end-user device in scope for the CDR data environment and the Schedule 2 Part 2 controls?
One of the control objectives relating to end user devices is taking steps to secure network and systems within the CDR Data Environment.
Relevant considerations for whether the end-user device may be in scope for the CDR Data Environment may include:
- whether CDR data being presented can be removed from the virtual desktop
- to what extent can CDR data be seen/viewed/used via the virtual desktop environment.
If the end user device is in scope for the CDR Data Environment the schedule 2 controls will apply.