This domain covers the security controls you have implemented to maintain the health of your IT systems and processes.
Answer yes if your organisation keeps an up-to-date inventory of all hardware and software assets within your IT estate, including cloud services. The inventory must list an owner against each asset. It should also list other details about the assets such as version numbers, business usage & location. Please include details in the notes.
Answer yes if your organisation keeps an up-to-date inventory of all data repositories within your IT estate, including any hosted within cloud services. The inventory must list an owner against each asset.
Answer yes if your organisation has a formal process that ensures employees, contractors and third party users return all IT assets when they leave the organisation (this usually takes the form of a checklist).
Answer yes if your organisation has a formal process that ensures all access to your organisation's systems & information (this includes, but is not limited to, corporate endpoints, networks, offices and third party services) is removed when employees, contractors and third party users leave the organisation and is updated when they change roles. Please describe these processes within the notes and/or upload any relevant evidence.
Answer yes if your organisation requires all users to have a secure and unique logon to access corporate endpoints, networks, and third party services, and if these logons are provisioned securely and with line manager authorisation. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence. If any generic or shared accounts are used, please specify what these are used for and any processes you have in place to minimise their usage.
Answer yes if your organisation enforces multi-factor authentication on all public facing services that it uses (this includes third party web based services).
Answer yes if your organisation requires privileged user accounts and accounts for sensitive services (such as network administrator accounts) to receive a higher level of authorisation before they are provisioned. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.
Answer yes if your organisation conducts regular user access audits to make sure that all users have the correct and up-to-date access to business information. This should include audit of any shared or generic accounts. Please outline the audit process in the notes section or provide a supporting document (as a PDF file) as evidence.
Please state the number of times access audits are completed for users each year.
Answer yes if your organisation has systems and/or processes in place to help ensure privileged accounts are only used for the intended purposes, in a secure way. This could include the use of administration proxies (jump boxes or bastion hosts), Privileged Access Workstations (PAWs), temporary credentials, additional approval processes, or ensuring privileged accounts are not used for normal business activities, such as email or web-browsing. Please describe your PAM controls in the notes section or provide a supporting document (as a PDF file) as evidence.
Answer yes if your organisation's systems automatically lock after a period of inactivity and require the user to reauthenticate.
Please state how long a user must be inactive for (in minutes) before the systems lock. If times vary between systems, please put the highest value and state the others in the notes.
Answer yes if your organisation provides staff with a password management solution to help facilitate password complexity and uniqueness.
Answer yes if your organisation has disabled autorun on all of its IT systems. Autorun is a feature of Windows operating systems that can automatically execute code (specified in an autorun.inf file) on removable media as soon as the device is connected to a PC.
Answer yes if your organisation provides users who do not require local administrator privileges with standard user accounts (without administrator rights) on their endpoint systems.
Answer yes if your organisation has a configuration process that is followed for all IT assets. The process should define security settings and disable unneeded services, thereby reducing your attack surface. Please describe how your secure configuration process is performed, including both automated and manual checks. Please upload any relevant documentation (as a PDF file) as evidence.
Answer yes if all of your organisation's IT systems (including network devices and the user accounts used for services) have their default credentials changed on installation or provision.
Answer yes if your organisation has a formal change management process that includes a step to assess any security risks introduced or affected by the change, and that requires a rollback plan. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.
Answer yes if your organisation has deployed anti-malware solutions on all user endpoints and IT systems, and if these solutions receive regular signature updates and are configured to scan files regularly (at least daily). Please provide details of your malware protection solutions in the notes section.
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on production systems (for example, through the use of application whitelisting on servers). Please describe the nature of the controls in the notes.
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on user endpoint systems, including desktop PCs, laptops & mobile devices. This could be done through the use of application whitelisting, restricting user installation rights, device management software etc. Please describe the nature of the controls in the notes.
Answer yes if your organisation allows the use of laptop devices for work purposes. In the notes, please describe whether these are typically company owned or personal devices.
Answer yes if your organisation enforces hard drive encryption on all laptop devices. In the notes, please include details of the encryption algorithm(s) used and how this is enforced.
Answer yes if your organisation has a process and technical solution that allows any lost or compromised laptop device to be remotely wiped.
Answer yes if your organisation allows access to company data or services (e.g. email) through mobile devices. In the notes, please briefly describe the nature of the data / services accessible and whether the mobile devices are company owned or employee personal devices.
Answer yes if your organisation requires technical enforcement of security controls on mobile phones and tablets before access to company data or services is granted. For example, this could be done through the use of MDM (Mobile Device Management) software. In the notes, please describe the nature of the controls, the method of enforcement and any related processes.
Answer yes if your organisation has a process and technical solution that allows any lost or compromised mobile phone or tablet to be remotely wiped.
Answer yes if your organisation encrypts client data on its IT systems. Please state the encryption algorithm used in the notes.
Answer yes if your organisation runs a patch management process to ensure that all IT systems (end points, servers, network devices, and applications) are updated with security patches in line with the manufacturer's guidance. Please describe your patch management processes in the notes section including how you ensure all systems are in scope, or upload supporting documents (as PDF files).
Answer yes if your organisation uses any applications or systems for which the vendors do not provide regular security updates. In the notes, please describe how you discover & manage these systems, including any compensatory controls you have in place to protect them and any plans for decommissioning or replacement.
Answer yes if your organisation has a process to securely destroy all media that may hold business information. If a third party is used, only answer yes if your organisation receives certificates of destruction. Please provide a document outlining the process (as a PDF file) as evidence or describe the process in the notes section.
Answer yes if your organisation takes regular backups of its production data in line with best practice guidelines, for example by following the '3-2-1' rule (three copies of the data, on two different types of media, with one copy held off-site) and segregating the backups from your main environment so that a compromise of production systems cannot reach them. Please describe your backup processes including segregation, frequency, and any other controls in place.
Answer yes if your organisation encrypts the backups to prevent unauthorised access to the data. Please state the encryption algorithm used in the notes section.
Answer yes if your organisation regularly tests its backup data to ensure that the backups are effective and can be used when required. Please state the frequency of the tests in the notes section.
Answer yes if your organisation has implemented enforced TLS on all of its email services, i.e. mail is not delivered at all if a TLS session cannot be negotiated. If not, please state in the notes whether or not opportunistic TLS (which falls back to plaintext delivery when TLS is unavailable) is implemented instead.
Answer yes if your organisation has implemented effective SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records within its DNS services. Please state in the notes the type of DMARC policy set (none, quarantine or reject).
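To answer this question accurately you need to read the policy that is actually published in DNS rather than the one you believe was configured. The following script is an added example written for this page, not part of the questionnaire or of any vendor tool: it parses the SPF and DMARC TXT record values for a domain and reports the SPF terminal qualifier (whether unlisted senders fail, softfail or pass) and the effective DMARC policy, including the subdomain policy and the percentage of mail it applies to. The records and the domain example.com are constructed for illustration; in practice you would paste in the output of `dig TXT example.com` and `dig TXT _dmarc.example.com`.

```python
"""Classify published SPF and DMARC records for a questionnaire answer.

Added example, not part of the original page. The sample record values
below are constructed for a hypothetical domain (example.com); replace
them with the TXT values returned by a DNS lookup of your own domain.
"""
import re

# Constructed sample records (hypothetical domain, not real DNS data).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (RFC 7489 syntax).

    Tags are separated by ';'. Tag names are lower-cased so lookups are
    case-insensitive; values are returned as published.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing or wrong v= tag)")
    return tags


def dmarc_policy(record: str) -> dict:
    """Summarise the effective DMARC policy.

    Reports the domain policy (p), the subdomain policy (sp, which
    defaults to p), the percentage of failing mail the policy applies to
    (pct, default 100), whether aggregate reporting (rua) is configured,
    and whether the record causes receivers to act on failures at all:
    p=none, or a pct below 100, means unauthenticated mail still lands.
    """
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record has no valid p= tag; receivers will ignore it")
    subdomain_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    return {
        "policy": policy,
        "subdomain_policy": subdomain_policy,
        "pct": pct,
        "has_reporting": "rua" in tags,
        "enforcing": policy in ("quarantine", "reject") and pct == 100,
    }


def spf_terminal(record: str) -> str:
    """Return how SPF treats senders not listed in the record.

    Looks for the 'all' mechanism and maps its qualifier: '-all' -> fail,
    '~all' -> softfail, '?all' -> neutral, '+all' or bare 'all' -> pass.
    A record with no 'all' mechanism implicitly yields neutral, which is
    reported as 'missing' so it stands out in the answer.
    """
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    qualifiers = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass", "": "pass"}
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return qualifiers[m.group(1)]
    return "missing"


if __name__ == "__main__":
    print("SPF terminal qualifier:", spf_terminal(SAMPLE_SPF))
    print("DMARC policy summary:", dmarc_policy(SAMPLE_DMARC))
```

Only a record where `enforcing` is true actually protects the domain from spoofing; a `p=none` policy is a monitoring stage, and `pct=50` with `p=reject` still lets half of the failing mail through. Treat a `missing` SPF terminal, or an SPF record ending in `+all`, as equivalent to having no SPF at all.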
Answer yes if your organisation has any form of Data Loss Prevention (DLP) controls in place to ensure only authorised data is transferred outside of your organisation. In the notes, please describe the controls you have in place and how these are managed.