Cyber Essentials: Difference between revisions
No edit summary |
|||
(One intermediate revision by one other user not shown) | |||
Line 2: | Line 2: | ||
Cyber Essentials is a government backed scheme that hopes to promote good Cyber security. Although its scope and depth is limited and in reality offers little protection from all but the most casual of attacks, we have undertaken the certification process. | Cyber Essentials is a government backed scheme that hopes to promote good Cyber security. Although its scope and depth is limited and in reality offers little protection from all but the most casual of attacks, we have undertaken the certification process. | ||
Our | Our certificates are available via https://files.hornbill.com/misc/CyberEssentialsCert_HTL.pdf and https://files.hornbill.com/misc/CyberEssentialsCert_HSML.pdf | ||
We understand that this some customers may require this and to this end we have completed the questionnaire for Cyber essentials below to provide you with the answers you may require (Note that we would strongly recommend that you refer to our ISO polices which outline full details for each control rather than the simple yes\no answers required by this scheme.) | We understand that this some customers may require this and to this end we have completed the questionnaire for Cyber essentials below to provide you with the answers you may require (Note that we would strongly recommend that you refer to our ISO polices which outline full details for each control rather than the simple yes\no answers required by this scheme.) | ||
Line 135: | Line 135: | ||
52. Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed? '''Yes always''' | 52. Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed? '''Yes always''' | ||
[[Category:HDOC]] | |||
<!-- /hornbill-cloud/cyber-essentials --> |
Latest revision as of 20:55, 17 July 2023
Cyber Essentials
Cyber Essentials is a government backed scheme that hopes to promote good Cyber security. Although its scope and depth is limited and in reality offers little protection from all but the most casual of attacks, we have undertaken the certification process.
Our certificates are available via https://files.hornbill.com/misc/CyberEssentialsCert_HTL.pdf and https://files.hornbill.com/misc/CyberEssentialsCert_HSML.pdf
We understand that this some customers may require this and to this end we have completed the questionnaire for Cyber essentials below to provide you with the answers you may require (Note that we would strongly recommend that you refer to our ISO polices which outline full details for each control rather than the simple yes\no answers required by this scheme.)
Remote Vulnerability Scan (Stage 1 – Cyber Essentials) Available on request. Full VAS scan conducted every month
Workstation Assessment (Stage 2 - Cyber Essentials PLUS only) Available on request. Full VAS scan conducted every month Cloud / Shared Services Assessment N\A.
Security Controls Questionnaire Boundary firewalls and Internet Gateways Question Response Options 1. Have one or more firewalls (or similar network device) been installed on the boundary of the organisation’s internal network(s)? Yes
2. Has the default administrative password of the firewall (or equivalent network device) been changed to an alternative difficult to guess password? Yes
3. Has each open connection (i.e. allowed ports and services) on the firewall been subject to approval by an authorised business representative and documented (including an explanation of business need)? Yes always
4. Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification? Yes always
5. Have firewall rules that are no longer required been removed or disabled? Yes
6. Are firewall rules subject to regular review? Yes
7. Have computers that do not need to connect to the Internet been prevented from initiating connections to the Internet (Default deny)? Yes
8. Has the administrative interface used to manage the boundary firewall been configured such that it is not accessible from the Internet? Yes
8a. Does the administrative interface require second factor authentication or is access limited to a specific address? Yes
9. Are unnecessary user accounts on internal workstations (or equivalent Active Directory Domain) (eg. Guest, previous employees) removed or disabled? Yes always
10. Have default passwords for any user accounts been changed to a suitably strong password? Yes always
11. Are difficult to guess passwords defined in policy and enforced technically for all users and administrators? Yes always
12. Has the auto-run feature been disabled (to prevent software programs running automatically when removable storage media is connected to a computer or network folders are mounted)? Yes always
13. Has unnecessary (frequently vendor bundled) software been removed or disabled and do systems only have software on them that is required to meet business requirements? Yes always
14. Is all additional software added to workstations approved by IT or Management staff prior to installation and are standard users prevented from installing software? Yes always
15. Has a personal firewall (or equivalent) been enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default? Yes always
