D. IT Operations
This domain covers the security controls you have implemented to maintain the health of your IT systems and processes.
01) Does your organisation keep an up-to-date inventory of all IT assets with assigned owners?
Answer yes if your organisation keeps an up-to-date inventory of all hardware and software assets within your IT estate, including cloud services. The inventory must list an owner against each asset. It should also list other details about the assets such as version numbers, business usage & location. Please include details in the notes.
02) Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners?
Answer yes if your organisation keeps an up-to-date inventory of all data repositories within your IT estate, including any hosted within cloud services. The inventory must list an owner against each asset.
03) Does your organisation have a formal process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation?
Answer yes if your organisation has a formal process that ensures employees, contractors and third party users return all IT assets when they leave the organisation (this usually takes the form of a checklist).
04) Does your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation?
Answer yes if your organisation has a formal process that ensures all access to your organisation's systems & information (this includes, but is not limited to corporate endpoints, networks, offices and third party services) is removed when employees, contractors and third party users leave the organisation and is updated when they change roles. Please describe these processes within the notes and/or upload any relevant evidence.
05) Does your organisation have a documented process for provisioning user accounts for all of your IT services that includes appropriate authorisation and secure account creation with unique user IDs?
Answer yes if your organisation requires all users to have a secure and unique logon to access corporate endpoints, networks, and third party services, and if these logons are provisioned securely and with line manager authorisation. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence. If any generic or shared accounts are used, please specify what these are used for and any processes you have in place to minimise their usage.
06) Does your organisation enforce multi-factor authentication on all remotely accessible services (both within your internal IT systems and on third party services)?
Answer yes if your organisation enforces multi-factor authentication on all public facing services that it uses (this includes third party web based services).
07) Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned?
Answer yes if your organisation requires privileged user accounts and accounts for sensitive services (such as network administrators) to receive a higher level of authorisation before they are provisioned. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.
08) Does your organisation regularly audit employee access rights for all IT services (whether internal or third party based)?
Answer yes if your organisation conducts regular user access audits to make sure that all users have the correct and up-to-date access to business information. This should include audit of any shared or generic accounts. Please outline the audit process in the notes section or provide a supporting document (as a PDF file) as evidence.
09) How many access audits does your organisation conduct each year, for regular employee accounts?
Please state the number of times access audits are completed for users each year.
10) How many access audits does your organisation conduct each year, for privileged employee accounts?
Please state the number of times access audits are completed for users each year.
11) Does your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration?
Answer yes if your organisation has systems and/or processes in place to help ensure privileged accounts are only used for the intended purposes, in a secure way. This could include the use of administration proxies (jump boxes or bastion hosts), Privileged Access Workstations (PAWs), temporary credentials, additional approval processes, or ensuring privileged accounts are not used for normal business activities, such as email or web-browsing. Please describe your PAM controls in the notes section or provide a supporting document (as a PDF file) as evidence.
12) Do all of your organisations systems automatically lock after a short period of inactivity (requiring re-authentication)?
Answer yes if your organisation's systems automatically lock after a period of inactivity and require the user to reauthenticate.
13) For how many minutes does a user have to be inactive before the system is locked?
Please state how long a user must be inactive for (in minutes) before the systems lock. If times vary between systems, please put the highest value and state the others in the notes.
14) Does your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once?
Answer yes if your organisation provides staff with a password management solution to help facilitate password complexity and uniqueness.
15) Has your organisation disabled auto-run on all of its Microsoft Windows based IT systems?
Answer yes if your organisation has disabled auto-run on all of its IT systems. Autorun is a feature on Windows’ operating systems that automatically executes code present on external devices when they are plugged into a PC.
16) Has your organisation removed local administrator rights on all end point devices for all employees that do not require it?
Answer yes if your organisation provides users who do not require local administrator privileges with user accounts (without administrator rights) on their endpoint systems.
17) Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment?
Answer yes if your organisation has a configuration process that is followed for all IT assets. The process should define security settings and disable unneeded services, thereby reducing your attack surface. Please describe how your secure configuration process is performed, including both automated and manual checks. Please upload any relevant documentation (as a PDF file) as evidence.
18) Do all systems (such as network devices) have their default credentials changed on installation or provision?
Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.
19) Does your organisation have a formal change management process that gives consideration to information security?
Answer yes if your organisation has a formal change management process that includes a step to assess any security risks that the change may impact, and that requires a rollback plan. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.
