This domain covers the security controls you have implemented to maintain the security and integrity of your corporate network and any cloud infrastructure.
Answer yes if your organisation maintains a corporate network that allows user devices to connect and communicate with any network-based storage or internal services, or if your organisation maintains any application hosting infrastructure (cloud or otherwise). You should also answer yes if you use a public cloud to host applications, since under the shared responsibility model you remain responsible for implementing security controls within your own environment.
Answer yes if your organisation has secured all of the ingress and egress points of its corporate network and IT environments with firewalls.
Answer yes if the firewalls were implemented with a 'deny all' policy, and each rule was only added when a business requirement was identified, documented and approved by an authorised individual.
Answer yes if your organisation undertakes an annual firewall rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.
Answer yes if all web applications hosted by your organisation are protected with WAFs (web application firewalls). If your organisation does not host any web applications, answer 'No' and state this in the notes section.
Answer yes if the WAFs were implemented with a 'deny all' policy, and each WAF rule was only added when a specific business requirement for that rule was identified.
Answer yes if your organisation undertakes an annual WAF rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.
Answer yes if your organisation hosts all publicly accessible services within a DMZ (a DMZ or demilitarised zone is a public facing subnet that acts as a barrier between your organisation's internal environment and the internet or other public network).
Answer yes if your organisation forces all remote connections to its network infrastructure or cloud environment to be secured with a suitable solution such as a VPN or SSH connection.
Answer yes if your organisation forces all remote connections to its network or cloud environment to be secured using two-factor authentication.
Answer yes if your organisation has implemented any network or cloud monitoring solutions (either in-house or via a third-party service provider). Please describe which solutions you have in place and the coverage they have over your network(s) or cloud environment(s).
Answer yes if your organisation has processes in place to frequently review and act upon events and alerts from security logs and monitoring tools. Please describe your processes for different types of security logs and events in the notes section.
Answer yes if your organisation has appropriately segregated its network or cloud environments to restrict the level of access to sensitive information, hosts, and services. Examples include: segregation of production systems from systems being commissioned or decommissioned and from systems under test; segregation of systems with different security levels (e.g. those processing sensitive personal data or financial data are segregated from other business systems); and segregation or segmentation of services used by different subsidiary organisations.
Answer yes if all data transfers to and from your organisation are approved by relevant parties and secured with an appropriate level of authentication and encryption (such as HTTPS for web traffic and SFTP for file transfers). Please describe the nature of these controls in the notes section, both technical and procedural.
Answer yes if your organisation has implemented controls to protect its services against DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks. Please describe the nature of these controls in the notes section.
Answer yes if your organisation keeps a list of approved network connections between its own network and any third-party networks.
Answer yes if your organisation completes a risk assessment for each identified network connection between your network and any third-party network.
Answer yes if your organisation conducts regular external vulnerability scans of its public IP infrastructure and remediates the findings.
Please state the number of scans completed every year.
Answer yes if your organisation conducts regular internal vulnerability scans of its internal IP infrastructure and remediates the findings.
Please state the number of scans completed every year.
Answer yes if your organisation conducts regular penetration tests of its public-facing IT systems and infrastructure and remediates the findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.
Answer yes if your organisation conducts regular penetration tests of its internal IT systems and infrastructure and remediates the findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.
Answer yes if you have processes in place that facilitate effective triage of vulnerabilities and feed the necessary remediations into the appropriate workflows, for example development, IT change management or ad-hoc improvement programmes. This should cover all vulnerabilities identified through scanning, penetration tests, or other inputs such as external alert feeds or internal employee reporting. It should also include communication of vulnerabilities to key stakeholders (including relevant clients) where temporary compensating controls may be required. Please give details of your process(es) in the notes section.
Answer yes if your organisation records and stores user activity logs for its IT production systems, network devices and endpoint devices.
Answer yes if your organisation records and stores administrator activity logs for its IT production systems, network devices and endpoint devices.
Answer yes if your organisation records and stores administrator activity logs for its IT production systems and endpoint devices.
Please state for how many months the logs are kept.
Answer yes if your organisation stores all recorded logs on dedicated, hardened servers that are logically separate from your production systems.
Answer yes if your organisation has a robust testing process in place to appropriately test the deployment of applications and mitigate any adverse impact the deployment may have on the operation or security of your IT estate. Please describe the nature of the testing process in the notes or provide a supporting document (as a PDF file) as evidence.
Answer yes if your organisation has controls in place to monitor the capacity of its IT production systems and make sure that they can cope with the expected load. Please describe the controls in the notes section.
Answer yes if your organisation controls the use of, and access to, cryptographic keys. These keys are typically used to access IT infrastructure and services. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.