This domain covers the security controls you have implemented to maintain the health of your IT systems and processes.
Answer yes if your organisation keeps an up-to-date inventory of all hardware assets within your IT estate. The inventory must list an owner against each asset.
Answer yes if your organisation keeps an up-to-date inventory of all data repositories within your IT estate. The inventory must list an owner against each asset.
Answer yes if your organisation has a formal leaver's process that ensures employees, contractors and third party users return all IT assets when they leave the organisation (this usually takes the form of a checklist).
Answer yes if your organisation has a formal process that ensures employees, contractors and third party users have all access to business information removed when they leave the organisation.
Answer yes if your organisation has a process to securely destroy all media that may hold business information. If a third party is used, only answer yes if your organisation receives certificates of destruction. Please provide a document outlining the process (as a PDF file) as evidence or describe the process in the notes section.
Answer yes if your organisation takes regular backups of its production data. Please provide a document stating the frequency of backups (as a PDF file) or describe the frequency of the backups in the notes section.
Answer yes if your organisation encrypts the backups to prevent unauthorised access to the data. Please state the encryption algorithm used in the notes section.
Answer yes if your organisation regularly tests its backup data to ensure that the backups are effective and can be used when required. Please state the frequency of the tests in the notes section.
Answer yes if your organisation requires all users to have a secure and unique logon to access corporate endpoints, networks, and third party services, and if these logons are provisioned securely and with line manager authorisation. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.
Answer yes if your organisation enforces multi-factor authentication on all public-facing services that it uses (this includes third party web-based services).
Answer yes if your organisation requires privileged user accounts and accounts for sensitive services (such as network administrators) to receive a higher level of authorisation before they are provisioned. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.
Answer yes if your organisation conducts regular user access audits to make sure that all users have the correct and up-to-date access to business information. Please outline the audit process in the notes section or provide a supporting document (as a PDF file) as evidence.
If your organisation does conduct regular access audits of employee accounts, please state the number of times access audits are completed for users each year. If no access audits are completed, please put 0 (zero).
If your organisation does conduct regular access audits of privileged accounts, please state the number of times access audits are completed for privileged accounts each year. If no access audits are completed, please put 0 (zero).
Answer yes if your organisation's systems automatically lock after a period of inactivity and require the user to reauthenticate.
How long must a user be inactive for (in minutes) before the systems lock? If times vary between systems, please put the highest value and state the others in the notes. If no screen lock is implemented, please put 0 (zero).
Answer yes if your organisation provides staff with a password management solution to help facilitate password complexity and uniqueness.
Answer yes if your organisation has disabled AutoRun on all of its IT systems. AutoRun is a feature of Windows operating systems that automatically executes code present on external devices when they are plugged into a PC.
Answer yes if your organisation provides users who do not require local administrator privileges with user accounts (without administrator rights) on their endpoint systems.
Answer yes if your organisation has a configuration checklist that is completed for all IT equipment used by the business. These checklists should disable unneeded services, removing unnecessary attack surface and the vulnerabilities that come with it.
Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.
Answer yes if your organisation has a formal change management process that includes a step to assess any security risks the change may introduce, and that requires a rollback plan. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.
Answer yes if your organisation has deployed anti-malware solutions on all user endpoints and IT systems, and if these solutions receive regular signature updates.
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on production systems (for example, through the use of application whitelisting on servers). Please describe the nature of the controls in the notes.
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on user endpoint systems (for example, through the use of application whitelisting or through restricting user installation rights). Please describe the nature of the controls in the notes.
Answer yes if your organisation allows employees to access company data (including email) through their mobile phones.
Answer yes if your organisation has implemented MDM (Mobile Device Management) software on all employee phones with access to company data, and if the MDM software is used to enforce a PIN code, password, or biometric authentication on all devices.
Answer yes if your organisation has a process or technical solution that allows all lost and compromised devices to be remotely wiped.
Answer yes if your organisation allows the use of, or issues employees with, laptop devices.
Answer yes if all laptop devices have their hard drive encrypted with a suitable encryption algorithm before they are issued to employees.
Answer yes if your organisation encrypts client data on its IT systems. Please state the encryption algorithm used in the notes.
Answer yes if your organisation runs a patch management process to ensure that all IT systems (endpoints, servers, network devices, and applications) are updated with security patches in line with the manufacturer's guidance.
Answer yes if your organisation uses any applications or systems for which the vendors do not provide regular security updates. If yes, please state in the notes any other compensatory controls you have in place to protect these systems.
Answer yes if your organisation has implemented enforced TLS on all of its email services. If not, please state in the notes whether or not opportunistic TLS is implemented instead.
Answer yes if your organisation has implemented effective SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records within its DNS services. Please state in the notes the type of DMARC policy set.
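As an added example, not part of this questionnaire, the script below shows how an organisation can check its own SPF and DMARC TXT records before answering the question above: it parses the records, reports the DMARC policy type (none, quarantine or reject, plus the subdomain policy and pct) and flags the weaknesses a reviewer would query, such as a monitor-only p=none, a missing rua= reporting address, an SPF record ending in +all, or more than the ten DNS-lookup terms RFC 7208 permits. The TXT records are constructed sample values embedded in the script so it runs offline; in practice the same functions would be fed the output of a DNS TXT query for the domain and for _dmarc.<domain>.

```python
"""Classify DMARC and SPF TXT records the way a security questionnaire reviewer would."""
import re
from typing import Dict, List

# Constructed sample TXT records (assumed values, not real DNS data).
# A real check would query DNS for "<domain>" (SPF) and "_dmarc.<domain>" (DMARC).
SAMPLE_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.org -all",
    "example.net": "v=spf1 include:_spf.example.org +all",
}

# SPF terms that each consume one of the ten permitted DNS lookups (RFC 7208 section 4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> Dict[str, object]:
    """Return the effective DMARC policy plus the weaknesses a reviewer would flag."""
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"valid": False, "policy": None,
                "findings": ["not a valid DMARC record (needs v=DMARC1 and a p= tag)"]}
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to the domain policy
    pct_raw = tags.get("pct", "100")              # pct defaults to 100
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "none":
        findings.append("p=none is monitor-only: mail failing DMARC is still delivered")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unenforced")
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return {"valid": True, "policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "findings": findings}


def assess_spf(record: str) -> Dict[str, object]:
    """Return the qualifier on the 'all' mechanism, the DNS-lookup term count and any findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all_qualifier": None,
                "findings": ["not an SPF record (must start with v=spf1)"]}
    findings: List[str] = []
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"                            # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: any host on the internet passes SPF for this domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral result for unlisted senders, which gives no protection")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return {"valid": True, "all_qualifier": all_qualifier, "lookup_terms": lookups,
            "findings": findings}


def review_domain(domain: str, txt: Dict[str, str] = SAMPLE_TXT) -> Dict[str, object]:
    """Assess the SPF record at <domain> and the DMARC record at _dmarc.<domain>."""
    return {"dmarc": assess_dmarc(txt.get("_dmarc." + domain, "")),
            "spf": assess_spf(txt.get(domain, ""))}


if __name__ == "__main__":
    for domain in ("example.com", "example.net"):
        print(domain, review_domain(domain))
```

The DKIM side is not checked here because a DKIM selector record only proves a key is published, not that outbound mail is actually signed; that is better verified by inspecting the DKIM-Signature header and Authentication-Results on a message sent from the domain.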