20) Does your organisation use anti-malware controls to protect all of its endpoints and internal IT infrastructure?
Answer yes if your organisation has deployed anti-malware solutions on all user endpoints and IT systems, and if these solutions receive regular signature updates and are configured to scan files regularly (at least daily). Please provide details of your malware protection solutions in the notes section.
21) Does your organisation have procedures in place to control the installation of software on IT production systems (such as servers)?
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on production systems (for example, through the use of application whitelisting on servers). Please describe the nature of the controls in the notes.
22) Does your organisation have procedures in place to control the installation of software on user endpoint systems?
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on user endpoint systems, including desktop PCs, laptops & mobile devices. This could be done through the use of application whitelisting, restricting user installation rights, device management software etc. Please describe the nature of the controls in the notes.
23) Does your organisation use laptop devices?
Answer yes if your organisation allows the use of laptop devices for work purposes. In the notes, please describe whether these are typically company owned or personal devices.
24) Are all of the laptop hard drives encrypted?
Answer yes if your organisation enforces hard drive encryption on all laptop devices. In the notes, please include details of the encryption algorithm(s) used and how this is enforced.
25) Can your organisation remotely wipe company data on laptop devices?
Answer yes if your organisation has a process and technical solution that allows any lost or compromised laptop device to be remotely wiped.
26) Does your organisation allow employees to access company data or services through mobile phones or tablets?
Answer yes if your organisation allows access to company data or services (e.g. email) through mobile devices. In the notes, please briefly describe the nature of the data / services accessible and whether the mobile devices are company owned or employee personal devices.
27) Does your organisation technically enforce security controls on mobile phones and tablets before allowing access to company data or services?
Answer yes if your organisation requires technical enforcement of security controls on mobile phones and tablets before access to company data or services is granted. For example, this could be done through the use of MDM (Mobile Device Management) software. In the notes, please describe the nature of the controls, the method of enforcement and any related processes.
28) Can your organisation remotely wipe company data on mobile phones and tablets?
Answer yes if your organisation has a process and technical solution that allows any lost or compromised mobile phone or tablet to be remotely wiped.
29) Does your organisation encrypt client data on its IT systems?
Answer yes if your organisation encrypts client data on its IT systems. Please state the encryption algorithm used in the notes.
30) Does your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including end point devices, servers, network devices, and applications?
Answer yes if your organisation runs a patch management process to ensure that all IT systems (end points, servers, network devices, and applications) are updated with security patches in line with the manufacturer's guidance. Please describe your patch management processes in the notes section including how you ensure all systems are in scope, or upload supporting documents (as PDF files).
31) Does your organisation run any applications or systems that are no longer supported and no longer receive security updates?
Answer yes if your organisation uses any applications or systems for which the vendors do not provide regular security updates. In the notes, please describe how you discover & manage these systems, including any compensatory controls you have in place to protect them and any plans for decommissioning or replacement.
32) Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained?
Answer yes if your organisation has a process to securely destroy all media that may hold business information. If a third party is used, only answer yes if your organisation receives certificates of destruction. Please provide a document outlining the process (as a PDF file) as evidence or describe the process in the notes section.
33) Does your organisation take regular backups of its digital production data in line with current best practise guidelines?
Answer yes if your organisation takes regular backups of its production data in line with best practice guidelines, for example by following the '3-2-1' rule and segregating the backups from your main environment. Please describe your backup processes including segregation, frequency, and any other controls in place.
34) Does your organisation encrypt the backups to prevent unauthorised access to the backup data?
Answer yes if your organisation encrypts the backups to prevent unauthorised access to the data. Please state the encryption algorithm used in the notes section.
35) Does your organisation regularly test backups to ensure their effectiveness?
Answer yes if your organisation regularly tests its backup data to ensure that the backups are effective and can be used when required. Please state the frequency of the tests in the notes section.
36) Has your organisation configured its email services to use enforced TLS?
Answer yes if your organisation has implemented enforced TLS on all of its email services. If not, please state in the notes whether or not opportunistic TLS is implemented instead.
37) Has your organisation implemented SPF, DMARC, and DKIM for all of its email services?
Answer yes if your organisation has implemented effective SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records within its DNS services. Please state in the notes the type of DMARC policy set.
38) Does your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms?
Answer yes if your organisation has any form of Data Loss Prevention (DLP) controls in place to ensure only authorised data is transferred outside of your organisation. In the notes, please describe the controls you have in place and how these are managed.