Hornbill Compliance

Here at Hornbill we care deeply about security, quality and highly available service provision. There is only one way to do this well and that’s to have continued independent verification of the quality, operational and security practices we adopt and apply. We push ourselves for continuous improvement every day and as a result Hornbill has been accredited to industry standard and globally recognized levels of achievement.

• ISO27001 Hornbill is accredited under Certificate No: 588876
• ISO27018 a specification for handling & securing Personal Identifiable Information in the Cloud. Certificate No: 697007
• SSAE60 Our data centers are SSAE (Statement on Standards for Attestation Engagements) 16 Type II and CSAE (Canadian Standard on Assurance Engagements) 3416 certified. Certified Tier 3 Data Centers.
• G-Cloud The Hornbill Platform and Applications are certified and available via G-Cloud 13 (UK government’s cloud procurement framework)

Cyber Essentials is a government backed scheme that hopes to promote good Cyber security. Although its scope and depth is limited and in reality offers little protection from all but the most casual of attacks, we have undertaken the certification process.

Our certificates are available via https://files.hornbill.com/misc/CyberEssentialsCert_HTL.pdf and https://files.hornbill.com/misc/CyberEssentialsCert_HSML.pdf

We understand that this some customers may require this and to this end we have completed the questionnaire for Cyber essentials below to provide you with the answers you may require (Note that we would strongly recommend that you refer to our ISO polices which outline full details for each control rather than the simple yes\no answers required by this scheme.)

Remote Vulnerability Scan (Stage 1 – Cyber Essentials) Available on request. Full VAS scan conducted every month.

Workstation Assessment (Stage 2 - Cyber Essentials PLUS only) Available on request. Full VAS scan conducted every month Cloud / Shared Services Assessment N\A.

Security Controls Questionnaire Boundary firewalls and Internet Gateways Question Response Options

1. Have one or more firewalls (or similar network device) been installed on the boundary of the organisation’s internal network(s)? Yes
2. Has the default administrative password of the firewall (or equivalent network device) been changed to an alternative difficult to guess password? Yes
3. Has each open connection (i.e. allowed ports and services) on the firewall been subject to approval by an authorised business representative and documented (including an explanation of business need)? Yes always
4. Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification? Yes always
5. Have firewall rules that are no longer required been removed or disabled? Yes
6. Are firewall rules subject to regular review? Yes
7. Have computers that do not need to connect to the Internet been prevented from initiating connections to the Internet (Default deny)? Yes
8. Has the administrative interface used to manage the boundary firewall been configured such that it is not accessible from the Internet? Yes
9. Does the administrative interface require second factor authentication or is access limited to a specific address? Yes
10. Are unnecessary user accounts on internal workstations (or equivalent Active Directory Domain) (eg. Guest, previous employees) removed or disabled? Yes always
11. Have default passwords for any user accounts been changed to a suitably strong password? Yes always
12. Are difficult to guess passwords defined in policy and enforced technically for all users and administrators? Yes always
13. Has the auto-run feature been disabled (to prevent software programs running automatically when removable storage media is connected to a computer or network folders are mounted)? Yes always
14. Has unnecessary (frequently vendor bundled) software been removed or disabled and do systems only have software on them that is required to meet business requirements? Yes always
15. Is all additional software added to workstations approved by IT or Management staff prior to installation and are standard users prevented from installing software? Yes always
16. Has a personal firewall (or equivalent) been enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default? Yes always
17. Are all user workstations built from a fully hardened base platform to ensure consistency and security across the estate? Yes always
18. Are Active Directory (or equivalent directory services tools) controls used to centralise the management and deployment of hardening and lockdown policies? Yes always
19. Are proxy servers used to provide controlled access to the Internet for relevant machines and users? Never
20. Is an offline backup or file journaling policy and solution in place to provide protection against malware that encrypts user data files? Yes always
21. Is there a corporate policy on log retention and the centralised storage and management of log information? Yes always
22. Are log files retained for operating systems on both servers and workstations? Yes always
23. Are log files retained for relevant applications on both servers (including DHCP logs) and workstations for a period of at least three months? Yes always
24. Are Internet access (for both web and mail) log files retained for a period of least three months? Yes always
25. Are mobile devices and tablets managed centrally to provide remote wiping and locking in the event of loss or theft? Yes always
26. Is a Mobile Device Management solution in place for hardening and controlling all mobile platforms in use within the organisation? Yes always
27. Remote (Internet) access to commercially or personal sensitive data and critical information requires authentication. Yes
28. Is user account creation subject to a full provisioning and approval process? Yes always
29. Are system administrative access privileges restricted to a limited number of authorised individuals? Yes always
30. Are user accounts assigned to specific individuals and are staff trained not to disclose their password to anyone? Yes always
31. Are all administrative accounts (including service accounts) only used to perform legitimate administrative activities, with no access granted to external email or the Internet? Yes always
32. Are system administrative accounts (including service accounts) configured to lock out after a number of unsuccessful attempts? 3 Failures
33. Is there a password policy covering the following points: Yes All 6 Points
34. Are users authenticated using suitably strong passwords, as a minimum, before being granted access to applications and computers? Yes always
35. Are user accounts removed or disabled when no longer required (eg. when an individual changes role or leaves the organisation) or after a predefined period of inactivity (eg. 3 months)? Yes always
36. Are data shares (shared drives) configured to provide access strictly linked to job function in order to maintain the security of information held within sensitive business functions such as HR and Finance? Yes always

