Cyber Essentials

QG PDF Template AP

Organisation Details

Organisation Name (legal entity): The Abbey Theatre
Sector: Performance and Arts
Size of Organisation: Medium (250 Employees)
point of Contact Name: Aaron Nolan
Position: Security Analyst
Email Address: aaron.nolan@spector.ie
Phone Number: 016644190
Address

26/27 Abbey Street Lower, North City, Dublin 1, D01 K0F1

Certifying Body (CB): Certification Europe
CB Reference Number hh2f0
Date of Application August 22, 2017 at 13:57
Date of Last Update November 28, 2017 at 13:06

Business Scope

The scope of this will be our whole office of The Abbey Theatre at 26/27 Abbey Street Lower, Dublin 1. There are 100 computers running Windows 8, 10 and Mac OS They are connected to the internet via a physical Firewall. Internet connectivity is provided by Host Ireland, Eircom and Magnet. Most users have an Office 365 account for email. We have a third party managed services provider called Spector who look after our services such as internet, telephony and IT support issues. These services are all subject to a Service License Agreement so any changes are subject to a review and agreement process.

Conformance Statement

Do you wish to be included in the list of certified companies?

From time to time government departments and other interested bodies may wish to use your company for marketing/research purpose. If you do not wish to be promoted/utilised in this way please enter NO in the box. If this is left blank you imply your consent.

Password Based Authentication

2.1 If applicable describe the technical controls used to enforce the password policy.
2.2 If applicable describe paper based controls used to enforce the password policy.
2.3 Confirm that you have implemented a password policy which meets the requirements of the Password-based authentication requirements (above)

Firewalls

3.1 Describe how your firewalls are placed in your network

Switch name and model number Lancom GS-2326P+ x 10
Firewall name and model number Fortinet FortiGate 100D x 1
Access Points and model number Lancom GS-2326P+ x 9

3.2 Tick all that apply
3.3 All default administrative passwords must be changed to an alternative password that is difficult to guess in line with your password policy, is this the case?
3.4 How is each firewall administrative interface protected from direct access via the internet?
3.5 All unauthenticated inbound connections must be blocked by default, is this the case?
3.6 If inbound firewall rules are configured, they must be approved and documented, is this the case?
3.7 Are firewall rules no longer required removed quickly?

Secure Configuration

4.1 Do you have a ‘documented’ password policy that contains the requirements of section 2?
4.2 All unnecessary user accounts (eg guest accounts and unnecessary administrative accounts) must be removed or disabled on all devices. Is this the case?

(we) the clients utilise Spector as the Managed Service to run a system health check quarterly called IT Admin. This checks user accounts on computers and network hardware devices. This is carried out by their helpdesk team on a quarterly basis and is part of our service license agreement with Spector.

4.3 All default or guessable passwords for user accounts on all devices must be changed to an alternative password in line with your password policy. Is this the case?
4.4 Unnecessary software (including applications, system utilities and network services) must be removed or disabled, is this the case?

(we) the clients utilise Spector as the Managed Service to run a system health check quarterly called IT Admin. This checks applications installed, operating system utilities and network services. This is carried out by the Spector helpdesk team on a quarterly basis and we receive a IT Admin report.

4.5 In order to prevent untrusted programs running automatically, (including those from the internet) either the auto-run feature must be disabled or user authorisation must be actioned before file execution. Describe how this has been achieved.

Due to the nature of our business we would allow all groups access to use of removable media and USB ports. We do however disable the auto run feature using groups policy turning off the auto play feature.

User Access Control

5.1 It is a requirement that you have identified all locations where sensitive and businesses critical information is stored digitally. (email, web and application servers, data shares, end user devices etc) Has this been done?
5.2 Does the organisation have a user account creation and approval process?

(we) the clients utilise Spector as the Managed Service to manage all user accounts. All accounts are created on that day the employee joins the company. All users are disabled when the day they leave the company. This is done by a joiners and leavers policy. All accounts are deleted within 3 months of the employee leaving the company. Movers and leavers will then also be caught on the IT admin cleanse quarterly.

5.3 Does the organisation authenticate users before granting access in compliance with the defined password policy?

All users are required to authenticate with their unique username eg Joeblogs@theabbeytheatre.ie, their strong mixed 7-character password. Password policy outlines the importance of not showing or telling others their passwords.

5.4 Has the organisation removed or disabled user accounts when no longer required?

(we) the clients utilise Spector as the Managed Service to run a system health check quarterly called IT Admin. This checks user accounts on computers and network hardware devices. This is carried out by their helpdesk team on a quarterly basis and is automatically schedule. The Account Use subsection covers the pre-defined time for inactivity users to be disabled or deleted. It is 90days to be deactivated and 180 days to be deleted but first we would check to ensure the employee is not still in the business ie not of leave or maternity.

5.5 Where available, has the organisation implemented two factor authentication?
5.6 Are administrative accounts used to perform administrative activities ONLY? (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).

(we) the clients utilise Spector as the Managed Service to run a system health check quarterly called IT Admin. This checks user accounts on computers and network hardware devices. This is carried out by their helpdesk team on a quarterly. Admin accounts on our networks do not have internet or email access

5.7 Does the organisation remove or disable special access privileges when no longer required?

Malware Protection

6.1.1 How is the daily update of the anti-malware software (and all associated malware signature files) managed?
6.1.2 Is the software configured to scan files automatically upon access (including when downloading and opening files, and accessing files on a network folder)?
6.1.3 Are web pages scanned automatically upon access either by the web browser itself, the anti-malware software or by a third party service?
6.1.4 Does the software prevent connections to malicious websites by means of blacklisting?
6.2.1 Are only approved applications, restricted by code signing, allowed to execute on devices?
6.2.2 Does the organisation actively approve such applications before deploying them to devices?
6.2.3 Does the organisation maintain a current list of approved applications?
6.2.4 Are users able to install any application that is unsigned or has an invalid signature?
6.3 Is all code of unknown origin run within a ‘sandbox’ that prevents access to other resources unless permission is granted by the user? (including other sandboxed applications, data stores, such as those holding documents and photos, sensitive peripherals, such as the camera, microphone and GPS or local network access

Patch Management

7.1 Is all software licensed and supported?

There is a mobile device policy in place in the company. The device must be encrypted before you can read your emails and you should have remote wipe capabilities. All devices are registered before they can access the company network. All mobile devices must have Webroot installed on them.

7.2 Is software patched within 14 days of an update being released, where the patch fixes a vulnerability with a severity that the product vendor describes as ‘critical’ or ‘high risk’

(we) the clients utilise Spector as the Managed Service provider to apply application patch management. Application patch management is controlled by a software called Heimdal pro.

7.3 Is all software removed from devices in scope when no longer supported?

All critical and security updates are rolled out within the 14days once the patch has been tested in a controlled environment. All installations of software are subject to approval and allowed permissions.

© 2017 Certification Europe Ltd.