Here at Hornbill we care deeply about security, quality and highly available service provision. There is only one way to do this well and that’s to have continued independent verification of the quality, operational and security practices we adopt and apply. We push ourselves for continuous improvement every day and as a result Hornbill has been accredited to industry standard and globally recognized levels of achievement.
Cyber Essentials is a government-backed scheme that hopes to promote good cyber security. Although its scope and depth are limited, and in reality it offers little protection from all but the most casual of attacks, we have undertaken the certification process.
Our certificate is available via https://files.hornbill.com/misc/CyberEssentialsCert_HTL.pdf
We understand that some customers may require this, and to this end we have completed the questionnaire for Cyber Essentials below to provide you with the answers you may require. (Note that we would strongly recommend that you refer to our ISO policies, which outline full details for each control, rather than the simple yes/no answers required by this scheme.)
Remote Vulnerability Scan (Stage 1 – Cyber Essentials): Available on request. Full VAS scan conducted every month.
Workstation Assessment (Stage 2 – Cyber Essentials PLUS only): Available on request. Full VAS scan conducted every month.
Cloud / Shared Services Assessment: N/A.
Security Controls Questionnaire Boundary firewalls and Internet Gateways Question Response Options
Hornbill is committed to, and has implemented, safeguards as set out in our Information Security Management System (ISMS) to ensure our services, websites and data systems are compliant with the regulations set out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Hornbill, under ISO27001 and ISO27018, is committed to the continuous improvement of its services and processes to ensure data privacy and security measures.
Hornbill's compliance with ISO27001, ISO27018 and EU GDPR already goes far beyond the requirements for HIPAA, and these are externally audited/verified on an annual basis.
In terms of HIPAA, Hornbill operates as a 'Business Associate' as defined in HIPAA, and is subject to the following controls (note that this is not a definitive list of the measures taken to ensure your data is safe, but merely the controls required to meet the definition of 'Business Associate'):
Administrative Safeguards (HIPAA 164.308). Hornbill, in compliance with ISO27001, ISO27018 and GDPR, has already been fully audited to show that we have implemented policies to ensure appropriate assignment of data access permissions and proper movement and handling of that data. The policies are available via wiki.hornbill.com/ISO and are reviewed annually. Data security training, which includes HIPAA training, is undertaken annually by all staff (not just those who deal with data). All employees (regardless of status or ability to access data) must undertake a security screening to BS7858:2012 standard. This includes proof of identity, proof of residence, references, a copy of their police record, a statement of financial status, and a history of all employment (going back five years or to 12 years old, whichever occurs first).
Physical Safeguards (HIPAA 164.310). Hornbill's architecture (both physical and software) ensures that private data is kept private. Again, under ISO27018 this is audited externally every 12 months to ensure that all strict controls are followed. Access to Hornbill facilities is controlled with 24-hour security and strict access control. All our data centers are SOC 2 TYPE II and SOC 3 TYPE II certified and all have 24-hour monitoring, advanced fire protection systems, uninterruptible power and internet redundancy. Annual audits of the data centers and of Hornbill's security plan, disaster recovery plan and contingency plans are in place.
Technical Safeguards (HIPAA 164.312). To protect private or sensitive data, Hornbill follows strict documented policies that cover all aspects of our service delivery (failure to follow these processes will result in termination). These ensure full logging of all actions via audit trail (not just from end users but also from administration), verified backups (and audit of any attempts to restore), full encryption and security. A list of the processes/policies in force is available via wiki.hornbill.com (see https://wiki.hornbill.com/index.php/ISO:Operations amongst others).
The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations. Over the last 50 years this group of experts has created a set of ISO standards, which are a series of frameworks that outline best practices and requirements against a number of key areas to ensure that, if adopted, an organization can run smoothly/securely and provide customers with the knowledge that a company is doing it right. ISO certification is proof that the standards are being adhered to and embedded in the organisation.
ISO 27001 (formerly known as ISO/IEC 27001:2005, currently ISO/IEC 27001:2013) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. Being ISO 27001 accredited means that we have proven to an external body that we comply with all regulations and requirements, therefore ensuring that security (both information and physical)/risk management and other best practices are ingrained in everything we do through the processes we follow.
ISO 27018 is a specification for handling and securing Personally Identifiable Information in the Cloud. This goes side-by-side with ISO27001 and GDPR to ensure that we take all steps to secure your data, treat it with respect and guarantee that we will not use it for any purpose for which we don't have specific consent. A successful external audit ensures that our policies and practices are correct and your data is safe with us.
Ultimately, the CEO (as all processes must be approved and supported by the board of directors); however, all members of the cloud team are committed to maintaining our certification and take active roles in designing/implementing processes and controls. Other aspects of the business also play a vital role, from HR to Development, ensuring all processes are followed and information security/risk assessment is incorporated into every action performed.
We are audited every 12 months, and in order to stay certified we must not only show the documented processes but also how these are implemented in the business, and show that all those affected by a process understand its requirements and adhere to its contents. We must also show that, where necessary, checks and controls are in place to ensure that the process cannot be circumvented. Our last audit certificate, along with other accreditations, is available via Hornbill Trust Compliance.
The list is below; however, processes are expanded to include additions not necessarily covered by ISO but that are either deemed important or best practice.
We have a document for each of the above (summary available via link), containing a summary of requirements, outlining the responsibilities for each department/individual, detailing any actions that must be performed in order to ensure the desired outcome is achieved and listing any checks or controls that must be performed. All documents are reviewed at least once every 12 months and made available to appropriate employees via Hornbill Document Manager. Every employee affected by one or more processes is provided training and tested to ensure they understand the process and its effects (records of training are then available to the ISO certification team).
The links below are to sections/documents that are not covered by ISO but are important to the way Hornbill operates/plans and provides services. This includes policies, guiding theologies or supporting documents that help show our commitment to security and your data.
We have hardware available for the expected growth of Hornbill, and this is reviewed/increased every 3 months with the purchasing of additional hypervisors/rack space as required. If required, we can also create an instance or complete replica of the Hornbill infrastructure in AWS (same as in our DR Plan) in record time, meaning that capacity and scalability are never an issue. This scalability, along with the underlying server code, also removes all limitations on user increase, as new servers can be added as demand increases.