Do your due diligence by verifying assessment responses. This is a defensible step that helps ensure you are getting truthful answers. We recommend that you add a few more requirements every year in order to gradually expand the body of evidence.
You can ask for evidence after the assessment has been submitted, or proactively set the requirements in an assessment template. The latter is the easier method. Learn how to set assessment requirements here.
The recommended list of internal technical requirements is below:
1.1 Internet (1)
4.3 Storage (1)
6.2 Laptops (1)
8.3 Validation (1)
9.1 Backups (2)
Section 1.1 - Internet
All connectivity between public networks and internal networks is routed through a firewall or other packet filtering and control device.
If True, ask for a screenshot or formally documented validation that shows all connectivity between public networks and internal networks is routed through a firewall and/or packet filtering and control device
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 1.2 - Wide Area Network (WAN)
The organization has defined a set of information security policies that are formally approved by executive management.
If True, ask for a screenshot or formally documented validation of review that shows remote sites are unable to access untrusted networks
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 1.3 - Local Area Network (LAN)
Unmanaged network equipment (switches and hubs) is not employed for network connectivity; all network equipment is managed.
If True, ask for a screenshot or formally documented validation that shows all network equipment is managed
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 1.4 - Wireless Local Area Network (WLAN)
Systems connecting to guest wireless networks cannot access internal network resources.
If True, ask for a screenshot or formally documented validation that shows guest wireless networks cannot access internal networks
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 2.1 - User Remote Access
Multi-factor authentication is used for all client remote access to the organization's network(s).
If True, ask for a screenshot or formally documented validation that shows multi-factor authentication is used for all client remote access
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Remote access traffic is sufficiently encrypted.
If True, ask for a screenshot or formally documented validation that shows all remote access traffic is sufficiently encrypted
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 2.2 - Third-Party Remote Access
Third party remote access is only enabled when it is required for the conduct of authorized activities.
If True, ask for a screenshot or formally documented validation that shows third party remote access is only enabled when conducting authorized activities
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Multi-factor authentication is used for all third party client remote access connections.
If True, ask for a screenshot or formally documented validation that shows multi-factor authentication is in place for all third party access
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 3.1 - Directory Security
Access to the Built-in Domain Administrator account is sufficiently limited.
If True, ask for a screenshot or formally documented validation that shows access to the Built-in Domain Administrator account is sufficiently limited
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 3.2 - Directory Policy
Strong password requirements are sufficiently enforced through Group Policy.
If True, ask for a screenshot or formally documented validation that strong password requirements are enforced through Group Policy
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 4.1 - Server Software
Server operating systems are current and supported by the supplier/developer/manufacturer.
If True, ask for a screenshot or formally documented validation that shows server operating systems are currently supported by the supplier/developer/manufacturer
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Servers have appropriate malware protection installed.
If True, ask for a screenshot or formally documented validation that shows servers have appropriate malware protection installed
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 4.3 - Storage
The organization regularly scans storage systems in search of unusual or unauthorized file storage.
If True, ask for a screenshot or formally documented validation that shows scans are conducted on a regular basis looking for unusual or unauthorized file storage
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 5.1 - Client Software
The client operating systems (workstation, laptop, etc.) used by your organization are currently supported by the manufacturer (updates/patches, technical support, etc., are available).
If True, ask for a screenshot or formally documented validation that shows client operating systems are currently supported by the supplier/developer/manufacturer
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Users do not maintain, and cannot easily obtain, local administrative privileges on their workstations.
If True, ask for a screenshot or formally documented validation that shows users do not have local administrative privileges on their workstations
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 6.1 - Phones and Tablets
Mobile devices that could contain sensitive information are protected with enforced authentication.
If True, ask for a screenshot or formally documented validation that shows mobile devices that could contain sensitive information are protected with enforced authentication
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Remote wipe capabilities are available and used to protect data on lost and/or stolen mobile devices.
If True, ask for a screenshot or formally documented validation that shows remote wipe capabilities are available and used to protect data on lost and/or stolen mobile devices
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 6.2 - Laptops
Whole-disk encryption is employed to protect all data stored on laptop hard drives.
If True, ask for a screenshot or formally documented validation that shows whole-disk encryption is employed to protect all data stored on laptop hard drives
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 7.2 - Events and Incidents
Critical systems administration personnel are immediately alerted to high-severity security-related events.
If True, ask for a screenshot or formally documented validation that shows critical systems administration personnel are immediately alerted to high-severity security-related events
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 8.1 - Microsoft Software and Applications
Critical-severity vulnerabilities are resolved in a timely manner.
If True, ask for a screenshot or formally documented validation that shows critical-severity vulnerabilities are resolved in a timely manner
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
A centralized patch management solution is leveraged by the organization.
If True, ask for a screenshot or formally documented validation that shows a centralized patch management solution is leveraged by the organization
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 8.2 - Non-Microsoft Operating Systems
Critical non-Microsoft operating system vulnerabilities are patched in a timely manner.
If True, ask for a screenshot or formally documented validation that shows critical non-Microsoft operating system vulnerabilities are patched in a timely manner
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Patches are applied to infrastructure systems (firewalls, routers, switches, virtual host servers, etc.) in a timely manner.
If True, ask for a screenshot or formally documented validation that shows patches are applied to infrastructure systems (firewalls, routers, switches, virtual host servers, etc.) in a timely manner
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 8.3 - Validation
Vulnerability scanning is conducted regularly, using tools separate from those used to remediate vulnerabilities.
If True, ask for a screenshot or formally documented validation that shows vulnerability scanning is conducted regularly, using tools separate from those used to remediate vulnerabilities
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 9.1 - Backups
A backup inventory is maintained and available, including backup contents and frequency.
If True, ask for a screenshot or formally documented validation that shows a backup inventory is maintained and available, including backup contents and frequency
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Complete backups of all critical systems are taken regularly.
If True, ask for a screenshot or formally documented validation that shows complete backups of all critical systems are taken regularly
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 9.2 - Backup Storage
Backup data is stored in a location that is sufficiently distanced from the primary operational facility.
If True, ask for a screenshot or formally documented validation that shows backup data is stored in a location that is sufficiently distanced from the primary operational facility
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Backup data is transported to the storage environment in an encrypted form.
If True, ask for a screenshot or formally documented validation that shows backup data is transported to the storage environment in an encrypted form
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 9.3 - Disaster Recovery and Business Continuity
Backups are taken in accordance with a documented disaster recovery and/or business continuity plan.
If True, ask for a screenshot or formally documented validation that shows backups are taken in accordance with a documented disaster recovery and/or business continuity plan
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Backup data is encrypted while in storage and the encryption keys are accessible in a disaster situation.
If True, ask for a screenshot or formally documented validation that shows backup data is encrypted while in storage and the encryption keys are accessible in a disaster situation
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 9.4 - Backup Validation
Backups are periodically tested and validated.
If True, ask for a screenshot or formally documented validation that shows backups are periodically tested and validated
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
The restoration of entire servers from bare metal has been tested.
If True, ask for a screenshot or formally documented validation that shows the restoration of entire servers from bare metal has been tested
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability