eAssessor Pro Cyber Security Questions

This guide will walk you through some Cyber Security Answers for eAssessor Pro.

Quote
What has changed for Cyber Essentials?
If eAssessor Pro is deemed one of your core systems, you will be required to use either SSO or MFA, where the system has this available.


Quote
How are users authenticated?
Username and password. On creation of an account, an email is sent to the user so that they can set their own password.


eAssessor Pro | How to Create a Learner
Quote
How can a user reset their password?
Any user can reset their own password from the login page, provided their email address is correct on the system. If the email address is incorrect, the college/training provider administrators can update it and trigger the password reset email.

The reset link in these emails is only valid for 24 hours.

eAssessor Pro | Resetting Your Own Password
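The 24-hour validity described above is the usual time-limited, single-use reset token pattern. The following is an added example, not eAssessor Pro's or SkillsLogic's code, and the email addresses and timestamps in it are constructed. It shows how such a link token can be issued and redeemed: the token is random, only its hash is stored, it expires 24 hours after issue, it is consumed on first use, and re-triggering the email invalidates any earlier link for the same user, which is what happens when an administrator corrects an email address and re-sends.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Lifetime of a reset link, matching the 24-hour validity stated above.
RESET_TOKEN_LIFETIME = timedelta(hours=24)

# Constructed in-memory store standing in for a database table.
# Key: SHA-256 hex digest of the token; value: owner, expiry and used flag.
_reset_tokens: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked copy of the store cannot be
    # turned into working reset links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_email: str, now: Optional[datetime] = None) -> str:
    """Create a fresh reset token for user_email and return it for the email link.

    Any earlier outstanding token for the same user is invalidated, so that
    re-triggering the reset email leaves exactly one live link.
    """
    now = now or datetime.now(timezone.utc)
    for entry in _reset_tokens.values():
        if entry["user"] == user_email:
            entry["used"] = True
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    _reset_tokens[_hash_token(token)] = {
        "user": user_email,
        "expires": now + RESET_TOKEN_LIFETIME,
        "used": False,
    }
    return token


def redeem_reset_token(token: str, now: Optional[datetime] = None) -> Optional[str]:
    """Return the owner's email if the token is valid, otherwise None.

    A token is valid only if it exists, has not been used, and has not
    passed its expiry. A successful redemption consumes it (single use).
    """
    now = now or datetime.now(timezone.utc)
    entry = _reset_tokens.get(_hash_token(token))
    if entry is None or entry["used"] or now > entry["expires"]:
        return None
    entry["used"] = True
    return entry["user"]


if __name__ == "__main__":
    # Constructed timestamp so the run is reproducible.
    issued_at = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    link_token = issue_reset_token("learner@example.ac.uk", now=issued_at)
    print("valid after 23h:", redeem_reset_token(link_token, now=issued_at + timedelta(hours=23)))
    print("reuse rejected:", redeem_reset_token(link_token, now=issued_at + timedelta(hours=23)))
    late_token = issue_reset_token("learner@example.ac.uk", now=issued_at)
    print("expired after 25h:", redeem_reset_token(late_token, now=issued_at + timedelta(hours=25)))
```

The expiry is checked against the stored timestamp rather than encoded in the link, so a user cannot extend a link by editing it, and the `now` parameter exists only so the behaviour can be exercised deterministically.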
Quote
Can we send notification emails from a College/Training Provider email address?
Yes, you can edit the default from address, which is noreply@eassessorpro.co.uk. If you do update it, we recommend contacting your IT team to let them know and to ensure that the domain of the address used has an SPF record that covers our mail server (see the SPF details below); otherwise emails will not be received by learners.

We use SPF because we only send notification emails from eAssessor Pro; they do not contain any personal data or attachments, so they do not require encryption.


Quote
What are our SPF details?
The mail server hostname and IP address are:

app.eassessorpro.co.uk
198.244.156.129
Quote
What is an SPF?
SPF (Sender Policy Framework) is an email authentication protocol that allows the owner of a domain to specify which mail servers are permitted to send email from that domain. As an email is delivered, SPF allows the recipient mail server to verify whether a message claiming to be from a specific sender actually comes from an IP address that is authorised to send email on the domain's behalf.

Messages sent from a company's domain that does not have SPF configured are more likely to be flagged as spam by recipient mail servers.
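As an added illustration of the SPF check just described (this is example code, not eAssessor Pro's or SkillsLogic's), the following evaluator takes a domain's SPF TXT record and the IP of the connecting mail server and returns the RFC 7208 result. The sample records and domain names (college.example and so on) are constructed; the authorised IP in the first record is the 198.244.156.129 mail server listed in the SPF details above, which is the record a provider would need on its own domain if it changes the from address.

```python
import ipaddress
from typing import Callable, Optional

# Constructed sample TXT records keyed by domain. In production these come
# from a DNS TXT lookup of the sending domain; the domain names are
# placeholders. The first record authorises only the eAssessor Pro mail
# server IP given above and hard-fails everything else.
SAMPLE_TXT_RECORDS = {
    "college.example": "v=spf1 ip4:198.244.156.129 -all",
    "soft.example": "v=spf1 ip4:198.244.156.0/24 ~all",   # soft fail: mark, don't reject
    "nospf.example": "",                                   # no SPF record published
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 s.4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip: str, domain: str,
              txt_lookup: Callable[[str], Optional[str]] = SAMPLE_TXT_RECORDS.get) -> str:
    """Evaluate the domain's SPF record against the connecting server's IP.

    Returns one of the RFC 7208 results "none", "pass", "fail", "softfail",
    "neutral" or "permerror". Only the ip4, ip6 and all mechanisms are
    implemented; modifiers and the include/a/mx/exists mechanisms need
    further DNS lookups and are reported as "unsupported" here, which is a
    limitation of this example rather than an SPF result.
    """
    record = (txt_lookup(domain) or "").strip()
    if not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record: the receiver learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to pass when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches: terminal
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix length
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue  # no match, try the next mechanism
        return "unsupported"
    return "neutral"  # nothing matched and no trailing "all"


if __name__ == "__main__":
    for sender, dom in [("198.244.156.129", "college.example"),
                        ("203.0.113.5", "college.example"),
                        ("203.0.113.5", "nospf.example")]:
        print(f"{sender} sending for {dom}: {check_spf(sender, dom)}")
```

Real receivers use a library that performs the DNS lookups (pyspf, for example); the point for this page is the second case: if a provider's domain publishes `-all` without listing 198.244.156.129, notifications sent from that domain get a `fail` result and are likely to be rejected.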
Quote
Do we use Multi-Factor Authentication (MFA)?
Not currently, but we do offer Single Sign On (SSO) using Microsoft Azure.

We will be introducing MFA in the near future.
Quote
What is Multi-Factor Authentication?
This is an authentication method that uses two or more distinct mechanisms to validate a user's identity, rather than relying on a simple username and password combination alone. MFA helps prevent unauthorised access to applications and sensitive data, helping organisations defend against identity theft, cyber-attacks and data breaches.
Quote
What is Single Sign On (SSO)?
SSO is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

To be able to use this, your College/Training Provider must already have Microsoft Azure set up and be providing learners with College/Training Provider email accounts. If you are a College/Training Provider and are interested in using Single Sign On (SSO), please send a request to our helpdesk on eAssessorPro@learningcurvegroup.co.uk.
Quote
What is SendGrid?
SendGrid is a customer communication platform for transactional and marketing email.
Quote
What standard of Web Content Accessibility Guidelines (WCAG) does eAssessorPro conform to?
WCAG 2.1
Quote
How is system maintenance managed?
Any maintenance is completed out of hours. Changes are authorised by LCG before being made live, and we have a slave database that is a real-time replica, maintained for disaster recovery (DR) and backup purposes.
Quote
Does maintenance take place during business hours?
No. Any planned maintenance will be out of business hours.
Quote
How are incidents, fixes and developments logged - is a ticketing system in place?
A ticketing system is in place to log all incidents, bugs, fixes and developments.
Quote
Are all incidents, fixes and developments recorded in a retrievable audit trail?
Yes.
Quote
Is eAssessor Pro Cloud-based or On-Premise?
Cloud-based.
Quote
How are developments managed for eAssessor Pro?
Development is performed on local developer systems. The UAT environment is a separate physical server on a different network. The production environment is on a dedicated virtual network.
Quote
Does eAssessor Pro depend on other systems or applications?
No.
Quote
Do we have a Data Protection Officer? Please provide name, email and telephone.
Neil Whittaker
01388 436274
Quote
Are we registered with the ICO?
Yes, we are, our registration number is Z904602X.
Quote
Do you maintain a Breach Register?
Yes.
Quote
Have you had a reportable breach in the last 3 years?
No.
Quote
Do you have a documented Data Protection Policy?
Quote
Have we had a Penetration Test in the last year performed by an accredited CREST (or similar) Penetration Tester?
External testing is carried out by a CREST-certified partner, and all critical and high-risk findings are actioned within 2 weeks.
Quote
Do we screen employees prior to employment?
Yes.
Quote
Does this include identity checks?
Yes.
Quote
Does this include 'right to work' checks?
Yes.
Quote
Does this include prior employment checks?
Yes: employment history (at least 3 years).
Quote
Does this include criminal record checks, and at regular intervals thereafter?
Staff are DBS checked, with Enhanced DBS checks for those in learner-facing roles.
Quote
Who in addition to us can access this data?
SkillsLogic, who develop and host the system for us, could access this data. We have a contract in place with this third-party development team which includes an NDA and a data processing agreement.
Quote
What is the purpose of sharing this data?
To ensure that learners can complete their learning on the chosen LMS.
Quote
What is the lawful basis for processing this data?
To undertake approved courses that are funded by ESFA.
Quote
Are we able to comply with the Data Subject's rights? (GDPR Section 2)
Yes.
Quote
Is the data processed outside the UK?
No.
Quote
How long is the data retained for?
We have a retention schedule to ensure data is removed when it is no longer required.
Quote
Is the personal data kept on-premises or online?
Online, hosted by SkillsLogic
Quote
Are we ISO 27001 Certified? (Information Security Management)
No, LCG is not ISO 27001 certified; however, we do align ourselves to this standard.
Quote
Is your company certified to a similar standard or framework (e.g. NIST, SOC 2, CSA, HITRUST)? If so, please provide details.
No.
Quote
Please supply contact details of who is responsible for your ISMS.
Hannah Marshall, CTO.
Quote
Do we have Cyber Essentials at any Level?
LCG have Cyber Essentials Plus.

LCG | Cyber Essentials Plus Certificate
Quote
Are regular Penetration Tests undertaken by a qualified (CREST or Similar) third-party?
Yes.
External testing is carried out by a CREST-certified partner, and all critical and high-risk findings are actioned within 2 weeks.
Quote
Are regular vulnerability scans undertaken?
We undertake vulnerability scans on a regular basis for our systems.
Quote
What are our Information Security and resilience arrangements?
These are covered in our Business Continuity Plan as well as our Disaster Recovery plan.
Quote
Have the Information Security and Resilience Arrangements been reviewed/audited in the last 12 months?
We are currently undertaking a full review of our BCP/DR planning. We do this every 12 months, but it may be sooner if there is a significant change to the threat landscape.
Quote
Do we have a threat management program in place?
Yes, we utilise various technical and non-technical security controls.
Quote
How have we implemented the principle of least privilege?
Through role-based access controls, with administrator accounts provisioned for those who require them.
Quote
What controls are in place to apply access controls to the application, what restrictions are in place?
Access is via a web browser, and all users have a username and password. The principle of least privilege is applied across the application.
Quote
Does eAssessor Pro maintain an audit trail of user access for monitoring purposes?
Yes.
Quote
Is access to the system contingent upon access through the enterprise domain or can it be accessed remotely?
It can be accessed remotely with valid credentials.


