We are often asked what our assessors can access, and what data is "exposed", when completing a Cyber Essentials Plus (CE+) assessment.
VULNERABILITY SCANNING
To complete a Cyber Essentials Plus assessment, we are required to carry out a fully authenticated vulnerability assessment, which we generally do by installing an agent on your systems.
The agent runs continuously until the assessment is complete, sending data to our platform approximately every 4 to 5 hours; once we have finished, we instruct the agent to "self-uninstall".
During the vulnerability assessment the agent scans your devices for installed software and its associated components, identifies the device's internal IP address and its externally facing IP address (your router's public address), and records the device name and the last known user.
No actual company data is identified, scanned or assessed. This is an assessment of the device's operating system, any installed software, and the device configuration relating to that software.
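To see for yourself what the categories listed above amount to on a real device, the following script collects the same fields from a Windows machine. It is an added example written for this page, not the assessor's agent or any vendor tool; it assumes a Windows device with PowerShell 5.1 or later, and the public echo service used to learn the external address (api.ipify.org) is an assumption you can swap for your own if outbound calls are restricted.

```powershell
# Added example: reproduce the inventory fields the scanning agent is described as
# collecting (installed software, internal IP, external IP, device name, last user).
# This is NOT the assessor's agent; Windows-only assumption. Run as an administrator.

function Get-AssessmentInventory {
    # Installed software: 64-bit and 32-bit machine hives plus the per-user hive
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique

    # Internal (LAN) IPv4 addresses, excluding loopback and APIPA self-assigned ranges
    $internalIps = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -ExpandProperty IPAddress

    # External IP as seen from the internet (your router's public address).
    # api.ipify.org is an assumed echo service; substitute your own if policy requires.
    try {
        $externalIp = (Invoke-RestMethod -Uri 'https://api.ipify.org?format=json' -TimeoutSec 10).ip
    } catch {
        $externalIp = 'unavailable (no outbound HTTPS or service unreachable)'
    }

    # Last interactively logged-on user, as recorded by the Windows logon UI
    $logonUi  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
    $lastUser = (Get-ItemProperty -Path $logonUi -Name LastLoggedOnUser -ErrorAction SilentlyContinue).LastLoggedOnUser

    [pscustomobject]@{
        DeviceName             = $env:COMPUTERNAME
        OperatingSystem        = (Get-CimInstance Win32_OperatingSystem).Caption
        InternalIPs            = $internalIps
        ExternalIP             = $externalIp
        LastKnownUser          = $lastUser
        InstalledSoftwareCount = $software.Count
        InstalledSoftware      = $software
    }
}

$inventory = Get-AssessmentInventory
$inventory | Select-Object DeviceName, OperatingSystem, InternalIPs, ExternalIP, LastKnownUser, InstalledSoftwareCount | Format-List
$inventory.InstalledSoftware | Format-Table -AutoSize
```

Note that nothing in the output is user content: no documents, mail or browsing history are read, only registry entries describing installed products, network configuration and the logon record, which matches the scope described above.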
INTERACTIVE TESTING
During the interactive testing you work with one of our assessors, and at that point they will be accessing your devices. We may use any of a number of remote connectivity tools for this, including:
- GoToAssist
- TeamViewer
- Google Remote Desktop
- QuickAssist
- Teams Remote Control
Whilst the assessor is connected to your system, you and/or your users can see everything that is happening. The only point at which your data could be exposed is when we are in your inbox to complete the email platform tests; even then, the assessor is only interested in the test emails they have sent you, not anything else in your mailbox.
Outside of the email tests, we are checking that your device is set up securely. We look at the admin account and user account setup, the status of the anti-virus, and every browser installed on the device (whether used or not), to confirm that they do not allow virus files to execute and do not run downloaded software on a single click.
At no point do we have remote access to your systems without you being at the device: you initiate the connection to our assessment team, and we have no way to initiate a connection to you.
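If you want to check the account and anti-virus items above before the assessor connects, the following script gathers them on a Windows device. It is an added example written for this page, not the assessor's test procedure; it assumes Windows with PowerShell 5.1 or later and administrator rights, and it does not attempt the browser execution tests, which the assessor performs interactively.

```powershell
# Added pre-check for the items the interactive test reviews: who holds local
# admin rights, which local accounts are enabled, whether UAC is enforced, and
# whether anti-virus real-time protection is on. Windows-only assumption; run elevated.

function Get-CEPlusPreCheck {
    # Local Administrators membership: day-to-day user accounts should not appear here
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource

    # Enabled local accounts, to spot unused or default accounts that are still switched on
    $enabledUsers = Get-LocalUser | Where-Object Enabled |
        Select-Object Name, LastLogon, PasswordRequired

    # UAC: EnableLUA must be 1; ConsentPromptBehaviorAdmin of 0 means admins are never prompted
    $uac   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacOk = ($uac.EnableLUA -eq 1) -and ($uac.ConsentPromptBehaviorAdmin -ne 0)

    # Anti-virus: Microsoft Defender status if its cmdlets are available, otherwise
    # whatever product is registered with Security Center (third-party AV).
    # In productState the 0x1000 bit indicates the product is enabled.
    $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($defender) {
        $avSummary = [pscustomobject]@{
            Product            = 'Microsoft Defender'
            RealTimeProtection = $defender.RealTimeProtectionEnabled
            SignatureAgeDays   = $defender.AntivirusSignatureAge
        }
    } else {
        $avSummary = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
            ForEach-Object {
                [pscustomobject]@{
                    Product            = $_.displayName
                    RealTimeProtection = (($_.productState -band 0x1000) -ne 0)
                    SignatureAgeDays   = $null
                }
            }
    }

    [pscustomobject]@{
        LocalAdministrators  = $admins
        EnabledLocalAccounts = $enabledUsers
        UacEnforced          = $uacOk
        AntiVirus            = $avSummary
    }
}

$check = Get-CEPlusPreCheck
"Local administrators:";  $check.LocalAdministrators  | Format-Table -AutoSize
"Enabled local accounts:"; $check.EnabledLocalAccounts | Format-Table -AutoSize
"UAC enforced: $($check.UacEnforced)"
"Anti-virus:";            $check.AntiVirus            | Format-Table -AutoSize
```

A result worth acting on before the assessment is any everyday user listed under Local Administrators, an enabled account nobody uses, UacEnforced reporting False, or RealTimeProtection reporting False; each is the kind of configuration finding the interactive test is designed to surface.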
MOBILE DEVICE TESTS
Where it is possible to assess your mobile devices via a Mobile Device Management (MDM) solution, we will do so; MDM-based assessment is required if you have more than 40 devices. If we instead have to access a device remotely (using one of the tools listed above), we require you to initiate the connection with our assessor, and again they have no access without you initiating it.
Once connected, our assessor can see which apps are installed on the phone and any background image you have set on the device, but that is the limit of the data they can see. Beyond that they only view the device's setup, such as the operating system version and whether the device has been jailbroken or rooted.