Cyber Essentials: Difference between revisions
No edit summary |
|||
| (10 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
=== Cyber Essentials=== | === Cyber Essentials=== | ||
Cyber Essentials is a government backed scheme that hopes to promote good Cyber security. | Cyber Essentials is a government backed scheme that hopes to promote good Cyber security. Although its scope and depth is limited and in reality offers little protection from all but the most casual of attacks, we have undertaken the certification process. | ||
Our certificates are available via https://files.hornbill.com/misc/CyberEssentialsCert_HTL.pdf and https://files.hornbill.com/misc/CyberEssentialsCert_HSML.pdf | |||
We understand that this some customers may require this and to this end we have completed the questionnaire for Cyber essentials below to provide you with the answers you may require (Note that we would strongly recommend that you refer to our ISO polices which outline full details for each control rather than the simple yes\no answers required by this scheme.) | |||
| Line 19: | Line 21: | ||
Question Response Options | Question Response Options | ||
1. Have one or more firewalls (or similar network device) been installed on the boundary of the organisation’s internal network(s)? '''Yes''' | 1. Have one or more firewalls (or similar network device) been installed on the boundary of the organisation’s internal network(s)? '''Yes''' | ||
2. Has the default administrative password of the firewall (or equivalent network device) been changed to an alternative difficult to guess password? '''Yes''' | 2. Has the default administrative password of the firewall (or equivalent network device) been changed to an alternative difficult to guess password? '''Yes''' | ||
3. Has each open connection (i.e. allowed ports and services) on the firewall been subject to approval by an authorised business representative and documented (including an explanation of business need)? '''Yes always''' | 3. Has each open connection (i.e. allowed ports and services) on the firewall been subject to approval by an authorised business representative and documented (including an explanation of business need)? '''Yes always''' | ||
4. Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification? '''Yes always''' | 4. Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification? '''Yes always''' | ||
5. Have firewall rules that are no longer required been | |||
removed or disabled? | 5. Have firewall rules that are no longer required been removed or disabled? '''Yes''' | ||
Yes | |||
6. Are firewall rules subject to regular review? '''Yes''' | |||
6. Are firewall rules subject to regular review? Yes | 7. Have computers that do not need to connect to the Internet been prevented from initiating connections to the Internet (Default deny)? '''Yes''' | ||
8. Has the administrative interface used to manage the boundary firewall been configured such that it is not accessible from the Internet? '''Yes''' | |||
7. Have computers that do not need to connect to the Internet | |||
been prevented from initiating connections to the Internet | 8a. Does the administrative interface require second factor authentication or is access limited to a specific address? '''Yes''' | ||
(Default deny)? | |||
Yes | 9. Are unnecessary user accounts on internal workstations (or equivalent Active Directory Domain) (eg. Guest, previous employees) removed or disabled? '''Yes always''' | ||
8. Has the administrative interface used to manage the | 10. Have default passwords for any user accounts been changed to a suitably strong password? '''Yes always''' | ||
boundary firewall been configured such that it is not | |||
accessible from the Internet? | 11. Are difficult to guess passwords defined in policy and enforced technically for all users and administrators? '''Yes always''' | ||
8a. Does the administrative interface require second factor | |||
authentication or is access limited to a specific address? | 12. Has the auto-run feature been disabled (to prevent software programs running automatically when removable storage media is connected to a computer or network folders are mounted)? '''Yes always''' | ||
Yes | |||
13. Has unnecessary (frequently vendor bundled) software been removed or disabled and do systems only have software on them that is required to meet business requirements? '''Yes always''' | |||
14. Is all additional software added to workstations approved by IT or Management staff prior to installation and are standard users prevented from installing software? '''Yes always''' | |||
9. Are unnecessary user accounts on internal workstations (or | 15. Has a personal firewall (or equivalent) been enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default? '''Yes always''' | ||
equivalent Active Directory Domain) (eg. Guest, previous | |||
employees) removed or disabled? | 16. Are all user workstations built from a fully hardened base platform to ensure consistency and security across the estate? '''Yes always''' | ||
Yes always | |||
17. Are Active Directory (or equivalent directory services tools) controls used to centralise the management and deployment of hardening and lockdown policies? '''Yes always''' | |||
18. Are proxy servers used to provide controlled access to the Internet for relevant machines and users? '''Never''' | |||
10. Have default passwords for any user accounts been | 19. Is an offline backup or file journaling policy and solution in place to provide protection against malware that encrypts user data files? '''Yes always''' | ||
changed to a suitably strong password? | |||
Yes always | 20. Is there a corporate policy on log retention and the centralised storage and management of log information? '''Yes always''' | ||
21. Are log files retained for operating systems on both servers and workstations? '''Yes always''' | |||
22. Are log files retained for relevant applications on both servers (including DHCP logs) and workstations for a period of at least three months? '''Yes always''' | |||
23. Are Internet access (for both web and mail) log files retained for a period of least three months? '''Yes always''' | |||
11. Are difficult to guess passwords defined in policy and | 24. Are mobile devices and tablets managed centrally to provide remote wiping and locking in the event of loss or theft? '''Yes always''' | ||
enforced technically for all users and administrators? | |||
Yes always | 25. Is a Mobile Device Management solution in place for hardening and controlling all mobile platforms in use within the organisation? '''Yes always''' | ||
26. Remote (Internet) access to commercially or personal sensitive data and critical information requires authentication. '''Yes''' | |||
27. Is user account creation subject to a full provisioning and approval process? '''Yes always''' | |||
12. Has the auto-run feature been disabled (to prevent software | |||
programs running automatically when removable storage | 28. Are system administrative access privileges restricted to a limited number of authorised individuals? '''Yes always''' | ||
media is connected to a computer or network folders are | |||
mounted)? | 29. Are user accounts assigned to specific individuals and are staff trained not to disclose their password to anyone? '''Yes always''' | ||
Yes always | |||
30. Are all administrative accounts (including service accounts) only used to perform legitimate administrative activities, with no access granted to external email or the Internet? '''Yes always''' | |||
31. Are system administrative accounts (including service accounts) configured to lock out after a number of unsuccessful attempts? '''3 Failures''' | |||
13. Has unnecessary (frequently vendor bundled) software been | 32. Is there a password policy covering the following points: - '''Yes All 6 Points''' | ||
removed or disabled and do systems only have software on | |||
them that is required to meet business requirements? | 33. Are users authenticated using suitably strong passwords, as a minimum, before being granted access to applications and computers? '''Yes always''' | ||
Yes always | |||
34. Are user accounts removed or disabled when no longer required (eg. when an individual changes role or leaves the organisation) or after a predefined period of inactivity (eg. 3 | |||
months)? '''Yes always''' | |||
35. Are data shares (shared drives) configured to provide access strictly linked to job function in order to maintain the security of information held within sensitive business functions such as HR and Finance? '''Yes always''' | |||
14. Is all additional software added to workstations approved by | |||
IT or Management staff prior to installation and are standard | |||
users prevented from installing software? | |||
Yes always | |||
15. Has a personal firewall (or equivalent) been enabled on | |||
desktop PCs and laptops, and configured to disable (block) | |||
unapproved connections by default? | |||
Yes always | |||
16. Are all user workstations built from a fully hardened base | |||
platform to ensure consistency and security across the | |||
estate? | |||
Yes always | |||
17. Are Active Directory (or equivalent directory services tools) | |||
controls used to centralise the management and deployment | |||
of hardening and lockdown policies? | |||
Yes always | |||
18. Are proxy servers used to provide controlled access to the | |||
Internet for relevant machines and users? | |||
19. Is an offline backup or file journaling policy and solution in | |||
place to provide protection against malware that encrypts | |||
user data files? | |||
Yes always | |||
20. Is there a corporate policy on log retention and the | |||
centralised storage and management of log information? | |||
Yes always | |||
21. Are log files retained for operating systems on both servers | |||
and workstations? | |||
Yes always | |||
22. Are log files retained for relevant applications on both | |||
servers (including DHCP logs) and workstations for a period | |||
of at least three months? | |||
Yes always | |||
23. Are Internet access (for both web and mail) log files retained | |||
for a period of least three months? | |||
Yes always | |||
24. Are mobile devices and tablets managed centrally to provide | |||
remote wiping and locking in the event of loss or theft? | |||
Yes always | |||
25. Is a Mobile Device Management solution in place for | |||
hardening and controlling all mobile platforms in use within | |||
the organisation? | |||
Yes always | |||
26. Remote (Internet) access to commercially or personal | |||
sensitive data and critical information requires | |||
authentication. | |||
Yes | |||
27. Is user account creation subject to a full provisioning and | |||
approval process? | |||
Yes always | |||
28. Are system administrative access privileges restricted to a | |||
limited number of authorised individuals? | |||
Yes always | |||
29. Are user accounts assigned to specific individuals and are | |||
staff trained not to disclose their password to anyone? | |||
Yes always | |||
30. Are all administrative accounts (including service accounts) | |||
only used to perform legitimate administrative activities, with | |||
no access granted to external email or the Internet? | |||
Yes always | |||
31. Are system administrative accounts (including service | |||
accounts) configured to lock out after a number of | |||
unsuccessful attempts? | |||
3 Failures | |||
32. Is there a password policy covering the following points: | |||
All 6 | |||
33. Are users authenticated using suitably strong passwords, as | |||
a minimum, before being granted access to applications and | |||
computers? | |||
Yes always | |||
34. Are user accounts removed or disabled when no longer | |||
required (eg. when an individual changes role or leaves the | |||
organisation) or after a predefined period of inactivity (eg. 3 | |||
months)? | |||
Yes always | |||
35. Are data shares (shared drives) configured to provide | |||
access strictly linked to job function in order to maintain the | |||
security of information held within sensitive business | |||
functions such as HR and Finance? | |||
Yes always | |||
Malware protection | Malware protection | ||
36. Which of the following is in use within the organisation: | 36. Which of the following is in use within the organisation: | ||
a. Anti-virus or Malware protection (continue to Q37-40) | a. Anti-virus or Malware protection (continue to Q37-40) - '''Yes''' | ||
b. Application whitelisting (Continue to Q41-43) | |||
c. Application Sandboxing (Continue to Q44) | b. Application whitelisting (Continue to Q41-43) - '''Yes''' | ||
c. Application Sandboxing (Continue to Q44) - '''Yes''' | |||
37. Has anti-virus or malware protection software been installed | 37. Has anti-virus or malware protection software been installed on all computers that are connected to or capable of connecting to the Internet? '''In most cases''' | ||
on all computers that are connected to or capable of | |||
connecting to the Internet? | 38. Has anti-virus or malware protection software (including program/engine code and malware signature files) been kept up-to-date (either by configuring it to update automatically or through the use of centrally managed service)? '''Yes always''' | ||
In most cases | 39. Has anti-virus or malware protection software been configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when accessed (via a web browser)? '''Yes always''' | ||
40. Has malware protection software been configured to perform regular periodic scans (eg daily)? '''Yes always''' | |||
38. Has anti-virus or malware protection software (including | 41. Are all applications which execute on devices approved by the business and restricted by code signing or other protection mechanisms? '''Yes always''' | ||
program/engine code and malware signature files) been | |||
kept up-to-date (either by configuring it to update | 42. Does the organisation maintain a list of approved application? '''Yes''' | ||
automatically or through the use of centrally managed | |||
service)? | 43. Are users prevented from installing any other applications and by what means? '''Yes''' | ||
Yes always | |||
44. Is any unknown code limited to execute within a sandbox and cannot access other resources unless the user grants explicit permission? '''Yes''' | |||
39. Has anti-virus or malware protection software been | |||
configured to scan files automatically upon access (including | |||
when downloading and opening files, accessing files on | |||
removable storage media or a network folder) and scan web | |||
pages when accessed (via a web browser)? | |||
Yes always | |||
40. Has malware protection software been configured to | |||
perform regular periodic scans (eg daily)? | |||
Yes always | |||
41. Are all applications which execute on devices approved by | |||
the business and restricted by code signing or other | |||
protection mechanisms? | |||
Yes always | |||
42. Does the organisation maintain a list of approved | |||
application? | |||
Yes | |||
43. Are users prevented from installing any other applications | |||
and by what means? | |||
Yes | |||
44. Is any unknown code limited to execute within a sandbox | |||
and cannot access other resources unless the user grants | |||
explicit permission? | |||
Yes | |||
Patch management | Patch management | ||
45. Do you apply security patches to software running on | 45. Do you apply security patches to software running on computers and network devices? '''In most cases''' | ||
computers and network devices? | |||
46. Has software running on computers that are connected to or capable of connecting to the Internet been licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available? '''In most cases''' | |||
In most cases | |||
47. Has out-date or older software been removed from computer and network devices that are connected to or capable of connecting to the Internet? '''In most cases''' | |||
48. Have all security patches for software running on computers and network devices that are connected to or capable of connecting to the Internet been installed within 14 days of release or automatically when they become available from vendors? '''In most cases''' | |||
46. Has software running on computers that are connected to or | |||
capable of connecting to the Internet been licensed and | 49. Are all smart phones kept up to date with vendor updates and application updates? '''In most cases''' | ||
supported (by the software vendor or supplier of the | |||
software) to ensure security patches for known | 50. Are all tablets kept up to date with vendor updates and application updates? '''In most cases''' | ||
vulnerabilities are made available? | |||
51. Do you perform regular vulnerability scans of your internal networks and workstations to identify possible problems and ensure they are addressed? '''Yes always''' | |||
In most cases | |||
52. Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed? '''Yes always''' | |||
[[Category:HDOC]] | |||
47. Has out-date or older software been removed from | <!-- /hornbill-cloud/cyber-essentials --> | ||
computer and network devices that are connected to or | |||
capable of connecting to the Internet? | |||
In most cases | |||
48. Have all security patches for software running on computers | |||
and network devices that are connected to or capable of | |||
connecting to the Internet been installed within 14 days of | |||
release or automatically when they become available from | |||
vendors? | |||
In most cases | |||
49. Are all smart phones kept up to date with vendor updates | |||
and application updates? | |||
In most cases | |||
50. Are all tablets kept up to date with vendor updates and | |||
application updates? | |||
In most cases | |||
51. Do you perform regular vulnerability scans of your internal | |||
networks and workstations to identify possible problems and | |||
ensure they are addressed? | |||
Yes always | |||
52. Do you perform regular vulnerability scans (annual or more | |||
frequent) of your external network to identify possible | |||
problems and ensure they are addressed? | |||
Yes always | |||
Latest revision as of 20:55, 17 July 2023
Cyber Essentials
Cyber Essentials is a government backed scheme that hopes to promote good Cyber security. Although its scope and depth is limited and in reality offers little protection from all but the most casual of attacks, we have undertaken the certification process.
Our certificates are available via https://files.hornbill.com/misc/CyberEssentialsCert_HTL.pdf and https://files.hornbill.com/misc/CyberEssentialsCert_HSML.pdf
We understand that this some customers may require this and to this end we have completed the questionnaire for Cyber essentials below to provide you with the answers you may require (Note that we would strongly recommend that you refer to our ISO polices which outline full details for each control rather than the simple yes\no answers required by this scheme.)
Remote Vulnerability Scan (Stage 1 – Cyber Essentials) Available on request. Full VAS scan conducted every month
Workstation Assessment (Stage 2 - Cyber Essentials PLUS only) Available on request. Full VAS scan conducted every month Cloud / Shared Services Assessment N\A.
