E. IT Operations
This domain covers the security controls you have implemented to maintain the health of your IT systems and processes.
01) Does your organisation keep an up-to-date inventory of all IT hardware assets with assigned owners?
Answer yes if your organisation keeps an up-to-date inventory of all hardware assets within your IT estate. The inventory must list an owner against each asset.
02) Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners?
Answer yes if your organisation keens an up-to-date inventory of all data repositories within your IT estate. The inventory must list an owner against each asset.
03) Does your organisation have a formal leaver's process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation?
Answer yes if your organisation has a formal leaver's process that ensures employees, contractors and third party users return all IT assets when they leave the organisation (this usually takes the form of a checklist).
04) Does your organisation have a process for editing or removing employee access to business confidential information (whether digital or physical) when they are changing role or leaving the company?
Answer yes if your organisation has a formal process that ensures employees, contractors and third party users have all access to business information removed when they leave the organisation.
05) Does your organisation ensure that all used digital media (that may have stored data) is disposed of securely and are certificates of destruction obtained?
Answer yes if your organisation has a process to securely destroy all media that may hold business information. If a third party is used, only answer yes if your organisation receives certificates of destruction. Please provide a document outlining the process (as a PDF file) as evidence or describe the process in the notes section.
06) Does your organisation take regular backups of its digital production data?
Answer yes if your organisation takes regular backups of its production data. Please provide a document stating the frequency of backups (as a PDF file) or describe the frequency of the backups in the notes section.
07) Does your organisation encrypt the backups to prevent unauthorised access to the backup data?
Answer yes if your organisation encrypts the backups to prevent unauthorised access to the data. Please state the encryption algorithm used in the notes section.
08) Does your organisation regularly test backups to ensure their effectiveness?
Answer yes if your organisation regularly tests its backup data to ensure that the backups are effective and can be used when required. Please state the frequency of the tests in the notes section.
09) Does your organisation have a documented process for the provisioning and removal of user accounts for all of your IT services that includes a secure logon with unique user IDs?
Answer yes if your organisation requires all users to have a secure and unique logon to access corporate endpoints, networks, and third party services, and if these logons are provisioned securely and with line manager authorisation. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.
10) Does your organisation enforce multi-factor authentication on all remotely accessible services (both within your internal IT systems and on third party services)?
Answer yes if your organisation enforces multi-factor authentication on all public facing services that it uses (this includes third party web based services).
11) Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned?
Answer yes if your organisation requires privileged user accounts and accounts for sensitive services (such as network administrators) to receive a higher level of authorisation before they are provisioned. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.
12) Does your organisation review employee access rights for all IT services (whether internal or third party based) at regular intervals?
Answer yes if your organisation conducts regular user access audits to make sure that all users have the correct and up-to-date access to business information. Please outline the audit process in the notes section or provide a supporting document (as a PDF file) as evidence.
13) How many access audits does your organisation conduct each year, for regular employee accounts?
If your organisation does conduct regular access audits of employee accounts, please state the number of times access audits are completed for users each year. If no access audits are completed, please put 0 (zero).
14) How many access audits does your organisation conduct each year, for privileged employee accounts?
If your organisation does conduct regular access audits of privileged accounts, please state the number of times access audits are completed for users each year. If no access audits are completed, please put 0 (zero).
15) Do all of your organisations systems automatically lock after a short period of inactivity (requiring re-authentication)?
Answer yes if your organisation's systems automatically lock after a period of inactivity and require the user to reauthenticate.
16) For how many minutes does a user have to be inactive before the system is locked?
How long must a user be inactive for (in minutes) before the systems lock (if times vary between systems, please put the highest value and state the others in the notes). If no screen lock is implemented, please put 0 (zero).
17) Does your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once?
Answer yes if your organisation provides staff with a password management solution to help facilitate password complexity and uniqueness.
18) Has your organisation disabled auto-run on all of its Microsoft Windows based IT systems?
Answer yes if your organisation has disabled auto-run on all of its IT systems. Autorun is a feature on Windows’ operating systems that automatically executes code present on external devices when they are plugged into a PC.
19) Has your organisation removed local administrator rights on all end point devices for all employees that do not require it?
Answer yes if your organisation provides users who do not require local administrator privileges with user accounts (without administrator rights) on their endpoint systems.
20) Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems, including systems hosted in a cloud environment?
Answer yes if your organisation has a configuration checklist that is completed for all IT equipment used by the business. These checklists should disable unneeded services, removing any unnecessary vulnerabilities.
21) Do all systems (such as network devices) have their default credentials changed on installation or provision?
Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.
22) Does your organisation have a formal change management process that gives consideration to information security?
Answer yes if your organisation has a formal change management process that includes a step to assess any security risks that the change may impact, and that requires a rollback plan. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.
23) Does your organisation use anti-malware controls to protect all of its endpoints and internal IT infrastructure?
Answer yes if your organisation has deployed anti-malware solutions on all user endpoints and IT systems, and if these solutions receive regular signature updates.
24) Does your organisation have procedures in place to control the installation of software on IT production systems (such as servers)?
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on production systems (for example, through the use of application whitelisting on servers). Please describe the nature of the controls in the notes.
25) Does your organisation have procedures in place to control the installation of software on user endpoint systems?
Answer yes if your organisation has controls in place to monitor and restrict the installation of software on user endpoint systems (for example, through the use of application whitelisting or through restricting user installation rights). Please describe the nature of the controls in the notes.
26) Does your organisation allow employees to access company data (including email) through their mobile phones?
Answer yes if your organisation allows access to company data (including email) through their mobile phones.
27) Does your organisation control the use of mobile phones using mobile device management (MDM) software which enforces a password policy for all devices?
Answer yes if your organisation has implemented MDM (Mobile Device Management) software on all employee phones with access to company data, and if they use the MDM software to enforce a pincode, password, or biometric authentication on all devices.
28) Can your organisation remotely wipe company data on compromised mobile devices?
Answer yes if your organisation has a process or technical solution that allows all lost and compromised devices to be remotely wiped.
29) Do employees in your organisation use laptop devices?
Answer yes if your organisation allows the use of, or issues employees with laptop devices.
30) Are all of the laptop hard drives encrypted?
Answer yes if all laptop devices have their hard drive encrypted with a suitable encryption algorithm before they are issued to employees.
31) Does your organisation encrypt client data on its IT systems?
Answer yes if your organisation encrypts client data on its IT systems. Please state the encryption algorithm used in the notes.
32) Does your organisation ensure that all IT systems used are regularly patched with security patches in line with vendor recommendations, including user end point devices, network devices, and servers?
Answer yes if your organisation runs a patch management process to ensure that all IT systems (end points, servers, network devices, and applications) are updated with security patches in line with the manufacturer's guidance.
33) Does your organisation run any applications or systems that are no longer supported and no longer receive security updates?
Answer yes if your organisation uses any applications or systems for which the vendors do not provide regular security updates. If yes, please state in the notes any other compensatory controls you have in place to protect these systems.
34) Has your organisation configured its email services to use enforced TLS?
Answer yes if your organisation has implemented enforced TLS on all of its email services. If not, please state in the notes whether or not opportunistic TLS is implemented instead.
35) Has your organisation implemented SPF, DMARC, and DKIM for all of its email services?
Answer yes if your organisation has implemented effective SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records within its DNS services. Please state in the notes the type of DMARC policy set.