Malware protection
37. Which of the following is in use within the organisation: a. Anti-virus or Malware protection (continue to Q37-40) Yes
38. Application whitelisting (Continue to Q41-43) Yes
39. Application Sandboxing (Continue to Q44) Yes
40. Has anti-virus or malware protection software been installed on all computers that are connected to or capable of connecting to the Internet? In most cases
41. Has anti-virus or malware protection software (including program/engine code and malware signature files) been kept up-to-date (either by configuring it to update automatically or through the use of centrally managed service)? Yes always
42. Has anti-virus or malware protection software been configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when accessed (via a web browser)? Yes always
43. Has malware protection software been configured to perform regular periodic scans (eg daily)? Yes always
44. Are all applications which execute on devices approved by the business and restricted by code signing or other protection mechanisms? Yes always
45. Does the organisation maintain a list of approved application? Yes
46. Are users prevented from installing any other applications and by what means? Yes
47. Is any unknown code limited to execute within a sandbox and cannot access other resources unless the user grants explicit permission? Yes

Patch management
48. Do you apply security patches to software running on computers and network devices? In most cases
49. Has software running on computers that are connected to or capable of connecting to the Internet been licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available? In most cases
50. Has out-date or older software been removed from computer and network devices that are connected to or capable of connecting to the Internet? In most cases
51. Have all security patches for software running on computers and network devices that are connected to or capable of connecting to the Internet been installed within 14 days of release or automatically when they become available from vendors? In most cases
52. Are all smart phones kept up to date with vendor updates and application updates? In most cases
53. Are all tablets kept up to date with vendor updates and application updates? In most cases
54. Do you perform regular vulnerability scans of your internal networks and workstations to identify possible problems and ensure they are addressed? Yes always
55. Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed? Yes always

Hornbill is committed to and has implemented safeguards as set out in our Information Security Management System (ISMS) to ensure our services, websites and data systems are compliant with the regulations set out in the Health Insurance Portability and Availability Act of 1996 (HIPAA).

Hornbill, under ISO27001 and ISO27018, is committed to the continuous improvement of its services and processes to ensure data privacy and security measures.

Hornbills compliance with IS027001, ISO27018 and EU GDPR already go far beyond the requirements for HIPAA and these are externally audited\verified on an annual basis.

In terms of HIPAA Hornbill operates as a 'Business Associate' outlined under definition in the HIPAA, and is subject to the following controls (Note that this is not a definitive list of the measures taken to ensure your data is safe, but merely the controls required to meet the definition of 'Business Associate'):

Administrative Safeguards (HIPAA 164.308). Hornbill in compliance with ISO27001,ISO27018 and GDPR has already been fully audited to show that we have implemented policies to ensure appropriate assignment of data access permissions and proper movement and handling of that data. The policies are available via docs.hornbill.com and are reviewed annually. Data security training which includes HIPAA training is undertaken annually for all staff (Not just those who deal with data). All employees (regardless of status or ability to access to data) must undertake a security screening to BS7858:2012 standard. This includes, Proof of identity, Proof of residence, References, A copy of their police record, A statement of financial status, A history of all employment (going back five years or to 12 years’ old, whichever occurs first).

Physical Safeguards (HIPAA 164.310). Hornbills architecture (Both physical and software) ensure that private data is kept private. Again, under ISO27018 this is audited externally every 12 months to ensure that all strict controls are followed. Access to Hornbill facilities are all controlled with 24-hour security and strict access control. All our data centers are SOC 2 TYPE II and SOC 3 TYPE II certified and all have 24 hours monitoring, advanced fire protection systems, uninterruptible power and internet redundancy. Annual audit of the data centers and Hornbills security plan, disaster recovery plan, and contingency plans are in place.

Technical Safeguards (HIPAA 164.312). To protect private or sensitive data, Hornbill follows strict documented polices that cover all aspects of our service delivery (Failure to follow these processes will result in termination) and these therefore ensure full logging of all actions via audit trail (Not just from end user but also administration), verified backups (and audit of any attempts to restore), full encryption and security. A list of processes\polices in force is available via docs.hornbill.com (see https://docs.hornbill.com/hornbill-cloud/iso/operations amongst others).

Hornbill is registered under European Data Protection rules with the Information Commissioners Office as a Tier 1 data processor. Registration is a legal requirement that ensures we are identified as a data processor by the ICO. Our current registration certificates are here:

• Hornbill Corporate Limited
• Hornbill Technologies Limited

The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations. This group of experts over the last 50 years have created a set of ISO standards which are a series of frameworks that outline best practices and requirements against a number of key areas to ensure that, if adopted, a organization can run smoothly\securely and provide customers with the knowledge that a company is doing it right. ISO certification is proof that the standards are being adhered to and embedded in the organisation.

ISO 27001 (formally known as ISO/IEC 27001:2005 currently ISO/IEC 27001:2013) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. Being IS0 27001 accredited means that we have proven to an external body that we comply with all regulations and requirements, therefore ensuring that security (both information and physical)/risk management and other best practices are ingrained in everything we do through the processes we follow.

ISO 27018 is a specification for handling & securing Personal Identifiable Information in the Cloud. This goes side-by-side with ISO27001 & GDPR to ensure that we take all steps to secure your data, treat it with respect and guarantee that we will not use it for any purpose which we don't have specific consent . A successful external audit ensures that our polices & practices are correct and your data is safe with us.

Ultimately, the CEO (As all processes must be approved and Supported from the board of directors), however all members of the cloud team are committed to maintaining our certification and take active roles in designing\implementing processes and controls. Other aspects of the business also play a vital role from HR to Development ensuring all processes are followed and information security\risk assessment is incorporated into every action performed.

We are audited every 12 months and in order to stay certified we must not only show the documented processes but also how these are implemented in the business and show that all those effected by the process understand its requirements and adhere to its contents. We must also show that, where necessary checks and controls are in place to ensure that the process can not be circumvented. Our last audit certificate along with other accreditations are available via Hornbill Trust Compliance

The list is below, however processes are expanded to include additions not necessarily covered by ISO but that are either deemed important or best practice.

• ISO:Risk Management
• ISO:Information Security
• ISO:Management Systems
• ISO:Mobile Security
• ISO:HR Security
• ISO:Asset Management
• ISO:Information Classification & Handling
• ISO:Access Control
• ISO:Network Policy
• ISO:Cryptography Controls and Usage
• ISO:Physical and Environment Security
• ISO:Operations
• ISO:Communications
• ISO:Supplier Relationships and Procurement
• ISO:Incident Reporting\Handling and Management
• ISO:Change Reporting\Handling\Planning and Management
• ISO:Business Continuity and Disaster Recovery
• ISO:Compliance and Regulatory Requirements - Geographical

We have a document for each of the above (summary available via link) , containing summary of requirements, outlining the responsibilities for each department\individual, detailing any actions that must be performed inorder to ensure the desired outcome is achieved and listing any checks or controls that must be performed. All Documents are reviewed at least once every 12 months and made available to appropriate employees via Hornbill Document manager. Every employee effected by one or more processes is provided training and tested to ensure they understand the process and its effects (Records of training then available to ISO certification team) .

Other

The below links to sections\documents that are not covered by ISO, however are important to the way Hornbill operates\plans and provides services. This includes polices, guiding theologies or supporting documents that help show our commitment to security and your data.

• Data Security Commitment
• Application and Interface Security
• FAQ:Data_Centres
• Cyber Essentials
• Penetration Tests

We have hardware available for our expected growth of Hornbill and this is reviewed\increased every 3 months with the purchasing of additional hypervisors\rack space as required. If required we can also create a instance or complete replica of the Hornbill infrastructure in AWS (Same as in our DR Plan) in record time meaning that capacity and scalability is never an issue. This scalability along with the underlying server code also removes all limitations for user increase as new servers can be added as demand increases.