This Checklist has been written by Lead Assessor Jason McNicholas to inform all applicants of the Fail criteria in the Cyber Essentials Scheme at PLUS level (CE Plus).
This list is not exhaustive but highlights the common issues companies are finding – some of which pertain to the additional tests taken as part of the latest Cyber Essentials Montpellier requirements.
Applicants will be awarded a FAIL status in 2023 if:
- Administrators of Cloud Services do not have Multi Factor Authentication enabled.
Administrators of Cloud Services must have Multi Factor Authentication enabled.
Typical areas tested here include administrative users of:
- Accounting systems
- HR Systems
- Collaborative Platforms (such as Google Workspace and MS 365)
- Any other Cloud system where the administrative user can add/remove users and assign access rights.
An administrative account for each of the systems declared in A2.9 must be tested, so availability of relevant staff on the day of audit is very important.
- Users of Cloud Services do not have Multi Factor Authentication (MFA) enabled and the company has declared all accounts have MFA enabled in the CE Basic question A7.14
Multi Factor Authentication for standard user Cloud accounts will be tested if the applicant has stated “Yes” to A.7.14 Have you enabled multi-factor authentication (MFA) on all of your cloud services?
A FAIL will be awarded if a standard user account or administrator account is found not to have MFA implemented and where the applicant believes this to be the case.
- Administrators of cloud platforms and local devices do not have sufficient Account Separation.
Cloud Platforms are those systems that typically allow the configuration of multiple applications. CRMs and other Cloud Systems with separate modules are not included in these tests. Typical Cloud Platforms worthy of testing here include:
- Office 365
- Google Workspace
- Any other Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) where the user can perform administrative activities.
Account separation means that the user’s day to day accounts (used for producing office documents, web browsing, email retrieval etc) must not be able to perform administrative activities including adding/removing user accounts and granting permissions, enabling services etc.
- An external vulnerability scan finds a CVSSv3 Base Score of 7 or above.
Externally facing services will be scanned. The complexity of the attack required to exploit the vulnerability, or the availability of an exploit in the wild, is not considered. A score of 7 or above, regardless of attack vector and exploit difficulty, will be recorded as a Fail if there has been a fix available for 14 days or more. Please see fig 1. to see all the other possible FAIL scenarios regarding external scans:
Fig 1. Test Flowchart.
Taken from NCSC’s Illustrative Guide
- An internal, credentialed, vulnerability scan reports a CVSSv3 Base Score of 7 or above and is related to a missing patch or unsupported software is found on end user devices.
Applications and Operating Systems will be scanned to ensure they are up to date. The complexity of the attack required to exploit the vulnerability, or the availability of an exploit in the wild, is not considered. A score of 7 or above, regardless of attack vector and exploit difficulty, will be recorded as a Fail if there has been a fix available for 14 days or more.
- An internal, credentialed, vulnerability scan reports a CVSSv3 Base Score of 7 or above and is related to a missing patch or unsupported software is found on servers.
Applications and Operating Systems will also be scanned on a sample of servers to ensure they are up to date, whether the servers connect to the internet or not. These scans follow the same failure criteria as end user devices. This is a new test added in Montpellier and therefore is extremely important to check if your servers are regularly applying security updates within 14 days of release. If a vulnerability is found that meets the failure criteria on one of the servers sampled, a fail would be awarded for the assessment.
- Any of the Test Anti-Virus files are not blocked.
All AV files must not be allowed to execute (it is permitted to see the contents of the files in notepad application or browser if testing the .txt test file.
- It appears to the assessor that segregation of networks is not sufficient (if certifying just a sub-set of the company)
If the assessor notes that IT administrators (who are employees of the same company) can access the sub-set from another network, then the scope must need to be addressed and a FAIL will be awarded.
- The sample presented does not meet the stringent sampling requirements.
The sample will have been decided ahead of the Audit after the relevant assets have been identified on the Cyber Essentials Basic submission.
- Any of the required tests cannot be performed.
If a scan cannot be performed either externally due to incorrect information or internally due to insufficient credentials or other configuration issues, then a FAIL will be awarded. It also applies to tests that cannot access websites hosting our test files or if the necessary people are not available for account MFA and separation testing.
- Not all makes and models of firewall/router devices have been recorded.
The Certification Body must be able to ascertain whether the makes and models of all routers/firewalls to ensure that they are supported by the vendor.
This can be a large undertaking ahead of certification for larger organisations.