
G. Network and Cloud Security

This domain covers the security controls you have implemented to maintain the security and integrity of your corporate network and any cloud infrastructure.

00) Does your organisation own or maintain a corporate network, cloud environment, or any application hosting infrastructure?

Answer yes if your organisation maintains a corporate network that allows user devices to connect and communicate with any network based storage or internal services, or if your organisation maintains any application hosting infrastructure (cloud or otherwise).

Tags: Scoping

01) Are all of your organisation's network perimeter ingress and egress points protected by firewalls?

Answer yes if your organisation has secured all of the perimeter ingress and egress points of its corporate network and IT environments with firewalls.

Tags: Firewalls

02) Were the firewalls implemented using a deny all policy, with rules built around your organisation’s requirements?

Answer yes if the firewalls were implemented with a 'deny all' policy, and if the firewall rules were only added when a business requirement was identified that required the rule to be created.

Tags: Firewall Rules

03) Does your organisation review its firewall rules at least annually?

Answer yes if your organisation undertakes an annual firewall rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.

Tags: Firewall Rule Review
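As an added illustration of what questions 02 and 03 expect from a rule set (this is example code, not part of the questionnaire), the checker below audits a hypothetical, constructed rule-list format for the four things a review should catch: no default deny-all at the end, allow rules with no recorded business requirement, rules not reviewed within the year, and rules made redundant because an earlier rule already matches everything they would. The rule format, field names and sample data are assumptions, not a real firewall export.

```python
# Added example: audits a firewall rule list for the gaps a Q02/Q03 review targets.
# Hypothetical rule format and constructed sample data, not a real firewall export.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: str                  # "any" or a source network/host label
    dst: str                  # "any" or a destination network/host label
    port: str                 # "any" or a destination port
    action: str               # "allow" or "deny"
    justification: str = ""   # recorded business requirement / ticket id
    last_reviewed: Optional[date] = None

def _covers(broad: str, narrow: str) -> bool:
    # First-match semantics: "any" matches everything, otherwise labels must be equal.
    return broad == "any" or broad == narrow

def audit(rules: List[Rule], today: date, max_age_days: int = 365) -> List[str]:
    """Return findings in rule order; an empty list means the rule set passes."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst, last.port) != ("any",) * 3:
        findings.append("no default deny-all rule at end of rule set")
    for i, r in enumerate(rules):
        if r.action == "allow" and not r.justification.strip():
            findings.append(f"rule {i}: allow without business justification")
        if r.last_reviewed is None or (today - r.last_reviewed).days > max_age_days:
            findings.append(f"rule {i}: not reviewed within {max_age_days} days")
        # Redundant if an earlier rule already matches every packet this one would.
        for j in range(i):
            e = rules[j]
            if _covers(e.src, r.src) and _covers(e.dst, r.dst) and _covers(e.port, r.port):
                findings.append(f"rule {i}: redundant, shadowed by rule {j}")
                break
    return findings

# Constructed sample: a justified rule, an unjustified one, a stale duplicate, the baseline deny.
REVIEW_DATE = date(2024, 9, 1)
SAMPLE_RULES = [
    Rule("10.0.1.0/24", "10.0.2.10", "443", "allow", "REQ-101", date(2024, 3, 1)),
    Rule("any", "10.0.2.20", "22", "allow", "", date(2024, 3, 1)),
    Rule("10.0.1.0/24", "10.0.2.10", "443", "allow", "REQ-101", date(2022, 1, 15)),
    Rule("any", "any", "any", "deny", "baseline", date(2024, 3, 1)),
]
if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, REVIEW_DATE):
        print(finding)
```

The findings list is what the annual review would work through: each line names the rule index so the redundant or unjustified rule can be removed or re-justified.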

04) Does your organisation have web application firewalls (WAFs) implemented to protect critical web applications?

Answer yes if your organisation hosts any web applications, and if these web applications are protected with WAFs (web application firewalls).

Tags: Web Application Firewalls, WAFs

05) Were the WAFs implemented using a deny all policy, with rules built around your organisation’s requirements?

Answer yes if the WAFs were implemented with a 'deny all' policy, and if the WAF rules were only added when a business requirement was identified that required the rule to be created.

Tags: Web Application Firewall Rules, WAF Rules

06) Does your organisation review its WAF rules at least annually?

Answer yes if your organisation undertakes an annual WAF rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.

Tags: WAF Rule Review, Web Application Firewall Rule Review

07) Does your organisation place all publicly accessible services in isolated network DMZs (or separate subnets)?

Answer yes if your organisation hosts all publicly accessible services within a DMZ (a DMZ or demilitarised zone is a public facing subnet that acts as a barrier between your organisation's internal network and the public network).

Tags: DMZ

08) Does your organisation secure and encrypt remote connections to its network (for example, by using VPNs or SSH connections)?

Answer yes if your organisation forces all remote connections to its network infrastructure to be secured with a suitable solution such as a VPN or SSH connection.

Tags: Encryption in Transit

09) Does your organisation secure remote access to its network using multi-factor authentication?

Answer yes if your organisation forces all remote connections to its network to be secured using multi-factor authentication.

Tags: MFA, Remote Access

10) Has your organisation implemented any network monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems?

Answer yes if your organisation has implemented any network monitoring solutions (either in house or via a third party service provider). Please state in the notes how these solutions are monitored and confirm whether or not alerts are investigated appropriately.

Tags: IDS, IPS, SIEM, Network Monitoring

11) Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary?

Answer yes if your organisation has processes in place to frequently review and act upon events and alerts from security logs and monitoring tools. Please describe your processes for different types of security logs and events in the notes section.

Tags: IDS, IPS, SIEM, Network Monitoring

12) Has your organisation implemented any internal network segmentation and segregation?

Answer yes if your organisation has segmented its network based on internal security requirements, and appropriately segregated each network segment to restrict the level of access to sensitive information, hosts, and services.

Tags: Network Segmentation, Network Segregation

13) Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS)?

Answer yes if all data transfers to and from your organisation are secured with a control that implements an appropriate level of authentication and encryption (such as HTTPS for web traffic and SFTP for file transfers). Please describe the nature of these controls in the notes section.

Tags: Encryption in Transit, Secure Protocols

14) Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service) attacks?

Answer yes if your organisation has implemented controls to protect its services against DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks. Please describe the nature of these controls in the notes section.

Tags: DoS, DDoS

15) Does your organisation keep a list of approved network connections (such as site to site VPNs) between your corporate network and third parties?

Answer yes if your organisation keeps a list of approved network connections between its own network and any third party networks.

Tags: Approved Network Connection List

16) Is each of the approved network connections subject to a risk assessment?

Answer yes if your organisation completes a risk assessment for each identified network connection between your network and any third party network.

Tags: Network Connections Risk Assessment

17) Does your organisation conduct regular external automated vulnerability scans of its public facing IT infrastructure and remediate any findings?

Answer yes if your organisation conducts regular external vulnerability scans of its public IP infrastructure and remediates the findings.

Tags: External Vulnerability Scans

18) How many external automated vulnerability scans does your organisation conduct each year?

Please state the number of scans completed every year.

Tags: External Vulnerability Scans

19) Does your organisation conduct regular internal automated vulnerability scans of its IT infrastructure and remediate any findings?

Answer yes if your organisation conducts regular internal vulnerability scans of its internal IP infrastructure and remediates the findings.

Tags: Internal Vulnerability Scans

20) How many internal automated vulnerability scans does your organisation conduct each year?

Please state the number of scans completed every year.

Tags: Internal Vulnerability Scans

21) Does your organisation conduct regular penetration tests of its public facing IT infrastructure?

Answer yes if your organisation conducts regular penetration tests of its public facing IT systems and infrastructure and remediates the findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.

Tags: Pentest, Penetration Test

22) Does your organisation conduct regular penetration tests (or red teams) of its internal systems (that assume a compromise of perimeter controls)?

Answer yes if your organisation conducts regular penetration tests of its internal IT systems and infrastructure and remediates the findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.

Tags: Pentest, Penetration Test, Internal

23) Does your organisation record and store user activity logs for the network and associated services?

Answer yes if your organisation records and stores user activity logs for its network and associated services.

Tags: Network Logs

24) For how many months does your organisation store its user activity logs?

Please state how many months the logs are kept for.

Tags: Network Logs

25) Does your organisation record and store the logs of root/super user/administrator actions for the network and associated services?

Answer yes if your organisation records and stores administrator activity logs for its IT production systems and endpoint devices.

Tags: Administrator Network Logs

26) For how many months does your organisation store its root/super-user/administrator logs?

Please state how many months the logs are kept for.

Tags: Administrator Network Logs

27) Are all logs stored on a secure/hardened server that is logically separate from the systems being logged?

Answer yes if your organisation stores all recorded logs on dedicated, hardened servers that are logically separate from your production systems.

Tags: Secure Log Server

28) Does your organisation have a testing process to test business critical applications before they are deployed, to ensure there is no adverse impact on operations or security?

Answer yes if your organisation has a robust testing process implemented to appropriately test the deployment of applications to mitigate any adverse impact this may have on the operation or security of your IT estate. Please describe the nature of the testing process in the notes or provide a supporting document (as a PDF file) as evidence.

Tags: Testing

29) Does your organisation segregate its production environment from any testing or development environments?

Answer yes if your organisation uses segregated environments for the development of applications, the testing of applications, and the hosting of production systems that handle live data. Please state in the notes the nature of the segregation (logical/physical).

Tags: Segregated Hosting

30) Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load?

Answer yes if your organisation has controls in place to monitor the capacity of its IT production systems to make sure that they can cope with the load. Please describe the controls in the notes section.

Tags: Load Monitoring, System Capacity

31) Does your organisation manage and control the use of, and access to, any cryptographic keys?

Answer yes if your organisation controls the use of, and access to, cryptographic keys. These keys are typically used to access IT infrastructure and services. Please provide a supporting document (as a PDF file) outlining the process, or describe the process in the notes section as evidence.

Tags: Cryptographic Key Management