E. IT Operations

This domain covers the security controls you have implemented to maintain the health of your IT systems and processes.

01) Does your organisation keep an up-to-date inventory of all IT hardware assets with assigned owners?

Answer yes if your organisation keeps an up-to-date inventory of all hardware assets within your IT estate. The inventory must list an owner against each asset.

IT Operations
Hardware Asset Database
CMDB

02) Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners?

Answer yes if your organisation keeps an up-to-date inventory of all data repositories within your IT estate. The inventory must list an owner against each repository.

IT Operations
Data Repository Inventory

03) Does your organisation have a formal leaver's process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation?

Answer yes if your organisation has a formal leaver's process that ensures employees, contractors and third party users return all IT assets when they leave the organisation (this usually takes the form of a checklist).

IT Operations
Leaver's Process

04) Does your organisation have a process for editing or removing employee access to business confidential information (whether digital or physical) when they are changing role or leaving the company?

Answer yes if your organisation has a formal process that ensures employees, contractors and third party users have their access to business information adjusted when they change role and removed in full when they leave the organisation.

IT Operations
Access Removal

05) Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained?

Answer yes if your organisation has a process to securely destroy all media that may hold business information. If a third party is used, only answer yes if your organisation receives certificates of destruction. Please provide a document outlining the process (as a PDF file) as evidence or describe the process in the notes section.

IT Operations
Secure Media Disposal
Secure Destruction

06) Does your organisation take regular backups of its digital production data?

Answer yes if your organisation takes regular backups of its production data. Please provide a document stating the frequency of backups (as a PDF file) or describe the frequency of the backups in the notes section.

IT Operations
Backups

07) Does your organisation encrypt the backups to prevent unauthorised access to the backup data?

Answer yes if your organisation encrypts the backups to prevent unauthorised access to the data. Please state the encryption algorithm used in the notes section.

IT Operations
Backup Encryption

08) Does your organisation regularly test backups to ensure their effectiveness?

Answer yes if your organisation regularly tests its backup data to ensure that the backups are effective and can be used when required. Please state the frequency of the tests in the notes section.

IT Operations
Backup Testing

09) Does your organisation have a documented process for the provisioning and removal of user accounts for all of your IT services that includes a secure logon with unique user IDs?

Answer yes if your organisation requires all users to have a secure and unique logon to access corporate endpoints, networks, and third party services, and if these logons are provisioned securely and with line manager authorisation. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.

IT Operations
Secure Logon
Joiner/Mover/Leaver

10) Does your organisation enforce multi-factor authentication on all remotely accessible services (both within your internal IT systems and on third party services)?

Answer yes if your organisation enforces multi-factor authentication on all remotely accessible (public facing) services that it uses, whether hosted internally or by a third party (this includes third party web based services).

IT Operations
MFA
Multi-Factor Authentication

11) Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned?

Answer yes if your organisation requires privileged user accounts and accounts for sensitive services (such as network administrators) to receive a higher level of authorisation before they are provisioned. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.

IT Operations
Privileged Access Authorisation

12) Does your organisation review employee access rights for all IT services (whether internal or third party based) at regular intervals?

Answer yes if your organisation conducts regular user access audits to make sure that all users have the correct and up-to-date access to business information. Please outline the audit process in the notes section or provide a supporting document (as a PDF file) as evidence.

IT Operations
Access Review

13) How many access audits does your organisation conduct each year, for regular employee accounts?

If your organisation does conduct regular access audits of employee accounts, please state the number of times access audits are completed for users each year. If no access audits are completed, please put 0 (zero).

IT Operations
Access Review

14) How many access audits does your organisation conduct each year, for privileged employee accounts?

If your organisation does conduct regular access audits of privileged accounts, please state the number of times access audits are completed for users each year. If no access audits are completed, please put 0 (zero).

IT Operations
Access Review
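Questions 12 to 14 ask for the access review itself, but the part that usually goes wrong is the reconciliation: comparing the account export from each IT service against the HR roster. The following is an added example, not part of the questionnaire, showing that reconciliation in Python with constructed sample data (the roster, account list, user names and review intervals are all hypothetical). It flags leavers who still have enabled accounts (the failure question 04 is aimed at), accounts with no HR owner, and accounts whose last review is older than the interval allowed, with privileged accounts held to a shorter interval than regular ones.

```python
"""Access-review reconciliation: join an account export against the HR roster.

Reports (a) enabled accounts whose owner has left, (b) accounts with no HR
record (orphans, often service accounts nobody owns), and (c) accounts whose
last review is older than the allowed interval. All data is constructed for
the example; a real run would read an IdP/AD export and an HR extract.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample HR roster (hypothetical people, not real data).
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob":   {"status": "left", "leave_date": date(2024, 1, 31)},
    "carol": {"status": "active"},
}

# Constructed sample account export. 'privileged' marks admin-level access.
ACCOUNTS = [
    {"user": "alice",      "enabled": True, "privileged": False, "last_review": date(2024, 3, 1)},
    {"user": "bob",        "enabled": True, "privileged": False, "last_review": date(2023, 9, 1)},
    {"user": "carol",      "enabled": True, "privileged": True,  "last_review": date(2023, 6, 15)},
    {"user": "svc-backup", "enabled": True, "privileged": True,  "last_review": date(2024, 2, 1)},
]


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def review_accounts(accounts, roster, today, user_interval_days=365, priv_interval_days=90):
    """Return findings sorted by user. The intervals are assumed values:
    privileged accounts (question 14) are reviewed more often than regular
    accounts (question 13)."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append(Finding(user, "orphan: no matching HR record"))
        elif person["status"] == "left" and acct["enabled"]:
            findings.append(Finding(user, "leaver still enabled"))
        limit = priv_interval_days if acct["privileged"] else user_interval_days
        age = (today - acct["last_review"]).days
        if age > limit:
            findings.append(Finding(user, f"review overdue by {age - limit} days"))
    return sorted(findings, key=lambda f: (f.user, f.issue))


def run_example():
    """Run the reconciliation on the constructed data for a fixed date."""
    return review_accounts(ACCOUNTS, HR_ROSTER, date(2024, 4, 1))


if __name__ == "__main__":
    for finding in run_example():
        print(f"{finding.user}: {finding.issue}")
```

The audit count asked for in questions 13 and 14 is then simply how many times per year this reconciliation is run and signed off; the output list is the evidence that reviewers actually acted on.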

15) Do all of your organisation's systems automatically lock after a short period of inactivity (requiring re-authentication)?

Answer yes if your organisation's systems automatically lock after a period of inactivity and require the user to re-authenticate.

IT Operations
Screen Lock
System Lock

16) For how many minutes does a user have to be inactive before the system is locked?

How long must a user be inactive for (in minutes) before the systems lock (if times vary between systems, please put the highest value and state the others in the notes). If no screen lock is implemented, please put 0 (zero).

IT Operations
Screen Lock
System Lock

17) Does your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once?

Answer yes if your organisation provides staff with a password management solution to help facilitate password complexity and uniqueness.

IT Operations
Password Manager

18) Has your organisation disabled auto-run on all of its Microsoft Windows based IT systems?

Answer yes if your organisation has disabled AutoRun on all of its Windows based IT systems. AutoRun is a Windows feature that automatically executes code present on removable media (such as USB drives or optical discs) when the media is connected to a PC.

IT Operations
Auto-Run

19) Has your organisation removed local administrator rights on all end point devices for all employees that do not require it?

Answer yes if your organisation provides users who do not require local administrator privileges with user accounts (without administrator rights) on their endpoint systems.

IT Operations
Local Administrator

20) Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems, including systems hosted in a cloud environment?

Answer yes if your organisation has a secure configuration (hardening) checklist that is completed for all IT equipment used by the business, including cloud hosted systems. These checklists should disable unneeded services and accounts and remove unnecessary features, reducing the attack surface of each system.

IT Operations
Secure Configuration

21) Do all systems (such as network devices) have their default credentials changed on installation or provision?

Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.

IT Operations
Default Credentials

22) Does your organisation have a formal change management process that gives consideration to information security?

Answer yes if your organisation has a formal change management process that includes a step to assess any security risks that the change may impact, and that requires a rollback plan. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.

IT Operations
Change Management

23) Does your organisation use anti-malware controls to protect all of its endpoints and internal IT infrastructure?

Answer yes if your organisation has deployed anti-malware solutions on all user endpoints and IT systems, and if these solutions receive regular signature updates.

IT Operations
Anti-Malware
Anti-Virus
Endpoint Protection

24) Does your organisation have procedures in place to control the installation of software on IT production systems (such as servers)?

Answer yes if your organisation has controls in place to monitor and restrict the installation of software on production systems (for example, through the use of application whitelisting on servers). Please describe the nature of the controls in the notes.

IT Operations
Application Whitelisting

25) Does your organisation have procedures in place to control the installation of software on user endpoint systems?

Answer yes if your organisation has controls in place to monitor and restrict the installation of software on user endpoint systems (for example, through the use of application whitelisting or through restricting user installation rights). Please describe the nature of the controls in the notes.

IT Operations
Application Whitelisting

26) Does your organisation allow employees to access company data (including email) through their mobile phones?

Answer yes if your organisation allows employees to access company data (including email) through their mobile phones, whether company issued or personally owned.

IT Operations
Mobile Phone Access

27) Does your organisation control the use of mobile phones using mobile device management (MDM) software which enforces a password policy for all devices?

Answer yes if your organisation has implemented MDM (Mobile Device Management) software on all employee phones with access to company data, and if they use the MDM software to enforce a pincode, password, or biometric authentication on all devices.

IT Operations
MDM
Mobile Device Management

28) Can your organisation remotely wipe company data on compromised mobile devices?

Answer yes if your organisation has a process or technical solution that allows all lost and compromised devices to be remotely wiped.

IT Operations
Remote Wipe

29) Do employees in your organisation use laptop devices?

Answer yes if your organisation allows the use of, or issues employees with laptop devices.

IT Operations
Laptops

30) Are all of the laptop hard drives encrypted?

Answer yes if all laptop devices have their hard drive encrypted with a suitable encryption algorithm before they are issued to employees.

IT Operations
Laptop Drive Encryption

31) Does your organisation encrypt client data on its IT systems?

Answer yes if your organisation encrypts client data on its IT systems. Please state the encryption algorithm used in the notes.

IT Operations
Data Encryption
Encryption at Rest

32) Does your organisation ensure that all IT systems used are regularly patched with security patches in line with vendor recommendations, including user end point devices, network devices, and servers?

Answer yes if your organisation runs a patch management process to ensure that all IT systems (end points, servers, network devices, and applications) are updated with security patches in line with the manufacturer's guidance.

IT Operations
Patch Management

33) Does your organisation run any applications or systems that are no longer supported and no longer receive security updates?

Answer yes if your organisation uses any applications or systems for which the vendors do not provide regular security updates. If yes, please state in the notes any other compensatory controls you have in place to protect these systems.

IT Operations
Unsupported Applications
Unsupported Systems

34) Has your organisation configured its email services to use enforced TLS?

Answer yes if your organisation has implemented enforced TLS on all of its email services. If not, please state in the notes whether or not opportunistic TLS is implemented instead.

IT Operations
TLS
Email Security

35) Has your organisation implemented SPF, DMARC, and DKIM for all of its email services?

Answer yes if your organisation has implemented effective SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records within its DNS services. Please state in the notes the type of DMARC policy set.

IT Operations
SPF
DKIM
DMARC
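Question 35 asks for "effective" SPF, DKIM and DMARC records and for the DMARC policy type, so it helps to know what makes each record effective rather than merely present. The following is an added example, not part of the questionnaire, that checks the three record types in Python. The domain, selector and record contents are constructed sample strings embedded in the code so it runs offline; in practice you would fetch the TXT records from DNS (for example with dig) and pass them in. It treats an SPF record as weak if it ends in +all or ?all, has no all mechanism, or exceeds the ten DNS-lookup limit; treats DMARC as not enforced if p=none or pct is below 100; and treats a DKIM record with an empty p= tag as revoked.

```python
"""Checks for the DNS TXT records behind question 35: SPF, DKIM and DMARC.

All records below are constructed samples for the hypothetical domain
example.test; nothing here is fetched from the network.
"""
import re

# Constructed sample records. The DKIM p= value is a truncated placeholder.
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailprovider.test ip4:203.0.113.0/24 -all",
    "_dmarc.example.test": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.test",
    "sel1._domainkey.example.test": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder",
}

# SPF mechanisms/modifiers that each cost one DNS lookup (RFC 7208 limit: 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """'v=DMARC1; p=reject; pct=100' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return {'ok': bool, 'reason': str}. 'ok' means the record is usable
    and ends in a qualifier that actually rejects unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"ok": False, "reason": "missing v=spf1"}
    lookups, all_qualifier, has_redirect = 0, None, False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
            has_redirect = has_redirect or name == "redirect"
    if lookups > 10:
        return {"ok": False, "reason": f"{lookups} DNS lookups exceed the limit of 10 (permerror)"}
    if all_qualifier is None:
        if has_redirect:
            return {"ok": True, "reason": f"terminated by redirect= with {lookups} lookups"}
        return {"ok": False, "reason": "no 'all' mechanism: unlisted senders are not rejected"}
    if all_qualifier in ("+", "?"):
        return {"ok": False, "reason": f"'{all_qualifier}all' lets any host send as the domain"}
    return {"ok": True, "reason": f"'{all_qualifier}all' with {lookups} lookups"}


def check_dmarc(record):
    """Return {'ok', 'policy', 'reason'}. 'ok' is True only when the policy
    is quarantine or reject and applies to 100% of mail."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return {"ok": False, "policy": None, "reason": "missing v=DMARC1"}
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return {"ok": False, "policy": policy, "reason": "p= tag missing or invalid"}
    pct = int(tags.get("pct", "100")) if tags.get("pct", "100").isdigit() else 0
    enforcing = policy != "none" and pct == 100
    reason = f"p={policy}, pct={pct}" + ("" if enforcing else " (monitoring only, not enforced)")
    return {"ok": enforcing, "policy": policy, "reason": reason}


def check_dkim(record):
    """Return {'ok', 'reason'}. v=DKIM1 is optional; an empty p= means revoked."""
    tags = parse_tags(record)
    if "v" in tags and tags["v"] != "DKIM1":
        return {"ok": False, "reason": "v= present but not DKIM1"}
    if not tags.get("p"):
        return {"ok": False, "reason": "empty p= tag: key revoked or record malformed"}
    return {"ok": True, "reason": f"k={tags.get('k', 'rsa')} public key published"}


def assess(records, domain, selector):
    """Check all three records for a domain; a missing record checks as empty."""
    return {
        "spf": check_spf(records.get(domain, "")),
        "dkim": check_dkim(records.get(f"{selector}._domainkey.{domain}", "")),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", "")),
    }


if __name__ == "__main__":
    for name, result in assess(SAMPLE_RECORDS, "example.test", "sel1").items():
        print(f"{name}: {'OK' if result['ok'] else 'WEAK'} - {result['reason']}")
```

When answering the question, the DMARC policy to state is the value of p= that this check reports; a domain on p=none has SPF and DKIM in place but is not yet protected against spoofing, so note it as monitoring mode.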