By Tony Wilson
This Checklist has been written to inform all applicants of the Fail criteria of the Cyber Essentials Scheme at PLUS level (CE Plus).
This list is not exhaustive, but highlights the common issues companies are finding – some of which pertain to the additional tests taken as part of the latest Evendine requirements .
Applicants will be awarded a FAIL status in 2022 if:
- A next generation AV Product such as CrowdStrike is used that has not been installed and receiving updates in accordance with vendor guidelines.
As not all “next generation” anti-virus software use definition files to compare malicious files against, applicants must be able to demonstrate that such anti-virus products are configured in accordance with vendor recommendations and are being regularly updated.
- Administrators of Cloud Services do not have Multi Factor Authentication enabled.
Administrators of Cloud Services must have Multi Factor Authentication enabled.
Typical areas tested here include administrative users of:
- Accounting systems
- HR Systems
- Collaborative Platforms (such as Google Workspace and MS 365)
- Any other Cloud system where the administrative user can add/remove users and assign access rights.
An administrative account for each of the systems declared in A2.9 must be tested, so availability of relevant staff on the day of audit is very important.
- Administrators of cloud platforms and local devices do not have sufficient Account Separation.
Cloud Platforms are those systems that typically allow the configuration of multiple applications. CRMs and other Cloud Systems with separate modules are not included in these tests. Typical Cloud Platforms worthy of testing here include:
- Office 365
- Google Workspace
- Any other Infrastructure as a Service (Iaas) or Platform as a Service (PaaS) where the user can perform administrative activities.
Account separation means that the user’s day to day accounts (used for producing office documents, web browsing, email retrieval etc) must not be able to perform administrative activities including adding/removing user accounts and granting permissions, enabling services etc.
- Users of Cloud Services do not have Multi Factor Authentication (MFA) enabled and the company has declared all accounts have MFA enabled in the CE Basic question A7.14
Multi Factor Authentication for standard user Cloud accounts will be tested if the applicant has stated “Yes” to A.7.14 Have you enabled multi-factor authentication (MFA) on all of your cloud services?
A FAIL will be awarded if a standard user account is found not to have MFA implemented and where the applicant believes this to be the case.
- An external vulnerability scan finds a CVSSv3 score of 7 or above.
Externally facing services will be scanned. The complexity of the attack required to exploit the vulnerability, or the availability of an exploit in the wild, is no longer considered. A score of 7 or above, regardless of attack vector and exploit difficulty, will be recorded as a Fail if there has been a fix available for 14 days or more. Please see fig 1. to see all the other possible FAIL scenarios regarding external scans:
- An internal, credentialed, vulnerability scan reports a CVSSv3 score of 7 or above.
Applications will be scanned to ensure they are up to date. It is possible that unpatched software may be found. The complexity of the attack required to exploit the vulnerability, or the availability of an exploit in the wild, is no longer considered. A score of 7 or above, regardless of attack vector and exploit difficulty, will be recorded as a Fail if there has been a fix available for 14 days or more
- Any of the Test Antivirus files are not blocked.
All AV files must not be allowed to execute (it is permitted to see the contents of the files in notepad application or browser if testing the .txt test file.
Please also see Point 1 (above) stating CrowdStrike may not meet the requirements of the CE Plus testing criteria unless additional configuration has been performed.
- It appears to the assessor that segregation of networks is not sufficient (if certifying just a subset of the company)
If the assessor notes that IT administrators (who are employees of the same company) can access the subset from another network, then the scope must need to be addressed and a FAIL will be awarded.
- The sample presented does not meet the stringent sampling requirements.
The sample will have been decided ahead of the Audit after the relevant assets have been identified on the Cyber Essentials Basic submission.
- Any of the required tests cannot be performed.
If a scan cannot be performed either externally due to incorrect information or internally due to insufficient credentials or other configuration issues, then a FAIL will be awarded. It also applies to tests that cannot access websites hosting our test files or if the necessary people are not available for account MFA and separation testing.
- Not all makes and models of devices have been recorded (including BYOD)
The Certification Body must be able to ascertain whether the makes and models of all devices (corporately owned mobiles/laptops/desktops/routers/firewalls and BYOD laptops/mobiles/desktops) can run a supported Operating System.
This can be a large undertaking ahead of certification for larger organisations.