Skip to main content
All CollectionsS2VENDORAdministration
Internal Technical Controls - Requirements
Internal Technical Controls - Requirements

Verify assessment answers by asking for evidence

Kevin avatar
Written by Kevin
Updated over 2 years ago

Do your due diligence by verifying assessment responses. This is a defensible step that helps ensure you are getting truthful answers. We recommend that you add a few more requirements every year in order to gradually expand the body of evidence.

You can ask for evidence after the assessment has been submitted OR proactively set the requirements in an assessment template. This is the easier method. Learn how to set assessment requirements here.

The recommended list of internal technical requirements is below:


Section 1.1 - Internet

All connectivity between public networks and internal networks is routed through a firewall or other packet filtering and control device.

If True, ask for a screenshot or formally documented validation of review of public networks and internal routing through firewall and/or packet filtering and control device

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 1.2 - Wide Area Network (WAN)

The organization has defined a set of information security policies that are formally approved by executive management.

If True, ask for a screenshot or formally documented validation of review that shows remote sites are unable to access untrusted networks

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 1.3 - Local Area Network (LAN)

Unmanaged network equipment (switches and hubs) is not employed for network connectivity; all network equipment is managed.

If True, ask for a screenshot or formally documented validation that shows all network equipment is managed

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 1.4 - Wireless Local Area Network (WLAN)

Systems connecting to guest wireless networks cannot access internal network resources.

If True, ask for a screenshot or formally documented validation that shows guest wireless networks cannot access internal networks

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 2.1 - User Remote Access

Multi-factor authentication is used for all client remote access to the organization's network(s).

If True, ask for a screenshot or formally documented validation that shows multi-factor is used for all client remote access

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

Remote access traffic is sufficiently encrypted.

If True, ask for a screenshot or formally documented validation that shows all remote access traffic is sufficiently encrypted

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 2.2 - Third-Party Remote Access

Third party remote access is only enabled when it is required for the conduct of authorized activities.

If True, ask for a screenshot or formally documented validation that shows third party remote access is only enabled when conducting authorized activities

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

Multi-factor authentication is used for all third party client remote access connections.

If True, ask for a screenshot or formally documented validation that shows multi-factor authentication is in place for all third party access

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 3.1 - Directory Security

Access to the Built-in Domain Administrator account is sufficiently limited.

If True, ask for a screenshot or formally documented validation that shows the Domain Administrator is sufficiently limited

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 3.2 - Directory Policy

Strong password requirements are sufficiently enforced through Group Policy.

If True, ask for a screenshot or formally documented validation that strong password requirements are enforced through Group Policy

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 4.1 - Server Software

Server operating systems are current and supported by the supplier/developer/manufacturer.

If True, ask for a screenshot or formally documented validation that shows server operating systems are currently supported by the supplier/developer/manufacturer

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

Servers have appropriate malware protection installed.

If True, ask for a screenshot or formally documented validation that shows servers have appropriate malware protection installed

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 4.3 - Storage

The organization regularly scans storage systems in search of unusual or unauthorized file storage.

If True, ask for a screenshot or formally documented validation that shows scans are conducted on a regular basis looking for unusual or unauthorized file storage

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 5.1 - Client Software

The client operating systems (workstation, laptop, etc.) used by your organization are currently supported by the manufacturer (updates/patches, technical support, etc., is available).

If True, ask for a screenshot or formally documented validation that shows client operating systems are currently supported by the supplier/developer/manufacturer

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

Users do not maintain, and cannot easily obtain, local administrative privileges on their workstations.

If True, ask for a screenshot or formally documented validation that shows users do not have local administrative privileges on their workstations

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 6.1 - Phones and Tablets

The mobile devices that shows could contain sensitive information are protected with enforced authentication.

If True, ask for a screenshot or formally documented validation that shows mobile devices that could contain sensitive information are protected with enforced authentication

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

Remote wipe capabilities are available and used to protect data on lost and/or stolen mobile devices.

If True, ask for a screenshot or formally documented validation that shows remote wipe capabilities are available and used to protect data on lost and/or stolen mobile devices

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 6.2 - Laptops

Whole-disk encryption is employed to protect all data stored on laptop hard drives.

If True, ask for a screenshot or formally documented validation that shows whole-disk encryption is employed to protect all data stored on laptop hard drives

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 7.2 - Events and Incidents

Critical systems administration personnel are immediately alerted to high-severity security-related events.

If True, ask for a screenshot or formally documented validation that shows critical systems administration personnel are immediately alerted to high-severity security-related events

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 8.1 - Microsoft Software and Applications

Critical-severity vulnerabilities are resolved in a timely manner.

If True, ask for a screenshot or formally documented validation that shows critical-severity vulnerabilities are resolved in a timely manner

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

A centralized patch management solution is leveraged by the organization.

If True, ask for a screenshot or formally documented validation that shows a centralized patch management solution is leveraged by the organization

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 8.2 - Non-Microsoft Operating Systems

Critical non-Microsoft operating system vulnerabilities are patched in a timely manner

If True, ask for a screenshot or formally documented validation that shows critical non-Microsoft operating system vulnerabilities are patched in a timely manner

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

Patches are applied to infrastructure systems (firewalls, routers, switches, virtual host servers, etc.) in a timely manner.

If True, ask for a screenshot or formally documented validation that shows patches are applied to infrastructure systems (firewalls, routers, switches, virtual host servers, etc.) in a timely manner

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 8.3 - Validation

Vulnerability scanning is conducted regularly, using tools separate from those used to remediate vulnerabilities.

If True, ask for a screenshot or formally documented validation that shows vulnerability scanning is conducted regularly, using tools separate from those used to remediate vulnerabilities

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 9.1 - Backups

A backup inventory is maintained and available, including backup contents and frequency.

If True, ask for a screenshot or formally documented validation that shows a backup inventory is maintained and available, including backup contents and frequency

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

Complete backups of all critical systems are taken regularly.

If True, ask for a screenshot or formally documented validation that shows complete backups of all critical systems are taken regularly

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 9.2 - Backup Storage

Backup data is stored in a location that shows is sufficiently distanced from the primary operational facility.

If True, ask for a screenshot or formally documented validation that shows backup data is stored in a location that shows is sufficiently distanced from the primary operational facility

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

Backup data is transported to the storage environment in an encrypted form.

If True, ask for a screenshot or formally documented validation that shows backup data is transported to the storage environment in an encrypted form

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 9.3 - Disaster Recovery and Business Continuity

Backups are taken in accordance with a documented disaster recovery and/or business continuity plan.

If True, ask for a screenshot or formally documented validation that shows backups are taken in accordance with a documented disaster recovery and/or business continuity plan

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

Backup data is encrypted while in storage and the encryption keys are accessible in a disaster situation.

If True, ask for a screenshot or formally documented validation that shows backup data is encrypted while in storage and the encryption keys are accessible in a disaster situation

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Section 9.4 - Backup Validation

Backups are periodically tested and validated.

If True, ask for a screenshot or formally documented validation that shows backups are periodically tested and validated

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability

The restoration of entire servers from bare metal has been tested.

If True, ask for a screenshot or formally documented validation that shows the restoration of entire servers from bare metal has been tested

If False, consider pursuing in remediation

If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability


Related Items


โ€‹

Did this answer your question?