Many organisations have sought to achieve Cyber Essentials Plus (CE+) certification remotely (as opposed to on-site) due to the Covid-19 Pandemic. As most staff have continued to work from home, this remote assessment option becomes necessary in order to maintain compliance and assure clients/suppliers that baseline security requirements are being met.
Simple steps to complete the remote assessment
1. Scope: Since many companies have moved their staff to work from home, the UK Government’s National Cyber Security Centre (NCSC) and IASME – the CE/CE+ Accrediting Body – have tried to be pragmatic and flexible in its scope requirements. However, the guiding principles of what is in-scope remain unchanged.
The following would usually be in scope unless clearly segregated from the rest of the infrastructure:
a. All End User Devices (EUDs), including mobile, that are permitted to access company information, whether belonging to/managed by the company or the end-use
b. Services with externally accessible IP addresses owned and/or managed by the client
c. Client owned/managed servers with user access to the desktop environment, including cloud infrastructure (IaaS)
d. Client owned and/or managed network perimeter devices, such as firewalls and routers, excluding switches and WAPs
e. User owned and/or managed network perimeter devices (ISP routers) used at home where no corporate VPN is in use
All the above would need to be listed in the questionnaire. Devices such as firewalls, VPN servers, web servers (b. & d.) would need to be scanned for vulnerabilities. A sample of EUDs and certain servers (a. & c.) would be subject to the internal credentialed patch audit and malware checks. The good news is, following some revised guidance from IASME, homeworker’s personal perimeter devices (home routers, firewalls etc.) will not be subject to any manual checks/scanning/verification if their use is regulated at the policy level. Software as a service (SaaS) and custom-built applications are usually out of scope.
2. ‘Dress rehearsal’ audit and assessments: This is by no means required but highly recommended to ensure there are no surprises during the actual assessment. Even pre-lockdown, this would usually be done remotely via a (video) call. An assessor should go through the questionnaire, probe the client’s readiness to provide evidence, confirm devices in scope, connectivity and method of assessment (VPN, video call, remote desktop etc.) The dress rehearsal should give the client a good idea of what the actual assessment will look like and what would be required of them on the day.
3. Internal & external vulnerability assessment: Connectivity and access issues tend to arise at this stage. This has been the case since the start of the pandemic. To pass, the client will be required to provide access to the minimum necessary sample number of devices/services at an appropriate level.
To begin with, the assessor will confirm, based on the scope information the client provided in the self-assessment CE questionnaire, what devices and services need to be scanned. Completing an external vulnerability scan is generally straightforward– the client provides target IPs, ensures assessor’s scanning source IPs can access all TCP and UDP ports on the targets, the assessor receives permission to scan and off they go. The client will have 30 days to remediate any High or Critical (CVSS v3.0 ≥ 7.0) vulnerabilities detected.
For the internal patch audit, an assessor would need to scan a sample of each build (OS type and version) with local or domain admin privileges. The sample size will depend on the number of devices of a certain build type. How a credentialed patch audit of the internal (end-user, servers etc.) devices is performed will depend on your network set-up. If your staff use VPN to access the corporate network, one option is to grant the assessor access to the sampled devices via the given VPN. Please note, they will require at least local admin access to complete the scan. If you cannot provide the assessor with VPN access, they can guide (video call, remote desktop etc.) one of your staff with such access to perform the scan from their machine themselves. It gets trickier if you don’t use a VPN and/or don’t have a corporate network to connect to, i.e. everyone simply logs -in directly to business cloud services (Office 365, SharePoint, Jira, Salesforce etc.) via their browser. In this case, the assessor would need a way to connect to each device in the sample. The way they achieve this will depend on the type of scanning tools they’re using. Some cloud scanning tools can remotely scan separate internal devices (i.e. home worker’s laptops) by design. All the end-user would have to do is download and run a simple program (scanning tool’s “agent”) for the assessor’s scanning tool to access the device. For tools without such inbuilt capability, Certification Bodies have had to develop an easy to use script or program. Once run on the EUD it establishes a connection between the EUD and the assessor’s environment from which a scan can be conducted. As with the external scan, the client will have 30 days to remediate any High or Critical (CVSS v3.0 ≥ 7.0) vulnerabilities detected. There are some exceptions to this requirement, but it will depend on the exact vulnerability.
3. Audit and assessments: While scans are essential, they are only a part of the assessment. The assessor will also need to check sampled devices for anti-malware protection, response to simulated malware delivered via email and each browser in use and device’s security updates settings. The assessor will also need to check to ensure your mobile devices meet the minimum requirements. For example, are your iOS devices jailbroken? Are your Android devices rooted and/or is developer mode enabled? And, of course, everyone’s favourite – the length of passwords/PINs on sampled devices…make sure they’re 8 characters or more! As with scanning, if the assessor finds areas that warrant a fail, a client will have 30 days to remediate.
4. Certification: There is no limit, except for cost implications, to how many times a client can fail and request a retest. The assessor will have to log and submit each assessment in a separate report but as long the client remediates within 30 days of the 1st fail the CE Plus certificate will be issued once the final report with a Pass has been submitted.
Once you choose remote, you must stay remote
Once you commit to remote certification, the entire process must be completed remotely. Risk Crew does recommend that you try to facilitate this on-site as you’ll receive the extra benefits of having an assessor viewing office practices firsthand and sharing their experience and advice with you.
However, if remote certification is the best (or only) route for you, we will work with you to ensure you achieve this effectively and efficiently.
Do you have more specific questions on remote certification? Please reach out to us and we’ll be happy to provide answers and advice.