Do your due diligence by verifying assessment responses. This is a defensible step that helps ensure you are getting truthful answers. We recommend that you add a few more requirements every year in order to gradually expand the body of evidence.

You can ask for evidence after the assessment has been submitted OR proactively set the requirements in an assessment template. This is the easier method. Learn how to set assessment requirements here.

The recommended list of internal technical requirements is below:

1.1 Internet (1)

1.2 Wide Area Network (WAN) (1)

1.3 Local Area Network (LAN) (1)

1.4 Wireless Local Area Network (WLAN) (1)

2.1 User Remote Access (2)

2.2 Third-Party Remote Access (2)

3.1 Directory Security (1)

3.2 Directory Policy (1)

4.1 Server Software (2)

4.3 Storage (1)

5.1 Client Software (2)

6.1 Phones and Tablets (2)

6.2 Laptops (1)

7.2 Events and Incidents (1)

8.1 Microsoft Software and Applications (2)

8.2 Non-Microsoft Operating Systems (2)

8.3 Validation (1)

9.1 Backups (2)

9.2 Backup Storage (2)

9.3 Disaster Recovery and Business Continuity (2)

9.4 Backup Validation (2)

Section 1.1 - Internet

All connectivity between public networks and internal networks is routed through a firewall or other packet filtering and control device.

If True, ask for a screenshot or formally documented validation of review of public networks and internal routing through firewall and/or packet filtering and control device

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

The recommended list of internal technical requirements is below:

Section 1.1 - Internet

All connectivity between public networks and internal networks is routed through a firewall or other packet filtering and control device.

Section 1.2 - Wide Area Network (WAN)

The organization has defined a set of information security policies that are formally approved by executive management.

Section 1.3 - Local Area Network (LAN)

Unmanaged network equipment (switches and hubs) is not employed for network connectivity; all network equipment is managed.

Section 1.4 - Wireless Local Area Network (WLAN)

Systems connecting to guest wireless networks cannot access internal network resources.

Section 2.1 - User Remote Access

Multi-factor authentication is used for all client remote access to the organization's network(s).

Remote access traffic is sufficiently encrypted.

Section 2.2 - Third-Party Remote Access

Third party remote access is only enabled when it is required for the conduct of authorized activities.

Multi-factor authentication is used for all third party client remote access connections.

Section 3.1 - Directory Security

Access to the Built-in Domain Administrator account is sufficiently limited.

Section 3.2 - Directory Policy

Strong password requirements are sufficiently enforced through Group Policy.

Section 4.1 - Server Software

Server operating systems are current and supported by the supplier/developer/manufacturer.

Servers have appropriate malware protection installed.

Section 4.3 - Storage

The organization regularly scans storage systems in search of unusual or unauthorized file storage.

Section 5.1 - Client Software

The client operating systems (workstation, laptop, etc.) used by your organization are currently supported by the manufacturer (updates/patches, technical support, etc., is available).

Users do not maintain, and cannot easily obtain, local administrative privileges on their workstations.

Section 6.1 - Phones and Tablets

The mobile devices that shows could contain sensitive information are protected with enforced authentication.

Remote wipe capabilities are available and used to protect data on lost and/or stolen mobile devices.

Section 6.2 - Laptops

Whole-disk encryption is employed to protect all data stored on laptop hard drives.

Section 7.2 - Events and Incidents

Critical systems administration personnel are immediately alerted to high-severity security-related events.

Section 8.1 - Microsoft Software and Applications

Critical-severity vulnerabilities are resolved in a timely manner.

A centralized patch management solution is leveraged by the organization.

Section 8.2 - Non-Microsoft Operating Systems

Critical non-Microsoft operating system vulnerabilities are patched in a timely manner

Patches are applied to infrastructure systems (firewalls, routers, switches, virtual host servers, etc.) in a timely manner.

Section 8.3 - Validation

Vulnerability scanning is conducted regularly, using tools separate from those used to remediate vulnerabilities.

Section 9.1 - Backups

A backup inventory is maintained and available, including backup contents and frequency.

Complete backups of all critical systems are taken regularly.

Section 9.2 - Backup Storage

Backup data is stored in a location that shows is sufficiently distanced from the primary operational facility.

Backup data is transported to the storage environment in an encrypted form.

Section 9.3 - Disaster Recovery and Business Continuity

Backups are taken in accordance with a documented disaster recovery and/or business continuity plan.

Backup data is encrypted while in storage and the encryption keys are accessible in a disaster situation.

Section 9.4 - Backup Validation

Backups are periodically tested and validated.

The restoration of entire servers from bare metal has been tested.

Related Items