Security Controls Questionnaire Boundary firewalls and Internet Gateways Question Response Options 1. Have one or more firewalls (or similar network device) been installed on the boundary of the organisation’s internal network(s)? Yes
2. Has the default administrative password of the firewall (or equivalent network device) been changed to an alternative difficult to guess password? Yes
3. Has each open connection (i.e. allowed ports and services) on the firewall been subject to approval by an authorised business representative and documented (including an explanation of business need)? Yes always
4. Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification? Yes always
5. Have firewall rules that are no longer required been removed or disabled? Yes
6. Are firewall rules subject to regular review? Yes
7. Have computers that do not need to connect to the Internet been prevented from initiating connections to the Internet (Default deny)? Yes
8. Has the administrative interface used to manage the boundary firewall been configured such that it is not accessible from the Internet? Yes
8a. Does the administrative interface require second factor authentication or is access limited to a specific address? Yes
9. Are unnecessary user accounts on internal workstations (or equivalent Active Directory Domain) (eg. Guest, previous employees) removed or disabled? Yes always
10. Have default passwords for any user accounts been changed to a suitably strong password? Yes always
11. Are difficult to guess passwords defined in policy and enforced technically for all users and administrators? Yes always
12. Has the auto-run feature been disabled (to prevent software programs running automatically when removable storage media is connected to a computer or network folders are mounted)? Yes always
13. Has unnecessary (frequently vendor bundled) software been removed or disabled and do systems only have software on them that is required to meet business requirements? Yes always
14. Is all additional software added to workstations approved by IT or Management staff prior to installation and are standard users prevented from installing software? Yes always
15. Has a personal firewall (or equivalent) been enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default? Yes always
16. Are all user workstations built from a fully hardened base platform to ensure consistency and security across the estate? Yes always
17. Are Active Directory (or equivalent directory services tools) controls used to centralise the management and deployment of hardening and lockdown policies? Yes always
18. Are proxy servers used to provide controlled access to the Internet for relevant machines and users? Never
19. Is an offline backup or file journaling policy and solution in place to provide protection against malware that encrypts user data files? Yes always
20. Is there a corporate policy on log retention and the centralised storage and management of log information? Yes always
21. Are log files retained for operating systems on both servers and workstations? Yes always
22. Are log files retained for relevant applications on both servers (including DHCP logs) and workstations for a period of at least three months? Yes always
23. Are Internet access (for both web and mail) log files retained for a period of least three months? Yes always
24. Are mobile devices and tablets managed centrally to provide remote wiping and locking in the event of loss or theft? Yes always
25. Is a Mobile Device Management solution in place for hardening and controlling all mobile platforms in use within the organisation? Yes always
26. Remote (Internet) access to commercially or personal sensitive data and critical information requires authentication. Yes
27. Is user account creation subject to a full provisioning and approval process? Yes always
28. Are system administrative access privileges restricted to a limited number of authorised individuals? Yes always
29. Are user accounts assigned to specific individuals and are staff trained not to disclose their password to anyone? Yes always
30. Are all administrative accounts (including service accounts) only used to perform legitimate administrative activities, with no access granted to external email or the Internet? Yes always
31. Are system administrative accounts (including service accounts) configured to lock out after a number of unsuccessful attempts? 3 Failures
32. Is there a password policy covering the following points: - Yes All 6 Points
33. Are users authenticated using suitably strong passwords, as a minimum, before being granted access to applications and computers? Yes always
34. Are user accounts removed or disabled when no longer required (eg. when an individual changes role or leaves the organisation) or after a predefined period of inactivity (eg. 3 months)? Yes always
35. Are data shares (shared drives) configured to provide access strictly linked to job function in order to maintain the security of information held within sensitive business functions such as HR and Finance? Yes always
Malware protection
36. Which of the following is in use within the organisation: a. Anti-virus or Malware protection (continue to Q37-40) - Yes
b. Application whitelisting (Continue to Q41-43) - Yes
c. Application Sandboxing (Continue to Q44) - Yes
37. Has anti-virus or malware protection software been installed on all computers that are connected to or capable of connecting to the Internet? In most cases
38. Has anti-virus or malware protection software (including program/engine code and malware signature files) been kept up-to-date (either by configuring it to update automatically or through the use of centrally managed service)? Yes always
39. Has anti-virus or malware protection software been configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when accessed (via a web browser)? Yes always
40. Has malware protection software been configured to perform regular periodic scans (eg daily)? Yes always
41. Are all applications which execute on devices approved by the business and restricted by code signing or other protection mechanisms? Yes always
42. Does the organisation maintain a list of approved application? Yes
43. Are users prevented from installing any other applications and by what means? Yes
44. Is any unknown code limited to execute within a sandbox and cannot access other resources unless the user grants explicit permission? Yes
Patch management
45. Do you apply security patches to software running on computers and network devices? In most cases
46. Has software running on computers that are connected to or capable of connecting to the Internet been licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available? In most cases
47. Has out-date or older software been removed from computer and network devices that are connected to or capable of connecting to the Internet? In most cases
48. Have all security patches for software running on computers and network devices that are connected to or capable of connecting to the Internet been installed within 14 days of release or automatically when they become available from vendors? In most cases
49. Are all smart phones kept up to date with vendor updates and application updates? In most cases
50. Are all tablets kept up to date with vendor updates and application updates? In most cases
51. Do you perform regular vulnerability scans of your internal networks and workstations to identify possible problems and ensure they are addressed? Yes always
52. Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed? Yes always