Questions

#QuestionCreatedLast Modified
Q31 Your business ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area.17/12/2019 20:15:3421/07/2020 20:17:28
Q30 Your business has effective processes to identify, report, manage and resolve any personal data breaches.17/12/2019 20:15:3421/07/2020 20:08:42
Q29 Your business has an information security policy supported by appropriate security measures.17/12/2019 20:15:3421/07/2020 20:04:27
Q28 Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.17/12/2019 20:15:3421/07/2020 19:55:35
Q27 Your business has nominated a data protection lead or Data Protection Officer (DPO).17/12/2019 20:15:3421/07/2020 19:47:30
Q26 Your business has a DPIA framework which links to your existing risk management and project management processes.17/12/2019 20:15:3421/07/2020 19:38:25
Q25 Your business understands when you must conduct a DPIA and has processes in place to action this.17/12/2019 20:15:3421/07/2020 19:35:20
Q24 Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.17/12/2019 20:15:3421/07/2020 19:30:00
Q23 Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.17/12/2019 20:15:3421/07/2020 19:26:41
Q22 Your business has a written contract with any processors you use.17/12/2019 20:15:3421/07/2020 19:20:30
Q21 Your business provides data protection awareness training for all staff.17/12/2019 20:15:3421/07/2020 19:17:15
Q20 Your business monitors your own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.17/12/2019 20:15:3421/07/2020 19:10:46
Q19 Your business has an appropriate data protection policy.17/12/2019 20:15:3421/07/2020 19:06:17
Q18 Your business has identified whether any of your processing operations constitute automated decision making and have procedures in place to deal with the requirements.17/12/2019 20:15:3421/07/2020 18:55:03
Q17 Your business has procedures to handle an individual’s objection to the processing of their personal data.17/12/2019 20:15:3421/07/2020 18:49:55
Q16 Your business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.17/12/2019 20:15:3421/07/2020 18:49:03
Q15 Your business has procedures to respond to an individual’s request to restrict the processing of their personal data.17/12/2019 20:15:3421/07/2020 18:48:14
Q14 Your business has a process to securely dispose of personal data that is no longer required or where an individual has asked you to erase it.17/12/2019 20:15:3421/07/2020 18:47:14
Q13 Your business has processes to ensure that the personal data you hold remains accurate and up to date.17/12/2019 20:15:3421/07/2020 18:46:11
Q12 Your business has a process to recognise and respond to individuals' requests to access their personal data.17/12/2019 20:15:3421/07/2020 18:45:02
Q11 If your business offers online services directly to children, you communicate privacy information in a way that a child will understand.17/12/2019 20:15:3421/07/2020 18:43:53
Q10 Your business has provided privacy information to individuals.17/12/2019 20:15:3421/07/2020 18:31:03
Q9 Your business is currently registered with the Information Commissioner's Office.17/12/2019 20:15:3421/07/2020 18:30:28
Q8 If you are relying on legitimate interests as the lawful basis for processing, your business has applied the three part test and can demonstrate you have fully considered and protected individual’s rights and interests.17/12/2019 20:15:3421/07/2020 18:29:28
Q7 If you may be required to process data to protect the vital interests of an individual, your business has clearly documented the circumstances where it will be relevant. Your business documents your justification for relying on this basis and informs individuals where necessary.17/12/2019 20:15:3421/07/2020 18:28:19
Q2 Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.17/12/2019 20:15:3421/07/2020 18:24:29
Q3 Your business has identified your lawful bases for processing and documented them.17/12/2019 20:15:3421/07/2020 18:23:55
Q4 Your business has reviewed how you ask for and record consent.17/12/2019 20:15:3421/07/2020 18:23:24
Q5 Your business has systems to record and manage ongoing consent.17/12/2019 20:15:3421/07/2020 18:22:52
Q6 If your business relies on consent to offer online services directly to children, you have systems in place to manage it.17/12/2019 20:15:3421/07/2020 18:22:12
Q1 Your business has conducted an information audit to map personal data flows.17/12/2019 20:15:3411/07/2020 14:28:09
Your organisation's approach and policy relating to the security of networks and information systems supporting the operation  of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.29/05/2020 09:55:1929/05/2020 09:55:19
Regular board discussions on the security of network and information systems supporting the operation  of your essential function take place, based on timely and accurate information and informed by expert guidance.29/05/2020 09:55:1929/05/2020 09:55:19
There is a board-level individual who has overall accountability for the security of networks and information systems and drives regular discussion at board-level.29/05/2020 09:55:1929/05/2020 09:55:19
Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
The security of network and information systems related to the operation  of essential functions is discussed and reported regularly at board-level.29/05/2020 09:55:1929/05/2020 09:55:19
Board-level discussions on the security of networks and information systems are based on up-to-date information, with the benefit of expert guidance.29/05/2020 09:55:1929/05/2020 09:55:19
The security of networks and information systems supporting your essential functions are driven effectively by the direction set at board level.29/05/2020 09:55:1929/05/2020 09:55:19
No senior management or pockets of the organisation consider themselves exempt from some policies or expect special accommodations to be made.29/05/2020 09:55:1929/05/2020 09:55:19
Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose.29/05/2020 09:55:1929/05/2020 09:55:19
Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties.29/05/2020 09:55:1929/05/2020 09:55:19
There is clarity on who in your organisation has overall accountability for the security of the networks and information systems supporting your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Key roles are filled on a formal basis.29/05/2020 09:55:1929/05/2020 09:55:19
Staff are assigned security responsibilities with adequate authority and resources to fulfil them.29/05/2020 09:55:1929/05/2020 09:55:19
Staff are comfortable what their responsibilities are for the security of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Senior management have visibility of key risk decisions made throughout the organisation.29/05/2020 09:55:1929/05/2020 09:55:19
Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function, as set by senior management.29/05/2020 09:55:1929/05/2020 09:55:19
Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need.29/05/2020 09:55:1929/05/2020 09:55:19
Risk management decisions are periodically reviewed to ensure their continued relevance and validity.29/05/2020 09:55:1929/05/2020 09:55:19
What should be relatively straightforward risk decisions are completed by those placed effectively.29/05/2020 09:55:1929/05/2020 09:55:19
Risks are resolved formally at a local level with a formal reporting mechanism when it is appropriate.29/05/2020 09:55:1929/05/2020 09:55:19
Decision-makers are sure of what senior management's risk appetite is, or understand it in clear terms.29/05/2020 09:55:1929/05/2020 09:55:19
Organisational structure causes risk decisions to be made collaboratively. (e.g. engineering and IT talk to each other about risk).29/05/2020 09:55:1929/05/2020 09:55:19
Risk priorities are clear enough to make meaningful distinctions between them.29/05/2020 09:55:1929/05/2020 09:55:19
Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.29/05/2020 09:55:1929/05/2020 09:55:19
Your approach to risk is focused on the possibility of adverse impact to your essential function, leading to a detailed understanding of how such impact might arise as a consequence of possible attacker actions and the security properties of your networks and information systems.29/05/2020 09:55:1929/05/2020 09:55:19
Your risk assessments are based on a clearly understood set of threat assumptions, informed by an up-to-date understanding of security threats to your essential function and your sector.29/05/2020 09:55:1929/05/2020 09:55:19
Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.29/05/2020 09:55:1929/05/2020 09:55:19
Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.29/05/2020 09:55:1929/05/2020 09:55:19
You conduct risk assessments when significant events potentially affect the essential function, such as replacing a system or a change in the cyber security threat.29/05/2020 09:55:1929/05/2020 09:55:19
Your risk assessments are dynamic and updated in the light of relevant changes which may include technical changes to networks and information systems, change of use and new threat information.29/05/2020 09:55:1929/05/2020 09:55:19
The effectiveness of your risk management process is reviewed periodically, and improvements made as required.29/05/2020 09:55:1929/05/2020 09:55:19
You perform detailed threat analysis and understand how this applies to your organisation in the context of the threat to your sector and the wider CNI.29/05/2020 09:55:1929/05/2020 09:55:19
Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.29/05/2020 09:55:1929/05/2020 09:55:19
Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.29/05/2020 09:55:1929/05/2020 09:55:19
Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.29/05/2020 09:55:1929/05/2020 09:55:19
You conduct risk assessments when significant events potentially affect the essential function, such as replacing a system or a change in the cyber security threat.29/05/2020 09:55:1929/05/2020 09:55:19
You perform threat analysis and understand how generic threats apply to your organisation.29/05/2020 09:55:1929/05/2020 09:55:19
Risk assessments are based on a clearly defined set of threat assumptions.29/05/2020 09:55:1929/05/2020 09:55:19
Risk assessment outputs aren't too complex or unwieldy to be consumed by decision-makers and are effectively communicated in a clear and timely manner.29/05/2020 09:55:1929/05/2020 09:55:19
Risk assessments for critical systems are a recurring activity.29/05/2020 09:55:1929/05/2020 09:55:19
The security elements of projects or programmes are not solely dependent on the completion of a risk management assessment without any regard to the outcomes.29/05/2020 09:55:1929/05/2020 09:55:19
There is a systematic process in place to ensure that identified security risks are managed effectively.29/05/2020 09:55:1929/05/2020 09:55:19
Systems are not assessed in isolation, and are assessed with consideration of dependencies and interactions with other systems. (e.g. interactions between IT and OT environments).29/05/2020 09:55:1929/05/2020 09:55:19
Security requirements and mitigation's aren't arbitrary and are applied from a control catalogue with consideration of how they contribute to the security of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Risks documented on a register are resolved quickly and effectively.  29/05/2020 09:55:1929/05/2020 09:55:19
You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.29/05/2020 09:55:1929/05/2020 09:55:19
You understand the assurance methods available to you and choose appropriate methods to gain confidence in the security of essential functions.29/05/2020 09:55:1929/05/2020 09:55:19
Your confidence in the security as it relates to your technology, people, and processes can be justified to, and verified by, a third party.29/05/2020 09:55:1929/05/2020 09:55:19
Security deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way.29/05/2020 09:55:1929/05/2020 09:55:19
The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use.29/05/2020 09:55:1929/05/2020 09:55:19
No particular products or services are seen as a "silver bullet" and vendor claims aren't taken at face value.29/05/2020 09:55:1929/05/2020 09:55:19
Assurance methods are applied with appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.29/05/2020 09:55:1929/05/2020 09:55:19
Assurance isn't assumed because there have been no known problems to date.29/05/2020 09:55:1929/05/2020 09:55:19
All assets relevant to the secure operation of essential functions are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date.29/05/2020 09:55:1929/05/2020 09:55:19
Dependencies on supporting infrastructure (e.g. power, cooling etc) are recognised and recorded.29/05/2020 09:55:1929/05/2020 09:55:19
You have prioritised your assets according to their importance to the operation of the essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You have assigned responsibility for managing physical assets.29/05/2020 09:55:1929/05/2020 09:55:19
Assets relevant to essential functions are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal.29/05/2020 09:55:1929/05/2020 09:55:19
Inventories of assets relevant to the essential function are complete and adequately detailed.29/05/2020 09:55:1929/05/2020 09:55:19
All domains and types of asset are documented and understood. Dependencies between assets are understood (such as the dependencies between IT and OT).29/05/2020 09:55:1929/05/2020 09:55:19
Information assets, which could include personally identifiable information or other sensitive information, are stored with clear business need and retention policy.29/05/2020 09:55:1929/05/2020 09:55:19
Knowledge critical to the management, operation, or recovery of essential functions is not held by one or two key individuals and a succession plan is in place.29/05/2020 09:55:1929/05/2020 09:55:19
Asset inventories are completed and in date.29/05/2020 09:55:1929/05/2020 09:55:19
You have a deep understanding of your supply chain, including sub-contractors and the wider risks it faces. You consider factors such as supplier’s partnerships, competitors, nationality and other organisations with which they sub-contract. This informs your risk assessment and procurement processes.29/05/2020 09:55:1929/05/2020 09:55:19
Your approach to supply chain risk management considers the risks to your essential functions arising from supply chain subversion by capable and well-resourced attackers.  29/05/2020 09:55:1929/05/2020 09:55:19
You have confidence that information shared with suppliers that is essential to the operation of your function is appropriately protected from sophisticated attacks.29/05/2020 09:55:1929/05/2020 09:55:19
You can clearly express the security needs you place on suppliers in ways that are mutually understood and are laid in contracts. There is a clear and documented shared-responsibility model.  29/05/2020 09:55:1929/05/2020 09:55:19
All network connections and data sharing with third parties is managed effectively and proportionately.29/05/2020 09:55:1929/05/2020 09:55:19
When appropriate, your incident management process and that of your suppliers provide mutual support in the resolution of incidents.29/05/2020 09:55:1929/05/2020 09:55:19
You understand the general risks suppliers may pose to your essential functions.29/05/2020 09:55:1929/05/2020 09:55:19
You know the extent of your supply chain for essential functions, including sub-contractors.29/05/2020 09:55:1929/05/2020 09:55:19
You engage with suppliers about security, and you set and communicate security requirements in contracts.29/05/2020 09:55:1929/05/2020 09:55:19
You are aware of all third-party connections and have assurance that they meet your organisation’s security requirements.29/05/2020 09:55:1929/05/2020 09:55:19
Your approach to security incident management considers incidents that might arise in your supply chain.29/05/2020 09:55:1929/05/2020 09:55:19
You have confidence that information shared with suppliers that is necessary for the operation of your essential function is appropriately protected from well-known attacks and known vulnerabilities.29/05/2020 09:55:1929/05/2020 09:55:19
You know what data belonging to you is held by suppliers, and how it is managed.29/05/2020 09:55:1929/05/2020 09:55:19
Elements of the supply chain for essential functions are subcontracted and you have full visibility of the sub-contractors.29/05/2020 09:55:1929/05/2020 09:55:19
Relevant contracts have security requirements.29/05/2020 09:55:1929/05/2020 09:55:19
Suppliers that have access to systems that provide your essential function is restricted and monitored.29/05/2020 09:55:1929/05/2020 09:55:19
You fully document your overarching security governance and risk management approach, technical security practice and specific regulatory compliance. Cyber security is integrated and embedded throughout these policies and processes and key performance indicators are reported to your executive management.29/05/2020 09:55:1929/05/2020 09:55:19
Your organisation’s policies and processes are developed to be practical, usable and appropriate for your essential function and your technologies.29/05/2020 09:55:1929/05/2020 09:55:19
Policies and processes that rely on user behaviour are practical, appropriate and achievable.29/05/2020 09:55:1929/05/2020 09:55:19
You review and update policies and processes at suitably regular intervals to ensure they remain relevant. This is in addition to reviews following a major cyber security incident.29/05/2020 09:55:1929/05/2020 09:55:19
Any changes to the essential function or the threat it faces triggers a review of policies and processes.29/05/2020 09:55:1929/05/2020 09:55:19
Your systems are designed so that they remain secure even when user security policies and processes are not always followed.29/05/2020 09:55:1929/05/2020 09:55:19
Your policies and processes document your overarching security governance and risk management approach, technical security practice and specific regulatory compliance.29/05/2020 09:55:1929/05/2020 09:55:19
You review and update policies and processes in response to major cyber security incidents.29/05/2020 09:55:1929/05/2020 09:55:19
Your policies and processes are active and complete.29/05/2020 09:55:1929/05/2020 09:55:19
Policies and processes are applied universally and consistently.29/05/2020 09:55:1929/05/2020 09:55:19
People don't circumvent policies and processes to achieve business objectives.29/05/2020 09:55:1929/05/2020 09:55:19
Your organisation’s security governance and risk management approach has no bearing on your policies and processes.29/05/2020 09:55:1929/05/2020 09:55:19
System security isn't reliant on users' careful and consistent application of manual security processes.29/05/2020 09:55:1929/05/2020 09:55:19
Policies and processes have been reviewed in response to major changes (e.g. technology or regulatory framework), and within a suitable period.29/05/2020 09:55:1929/05/2020 09:55:19
Policies and processes are readily available to staff, simple to remember, and easy to understand.29/05/2020 09:55:1929/05/2020 09:55:19
All your policies and processes are followed, their correct application and security effectiveness is evaluated.29/05/2020 09:55:1929/05/2020 09:55:19
Your policies and processes are integrated with other organisational policies and processes, including HR assessments of individuals' trustworthiness.29/05/2020 09:55:1929/05/2020 09:55:19
Your policies and processes are effectively and appropriately communicated across all levels of the organisation resulting in good staff awareness of their responsibilities.29/05/2020 09:55:1929/05/2020 09:55:19
Appropriate action is taken to address all breaches of policies and processes with potential to adversely impact the essential function including aggregated breaches.29/05/2020 09:55:1929/05/2020 09:55:19
Most of your policies and processes are followed and their application is monitored.29/05/2020 09:55:1929/05/2020 09:55:19
Your policies and processes are integrated with other organisational policies and processes, including HR assessments of individuals' trustworthiness.29/05/2020 09:55:1929/05/2020 09:55:19
All staff are aware of their responsibilities under your policies and processes.29/05/2020 09:55:1929/05/2020 09:55:19
All breaches of policies and processes with the potential to adversely impact the essential function are fully investigated. Other breaches are tracked, assessed for trends and action is taken to understand and address.29/05/2020 09:55:1929/05/2020 09:55:19
Policies and processes aren't ignored and are fully followed.29/05/2020 09:55:1929/05/2020 09:55:19
The reliance on your policies and processes is well understood.29/05/2020 09:55:1929/05/2020 09:55:19
Staff are aware of their responsibilities under your policies and processes.29/05/2020 09:55:1929/05/2020 09:55:19
You attempt to detect breaches of policies and processes.29/05/2020 09:55:1929/05/2020 09:55:19
Policies and processes integrate with other organisational policies and processes.29/05/2020 09:55:1929/05/2020 09:55:19
Your policies and processes are well communicated across your organisation.29/05/2020 09:55:1929/05/2020 09:55:19
Only authorised and individually authenticated users can physically access and logically connect to your networks or information systems on which your essential function depends.29/05/2020 09:55:1929/05/2020 09:55:19
User access to all your networks and information systems supporting the essential function is limited to the minimum necessary.29/05/2020 09:55:1929/05/2020 09:55:19
You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, for privileged access to all systems that operate or support your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, when you individually authenticate and authorise all remote user access to all your networks and information systems that support your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
The list of users with access to networks and systems supporting and delivering the essential function is reviewed on a regular basis, at least every six months.29/05/2020 09:55:1929/05/2020 09:55:19
All authorised users with access to networks or information systems on which your essential function depends are individually identified and authenticated.29/05/2020 09:55:1929/05/2020 09:55:19
User access to essential function networks and information systems is limited to the minimum necessary.29/05/2020 09:55:1929/05/2020 09:55:19
You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, for privileged access to sensitive systems such as operational technology.29/05/2020 09:55:1929/05/2020 09:55:19
You individually authenticate and authorise all remote user access to all your networks and information systems that support your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
The list of users with access to essential function networks and systems is reviewed on a regular basis at least annually.29/05/2020 09:55:1929/05/2020 09:55:19
Authorised users with access to networks or information systems on which your essential function depends can be individually identified.29/05/2020 09:55:1929/05/2020 09:55:19
Unauthorised individuals or devices cannot access your networks or information systems on which your essential function depends.29/05/2020 09:55:1929/05/2020 09:55:19
User access is limited to the minimum necessary.29/05/2020 09:55:1929/05/2020 09:55:19
Dedicated devices are used for privileged actions (such as administration or accessing the essential function's network and information systems). These devices are not used for directly browsing the web or accessing email.29/05/2020 09:55:1929/05/2020 09:55:19
You either obtain independent and professional assurance of the security of third-party devices or networks before they connect to your systems, or you only allow third-party devices or networks dedicated to supporting your systems to connect.29/05/2020 09:55:1929/05/2020 09:55:19
You perform certificate-based device identity management and only allow known devices to access systems necessary for the operation of your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You perform regular scans to detect unknown devices and investigate any findings.29/05/2020 09:55:1929/05/2020 09:55:19
Only corporately owned and managed devices can access your essential function's networks and information systems.29/05/2020 09:55:1929/05/2020 09:55:19
All privileged access occurs from corporately management devices dedicated to management functions.29/05/2020 09:55:1929/05/2020 09:55:19
You have sought to understand the security properties of third-party devices and networks before they can be connected to your systems. You have taken appropriate steps to mitigate any risks identified.29/05/2020 09:55:1929/05/2020 09:55:19
The act of connecting to a network port or cable does not grant access to any systems.29/05/2020 09:55:1929/05/2020 09:55:19
You are able to detect unknown devices being connected to your network and investigate such incidents.29/05/2020 09:55:1929/05/2020 09:55:19
Users can't connect to your essential function's networks using devices that are not corporately managed.29/05/2020 09:55:1929/05/2020 09:55:19
Privileged users can't perform administrative functions from devices that are not corporately managed.29/05/2020 09:55:1929/05/2020 09:55:19
You have gained assurance in the security of any third-party devices or networks connected to your systems.29/05/2020 09:55:1929/05/2020 09:55:19
Physically connecting a device to your network doesn't give that device access without device or user authentication 29/05/2020 09:55:1929/05/2020 09:55:19
Privileged user access to your essential function systems is carried out from dedicated separate accounts that are closely monitored and managed.29/05/2020 09:55:1929/05/2020 09:55:19
The issuing of temporary, time-bound rights for privileged user access and external third-party support access is either in place or you are migrating to an access control solution that supports this functionality.29/05/2020 09:55:1929/05/2020 09:55:19
Privileged user access rights are regularly reviewed and always updated as part of your joiners, movers and leavers process.29/05/2020 09:55:1929/05/2020 09:55:19
All privileged user access to your networks and information systems requires strong authentication, such as two-factor, hardware authentication, or additional real-time security monitoring.29/05/2020 09:55:1929/05/2020 09:55:19
All privileged user activity is routinely reviewed, validated and recorded for offline analysis and investigation.29/05/2020 09:55:1929/05/2020 09:55:19
Privileged user access requires additional validation, but this does not use a strong form of authentication (e.g. two-factor, hardware authentication or additional real-time security monitoring).29/05/2020 09:55:1929/05/2020 09:55:19
The identities of the individuals with privileged access to your essential function systems (infrastructure, platforms, software, configuration, etc.) are known and managed. This includes third parties. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Activity by privileged users is routinely reviewed and validated (e.g. at least annually). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Privileged users are only granted specific privileged permissions which are essential to their business role or function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
The identities of the individuals with privileged access to your essential function systems (infrastructure, platforms, software, configuration, etc.) are known and managed. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Privileged user access to your essential function systems is via strong authentication mechanisms. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
The list of privileged users has been reviewed recently (e.g. within the last 12 months). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Privileged user access is granted on a per-user or per-role basis rather than system-wide. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Privileged user access to your essential function isn't via generic, shared or default name accounts. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Where there are “always on” terminals which can perform privileged actions (such as in a control room), there are additional controls (e.g. physical controls) to ensure access is appropriately restricted. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
There is logical separation between roles that an individual may have and hence the actions they perform (e.g. access to corporate email and privileged user actions). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your procedure to verify each user and issue the minimum required access rights is robust and regularly audited. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
User permissions are reviewed both when people change roles via your joiners, leavers and movers process and at regular intervals - at least annually. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All user access is logged and monitored. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You regularly review access logs and correlate this data with other access records and expected activity. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Attempts by unauthorised users to connect to your systems are alerted, promptly assessed and investigated. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You follow a robust procedure to verify each user and issue the minimum required access rights. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You regularly review access rights and those no longer needed are revoked. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
User permissions are reviewed when people change roles via your joiners, leavers and movers process. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All user access is logged and monitored. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
No greater rights are granted to users than necessary. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
User rights are granted with validation of their identity and requirement for access. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
User rights are reviewed when they move jobs. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
User rights don't remain active when people leave your organisation. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified and catalogued all the data important to the operation of the essential function, or that would assist an attacker. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified and catalogued who has access to the data important to the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You maintain a current understanding of the location, quantity and quality of data important to the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You take steps to remove or minimise unnecessary copies or unneeded historic data. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified all mobile devices and media that may hold data important to the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You maintain a current understanding of the data links used to transmit data that is important to your essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You understand the context, limitations and dependencies of your important data. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You understand and document the impact on your essential function of all relevant scenarios, including unauthorised data access, modification or deletion, or when authorised users are unable to appropriately access this data. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You validate these documented impact statements regularly, at least annually. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified and catalogued all the data important to the operation of the essential function, or that would assist an attacker. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified and catalogued who has access to the data important to the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You periodically review location, transmission, quantity and quality of data important to the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified all mobile devices and media that hold data important to the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You understand and document the impact on your essential function of all relevant scenarios, including unauthorised access, modification or deletion, or when authorised users are unable to appropriately access this data. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You occasionally validate these documented impact statements. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have a complete knowledge of what data is used by and produced in the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified the important data on which your essential function relies. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified who has access to data important to the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have clearly articulated the impact of data compromise or inaccessibility. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified and protected (effectively and proportionately) all the data links that carry data important to the operation of your essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You apply appropriate physical or technical means to protect data that travels over non-trusted or openly accessible carriers, with justified confidence in the robustness of the protection applied. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Suitable alternative transmission paths are available where there is a significant risk of impact on the operation of the essential function due to resource limitation (e.g. transmission equipment or function failure, or important data being blocked or jammed). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified and protected (effectively and proportionately) all the data links that carry data important to the operation of your essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You apply appropriate technical means (e.g. cryptography) to protect data that travels over non-trusted or openly accessible carriers, but you have limited or no confidence in the robustness of the protection applied. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You know what all your data links are, or which of them carry data important to the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Data important to the operation of the essential function travels with technical protection over non-trusted or openly accessible carriers. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Critical data paths that could fail, be jammed, be overloaded, etc. have an alternative path. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have only necessary copies of this data. Where data is transferred to less secure systems, the data is provided with limited detail and/or as a read-only copy. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have applied suitable physical or technical means to protect this important stored data from unauthorised access, modification or deletion. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
If cryptographic protections are used you apply suitable technical and procedural means, and you have justified confidence in the robustness of the protection applied. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have suitable, secured backups of data to allow the operation of the essential function to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Necessary historic or archive data is suitably secured in storage. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All copies of data important to the operation of your essential function are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and/or as a read-only copy. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have applied suitable physical or technical means to protect this important stored data from unauthorised access, modification or deletion. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
If cryptographic protections are used, you apply suitable technical and procedural means, but you have limited or no confidence in the robustness of the protection applied. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have suitable, secured backups of data to allow the operation of the essential function to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have complete knowledge of where data important to the operation of the essential function is stored. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have protected vulnerable stored data important to the operation of the essential function in a suitable way. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Backups are complete, tested, adequately secured and could be accessible in a disaster recovery or business continuity situation. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Mobile devices that hold data that is important to the operation of the essential function are catalogued, are under your organisation's control and configured according to best practice for the platform, with appropriate technical and procedural policies in place. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your organisation can remotely wipe all mobile devices holding data important to the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have minimised this data on these mobile devices. Some data may be automatically deleted from mobile devices after a certain period. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You know which mobile devices hold data important to the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Data important to the operation of the essential function is only stored on mobile devices with at least an equivalent security standard to your organisation's. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Data on mobile devices is technically secured. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You know which mobile devices hold data important to the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You don't allow data important to the operation of the essential function to be stored on devices that are not managed by your organisation or managed to at least an equivalent standard. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Data on mobile devices is technically secured. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You catalogue and track all devices that contain data important to the operation of the essential function (whether a specific storage device or one with integral storage). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All data important to the operation of the essential function is sanitised from all devices, equipment or removable media before disposal. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All devices, equipment and removable media that hold data important to the operation of the essential function are disposed of with sanitisation of that data. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You employ appropriate expertise to design network and information systems. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your networks and information systems are segregated into appropriate security zones, e.g. operational systems for the essential function are segregated in a highly trusted, more secure zone. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
The networks and information systems supporting your essential function are designed to have simple data flows between components to support effective security monitoring. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
The networks and information systems supporting your essential function are designed to be easy to recover. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Content-based attacks are mitigated for all inputs to operational systems that affect the essential function (e.g. via transformation and inspection). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You employ appropriate expertise to design network and information systems. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You design strong boundary defences where your networks and information systems interface with other organisations or the world at large. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You design simple data flows between your networks and information systems and any external interface to enable effective monitoring. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You design to make network and information system recovery simple. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All inputs to operational systems are checked and validated at the network boundary where possible, or additional monitoring is in place for content-based attacks. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Systems essential to the operation of the essential function are appropriately segregated from other systems. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Internet access isn't available from operational systems. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Data flows between the essential function's operational systems and other systems are simple, making it easy to differentiate between legitimate and illegitimate/malicious traffic. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
No remote or third-party access circumvents any network controls to gain more direct access to operational systems of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified, documented and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All platforms conform to your secure, defined baseline build, or the latest known good configuration version for that environment. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You closely and effectively manage changes in your environment, ensuring that network and system configurations are secure and documented. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You regularly review and validate that your network and information systems have the expected, secured settings and configuration. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Only permitted software can be installed and standard users cannot change settings that would impact security or business operation. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified and documented the assets that need to be carefully configured to maintain the security of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Secure platform and device builds are used across the estate. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Consistent, secure and minimal system and device configurations are applied across the same types of environment. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Changes and adjustments to security configuration at security boundaries with the networks and information systems supporting your essential function are approved and documented. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You verify software before installation is permitted. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified the assets that need to be carefully configured to maintain the security of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Policies relating to the security of operating system builds or configuration are applied consistently across your network and information systems relating to your essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Configuration details are recorded and contain enough information to be able to rebuild the system or device. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
The recording of security changes or adjustments that affect your essential function is full and consistent. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your systems and devices supporting the operation of the essential function are only administered or maintained by authorised privileged users from dedicated devices that are technically segregated and secured to the same level as the networks and systems being maintained. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You regularly review and update technical knowledge about networks and information systems, such as documentation and network diagrams, and ensure they are securely stored. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You prevent, detect and remove malware or unauthorised software. You use technical, procedural and physical measures as necessary. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your systems and devices supporting the operation of the essential function are only administered or maintained by authorised privileged users from dedicated devices. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Technical knowledge about networks and information systems, such as documentation and network diagrams, is regularly reviewed and updated. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You prevent, detect and remove malware or unauthorised software. You use technical, procedural and physical measures as necessary. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Essential function networks and systems are administered and maintained using dedicated devices. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have good or current technical documentation of your networks and information systems. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You maintain a current understanding of the exposure of your essential function to publicly-known vulnerabilities. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Announced vulnerabilities for all software packages, network equipment and operating systems used to support the operation of your essential function are tracked, prioritised and mitigated (e.g. by patching) promptly. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You regularly test to fully understand the vulnerabilities of the networks and information systems that support the operation of your essential function and verify this understanding with third-party testing. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You maximise the use of supported software, firmware and hardware in your networks and information systems supporting your essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You maintain a current understanding of the exposure of your essential function to publicly-known vulnerabilities. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Announced vulnerabilities for all software packages, network equipment and operating systems used to support your essential function are tracked and prioritised, and externally-exposed vulnerabilities are mitigated (e.g. by patching) promptly. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Some vulnerabilities that are not externally exposed have temporary mitigations for an extended period. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have temporary mitigations for unsupported systems and software while pursuing migration to supported technology. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You regularly test to fully understand the vulnerabilities of the networks and information systems that support the operation of your essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You understand the exposure of your essential function to publicly-known vulnerabilities. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You mitigate externally-exposed vulnerabilities promptly. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
There are means to check data or software imports for malware. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have recently tested to verify your understanding of the vulnerabilities of the networks and information systems that support your essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have suitably mitigated systems and software that are no longer supported. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You are pursuing replacement for unsupported systems or software. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have business continuity and disaster recovery plans that have been tested for practicality, effectiveness and completeness. Appropriate use is made of different test methods, e.g. manual fail-over, table-top exercises, or red-teaming. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You use your security awareness and threat intelligence sources to make immediate and potentially temporary security changes in response to new threats, e.g. a widespread outbreak of very damaging malware. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You know all networks, information systems and underlying technologies that are necessary to restore the operation of the essential function and understand their interdependence. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You know the order in which systems need to be recovered to efficiently and effectively restore the operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have a full understanding of all the elements that are required to restore operation of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have completed business continuity and/or disaster recovery plans for your essential function’s networks, information systems and their dependencies. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have fully assessed the practical implementation of your disaster recovery plans. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Operational systems that support the operation of the essential function are segregated from other business and external systems by appropriate technical and physical means, e.g. separate network and system infrastructure with independent user administration. Internet services are not accessible from operational systems. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified and mitigated all resource limitations, e.g. bandwidth limitations and single network paths. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have identified and mitigated any geographical constraints or weaknesses (e.g. systems that your essential function depends upon are replicated in another location, important network connectivity has alternative physical paths and service providers). | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You review and update assessments of dependencies, resource and geographical limitations and mitigations when necessary. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Operational systems that support the operation of the essential function are logically separated from your business systems, e.g. they reside on the same network as the rest of the organisation, but within a DMZ. Internet access is not available from operational systems. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Resource limitations (e.g. network bandwidth, single network paths) have been identified but not fully mitigated. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Operational networks and systems are appropriately segregated. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Internet services, such as browsing and email, aren't accessible from operational systems supporting the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You understand and have plans to mitigate all resource limitations that could adversely affect your essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your comprehensive, automatic and tested technical and procedural backups are secured at centrally accessible or secondary sites to recover from an extreme event. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Key roles are duplicated, and operational delivery knowledge is shared with all individuals involved in the operations and recovery of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Backups of all important data and information needed to recover the essential function are made, tested, documented and routinely reviewed. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have appropriately secured backups (including data, configuration information, software, equipment, processes and key roles or knowledge). These backups will be accessible to recover from an extreme event. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You routinely test backups to ensure that the backup process functions correctly and the backups are usable. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Backup coverage is complete and would be adequate to restore operation of your essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Backups are frequent enough for the operation of your essential function to be restored within a suitable time-frame. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your executive management clearly and effectively communicates the organisation's cyber security priorities and objectives to all staff. Your organisation displays positive cyber security attitudes, behaviours and expectations. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
People in your organisation raising potential cyber security incidents and issues are treated positively. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Individuals at all levels in your organisation routinely report concerns or issues about cyber security and are recognised for their contribution to keeping the organisation secure. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your management is seen to be committed to and actively involved in cyber security. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your organisation communicates openly about cyber security, with any concern being taken seriously. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
People across your organisation participate in cyber security activities and improvements, building joint ownership and bringing knowledge of their area of expertise. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your executive management understand and widely communicate the importance of a positive cyber security culture. Positive attitudes, behaviours and expectations are described for your organisation. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All people in your organisation understand the contribution they make to the essential function's cyber security. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All individuals in your organisation know who to contact and where to access more information about cyber security. They know how to raise a cyber security issue. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
People in your organisation understand what they contribute to the cyber security of the essential function. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
People in your organisation know how to raise a concern about cyber security. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
People believe that reporting issues will not get them into trouble. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Your organisation's approach to cyber security is not perceived by staff as hindering the business of the organisation. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All people in your organisation, from the most senior to the most junior, follow appropriate cyber security training paths. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Each individual’s cyber security training is tracked and refreshed at suitable intervals. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You routinely evaluate your cyber security training and awareness activities to ensure they reach the widest audience and are effective. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You make cyber security information and good practice guidance easily accessible, widely available and you know it is referenced and used within your organisation. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You have defined appropriate cyber security training and awareness activities for all roles in your organisation, from executives to the most junior roles. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
You use a range of teaching and communication techniques for cyber security training and awareness to reach the widest audience effectively. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Cyber security information is easily available. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
All teams who operate and support your essential function are cyber security trained. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Cyber security training isn't restricted to specific roles in your organisation. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Cyber security training records for your organisation are extensive and complete. | 29/05/2020 09:55:19 | 29/05/2020 09:55:19
Monitoring is based on an understanding of your networks, common cyber attack methods and what you need awareness of in order to detect potential security incidents that could affect the operation of your essential function. (e.g. presence of malware, malicious emails, user policy violations).  29/05/2020 09:55:1929/05/2020 09:55:19
Your monitoring data provides enough detail to reliably detect security incidents that could affect the operation of your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You easily detect the presence or absence of IoCs on your essential functions, such as known malicious command and control signatures.29/05/2020 09:55:1929/05/2020 09:55:19
Extensive monitoring of user activity in relation to the operation of essential functions enables you to detect policy violations and an agreed list of suspicious or undesirable behaviour.29/05/2020 09:55:1929/05/2020 09:55:19
You have extensive monitoring coverage that includes host-based monitoring and network gateways.29/05/2020 09:55:1929/05/2020 09:55:19
All new systems are considered as potential monitoring data sources to maintain a comprehensive monitoring capability.29/05/2020 09:55:1929/05/2020 09:55:19
Data relating to the security and operation of some areas of your essential functions is collected.29/05/2020 09:55:1929/05/2020 09:55:19
You easily detect the presence or absence of IoCs on your essential function, such as known malicious command and control signatures.29/05/2020 09:55:1929/05/2020 09:55:19
Some user monitoring is done, but not covering a fully agreed list of suspicious or undesirable behaviour.29/05/2020 09:55:1929/05/2020 09:55:19
You monitor traffic crossing your network boundary (including IP address connections as a minimum).29/05/2020 09:55:1929/05/2020 09:55:19
Data relating to the security and operation of your essential functions is collected.29/05/2020 09:55:1929/05/2020 09:55:19
You confidently detect the presence or absence of Indicators of Compromise (IoCs) on your essential functions, such as known malicious command and control signatures.29/05/2020 09:55:1929/05/2020 09:55:19
You are able to audit the activities of users in relation to your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
You capture any traffic crossing your network boundary including as a minimum IP connections.29/05/2020 09:55:1929/05/2020 09:55:19
The integrity of logging data is protected, or any modification is detected and attributed.29/05/2020 09:55:1929/05/2020 09:55:19
The logging architecture has mechanisms, processes and procedures to ensure that it can protect itself from threats comparable to those it is trying to identify. This includes protecting the function itself, and the data within it.29/05/2020 09:55:1929/05/2020 09:55:19
Log data analysis and normalisation is only performed on copies of the data keeping the master copy unaltered.29/05/2020 09:55:1929/05/2020 09:55:19
Logging datasets are synchronised, using an accurate common time source, so separate datasets can be correlated in different ways.29/05/2020 09:55:1929/05/2020 09:55:19
Access to logging data is limited to those with business need and no others.29/05/2020 09:55:1929/05/2020 09:55:19
All actions involving all logging data (e.g. copying, deleting or modification, or even viewing) can be traced back to a unique user.29/05/2020 09:55:1929/05/2020 09:55:19
Legitimate reasons for accessing logging data are given in use policies.29/05/2020 09:55:1929/05/2020 09:55:19
Only authorised staff can view logging data for investigations.29/05/2020 09:55:1929/05/2020 09:55:19
Privileged users can view logging information.29/05/2020 09:55:1929/05/2020 09:55:19
There is some monitoring of access to logging data. (e.g. copying, deleting or modification, or even viewing.) 29/05/2020 09:55:1929/05/2020 09:55:19
It is not possible for logging data to be easily edited or deleted by unauthorised users or malicious attackers.29/05/2020 09:55:1929/05/2020 09:55:19
There is a controlled list of who can view and query logging information.29/05/2020 09:55:1929/05/2020 09:55:19
There is monitoring of the access to logging data.29/05/2020 09:55:1929/05/2020 09:55:19
There is policy for accessing logging data.29/05/2020 09:55:1929/05/2020 09:55:19
Logging is synchronised, using an accurate common time source.29/05/2020 09:55:1929/05/2020 09:55:19
Logging data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts.29/05/2020 09:55:1929/05/2020 09:55:19
A wide range of signatures and indicators of compromise are used for investigations of suspicious activity and alerts.29/05/2020 09:55:1929/05/2020 09:55:19
Alerts can be easily resolved to network assets using knowledge of networks and systems.29/05/2020 09:55:1929/05/2020 09:55:19
Security alerts relating to all essential functions are prioritised and this information is used to support incident management.29/05/2020 09:55:1929/05/2020 09:55:19
Logs are reviewed almost continuously, in real time.29/05/2020 09:55:1929/05/2020 09:55:19
Alerts are tested to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms.29/05/2020 09:55:1929/05/2020 09:55:19
Alerts from third party security software are investigated, and action taken.29/05/2020 09:55:1929/05/2020 09:55:19
Some logging datasets can be easily queried with search tools to aid investigations.29/05/2020 09:55:1929/05/2020 09:55:19
The resolution of alerts to a network asset or system is performed regularly.29/05/2020 09:55:1929/05/2020 09:55:19
Security alerts relating to some essential functions are prioritised.29/05/2020 09:55:1929/05/2020 09:55:19
Logs are reviewed at regular intervals.29/05/2020 09:55:1929/05/2020 09:55:19
Alerts from third party security software are investigated (e.g. alerts from Anti-Virus (AV) providers).29/05/2020 09:55:1929/05/2020 09:55:19
Logs are not scattered across individual devices with no way to access them other than manual login or physical action.29/05/2020 09:55:1929/05/2020 09:55:19
The resolution of alerts to a network asset or system is performed.29/05/2020 09:55:1929/05/2020 09:55:19
Security alerts relating to essential functions are prioritised.29/05/2020 09:55:1929/05/2020 09:55:19
Logs are reviewed frequently.29/05/2020 09:55:1929/05/2020 09:55:19
You have selected threat intelligence feeds using risk-based and threat-informed decisions based on your business needs and sector (e.g. vendor reporting and patching, strong anti-virus providers, sector and community-based infoshare).29/05/2020 09:55:1929/05/2020 09:55:19
You apply all new signatures and IoCs within a reasonable (risk-based) time of receiving them.29/05/2020 09:55:1929/05/2020 09:55:19
You receive signature updates for all your protective technologies (e.g. AV, IDS).29/05/2020 09:55:1929/05/2020 09:55:19
You track the effectiveness of your intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (e.g. sector partners, threat intelligence providers, government agencies).29/05/2020 09:55:1929/05/2020 09:55:19
Your organisation uses some threat intelligence services, but you don't choose providers specifically because of your business needs, or specific threats in your sector (e.g. sector-based infoshare, ICS software vendors, anti-virus providers, specialist threat intel firms).29/05/2020 09:55:1929/05/2020 09:55:19
You receive updates for all your signature based protective technologies (e.g. AV, IDS).29/05/2020 09:55:1929/05/2020 09:55:19
You apply some updates, signatures and IoCs in a timely way.29/05/2020 09:55:1929/05/2020 09:55:19
You know how effective your threat intelligence is (e.g. by tracking how threat intelligence helps you identify security problems).29/05/2020 09:55:1929/05/2020 09:55:19
Your organisation has sources of threat intelligence.29/05/2020 09:55:1929/05/2020 09:55:19
You apply updates in a timely way, after receiving them. (e.g. AV signature updates, other threat signatures or Indicators of Compromise (IoCs)).29/05/2020 09:55:1929/05/2020 09:55:19
You receive signature updates for all protective technologies such as AV and IDS or other software in use.29/05/2020 09:55:1929/05/2020 09:55:19
You evaluate the usefulness of your threat intelligence and share feedback with providers or other users.29/05/2020 09:55:1929/05/2020 09:55:19
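As an added illustration of applying signatures and IoCs and tracking how useful a feed is (this is not code from the original page or from any threat-intelligence provider), the script below matches indicators from two hypothetical feeds, sector-share and vendor-av, against constructed log lines. It reports hits per feed, the fraction of each feed's indicators that ever fired (the feedback worth sharing with the provider), and any indicator applied later than a risk-based SLA after it was received. The feed names, the key=value log format, the 24-hour SLA and all indicator values (RFC 5737 addresses, .example domains) are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed IoCs from two hypothetical feeds; none are real indicators.
IOCS = [
    {"feed": "sector-share", "type": "ip", "value": "198.51.100.23",
     "received": "2020-05-01T08:00:00", "applied": "2020-05-01T10:30:00"},
    {"feed": "sector-share", "type": "domain", "value": "update-check.example",
     "received": "2020-05-02T08:00:00", "applied": "2020-05-06T09:00:00"},
    {"feed": "vendor-av", "type": "sha256", "value": "3f" * 32,
     "received": "2020-05-03T12:00:00", "applied": "2020-05-03T12:05:00"},
    {"feed": "vendor-av", "type": "ip", "value": "192.0.2.77",
     "received": "2020-05-03T12:00:00", "applied": "2020-05-03T12:05:00"},
    {"feed": "vendor-av", "type": "domain", "value": "beacon.example",
     "received": "2020-05-03T12:00:00", "applied": "2020-05-03T12:05:00"},
]

# Constructed proxy, DNS and endpoint log lines in a simple key=value format.
LOG_LINES = [
    "ts=2020-05-04T09:12:01 src=10.0.0.15 dst=198.51.100.23 dport=443 host=cdn.example",
    "ts=2020-05-04T09:15:44 src=10.0.0.15 query=update-check.example rcode=NOERROR",
    "ts=2020-05-04T10:02:09 src=10.0.0.22 dst=93.184.216.34 dport=80 host=www.example",
    "ts=2020-05-04T11:47:30 host=WS-0022 sha256=" + "3f" * 32 + " path=C:\\Users\\a\\svc.exe",
    "ts=2020-05-05T08:00:00 src=10.0.0.30 dst=192.0.2.77 dport=22",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    return dict(KV.findall(line))


def match_iocs(lines, iocs):
    """Return (ioc, parsed line) pairs for every line that touches an IoC."""
    by_value = {(i["type"], i["value"]): i for i in iocs}
    hits = []
    for line in lines:
        rec = parse(line)
        # Which fields each indicator type is compared against.
        candidates = [("ip", rec.get("dst")), ("domain", rec.get("query")),
                      ("domain", rec.get("host")), ("sha256", rec.get("sha256"))]
        for key in candidates:
            ioc = by_value.get(key)
            if ioc is not None:
                hits.append((ioc, rec))
    return hits


def feed_effectiveness(iocs, hits):
    """Hits per feed and the share of each feed's indicators that ever fired."""
    fired = defaultdict(set)
    for ioc, _ in hits:
        fired[ioc["feed"]].add(ioc["value"])
    total = Counter(i["feed"] for i in iocs)
    return {feed: {"hits": sum(1 for h in hits if h[0]["feed"] == feed),
                   "coverage": len(fired[feed]) / total[feed]}
            for feed in total}


def application_lag(iocs, sla=timedelta(hours=24)):
    """Indicators applied later than the risk-based SLA after receipt."""
    late = []
    for ioc in iocs:
        lag = (datetime.fromisoformat(ioc["applied"])
               - datetime.fromisoformat(ioc["received"]))
        if lag > sla:
            late.append((ioc["value"], lag))
    return late


if __name__ == "__main__":
    found = match_iocs(LOG_LINES, IOCS)
    print(feed_effectiveness(IOCS, found))
    print(application_lag(IOCS))
```

Coverage below 1.0 is not by itself a mark against a feed (an indicator that never fires may simply describe a threat that has not reached you), but a feed whose indicators never fire over a long period, combined with a high false-positive rate on the ones that do, is exactly the evidence the indicators above ask you to share back.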
You have monitoring staff, who are responsible for the analysis, investigation and reporting of monitoring alerts covering both security and performance.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff have defined roles and skills that cover all parts of the monitoring and investigation process.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff follow process and procedures that address all governance reporting requirements, internal and external.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff are empowered to look beyond the fixed process to investigate and understand non-standard threats, by developing their own investigative techniques and making new use of data.29/05/2020 09:55:1929/05/2020 09:55:19
Your monitoring tools make use of all logging data collected to pinpoint activity within an incident.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff and tools drive and shape new log data collection and can make wide use of it.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff are aware of the operation of essential functions and related assets and can identify and prioritise alerts or investigations that relate to them.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff have some investigative skills and a basic understanding of the data they need to work with.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff can report to other parts of the organisation (e.g. security directors, resilience managers).29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff are capable of following most of the required workflows.29/05/2020 09:55:1929/05/2020 09:55:19
Your monitoring tools can make use of logging that would capture most unsophisticated and untargeted attack types.29/05/2020 09:55:1929/05/2020 09:55:19
Your monitoring tools work with most logging data, with some configuration.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff are aware of some essential functions and can manage alerts relating to them.29/05/2020 09:55:1929/05/2020 09:55:19
There are staff who perform a monitoring function.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff have the correct specialist skills.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff are capable of reporting against governance requirements. Monitoring staff have the skills to successfully perform any part of the defined workflow.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring tools are able to make use of all logging data being collected.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring tools can be configured to make use of new logging streams, as they come online.29/05/2020 09:55:1929/05/2020 09:55:19
Monitoring staff have full awareness of the essential functions the organisation provides, what assets relate to those functions and hence the importance of the logging data and security events.29/05/2020 09:55:1929/05/2020 09:55:19
Normal system behaviour is fully understood to such an extent that searching for system abnormalities is a potentially effective way of detecting malicious activity (e.g. you fully understand which systems should and should not communicate, and when).29/05/2020 09:55:1929/05/2020 09:55:19
System abnormality descriptions from past attacks and threat intelligence, on yours and other networks, are used to signify malicious activity.29/05/2020 09:55:1929/05/2020 09:55:19
The system abnormalities you search for consider the nature of attacks likely to impact on the networks and information systems supporting the operation of essential functions.29/05/2020 09:55:1929/05/2020 09:55:19
The system abnormality descriptions you use are updated to reflect changes in your networks and information systems and current threat intelligence.29/05/2020 09:55:1929/05/2020 09:55:19
Normal system behaviour is sufficiently understood to be able to use system abnormalities to detect malicious activity.29/05/2020 09:55:1929/05/2020 09:55:19
You have an established understanding of what abnormalities to look for that might signify malicious activities.29/05/2020 09:55:1929/05/2020 09:55:19
You routinely search for system abnormalities indicative of malicious activity on the networks and information systems supporting the operation of your essential function, generating alerts based on the results of such searches.29/05/2020 09:55:1929/05/2020 09:55:19
You have justified confidence in the effectiveness of your searches for system abnormalities indicative of malicious activity.29/05/2020 09:55:1929/05/2020 09:55:19
You routinely search for system abnormalities indicative of malicious activity.29/05/2020 09:55:1929/05/2020 09:55:19
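An added example (not from the original page) of the baseline-driven search described above, which also shows the asset resolution and prioritisation asked for in the earlier investigation indicators: a constructed asset inventory maps addresses to named assets and zones, a constructed expected-communication baseline records which zones may talk on which port and at what hours, and flows that fall outside it are raised as alerts resolved to assets and prioritised by whether an essential function is involved. ASSETS, BASELINE, FLOWS, the zone names and the time windows are all assumptions.

```python
from datetime import datetime

# Constructed asset inventory: address -> name, network zone, and whether the
# asset supports an essential function (used to prioritise alerts).
ASSETS = {
    "10.10.1.5":  {"name": "hist-01",  "zone": "ot-dmz",  "essential": True},
    "10.20.0.11": {"name": "plc-gw-1", "zone": "control", "essential": True},
    "10.0.5.40":  {"name": "ws-0040",  "zone": "corp",    "essential": False},
    "10.0.5.41":  {"name": "ws-0041",  "zone": "corp",    "essential": False},
    "10.30.0.9":  {"name": "bkp-01",   "zone": "backup",  "essential": True},
}

# Constructed baseline of who should talk to whom: (src zone, dst zone, port)
# -> (start hour, end hour) in local time during which the flow is expected.
BASELINE = {
    ("corp", "ot-dmz", 443): (7, 19),     # engineers read the historian by day
    ("ot-dmz", "control", 502): (0, 24),  # historian polls the PLC gateway 24x7
    ("backup", "ot-dmz", 22): (1, 4),     # nightly backup window
}

# Constructed flow records, as exported from NetFlow or firewall logs.
FLOWS = [
    {"ts": "2020-05-04T09:10:00", "src": "10.0.5.40", "dst": "10.10.1.5",  "dport": 443},
    {"ts": "2020-05-04T09:10:05", "src": "10.10.1.5", "dst": "10.20.0.11", "dport": 502},
    {"ts": "2020-05-04T02:30:00", "src": "10.30.0.9", "dst": "10.10.1.5",  "dport": 22},
    {"ts": "2020-05-04T03:12:00", "src": "10.0.5.41", "dst": "10.10.1.5",  "dport": 443},
    {"ts": "2020-05-04T11:00:00", "src": "10.0.5.41", "dst": "10.20.0.11", "dport": 502},
    {"ts": "2020-05-04T11:05:00", "src": "10.0.5.40", "dst": "10.0.5.41",  "dport": 445},
]


def zone_of(ip, assets=ASSETS):
    a = assets.get(ip)
    return a["zone"] if a else "unknown"


def detect(flows, baseline=BASELINE, assets=ASSETS):
    """Alert on flows with no baseline entry or outside their time window.
    Each alert is resolved to named assets and given a priority based on
    whether either end supports an essential function."""
    alerts = []
    for f in flows:
        key = (zone_of(f["src"], assets), zone_of(f["dst"], assets), f["dport"])
        hour = datetime.fromisoformat(f["ts"]).hour
        window = baseline.get(key)
        if window is None:
            reason = "no baseline for this zone pair and port"
        elif not (window[0] <= hour < window[1]):
            reason = "outside expected hours %02d-%02d" % window
        else:
            continue  # expected traffic, nothing to raise
        unknown = {"name": None, "essential": False}
        src = assets.get(f["src"], {**unknown, "name": f["src"]})
        dst = assets.get(f["dst"], {**unknown, "name": f["dst"]})
        alerts.append({
            "src": src["name"], "dst": dst["name"], "dport": f["dport"],
            "reason": reason,
            "priority": "high" if src["essential"] or dst["essential"] else "low",
        })
    # Essential-function alerts first, so they reach incident management first.
    return sorted(alerts, key=lambda a: a["priority"] != "high")


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

A baseline learned purely from observed traffic will bake in any attacker who was already present when it was captured; build it from the design of the network and validate it against observation, and re-baseline whenever the network changes, which is what the indicator on keeping abnormality descriptions up to date is asking for.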
Your incident response plan is based on a clear understanding of the security risks to the networks and information systems supporting your essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Your incident response plan is comprehensive (i.e. covers the complete lifecycle of an incident, roles and responsibilities, and reporting) and covers likely impacts of both known attack patterns and of possible attacks, previously unseen.29/05/2020 09:55:1929/05/2020 09:55:19
Your incident response plan is documented and integrated with wider organisational business and supply chain response plans.29/05/2020 09:55:1929/05/2020 09:55:19
Your incident response plan is communicated and understood by the business areas involved with the operation of your essential functions.29/05/2020 09:55:1929/05/2020 09:55:19
Your response plan covers your essential functions.29/05/2020 09:55:1929/05/2020 09:55:19
Your response plan comprehensively covers scenarios that are focused on likely impacts of known and well-understood attacks only.  29/05/2020 09:55:1929/05/2020 09:55:19
Your response plan is understood by all staff who are involved with your organisation's response function.29/05/2020 09:55:1929/05/2020 09:55:19
Your response plan is documented and shared with all relevant stakeholders.29/05/2020 09:55:1929/05/2020 09:55:19
Your incident response plan is documented.29/05/2020 09:55:1929/05/2020 09:55:19
Your incident response plan includes your organisation's identified essential function.29/05/2020 09:55:1929/05/2020 09:55:19
Your incident response plan is well understood by relevant staff.29/05/2020 09:55:1929/05/2020 09:55:19
You understand the resources that will likely be needed to carry out any required response activities, and arrangements are in place to make these resources available.29/05/2020 09:55:1929/05/2020 09:55:19
You understand the types of information that will likely be needed to inform response decisions and arrangements are in place to make this information available.29/05/2020 09:55:1929/05/2020 09:55:19
Your response team members have the skills and knowledge required to decide on the response actions necessary to limit harm, and the authority to carry them out.29/05/2020 09:55:1929/05/2020 09:55:19
Back-up mechanisms are available that can be readily activated to allow continued operation of your essential function (although possibly at a reduced level) if primary networks and information systems fail or are unavailable.29/05/2020 09:55:1929/05/2020 09:55:19
Arrangements exist to augment your organisation’s incident response capabilities with external support if necessary (e.g. specialist cyber incident responders).29/05/2020 09:55:1929/05/2020 09:55:19
Adequate arrangements have been made to make the right resources available to implement your response plan.29/05/2020 09:55:1929/05/2020 09:55:19
Your response team members are equipped to make good response decisions and put them into effect.29/05/2020 09:55:1929/05/2020 09:55:19
Adequate back-up mechanisms exist to allow the continued operation of your essential function during an incident.29/05/2020 09:55:1929/05/2020 09:55:19
Exercise scenarios are based on incidents experienced by your and other organisations or are composed using experience or threat intelligence.29/05/2020 09:55:1929/05/2020 09:55:19
Exercise scenarios are documented, regularly reviewed, and validated.29/05/2020 09:55:1929/05/2020 09:55:19
Exercises are routinely run, with the findings documented and used to refine incident response plans and protective security, in line with the lessons learned.  29/05/2020 09:55:1929/05/2020 09:55:19
Exercises test all parts of your response cycle relating to your essential functions (e.g. restoration of normal function levels).29/05/2020 09:55:1929/05/2020 09:55:19
Exercises test all parts of the process.29/05/2020 09:55:1929/05/2020 09:55:19
Incident response exercises are routinely carried out and are carried out in a systematic way.29/05/2020 09:55:1929/05/2020 09:55:19
Outputs from exercises are fed into the organisation's lessons learned process.29/05/2020 09:55:1929/05/2020 09:55:19
Exercises test all parts of the response cycle.  29/05/2020 09:55:1929/05/2020 09:55:19
Root cause analysis is conducted routinely as a key part of your lessons learned activities following an incident.29/05/2020 09:55:1929/05/2020 09:55:19
Your root cause analysis is comprehensive, covering organisational process issues, as well as vulnerabilities in your networks, systems or software.29/05/2020 09:55:1929/05/2020 09:55:19
All relevant incident data is made available to the analysis team to perform root cause analysis.29/05/2020 09:55:1929/05/2020 09:55:19
You are usually able to resolve incidents to a root cause.29/05/2020 09:55:1929/05/2020 09:55:19
You have a formal process for investigating causes.  29/05/2020 09:55:1929/05/2020 09:55:19
You have a documented incident review process/policy which ensures that lessons learned from each incident are identified, captured, and acted upon.29/05/2020 09:55:1929/05/2020 09:55:19
Lessons learned cover issues with reporting, roles, governance, skills and organisational processes as well as technical aspects of networks and information systems.29/05/2020 09:55:1929/05/2020 09:55:19
You use lessons learned to improve security measures, including updating and retesting response plans when necessary.29/05/2020 09:55:1929/05/2020 09:55:19
Security improvements identified as a result of lessons learned are prioritised, with the highest priority improvements completed quickly.29/05/2020 09:55:1929/05/2020 09:55:19
Analysis is fed to senior management and incorporated into risk management and continuous improvement.29/05/2020 09:55:1929/05/2020 09:55:19
Following incidents, lessons learned are captured and aren't limited in scope.29/05/2020 09:55:1929/05/2020 09:55:19
Improvements arising from lessons learned following an incident are implemented and given sufficient organisational priority.29/05/2020 09:55:1929/05/2020 09:55:19
Access control resilience and access privileges are reviewed frequently.31/03/2020 13:37:0514/04/2020 16:41:03
Your business has the capability and technology to support communication while employees are working from home.31/03/2020 13:37:0531/03/2020 13:37:05
All devices use mobile device management software to be able to remotely lock access to the device, erase the data stored on it, or retrieve a backup of this data.31/03/2020 13:37:0531/03/2020 13:37:05
Security Information and Event Management (SIEM) systems have been reviewed to ensure rules are effective for home workers.31/03/2020 13:37:0531/03/2020 13:37:05
Employees have secure access to necessary software to continue working from home such as instant communication, video conferencing and effective planning tools.31/03/2020 13:37:0531/03/2020 13:37:05
Employees have the relevant accounts and access to continue their day to day business.31/03/2020 13:37:0531/03/2020 13:37:05
Employees' passwords on all internet routers or hardware firewall devices are difficult to guess and at least 8 characters in length.31/03/2020 13:37:0531/03/2020 13:37:05
Employees can only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password.31/03/2020 13:37:0531/03/2020 13:37:05
Two-factor authentication has been reviewed and implemented on accounts where appropriate.31/03/2020 13:37:0531/03/2020 13:37:05
If appropriate, Virtual Private Networks are available to allow users to securely access your organisation's IT resources.31/03/2020 13:37:0531/03/2020 13:37:05
Furloughed workers' accounts are de-activated if access to systems is no longer required.31/03/2020 13:37:0531/03/2020 13:37:05
Your business has software firewalls enabled on all computers and laptops.31/03/2020 13:37:0531/03/2020 13:37:05
Your employees have changed the default password on home routers.31/03/2020 13:37:0531/03/2020 13:37:05
You have an effective Bring Your Own Device (BYOD) policy that employees are aware of.31/03/2020 13:37:0531/03/2020 13:37:05
A policy is in place ensuring frequent communication with employees so that they feel motivated and supported.31/03/2020 13:37:0531/03/2020 13:37:05
Government recommendations are disseminated to employees and adhered to.31/03/2020 13:37:0531/03/2020 13:37:05
Your employees know how to report any security problems they may have with their devices and software when working from home.31/03/2020 13:37:0531/03/2020 13:37:05
Your organisation has outlined rules on which operations can be carried out on personal devices (for example, restricting access to email on personal devices).31/03/2020 13:37:0531/03/2020 13:37:05
Your organisation has laid out minimum security requirements, or even mandates company-sanctioned security tools, as a condition for allowing personal devices to connect to company data and network resources.31/03/2020 13:37:0531/03/2020 13:37:05
All operating systems and firmware on your devices are supported by a supplier that produces regular fixes for any security problems.31/03/2020 13:37:0531/03/2020 13:37:05
Encryption has been reviewed and configured to ensure home workers are protected.31/03/2020 13:37:0531/03/2020 13:37:05
Your organisation monitors the number of devices operating on your business network.31/03/2020 13:37:0531/03/2020 13:37:05
Your business has produced an easily accessible series of "how to" guides to support the identification of phishing emails.31/03/2020 13:37:0531/03/2020 13:37:05
Your employees know to flag suspicious emails as spam or junk and to report them to you and your email provider as potentially unsafe.31/03/2020 13:37:0531/03/2020 13:37:05
All employees keep devices safe and secure, whether in use or not.31/03/2020 13:37:0531/03/2020 13:37:05
All employees know the protocol to follow when reporting a device as lost or stolen.31/03/2020 13:37:0531/03/2020 13:37:05
All employees understand the importance of keeping software up to date and know how to do this.31/03/2020 13:37:0531/03/2020 13:37:05
Your business supplies guides for any new software or software features that have been implemented for home working.31/03/2020 13:37:0531/03/2020 13:37:05
Your business supplies a series of "how to" guides/webinar and/or online workshops in order to support home working.31/03/2020 13:37:0531/03/2020 13:37:05
Q27 Is user account creation subject to a full provisioning and approval process?17/12/2019 20:15:3417/12/2019 20:15:34
Q28 Are system administrative access privileges restricted to a limited number of authorised individuals?17/12/2019 20:15:3417/12/2019 20:15:34
Q29 Are user accounts assigned to specific individuals and are staff trained not to disclose their password to anyone?17/12/2019 20:15:3417/12/2019 20:15:34
Q30 Are all administrative accounts (including service accounts) only used to perform legitimate administrative activities, with no access granted to external email or the Internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q31 Are system administrative accounts (including service accounts) configured to lock out after a number of unsuccessful attempts?17/12/2019 20:15:3417/12/2019 20:15:34
Q32 Is there a password policy covering the following points: a) how to avoid choosing obvious passwords (such as those based on easily-discoverable information); b) not choosing common passwords (use of technical means, such as a password blacklist, is recommended); c) no password reuse; d) where and how passwords may be recorded so that they can be stored and retrieved securely; e) whether password management software is allowed and, if so, which; f) which passwords must be memorised and not recorded anywhere.17/12/2019 20:15:3417/12/2019 20:15:34
Q33 Are users authenticated using difficult to guess passwords, as a minimum, before being granted access to applications and computers?17/12/2019 20:15:3417/12/2019 20:15:34
Q34 Are user accounts removed or disabled when no longer required (e.g. when an individual changes role or leaves the organisation) or after a predefined period of inactivity (e.g. 3 months)?17/12/2019 20:15:3417/12/2019 20:15:34
Q35 Are data shares (shared drives) configured to provide access strictly linked to job function in order to maintain the security of information held within sensitive business functions such as HR and Finance?17/12/2019 20:15:3417/12/2019 20:15:34
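An added example, not part of the original questionnaire, of the checks behind Q29 to Q34 above run as code: an audit over a constructed directory export (accounts tied to a named individual, a ceiling on administrative accounts, lockout and no mailbox on administrative accounts, inactivity beyond a set period) and a password check applying the Q32 policy points (blacklist, minimum length, no reuse) to a candidate password. The account fields, the 90-day limit, the admin ceiling, the salt and the PBKDF2 parameters are assumptions; a real directory would supply its own history format.

```python
import hashlib
from datetime import date

INACTIVITY_LIMIT_DAYS = 90   # the "predefined period of inactivity" in Q34
MAX_ADMINS = 2               # assumed ceiling agreed for Q28
MIN_LENGTH = 8
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "letmein1"}
SALT = b"example-salt"       # assumed; real systems use a per-user salt

# Constructed directory export. owner is None when the account is shared.
ACCOUNTS = [
    {"name": "ajones", "owner": "A. Jones", "admin": False,
     "last_logon": "2020-05-20", "lockout_threshold": 10, "mailbox": True},
    {"name": "ajones-adm", "owner": "A. Jones", "admin": True,
     "last_logon": "2020-05-19", "lockout_threshold": 10, "mailbox": False},
    {"name": "helpdesk", "owner": None, "admin": True,
     "last_logon": "2020-05-21", "lockout_threshold": 0, "mailbox": True},
    {"name": "svc-backup", "owner": "IT Ops", "admin": True,
     "last_logon": "2020-05-21", "lockout_threshold": 0, "mailbox": False},
    {"name": "bsmith", "owner": "B. Smith", "admin": False,
     "last_logon": "2020-01-10", "lockout_threshold": 10, "mailbox": True},
]


def audit_accounts(accounts, today_iso):
    """One (account, question, finding) tuple per failed check."""
    today = date.fromisoformat(today_iso)
    findings = []
    for a in accounts:
        idle = (today - date.fromisoformat(a["last_logon"])).days
        if idle > INACTIVITY_LIMIT_DAYS:
            findings.append((a["name"], "Q34", f"inactive for {idle} days; disable"))
        if a["owner"] is None:
            findings.append((a["name"], "Q29", "not assigned to a specific individual"))
        if a["admin"]:
            if a["lockout_threshold"] == 0:
                findings.append((a["name"], "Q31", "no lockout after failed attempts"))
            if a["mailbox"]:
                findings.append((a["name"], "Q30", "administrative account has a mailbox"))
    admins = [a["name"] for a in accounts if a["admin"]]
    if len(admins) > MAX_ADMINS:
        findings.append(("policy", "Q28",
                         f"{len(admins)} administrative accounts exceed the ceiling of {MAX_ADMINS}"))
    return findings


def hash_password(password, salt=SALT):
    # PBKDF2 stands in for whatever the directory uses to keep password history.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


# Constructed history: one previous password for ajones.
HISTORY = {"ajones": {hash_password("Correct-Horse-42")}}


def password_problems(candidate, user, history=HISTORY):
    """Apply the Q32 points: blacklist, minimum length, no reuse, plus a
    username check as one concrete 'easily-discoverable information' rule."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blacklist")
    if user.lower() in candidate.lower():
        problems.append("contains the username")
    if hash_password(candidate) in history.get(user, set()):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, "2020-05-22"):
        print(finding)
    print(password_problems("Password1", "bsmith"))
```

Findings carry the question number so the audit output maps straight onto the questionnaire. The reuse check works only because the history is kept as salted hashes; storing old passwords in clear to enable the check would be a worse weakness than the reuse it prevents.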
A.9.1.1 Does your organisation outline the procedures on access control policy?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.1.2 Does your organisation outline the procedures on access to networks and network services?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.1 Does your organisation outline the procedures on user registration and de-registration?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.2 Does your organisation outline the procedures on user access provisioning?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.3 Does your organisation outline the procedures on management of privileged access rights?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.4 Does your organisation outline the procedures on management of secret authentication information of users?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.5 Does your organisation outline the procedures on review of user access rights?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.2.6 Does your organisation outline the procedures on removal or adjustment of access rights?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.3.1 Does your organisation outline the procedures on the use of secret authentication information?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.4.1 Does your organisation outline the procedures on information access restriction?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.4.2 Does your organisation outline the procedures on secure log-on procedures?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.4.3 Does your organisation outline the procedures on password management system?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.4.4 Does your organisation outline the procedures on use of privileged utility programs?17/12/2019 20:15:3417/12/2019 20:15:34
A.9.4.5 Does your organisation outline the procedures on access control to program source code?17/12/2019 20:15:3417/12/2019 20:15:34
Q25 Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.17/12/2019 20:15:3417/12/2019 20:15:34
Q26 How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)? 17/12/2019 20:15:3417/12/2019 20:15:34
Q27 How do you ensure that administrator accounts are not used for accessing email or web browsing?17/12/2019 20:15:3417/12/2019 20:15:34
Q28 Do you formally track which users have administrator accounts in your organisation? 17/12/2019 20:15:3417/12/2019 20:15:34
Q29 Do you review who should have administrative access on a regular basis? 17/12/2019 20:15:3417/12/2019 20:15:34
Q30 Have you enabled two-factor authentication for access to all administrative accounts?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.1.1 Does your organisation have an inventory of assets?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.1.2 Does your organisation outline ownership of assets in the inventory?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.1.3 Does your organisation outline the acceptable use of assets in set rules of the company?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.1.4 Does your organisation outline the policy on the return of assets for all employees?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.2.1 Does your organisation outline the classification of information?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.2.2 Does your organisation outline the procedures for labelling information?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.2.3 Does your organisation outline the procedures for handling assets?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.3.1 Does your organisation outline the policy and procedures on management of removable media?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.3.2 Does your organisation outline the procedures on disposal of media?17/12/2019 20:15:3417/12/2019 20:15:34
A.8.3.3 Does your organisation outline the procedures on physical media transfer?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.1.1 What are your organisation's procedures on network controls?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.1.2 What are your organisation's procedures on security of network services?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.1.3 What are your organisation's procedures on segregation in networks?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.2.1 What are your organisation's procedures on information transfer policies and procedures?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.2.2 Does your organisation have procedures in place on agreements on information transfer?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.2.3 Does your organisation have procedures in place on electronic messaging?17/12/2019 20:15:3417/12/2019 20:15:34
A.13.2.4 Does your organisation have procedures in place on confidentiality or non-disclosure agreements?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.1.1 Does your organisation have procedures in place on identification of applicable legislation and contractual requirements?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.1.2 Does your organisation have procedures in place on intellectual property rights?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.1.3 Does your organisation have procedures in place on protection of records?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.1.4 Does your organisation have procedures in place on privacy and protection of personally identifiable information?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.1.5 How does your organisation implement regulation of cryptographic controls?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.2.1 Does your organisation have procedures in place on independent review of information security?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.2.2 Does your organisation have procedures in place on compliance with security policies and standards?17/12/2019 20:15:3417/12/2019 20:15:34
A.18.2.3 Does your organisation have policies on technical compliance review?17/12/2019 20:15:3417/12/2019 20:15:34
A.10.1.1 Does your organisation outline a policy on the use of cryptographic controls?17/12/2019 20:15:3417/12/2019 20:15:34
A.10.1.2 Does your organisation have an outlined list of procedures regarding key management?17/12/2019 20:15:3417/12/2019 20:15:34
Q1 Have one or more firewalls (or similar network device) been installed on the boundary of the organisation’s internal network(s)?17/12/2019 20:15:3417/12/2019 20:15:34
Q2 Has the default administrative password of the firewall (or equivalent network device) been changed to an alternative difficult to guess password?17/12/2019 20:15:3417/12/2019 20:15:34
Q3 Has each open connection (i.e. allowed ports and services) on the firewall been subject to approval by an authorised business representative and documented (including an explanation of business need)?17/12/2019 20:15:3417/12/2019 20:15:34
Q4 Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification?17/12/2019 20:15:3417/12/2019 20:15:34
Q5 Have firewall rules that are no longer required been removed or disabled?17/12/2019 20:15:3417/12/2019 20:15:34
Q6 Are firewall rules subject to regular review?17/12/2019 20:15:3417/12/2019 20:15:34
Q7 Have computers that do not need to connect to the Internet been prevented from initiating connections to the Internet (Default deny)?17/12/2019 20:15:3417/12/2019 20:15:34
Q8 Has the administrative interface used to manage the boundary firewall been configured such that it is not accessible from the Internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q8a If the answer to Q8 is no, does the administrative interface require second factor authentication or is access limited to a specific address?17/12/2019 20:15:3417/12/2019 20:15:34
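As an added example of turning Q2 to Q8a above into a repeatable review (this is not code from the original page or from any firewall vendor), the script below audits a constructed rule base and device settings: allow rules without a documented business need and approver (Q3), the listed vulnerable services exposed to any source (Q4), rules with no traffic since the last review (Q5), the absence of an outbound default deny (Q7), an unchanged default administrative password (Q2) and a management interface reachable from the Internet without a second factor (Q8/Q8a). The rule fields, the hit counters, the device dictionary and the port numbers assigned to each named service are assumptions for this example.

```python
# Ports behind the services named in Q4, so a rule can be checked by port
# even when its service label is missing.
RISKY_SERVICES = {
    "smb": {445}, "netbios": {137, 138, 139}, "telnet": {23}, "tftp": {69},
    "rpc": {135}, "rlogin": {513}, "rsh": {514}, "rexec": {512},
}
RISKY_PORTS = {p: name for name, ports in RISKY_SERVICES.items() for p in ports}

# Constructed device settings for the boundary firewall.
DEVICE = {
    "admin_password_is_default": False,
    "mgmt_reachable_from": ["203.0.113.0/24"],  # sources allowed to the admin UI
    "mgmt_mfa": False,
}

# Constructed rule base, in evaluation order; hits counts traffic since the
# last review.
RULES = [
    {"id": 10, "dir": "in", "src": "any", "dport": 443, "action": "allow",
     "justification": "public web", "approved_by": "CTO", "hits": 120345},
    {"id": 20, "dir": "in", "src": "any", "dport": 445, "action": "allow",
     "justification": "", "approved_by": "", "hits": 17},
    {"id": 30, "dir": "in", "src": "198.51.100.0/24", "dport": 22, "action": "allow",
     "justification": "vendor support", "approved_by": "IT mgr", "hits": 0},
    {"id": 40, "dir": "in", "src": "any", "dport": "any", "action": "deny",
     "justification": "default deny", "approved_by": "IT mgr", "hits": 99999},
    {"id": 50, "dir": "out", "src": "10.0.0.0/8", "dport": 443, "action": "allow",
     "justification": "web browsing", "approved_by": "IT mgr", "hits": 5000},
    {"id": 60, "dir": "out", "src": "10.0.0.0/8", "dport": "any", "action": "allow",
     "justification": "", "approved_by": "", "hits": 80000},
]


def audit_rules(rules, device):
    """Return (rule id or scope, question, finding) tuples."""
    findings = []
    if device["admin_password_is_default"]:
        findings.append(("device", "Q2", "default administrative password unchanged"))
    exposed = any(src in ("any", "0.0.0.0/0") for src in device["mgmt_reachable_from"])
    if exposed and not device["mgmt_mfa"]:
        findings.append(("device", "Q8",
                         "admin interface reachable from the Internet without a second factor"))
    for r in rules:
        if r["action"] != "allow":
            continue
        if not r["justification"] or not r["approved_by"]:
            findings.append((r["id"], "Q3", "allow rule without documented need and approver"))
        if r["dir"] == "in" and r["dport"] in RISKY_PORTS and r["src"] == "any":
            findings.append((r["id"], "Q4", f"{RISKY_PORTS[r['dport']]} exposed to any source"))
        if r["hits"] == 0:
            findings.append((r["id"], "Q5", "no traffic since last review; remove or disable"))
    # Q7 holds only if the last outbound rule denies everything not matched above.
    outbound = [r for r in rules if r["dir"] == "out"]
    last = outbound[-1] if outbound else None
    if last is None or not (last["action"] == "deny" and last["dport"] == "any"):
        findings.append(("policy", "Q7",
                         "no outbound default deny; hosts can initiate any Internet connection"))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(RULES, DEVICE):
        print(finding)
```

A zero hit count is evidence for Q5, not proof: a rule that exists for an annual process or a disaster-recovery path will also show no traffic, which is why the justification field is checked independently of the counter.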
A.7.1.1 Does your organisation have an employee screening policy?17/12/2019 20:15:3417/12/2019 20:15:34
A.7.1.2 Does your organisation have a Terms and Conditions of employment in place?17/12/2019 20:15:3417/12/2019 20:15:34
A.7.2.1 Does your organisation have an information pack outlining management responsibilities?17/12/2019 20:15:3417/12/2019 20:15:34
A.7.2.2 Does your organisation implement information security awareness, education and training?17/12/2019 20:15:3417/12/2019 20:15:34
A.7.2.3 Does your organisation have a formal disciplinary process?17/12/2019 20:15:3417/12/2019 20:15:34
A.7.3.1 Does your organisation have termination or change of employment responsibilities outlined in an information pack?17/12/2019 20:15:3417/12/2019 20:15:34
A.17.1.1 Does your organisation have procedures in place on planning information security continuity?17/12/2019 20:15:3417/12/2019 20:15:34
A.17.1.2 Does your organisation have procedures in place on implementing information security continuity?17/12/2019 20:15:3417/12/2019 20:15:34
A.17.1.3 Does your organisation have procedures in place to verify, review and evaluate information security continuity?17/12/2019 20:15:3417/12/2019 20:15:34
A.17.2.1 Does your organisation have procedures in place for availability of information processing facilities?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.1 Does your organisation have procedures in place on incident management responsibilities?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.2 Does your organisation have procedures in place on reporting information security events?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.3 Does your organisation have procedures in place on reporting information security weaknesses?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.4 Does your organisation have procedures in place on assessment of and decision on information security events?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.5 Does your organisation have procedures in place on response to information security incidents?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.6 Does your organisation have procedures in place on learning from information security incidents?17/12/2019 20:15:3417/12/2019 20:15:34
A.16.1.7 Does your organisation have procedures in place on collection of evidence?17/12/2019 20:15:3417/12/2019 20:15:34
A.5.1.1 Does your organisation have policies for information security?17/12/2019 20:15:3417/12/2019 20:15:34
A.5.1.2 Does your organisation review information security policies at planned intervals or if significant changes have occurred?17/12/2019 20:15:3417/12/2019 20:15:34
Q31 Are all of your computers, laptops, tablets and mobile phones protected from malware by either: A - having anti-malware software installed, B - limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or C - application sandboxing (i.e. by using a virtual machine)? 17/12/2019 20:15:3417/12/2019 20:15:34
Q31a Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access?17/12/2019 20:15:3417/12/2019 20:15:34
Q31b Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?17/12/2019 20:15:3417/12/2019 20:15:34
Q36 Which of the following does the organisation mainly rely on for malware protection:17/12/2019 20:15:3417/12/2019 20:15:34
Q37 Has anti-virus or malware protection software been installed on all computers that are connected to or capable of connecting to the Internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q38 Has anti-virus or malware protection software (including program/engine code and malware signature files) been kept up-to-date (either by configuring it to update automatically or through the use of centrally managed service)?17/12/2019 20:15:3417/12/2019 20:15:34
Q39 Has anti-virus or malware protection software been configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when accessed (via a web browser)?17/12/2019 20:15:3417/12/2019 20:15:34
Q40 Has malware protection software been configured to perform regular periodic scans (eg daily)?17/12/2019 20:15:3417/12/2019 20:15:34
Q41 Are all applications which execute on devices approved by the business and restricted by code signing or other protection mechanisms?17/12/2019 20:15:3417/12/2019 20:15:34
Q42 Does the organisation maintain a list of approved applications?17/12/2019 20:15:3417/12/2019 20:15:34
Q43 Are users prevented from installing any other applications?17/12/2019 20:15:3417/12/2019 20:15:34
Q44 Is any unknown code limited to execute within a sandbox and cannot access other resources unless the user grants explicit permission?17/12/2019 20:15:3417/12/2019 20:15:34
Q1 Do you have firewalls at the boundaries between your organisation's internal networks and the internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q2 When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?17/12/2019 20:15:3417/12/2019 20:15:34
Q3 Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?17/12/2019 20:15:3417/12/2019 20:15:34
Q4 Do you change the password when you believe it may have been compromised? How do you achieve this?17/12/2019 20:15:3417/12/2019 20:15:34
Q5 Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?17/12/2019 20:15:3417/12/2019 20:15:34
Q6 Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q7 Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q8 Do you have software firewalls enabled on all of your computers and laptops?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.1.1 Does your organisation have a policy on documented operating procedures?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.1.2 What are your organisation's procedures on change management?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.1.3 What are your organisation's procedures on capacity management?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.1.4 What are your organisation's procedures on separation of development, testing and operational environments?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.2.1 What are your organisation's procedures on controls against malware?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.3.1 What are your organisation's procedures on information backup?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.4.1 Does your organisation have procedures on event logging?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.4.2 What are your organisation's procedures on protection off log information?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.4.3 What are your organisation's procedures on administrator and operator logs?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.5.1 What are your organisation's procedures on installation of software on operational systems?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.6.1 What are your organisation's procedures on management of technical vulnerabilities?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.6.2 What are your organisation's procedures on restrictions on software installations?17/12/2019 20:15:3417/12/2019 20:15:34
A.12.7.1 What are your organisation's procedures on information systems audit controls?17/12/2019 20:15:3417/12/2019 20:15:34
A6.1.1 How does your organisation assign information security roles and responsibilities?17/12/2019 20:15:3417/12/2019 20:15:34
A6.1.2 How does your organisation implement segregation of duties?17/12/2019 20:15:3417/12/2019 20:15:34
A6.1.3 Has your organisation identified and had contact with relevant authorities?17/12/2019 20:15:3417/12/2019 20:15:34
A6.1.4 Can your organisation maintain contact with special interest groups?17/12/2019 20:15:3417/12/2019 20:15:34
A6.1.5 Does your organisation have an information security policy which is addressed within project management?17/12/2019 20:15:3417/12/2019 20:15:34
A6.2.1 Does your organisation have a mobile device policy?17/12/2019 20:15:3417/12/2019 20:15:34
A6.2.2 Does your organisation have a teleworking policy?17/12/2019 20:15:3417/12/2019 20:15:34
Q45 Do you apply security patches to all software running on computers and network devices?17/12/2019 20:15:3417/12/2019 20:15:34
Q46 Has software running on computers that are connected to or capable of connecting to the Internet been licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available?17/12/2019 20:15:3417/12/2019 20:15:34
Q47 Has out-date or older software been removed from computer and network devices that are connected to or capable of connecting to the Internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q48 Have all security patches for software running on computers and network devices that are connected to or capable of connecting to the Internet been installed within 14 days of release or automatically when they become available from vendors?17/12/2019 20:15:3417/12/2019 20:15:34
Q49 Are all smart phones kept up to date with vendor updates and application updates?17/12/2019 20:15:3417/12/2019 20:15:34
Q50 Are all tablets kept up to date with vendor updates and application updates?17/12/2019 20:15:3417/12/2019 20:15:34
Q51 Do you perform regular vulnerability scans of your internal networks and workstations to identify possible problems and ensure they are addressed?17/12/2019 20:15:3417/12/2019 20:15:34
Q52 Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.1.1 Does your organisation have an outlined list of procedures regarding physical security perimeter?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.1.2 Does your organisation have an outlined list of procedures regarding physical entry controls?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.1.3 Does your organisation have an outlined list of procedures regarding securing offices, rooms and facilities?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.1.4 How would your organisation implement procedures protecting against external and environmental threats?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.1.5 How would your organisation implement procedures on working in secure areas?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.1.6 What are your organisation's procedures on delivery and loading areas?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.2.1 What are your organisation's procedures on equipment siting and protection?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.2.2 What are your organisation's procedures on supporting utilities ?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.2.3 What are your organisation's procedures on cabling security?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.2.4 What are your organisation's procedures on equipment maintenance?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.2.5 What are your organisation's procedures on removal of assets ?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.2.6 What are your organisation's procedures on security of equipment and assets off-premises?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.2.7 What are your organisation's procedures on secure disposal or reuse of equipment?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.2.8 What are your organisation's procedures on unattended user equipment?17/12/2019 20:15:3417/12/2019 20:15:34
A.11.2.9 What are your organisation's procedures on clear desk and clear screen policy?17/12/2019 20:15:3417/12/2019 20:15:34
Q9 Are unnecessary user accounts on internal workstations (or equivalent Active Directory Domain) (eg Guest, previous employees) removed or disabled?17/12/2019 20:15:3417/12/2019 20:15:34
Q10 Have default passwords for any user accounts been changed to a difficult to guess password?17/12/2019 20:15:3417/12/2019 20:15:34
Q11 Are strong, complex passwords defined in policy and enforced technically for all users and administrators?17/12/2019 20:15:3417/12/2019 20:15:34
Q12 Has the auto-run feature been disabled (to prevent software programs running automatically when removable storage media is connected to a computer or network folders are mounted)?17/12/2019 20:15:3417/12/2019 20:15:34
Q13 Has unnecessary (frequently vendor bundled) software been removed or disabled and do systems only have software on them that is required to meet business requirements?17/12/2019 20:15:3417/12/2019 20:15:34
Q14 Is all additional software added to workstations approved by IT or Management staff prior to installation and are standard users prevented from installing software?17/12/2019 20:15:3417/12/2019 20:15:34
Q15 Has a personal firewall (or equivalent) been enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default?17/12/2019 20:15:3417/12/2019 20:15:34
Q16 Are all user workstations built from a fully hardened base platform to ensure consistency and security across the estate?17/12/2019 20:15:3417/12/2019 20:15:34
Q17 Are Active Directory (or equivalent directory services tools) controls used to centralise the management and deployment of hardening and lockdown policies?17/12/2019 20:15:3417/12/2019 20:15:34
Q18 Are proxy servers used to provide controlled access to the Internet for relevant machines and users?17/12/2019 20:15:3417/12/2019 20:15:34
Q19 Is an offline backup or file journaling policy and solution in place to provide protection against malware that encrypts user data files?17/12/2019 20:15:3417/12/2019 20:15:34
Q20 Is there a corporate policy on log retention and the centralised storage and management of log information?17/12/2019 20:15:3417/12/2019 20:15:34
Q21 Are log files retained for operating systems on both servers and workstations?17/12/2019 20:15:3417/12/2019 20:15:34
Q22 Are log files retained for relevant applications on both servers (including DHCP logs) and workstations for a period of at least three months?17/12/2019 20:15:3417/12/2019 20:15:34
Q23 Are Internet access (for both web and mail) log files retained for a period of least three months?17/12/2019 20:15:3417/12/2019 20:15:34
Q24 Are mobile devices and tablets managed centrally to provide remote wiping and locking in the event of loss or theft?17/12/2019 20:15:3417/12/2019 20:15:34
Q25 Is a Mobile Device Management solution in place for hardening and controlling all mobile platforms in use within the organisation?17/12/2019 20:15:3417/12/2019 20:15:34
Q26 Remote (Internet) access to commercially or personal sensitive data and critical information requires authentication.17/12/2019 20:15:3417/12/2019 20:15:34
Q9 Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this.17/12/2019 20:15:3417/12/2019 20:15:34
Q10 Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business?17/12/2019 20:15:3417/12/2019 20:15:34
Q11 Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a nonguessable password of 8 characters or more?17/12/2019 20:15:3417/12/2019 20:15:34
Q12 Do all your users and administrators use passwords of at least 8 characters?17/12/2019 20:15:3417/12/2019 20:15:34
Q13 Do you run software that provides sensitive or critical information (that shouldn't be made public) to external users across the internet?17/12/2019 20:15:3417/12/2019 20:15:34
Q14 Is 'auto-run' or 'auto-play' disabled on all of your systems?17/12/2019 20:15:3417/12/2019 20:15:34
Q15 Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems? 17/12/2019 20:15:3417/12/2019 20:15:34
Q16 Are all applications on your devices supported by a supplier that produces regular fixes for any security problems?17/12/2019 20:15:3417/12/2019 20:15:34
Q17 Is all software licensed in accordance with the publisher’s recommendations?17/12/2019 20:15:3417/12/2019 20:15:34
Q18 Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how do you achieve this.17/12/2019 20:15:3417/12/2019 20:15:34
Q19 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.17/12/2019 20:15:3417/12/2019 20:15:34
Q20 Have you removed any applications on your devices that are no longer supported and no longer received regular fixes for security problems? 17/12/2019 20:15:3417/12/2019 20:15:34
A.15.1.1 Does your organisation have procedures in place on information security policy for supplier relationships?17/12/2019 20:15:3417/12/2019 20:15:34
A.15.1.2 Does your organisation have procedures in place on agreements on addressing security within supplier agreements?17/12/2019 20:15:3417/12/2019 20:15:34
A.15.1.3 Does your organisation have procedures in place on agreements on information and communication technology supply chain?17/12/2019 20:15:3417/12/2019 20:15:34
A.15.2.1 Does your organisation have procedures in place on agreements on monitoring and review of supplier services?17/12/2019 20:15:3417/12/2019 20:15:34
A.15.2.2 How does your organisation operate managing changes to supplier services?17/12/2019 20:15:3417/12/2019 20:15:34
A.14.1.1 Does your organisation have procedures in place for agreements on information security requirements analysis and specification?17/12/2019 20:15:3417/12/2019 20:15:34
A.14.1.2 Does your organisation have procedures in place on agreements on Securing application services on public networks17/12/2019 20:15:3417/12/2019 20:15:34
A.14.1.3 Does your organisation have procedures in place on agreements on Protecting application services transactions17/12/2019 20:15:3417/12/2019 20:15:34
A.14.2.1 Does your organisation have procedures in place on agreements on secure development policy?17/12/2019 20:15:3417/12/2019 20:15:34
A.14.2.2 Does your organisation have procedures in place on agreements on system change control procedures?17/12/2019 20:15:3417/12/2019 20:15:34
A.14.2.3 Does your organisation have procedures in place on agreements on technical review of applications after operating platform?17/12/2019 20:15:3417/12/2019 20:15:34
A.14.2.4 Does your organisation have procedures in place on agreements on restrictions on changes to software packages?17/12/2019 20:15:3417/12/2019 20:15:34
A.14.2.5 Does your organisation have procedures in place on agreements on secure system engineering principles?17/12/2019 20:15:3417/12/2019 20:15:34
A.14.2.6 Does your organisation have procedures in place to implement agreements on secure development environments?17/12/2019 20:15:3417/12/2019 20:15:34
A.14.2.7 Does your organisation have procedures in place on agreements on outsourced development?17/12/2019 20:15:3417/12/2019 20:15:34
A.14.2.8 Does your organisation operate testing procedures on agreement system security testing?17/12/2019 20:15:3417/12/2019 20:15:34
A.14.2.9 Does your organisation have procedures in place on agreements on system acceptance testing?17/12/2019 20:15:3417/12/2019 20:15:34
A.14.3.1 Does your organisation have procedures in place on agreements on protection of test data?17/12/2019 20:15:3417/12/2019 20:15:34
Q21 Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.17/12/2019 20:15:3417/12/2019 20:15:34
Q22 Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password? 17/12/2019 20:15:3417/12/2019 20:15:34
Q23 How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation? 17/12/2019 20:15:3417/12/2019 20:15:34
Q24 How do you ensure that staff only have the privileges that they need to do their current job? How do you do this?17/12/2019 20:15:3417/12/2019 20:15:34