F. Network and Cloud Security
This domain covers the security controls you have implemented to maintain the security and integrity of your corporate network and any cloud infrastructure.
00) Does your organisation own or maintain a corporate network, cloud environment, or any application hosting infrastructure?
Answer yes if your organisation maintains a corporate network that allows user devices to connect and communicate with any network based storage or internal services, or if your organisation maintains any application hosting infrastructure (cloud or otherwise). You should answer yes to this question if you use a public cloud to host applications since you are responsible for implementing security controls within your environment.
01) Are all ingress and egress points for traffic through your network or cloud environment protected by firewalls?
Answer yes if your organisation has secured all of the ingress and egress points of its corporate network and IT environments with firewalls.
02) Were the firewalls implemented using a deny all policy, with rules built around your organisation’s requirements?
Answer yes if the firewalls were implemented with a 'deny all' policy, and each rule was only added when a business requirement was identified, documented and approved by an authorised individual.
03) Does your organisation review its firewall rules at least annually?
Answer yes if your organisation undertakes an annual firewall rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.
04) Does your organisation have web application firewalls (WAFs) implemented to protect web applications?
Answer yes if all web applications hosted by your organisation are protected with WAFs (web application firewalls). If your organisation does not host any web applications, answer 'No' and state this in the notes section.
05) Were the WAFs implemented using a deny all policy, with rules built around your organisation’s requirements?
Answer yes if the WAFs were implemented with a 'deny all' policy, and if the WAF rules were only added when a business requirement was identified that required the rule to be created.
06) Does your organisation review its WAF rules at least annually?
Answer yes if your organisation undertakes an annual WAF rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.
07) Does your organisation place all publicly accessible services in isolated network DMZs (or separate subnets)?
Answer yes if your organisation hosts all publicly accessible services within a DMZ (a DMZ or demilitarised zone is a public facing subnet that acts as a barrier between your organisation's internal environment and the internet or other public network).
08) Does your organisation secure and encrypt remote connections to its network or environment (for example, by using VPNs or SSH connections)?
Answer yes if your organisation forces all remote connections to its network infrastructure or cloud environment to be secured with a suitable solution such as a VPN or SSH connection.
09) Does your organisation secure remote access to its network or cloud environment using multi-factor authentication?
Answer yes if your organisation forces all remote connections to its network or cloud environment to be secured using two factor authentication.
10) Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems?
Answer yes if your organisation has implemented any network or cloud monitoring solutions (either in house or via a third party service provider). Please describe which solutions you have in place and the coverage they have over your network(s) or cloud environment(s).
11) Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary?
Answer yes if your organisation has processes in place to frequently review and act upon events and alerts from security logs and monitoring tools. Please describe your processes for different types of security logs and events in the notes section.
12) Has your organisation implemented segmentation or segregation in your networks and/or cloud environments?
Answer yes if your organisation has appropriately segregated its network or cloud environments to restrict the level of access to sensitive information, hosts, and services. Examples include segregation of production systems from systems being commissioned or decommissioned and systems under test; segregation of systems with different security levels (e.g. those processing sensitive personal data or financial data are segregated from other business systems) and segregation or segmentation of services used by different subsidiary organisations.
13) Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation?
Answer yes if all data transfers to and from your organisation are approved by relevant parties and secured with an appropriate level of authentication and encryption (such as HTTPS for web traffic and SFTP for file transfers). Please describe the nature of these controls in the notes section, both technical and procedural.
14) Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service) attacks?
Answer yes if your organisation has implemented controls to protect its services against DOS (Denial of Service) and DDOS (Distributed Denial of Service) attacks. Please describe the nature of these controls in the notes section.
15) Does your organisation keep a list of approved network connections (such as site to site VPNs) between your corporate network and third parties?
Answer yes if your organisation keeps a list of approved network connections between its own network and any third party networks.
16) Is each of the approved network connections subject to a risk assessment?
Answer yes if your organisation completes a risk assessment for each identified network connection between your network and any third party network.
17) Does your organisation conduct regular external automated vulnerability scans of its public facing IT infrastructure and remediate any findings?
Answer yes if your organisation conducts regular external vulnerability scans of its public IP infrastructure and remediates the findings.
18) How many external automated vulnerability scans does your organisation conduct each year?
Please state the number of scans completed every year.
19) Does your organisation conduct regular internal automated vulnerability scans of its IT infrastructure and remediate any findings?
Answer yes if your organisation conducts regular internal vulnerability scans of its internal IP infrastructure and remediates the findings.
20) How many internal automated vulnerability scans does your organisation conduct each year?
Please state the number of scans completed every year.
21) Does your organisation conduct regular penetration tests of its public facing IT infrastructure?
Answer yes if your organisation conducts regular penetration tests of its public facing IT systems and infrastructure and remediates the findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.
22) Does your organisation conduct regular penetration tests (or red teams) of its internal systems (that assumes a compromise of perimeter controls)?
Answer yes if your organisation conducts regular penetration tests of its internal IT systems and infrastructure and remediates the findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.
23) Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows?
Answer yes if you have processes in place which facilitate effective triage of vulnerabilities and input necessary remediations into the appropriate workflows, for example, development, IT change management or ad-hoc improvement programmes. This should cover all vulnerabilities identified through scanning, penetration tests, or other inputs such as external alert feeds or internal employee reporting. It should also include communication of vulnerabilities to key stakeholders (including relevant clients) where temporary compensating controls may be required. Please give details of your process(es) in the notes section.
24) Does your organisation record and store user activity logs for all cloud environments, networks and associated services?
Answer yes if your organisation records and stores user activity logs for its IT production systems, network devices and endpoint devices.
25) Does your organisation record and store the logs of root/super user/ administrator actions for all cloud environments, networks and associated services?
Answer yes if your organisation records and stores administrator activity logs for its IT production systems, network devices and endpoint devices.
26) Does your organisation record and store the logs of root/super user/administrator actions for the network and associated services?
Answer yes if your organisation records and stores administrator activity logs for its IT production systems and endpoint devices.
27) For how many months does your organisation stores its root/super-user/administrator logs?
Please state how many months the logs are kept for.
28) Are all logs stored on a secure/hardened server that is logically separate from the systems being logged?
Answer yes if your organisation stores all recorded logs on dedicated servers that are logically separate from your production systems, and hardened.
29) Does your organisation have a testing process to test business critical applications before they are deployed, to ensure there is no adverse impact on operations or security?
Answer yes if your organisation has a robust testing process implemented to appropriately test the deployment of applications to mitigate any adverse impact this may have on the operation or security of your IT estate. Please describe the nature of the testing process in the notes or provide a supporting document (as a PDF file) as evidence.
30) Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load?
Answer yes if your organisation has controls in place to monitor the capacity of its IT production systems to make sure that they can cope with the load. Please describe the controls in the notes section.
31) Does your organisation manage and control the use of, and access to, any cryptographic keys?
Answer yes if your organisation controls the use of, and access to, cryptographic keys. These keys are typically used to access IT infrastructure and services. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.