16. Are all user workstations built from a fully hardened base platform to ensure consistency and security across the estate? Yes always
17. Are Active Directory (or equivalent directory services tools) controls used to centralise the management and deployment of hardening and lockdown policies? Yes always
18. Are proxy servers used to provide controlled access to the Internet for relevant machines and users? Never
19. Is an offline backup or file journaling policy and solution in place to provide protection against malware that encrypts user data files? Yes always
20. Is there a corporate policy on log retention and the centralised storage and management of log information? Yes always
21. Are log files retained for operating systems on both servers and workstations? Yes always
22. Are log files retained for relevant applications on both servers (including DHCP logs) and workstations for a period of at least three months? Yes always
23. Are Internet access (for both web and mail) log files retained for a period of least three months? Yes always
24. Are mobile devices and tablets managed centrally to provide remote wiping and locking in the event of loss or theft? Yes always
25. Is a Mobile Device Management solution in place for hardening and controlling all mobile platforms in use within the organisation? Yes always
26. Remote (Internet) access to commercially or personal sensitive data and critical information requires authentication. Yes
27. Is user account creation subject to a full provisioning and approval process? Yes always
28. Are system administrative access privileges restricted to a limited number of authorised individuals? Yes always
29. Are user accounts assigned to specific individuals and are staff trained not to disclose their password to anyone? Yes always
30. Are all administrative accounts (including service accounts) only used to perform legitimate administrative activities, with no access granted to external email or the Internet? Yes always
31. Are system administrative accounts (including service accounts) configured to lock out after a number of unsuccessful attempts? 3 Failures
32. Is there a password policy covering the following points: - Yes All 6 Points
33. Are users authenticated using suitably strong passwords, as a minimum, before being granted access to applications and computers? Yes always
34. Are user accounts removed or disabled when no longer required (eg. when an individual changes role or leaves the organisation) or after a predefined period of inactivity (eg. 3 months)? Yes always
35. Are data shares (shared drives) configured to provide access strictly linked to job function in order to maintain the security of information held within sensitive business functions such as HR and Finance? Yes always
Malware protection
36. Which of the following is in use within the organisation: a. Anti-virus or Malware protection (continue to Q37-40) - Yes
b. Application whitelisting (Continue to Q41-43) - Yes
c. Application Sandboxing (Continue to Q44) - Yes
37. Has anti-virus or malware protection software been installed on all computers that are connected to or capable of connecting to the Internet? In most cases
38. Has anti-virus or malware protection software (including program/engine code and malware signature files) been kept up-to-date (either by configuring it to update automatically or through the use of centrally managed service)? Yes always
39. Has anti-virus or malware protection software been configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when accessed (via a web browser)? Yes always
40. Has malware protection software been configured to perform regular periodic scans (eg daily)? Yes always
41. Are all applications which execute on devices approved by the business and restricted by code signing or other protection mechanisms? Yes always
42. Does the organisation maintain a list of approved application? Yes
43. Are users prevented from installing any other applications and by what means? Yes
44. Is any unknown code limited to execute within a sandbox and cannot access other resources unless the user grants explicit permission? Yes
Patch management
45. Do you apply security patches to software running on computers and network devices? In most cases
46. Has software running on computers that are connected to or capable of connecting to the Internet been licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available? In most cases
47. Has out-date or older software been removed from computer and network devices that are connected to or capable of connecting to the Internet? In most cases
48. Have all security patches for software running on computers and network devices that are connected to or capable of connecting to the Internet been installed within 14 days of release or automatically when they become available from vendors? In most cases
49. Are all smart phones kept up to date with vendor updates and application updates? In most cases
50. Are all tablets kept up to date with vendor updates and application updates? In most cases
51. Do you perform regular vulnerability scans of your internal networks and workstations to identify possible problems and ensure they are addressed? Yes always
52. Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed? Yes always