Documentation

{{docApp.title}}

{{docApp.description}}

How can we help?

{{docApp.searchError}}
{{product.name}}

Searching in {{docApp.searchFilterBySpecificBookTitle}}

{{docApp.searchResultFilteredItems.length}} results for: {{docApp.currentResultsSearchText}} in {{docApp.searchFilterBySpecificBookTitle}}
Search results have been limited. There are a total of {{docApp.searchResponse.totalResultsAvailable}} matches.

You have an odd number of " characters in your search terms - each one needs closing with a matching " character!

{{docApp.libraryHomeViewProduct.title || docApp.libraryHomeViewProduct.id}}

{{docApp.libraryHomeViewProduct.description}}

  1. {{book.title}}

{{group.title || group.id}}

{{group.description}}

  1. {{book.title}}

{{group.title}}

Cyber Essentials

Cyber Essentials is a government backed scheme that hopes to promote good cyber security. Although its scope and depth is limited and in reality offers little protection from all but the most casual of attacks, we have undertaken the certification process.

Our certificates are available via https://files.hornbill.com/misc/CyberEssentialsCert_HTL.pdf and https://files.hornbill.com/misc/CyberEssentialsCert_HSML.pdf

We understand that this some customers may require this and to this end we have completed the questionnaire for Cyber essentials below to provide you with the answers you may require (Note that we would strongly recommend that you refer to our ISO polices which outline full details for each control rather than the simple yes\no answers required by this scheme.)

Remote Vulnerability Scan (Stage 1 – Cyber Essentials) Available on request. Full VAS scan conducted every month

Workstation Assessment (Stage 2 - Cyber Essentials PLUS only) Available on request. Full VAS scan conducted every month Cloud / Shared Services Assessment N\A.

Security Controls Questionnaire Boundary firewalls and Internet Gateways Question Response Options

  1. Have one or more firewalls (or similar network device) been installed on the boundary of the organization’s internal network(s)? Yes

  2. Has the default administrative password of the firewall (or equivalent network device) been changed to an alternative difficult to guess password? Yes

  3. Has each open connection (i.e. allowed ports and services) on the firewall been subject to approval by an authorized business representative and documented (including an explanation of business need)? Yes always

  4. Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification? Yes always

  5. Have firewall rules that are no longer required been removed or disabled? Yes

  6. Are firewall rules subject to regular review? Yes

  7. Have computers that do not need to connect to the Internet been prevented from initiating connections to the Internet (Default deny)? Yes

  8. Has the administrative interface used to manage the boundary firewall been configured such that it is not accessible from the Internet? Yes

8a. Does the administrative interface require second factor authentication or is access limited to a specific address? Yes

  1. Are unnecessary user accounts on internal workstations (or equivalent Active Directory Domain) (eg. Guest, previous employees) removed or disabled? Yes always

  2. Have default passwords for any user accounts been changed to a suitably strong password? Yes always

  3. Are difficult to guess passwords defined in policy and enforced technically for all users and administrators? Yes always

  4. Has the auto-run feature been disabled (to prevent software programs running automatically when removable storage media is connected to a computer or network folders are mounted)? Yes always

  5. Has unnecessary (frequently vendor bundled) software been removed or disabled and do systems only have software on them that is required to meet business requirements? Yes always

  6. Is all additional software added to workstations approved by IT or Management staff prior to installation and are standard users prevented from installing software? Yes always

  7. Has a personal firewall (or equivalent) been enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default? Yes always

  8. Are all user workstations built from a fully hardened base platform to ensure consistency and security across the estate? Yes always

  9. Are Active Directory (or equivalent directory services tools) controls used to centralize the management and deployment of hardening and lockdown policies? Yes always

  10. Are proxy servers used to provide controlled access to the Internet for relevant machines and users? Never

  11. Is an offline backup or file journaling policy and solution in place to provide protection against malware that encrypts user data files? Yes always

  12. Is there a corporate policy on log retention and the centralized storage and management of log information? Yes always

  13. Are log files retained for operating systems on both servers and workstations? Yes always

  14. Are log files retained for relevant applications on both servers (including DHCP logs) and workstations for a period of at least three months? Yes always

  15. Are Internet access (for both web and mail) log files retained for a period of least three months? Yes always

  16. Are mobile devices and tablets managed centrally to provide remote wiping and locking in the event of loss or theft? Yes always

  17. Is a Mobile Device Management solution in place for hardening and controlling all mobile platforms in use within the organization? Yes always

  18. Remote (Internet) access to commercially or personal sensitive data and critical information requires authentication. Yes

  19. Is user account creation subject to a full provisioning and approval process? Yes always

  20. Are system administrative access privileges restricted to a limited number of authorized individuals? Yes always

  21. Are user accounts assigned to specific individuals and are staff trained not to disclose their password to anyone? Yes always

  22. Are all administrative accounts (including service accounts) only used to perform legitimate administrative activities, with no access granted to external email or the Internet? Yes always

  23. Are system administrative accounts (including service accounts) configured to lock out after a number of unsuccessful attempts? 3 Failures

  24. Is there a password policy covering the following points: - Yes All 6 Points

  25. Are users authenticated using suitably strong passwords, as a minimum, before being granted access to applications and computers? Yes always

  26. Are user accounts removed or disabled when no longer required (eg. when an individual changes role or leaves the organization) or after a predefined period of inactivity (eg. 3 months)? Yes always

  27. Are data shares (shared drives) configured to provide access strictly linked to job function in order to maintain the security of information held within sensitive business functions such as HR and Finance? Yes always

Malware protection

  1. Which of the following is in use within the organization: a. Anti-virus or Malware protection (continue to Q37-40) - Yes

b. Application whitelisting (Continue to Q41-43) - Yes

c. Application Sandboxing (Continue to Q44) - Yes

  1. Has anti-virus or malware protection software been installed on all computers that are connected to or capable of connecting to the Internet? In most cases

  2. Has anti-virus or malware protection software (including program/engine code and malware signature files) been kept up-to-date (either by configuring it to update automatically or through the use of centrally managed service)? Yes always

  3. Has anti-virus or malware protection software been configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when accessed (via a web browser)? Yes always

  4. Has malware protection software been configured to perform regular periodic scans (eg daily)? Yes always

  5. Are all applications which execute on devices approved by the business and restricted by code signing or other protection mechanisms? Yes always

  6. Does the organization maintain a list of approved application? Yes

  7. Are users prevented from installing any other applications and by what means? Yes

  8. Is any unknown code limited to execute within a sandbox and cannot access other resources unless the user grants explicit permission? Yes

Patch management

  1. Do you apply security patches to software running on computers and network devices? In most cases

  2. Has software running on computers that are connected to or capable of connecting to the Internet been licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available? In most cases

  3. Has out-date or older software been removed from computer and network devices that are connected to or capable of connecting to the Internet? In most cases

  4. Have all security patches for software running on computers and network devices that are connected to or capable of connecting to the Internet been installed within 14 days of release or automatically when they become available from vendors? In most cases

  5. Are all smart phones kept up to date with vendor updates and application updates? In most cases

  6. Are all tablets kept up to date with vendor updates and application updates? In most cases

  7. Do you perform regular vulnerability scans of your internal networks and workstations to identify possible problems and ensure they are addressed? Yes always

  8. Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed? Yes always

In This Document