Cyber Essentials Series: Deep dive into Cyber Essentials Plus (CE+)
Continuing our Cyber Essentials blog series, we take a deeper dive into Cyber Essentials Plus (CE+). In this second part, we focus on the assessment process and how Jamf supports organizations to meet the stricter requirements.

What is CE and CE+?
To recap, CE is a certification aimed at "providing organizations ranging from SMBs to large enterprises the basic requirements necessary to achieve cyber resilience" against the most common cyber threats in the wild.
CE is a self-assessment of your organizational standing based on the criteria set forth by the governing body, in this case, the National Cyber Security Centre (NCSC), a UK-based government agency that provides "guidance for developing a strong security baseline within your organization." CE+ is based on CE but dives deeper into the certification process by requiring that organizations seeking certification undergo an audit of their security controls by a third party authorized by the NCSC to prove compliance with their security requirements.
Security controls necessary to comply with CE
As we mentioned in the first blog, CE and CE+ are identical to each other where the requirements for security controls are concerned. The singular difference between them is that CE certification (i.e., Level 1) is verified through self-assessment. CE+ certification (i.e., Level 2) is obtained only after passing an assessment performed by a third party authorized by the NCSC.
In this section, we focus exclusively on the five security controls and their requirements. It is important to note that, according to the most recent version of the Cyber Essentials Requirements for IT Infrastructure, the guidance is scoped to desktops and mobile devices, including BYO devices. Despite being personally owned, a BYO device that connects to business resources still presents a risk vector to data security and user privacy that must be mitigated (as shown in the table below).

Table of in and out of scope devices by device ownership models
1. Network security
Only safe and necessary network services and communications can be accessed from the internet.
Though a broad term, network security in the context of CE+ centers on your firewall and, more specifically, how it is configured. Some considerations critical to network security and to protecting your organization from network-based threats are:
- Changing default passwords to complex ones and safeguarding those credentials.
- Establishing connectivity rules that filter inbound communications and are approved and documented by authorized individuals.
- Enabling and hardening host-based firewalls on devices to block access to unauthorized services and untrusted networks.
2. Data confidentiality
Unnecessary services, user accounts and software are uninstalled, while those required for the business are locked down to minimize data loss.
A simple way to approach this requirement is to think of it within the context of securely configuring endpoints. The act of hardening devices requires admins to perform a number of tasks to shore up security in the name of minimizing risk. Some of the critical tasks for computers and mobile devices are:
- Removing and/or disabling unnecessary software and services to reduce the attack surface.
- Enabling and managing business-critical services and functionality, such as turning on volume encryption and requiring complex passcodes to access data.
- Establishing a baseline security posture by disabling guest accounts or changing default passwords for common service accounts, such as SSH.
3. Secure authentication
User accounts are provisioned to authorized individuals only, with access to business resources limited to the needs of the user to fulfill their job function - nothing more.
Identity and Access Management (IAM) is a crucial component of meeting the CIA triad. Access controls are table stakes for any cybersecurity strategy, ensuring that:
- Accounts are provisioned when users need them, so they can get to work and stay productive without waiting for a help desk ticket to be processed.
- Only authorized users may interact with the business resources that are necessary for them to perform their job tasks.
- Device and credential health are both verified before users are granted access to devices, apps or confidential data.
4. Patch management
Devices and software run optimally and are not vulnerable to known security issues.
This requirement is also known as security updates, and on the criticality scale it is one of the highest priorities, if not the highest, facing IT and security admins. Devices missing system, security and/or application patches are, in the best case, vulnerable; in the worst case, they are doorways for threat actors to exploit. To prevent this, ensure that:
- Patches are deployed to endpoints within fourteen (14) days of an update being released.
- Apps that are no longer supported are removed from devices, reducing the risk of an unsupported app leading to a data breach.
- The risk posed by unofficial apps (such as those made available through third-party app stores) is mitigated by deploying only applications that have been scanned and are known to have intact integrity, such as those sourced directly from developers or native app stores.
5. Threat prevention
Execution of known malware and untrusted software is restricted to prevent malicious code from causing damage and/or accessing sensitive data.
Malware in all its current and growing variations is constantly evolving to circumvent the security protections of modern operating systems. Whether malicious code seeks to cripple a device, steal sensitive data, infringe on user privacy - or all of the above - the best safeguard against malware is to prevent it from running on your devices. Organizations can do just that by:
- Ensuring endpoint security is installed and actively monitoring all devices, consistently gathering and analyzing endpoint health telemetry for compliance-impacting incidents.
- Allowlisting only approved applications and connections to services on managed devices, minimizing exposure to other security concerns, such as shadow IT, that introduce threats into the organization.
- Blocking access to malicious websites, including known URLs used by threat actors in phishing campaigns, to mitigate the risk of phished credentials.
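As an added illustration (not part of the original post and not Jamf product code), the following Python evaluates a constructed device inventory record against the five controls above: it applies the 14-day patch window, flags unsupported apps, unauthorized accounts and unapproved services, and skips the host-firewall check for mobile devices that are not used on the corporate network. The record's field names and the sample values are assumptions made for this example.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14           # CE/CE+ deadline: fixes applied within 14 days of release

def check_device(rec, today):
    """Return (control, finding) pairs per failed CE control; field names are example assumptions."""
    findings = []
    mobile = rec["platform"] in ("iOS", "iPadOS", "Android")
    # 1. Network security: host firewall on. Mobile devices have no configurable host
    #    firewall, so they are checked only when they are used on the corporate network.
    if (not mobile or rec.get("on_corporate_network")) and not rec.get("firewall_enabled"):
        findings.append(("network_security", "host firewall disabled"))
    # 2. Secure configuration: no guest account, no unapproved services, encryption on
    if rec.get("guest_account_enabled"):
        findings.append(("secure_configuration", "guest account enabled"))
    for svc in rec.get("enabled_services", []):
        if svc not in rec.get("approved_services", []):
            findings.append(("secure_configuration", f"unapproved service enabled: {svc}"))
    if not rec.get("volume_encrypted"):
        findings.append(("secure_configuration", "volume encryption disabled"))
    # 3. Secure authentication: every local account must belong to an authorized user
    for user in rec.get("local_users", []):
        if user not in rec.get("authorized_users", []):
            findings.append(("secure_authentication", f"unauthorized account: {user}"))
    # 4. Patch management: unsupported apps must be removed; outdated software is
    #    measured against the 14-day window counted from the fix's release date
    for pkg in rec.get("software", []):
        if not pkg["supported"]:
            findings.append(("patch_management", f"unsupported app installed: {pkg['name']}"))
        elif pkg["outdated"]:
            overdue = (today - pkg["released"]).days - PATCH_WINDOW_DAYS
            if overdue > 0:
                findings.append(("patch_management", f"{pkg['name']} {overdue} days past window"))
    # 5. Threat prevention: endpoint security agent installed and actually reporting
    if not (rec.get("endpoint_security_installed") and rec.get("endpoint_security_healthy")):
        findings.append(("threat_prevention", "endpoint security missing or not reporting"))
    return findings

# Constructed sample inventory record and assessment date (not real device data)
SAMPLE_TODAY = date(2024, 5, 31)
SAMPLE_MAC = {
    "platform": "macOS", "firewall_enabled": False, "guest_account_enabled": False,
    "enabled_services": ["ssh", "screensharing"], "approved_services": ["screensharing"],
    "volume_encrypted": True, "local_users": ["alice", "svc_old"], "authorized_users": ["alice"],
    "software": [
        {"name": "OS", "outdated": True, "released": date(2024, 5, 1), "supported": True},
        {"name": "LegacyTool", "outdated": False, "released": date(2019, 1, 1), "supported": False},
    ],
    "endpoint_security_installed": True, "endpoint_security_healthy": True,
}
```

Calling check_device(SAMPLE_MAC, SAMPLE_TODAY) yields one finding per failed control, which maps directly onto the evidence an assessor would ask for.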
Auditing is an essential part of the path to CE+ certification
As stated earlier, the differences between CE and CE+ boil down to one crucial distinction: validation for the former is largely a self-assessment by your organization to ascertain that it meets the requirements set forth by the NCSC. CE+ certification instead mandates a rigorous test of your organization's cybersecurity systems by an external auditor, who assesses your security controls to ensure that your organization is protected against the most common threats and phishing attacks.
Who performs the technical assessment?
The assessment is performed by a third-party entity authorized by the NCSC; in this case, the certification body tasked with these assessments is an NCSC partner called IASME.
Why is the assessment necessary if CE and CE+ both have the same requirements?
The purpose of the technical audit is to independently verify that the required controls are in place and configured to meet the desired security posture. But there is a secondary reason that favors an independent assessment versus the self-assessment: demonstrating compliance to all stakeholders, including partners, customers and any organizations that your company may be conducting business with now or in the future.
Is there a fee involved in certifying with CE/CE+?
Yes, CE pricing information is displayed prominently on the IASME website and is broken down into the following four categories:
- Micro (0-9 employees)
- Small (10-49 employees)
- Medium (50-249 employees)
- Large (250+ employees)
For CE+, IASME requires organizations seeking certification to request a quote, since the technical assessment is more involved than CE and its cost depends heavily on the size and complexity of your network.
What is checked during the technical assessment?
While certainly not an exhaustive list, the points below provide prospective organizations with an idea of what the technical audit will target and how assessors will go about the process of verifying your organization's compliance with CE+.
Key aspects of the technical assessment include:
- Vulnerability scans
  - Internal: Analyze system configurations and patching levels from inside the network.
  - External: Determine whether any vulnerabilities are present in public-facing IP-based services.
- Evaluations
  - Access controls: Evaluate user account management and the permission levels set (i.e., least privilege).
  - Email handling tests: Analyze how email servers handle suspicious email messages and their attachments.
  - File download tests: Assess how servers and end-user devices handle potentially unwanted and malicious files from the internet.
- Network configurations
  - Firewall rules: Assess the configuration of rules and examine their effectiveness closely.
  - Network segmentation: Assess the configuration of network appliances and examine their effectiveness at preventing network-based threats.
- Patch management
  - Practices: Check the efficacy of the patch management practice at keeping systems up to date.
  - System and application updates: Determine the update status of servers, network and end-user devices.
  - Security fixes: Assess whether any vulnerabilities are present on servers, network and end-user devices used internally.
How Jamf helps you meet CE/CE+ requirements
Regardless of whether your organization is looking to conduct a self-assessment to achieve Cyber Essentials (Level 1) certification or intends to obtain Cyber Essentials Plus (Level 2) certification, Jamf solutions help your company meet the requirements set forth by the NCSC by:
- Simplifying the deployment of secure configurations to all your devices.
- Ensuring that only authorized user credentials and devices are allowed to access business resources.
- Actively monitoring endpoints against myriad threats, such as preventing malware and mitigating the risk from vulnerable, out-of-date apps.
- Establishing a baseline security posture to maintain compliance with NCSC requirements and any other regulatory requirements your organization may be subject to.

List of five Cyber Essentials benchmark criteria and which devices they apply to.
Jamf keeps your Apple device fleet compliant with CE/CE+
NCSC has not outlined any specific requirements tailored to any specific operating system. Instead, it relies on general security principles, technical controls and best practices that are applicable across all operating systems.
When seeking CE/CE+ certification, organizations that rely on Apple and mobile operating systems need to ensure that this guidance extends to those devices and that all in-scope systems are compliant. Below are the key areas where Jamf solutions can directly apply CE/CE+ requirements to those devices while managing them and keeping them compliant:
Boundary Firewalls and Internet Gateways
- Jamf can enforce network restrictions across managed Apple and mobile devices communicating through the corporate firewall via Zero Trust Network Access (ZTNA) and VPN connections.
- You can create configuration profiles to ensure the macOS firewall is enabled and that ports and services are locked down.
ProTip: Of the five benchmarks for CE/CE+ certification, only firewalls are generally considered out of scope for mobile devices, because they lack configurable host-based firewalls and are often used remotely over connections such as public hotspots and cellular networks, which bypass company firewall rules. However, mobile devices used on company networks, including those of remote users connecting over ZTNA and VPN, are in scope for the firewall criteria.
Secure Configuration
- Jamf enables the enforcement of secure configurations by deploying profiles that:
  - Disable unnecessary services (e.g., AirDrop, file sharing or remote desktop).
  - Manage system preferences to ensure compliance (e.g., requiring strong passwords, controlling application permissions).
- With Jamf Connect, you can configure Single Sign-On (SSO) settings, which support secure configurations for login and user accounts.
Access Control
- Jamf Connect is particularly useful here:
  - It integrates with cloud identity providers (e.g., Azure AD, Okta) to enforce central authentication and manage access controls.
  - Enables Single Sign-On (SSO) and password synchronization across devices and services.
  - Implements passwordless authentication workflows, eliminating the need for users to input passwords to access company resources.
  - Simplifies management of admin and standard user accounts by dynamically assigning roles.
- Jamf also allows enforcement of password policies and Multi-Factor Authentication (MFA).
Patch Management
- Jamf Pro provides robust patch management:
  - Automates native and third-party application updates.
  - Ensures devices are running the latest software and security patches.
  - Offers dashboards and reporting to monitor compliance.
Malware Protection
- Jamf Protect offers advanced endpoint protection tailored for Apple and mobile devices:
  - Provides real-time monitoring for malicious activities and compliance breaches.
  - Integrates with Apple's native security frameworks like XProtect and Gatekeeper.
  - Delivers detailed threat intelligence and remediation capabilities.
  - It fulfills CE+ requirements for having active malware defenses beyond the protections built into the OS.
Device Encryption
- Jamf Pro ensures that volume encryption is enabled on all managed Apple devices:
  - Automatically enforces encryption policies during device provisioning.
  - Stores recovery keys securely in escrow, helping maintain encryption compliance.
Secure Remote Access
- Jamf Connect includes ZTNA functionality built on Apple's network relay capability, so that all Apple devices have secure access to company resources immediately upon activation, with no end-user interaction required.
- You can enforce MFA and strong password policies for remote connections through Jamf Connect and identity provider integration.
Logging and Monitoring
- Jamf Protect excels in this area:
  - Provides advanced logging, including system and security events.
  - Allows integration with Security Information and Event Management (SIEM) tools for centralized monitoring and alerting.
  - Monitors compliance violations and unusual activity in real time.
User Awareness
- While Jamf doesn't directly provide user training, it can:
  - Deploy custom messages, reminders or links to training content via managed devices.
  - Ensure users are aware of their cybersecurity responsibilities through enforced notifications.
  - Provide end users with context-rich dialog notifications relating to information critical to cybersecurity initiatives (e.g., reminding users to update their Mac and mobile devices to the latest version or to change their password before it expires).
In short, with Jamf on your side, organizations looking to certify for Cyber Essentials or Cyber Essentials Plus can readily implement the controls required by the NCSC with the granularity necessary to configure devices as needed, while the built-in flexibility of our solutions lets organizations customize protections to suit their unique needs. Check back for the next blog in the series, where we look beyond certification, emphasizing the importance of compliance and how we support continuous improvement, threat visibility and incident response for your Apple ecosystem.
New to Jamf? Get started with a free trial and put our management and security solutions to the test.
Try our mobile device management, identity and access management, and endpoint security solutions in your enterprise.