Do your due diligence by verifying assessment responses. This is a defensible step that helps ensure you are getting truthful answers. We recommend that you add a few more requirements every year in order to gradually expand the body of evidence.
You can ask for evidence after the assessment has been submitted OR proactively set the requirements in an assessment template. This is the easier method. Learn how to set assessment requirements here.
The recommended list of external technical requirements is below:
Section 1.1 - Perimeter Control
Lists of known trusted and/or known malicious sites/IPs/systems are used to protect communications.
If True, ask for a screenshot or formally documented validation that shows lists of known trusted and/or known malicious sites/IPs/systems are used to protect communications
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Internet-based systems are not permitted to directly connect to systems on internal networks.
If True, ask for a screenshot or formally documented validation that shows internet-based systems are not permitted to directly connect to systems on internal networks
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 1.2 - Monitoring
Network-based Intrusion Detection Systems (IDS) are used to monitor traffic on the Internet, extranet DMZ systems, and networks.
If True, ask for a screenshot or formally documented validation that shows network-based Intrusion Detection Systems (IDS) are used to monitor traffic on the internet, extranet DMZ systems, and networks
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
All traffic entering through the perimeter and all traffic leaving through the perimeter is inspected for the presence of malicious files.
If True, ask for a screenshot or formally documented validation that shows all traffic entering through the perimeter and all traffic leaving through the perimeter is inspected for the presence of malicious files
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 1.3 - Validation and Testing
External vulnerability scans are conducted on a quarterly basis, or more often.
If True, ask for a screenshot or formally documented validation that shows external vulnerability scans are conducted on a quarterly basis, or more often
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
External vulnerability scan reports are reviewed by knowledgeable and authorized personnel.
If True, ask for a screenshot or formally documented validation that shows external vulnerability scan reports are reviewed by knowledgeable and authorized personnel
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 2.1 - Reconnaissance Testing
The organization has validated that DNS zone transfers are prohibited, except between primary and secondary servers.
If True, ask for a screenshot or formally documented validation that shows the organization has validated that DNS zone transfers are prohibited, except between primary and secondary servers
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Properly configured Sender Policy Framework (SPF) records are employed to lower the chance of spoofed email addresses.
If True, ask for a screenshot or formally documented validation that shows properly configured Sender Policy Framework (SPF) records are employed to lower the chance of spoofed email addresses
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
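For the SPF item above, an added example (not code from the original article) of how an assessor can check the TXT records captured in a vendor's evidence for the common SPF misconfigurations: no record, more than one record, a missing or permissive "all" mechanism, and too many DNS-lookup terms. The domain names and records are constructed samples.

```python
import re

# Constructed sample TXT records keyed by domain (hypothetical, for illustration only).
SAMPLE_RECORDS = {
    "good.example":     ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "softfail.example": ["v=spf1 include:_spf.mail.example ~all"],
    "open.example":     ["v=spf1 +all"],
    "neutral.example":  ["v=spf1 mx ?all"],
    "noall.example":    ["v=spf1 ip4:198.51.100.7"],
    "dup.example":      ["v=spf1 mx -all", "v=spf1 a -all"],
    "missing.example":  [],
}

# Terms that each consume one of the 10 DNS lookups allowed by RFC 7208 section 4.6.4.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(records):
    """Return a list of findings for one domain's TXT records; an empty list means acceptable."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records published (RFC 7208 requires exactly one)"]
    findings = []
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    else:
        final = all_terms[-1].lower()
        if final in ("+all", "all"):
            findings.append("'+all' permits any host to send as this domain")
        elif final == "?all":
            findings.append("'?all' is neutral and gives receivers no guidance")
        elif final == "~all":
            findings.append("'~all' softfail: consider '-all' once sending sources are confirmed")
    # Strip the qualifier and any ':' or '=' argument to get the bare mechanism/modifier name.
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].lower() for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_domains(records_by_domain):
    """Map each domain to its findings so evidence can be reviewed domain by domain."""
    return {d: check_spf(r) for d, r in records_by_domain.items()}


if __name__ == "__main__":
    for domain, findings in assess_domains(SAMPLE_RECORDS).items():
        print(domain, "->", findings or ["OK"])
```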
Section 3.1 - Enumeration Testing
Administrative login pages are secured with multi-factor authentication.
If True, ask for a screenshot or formally documented validation that shows administrative login pages are secured with multi-factor authentication
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
General-user login pages are secured with multi-factor authentication.
If True, ask for a screenshot or formally documented validation that shows general-user login pages are secured with multi-factor authentication
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
Section 4.1 - Vulnerability Testing
There are no critical-severity vulnerabilities (CVSS 10) exposed to the Internet or any other public network.
If True, ask for a screenshot or formally documented validation that shows there are no critical-severity vulnerabilities (CVSS 10) exposed to the internet or any other public network
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability
There are no known exploitable critical or high-severity vulnerabilities exposed to the Internet or any other public network.
If True, ask for a screenshot or formally documented validation that shows there are no known exploitable critical or high-severity vulnerabilities exposed to the internet or any other public network
If False, consider pursuing in remediation
If N/A, ask for a note explaining why this is not applicable and a specific date for when this will be reviewed for applicability