Client security assessment brief

• Identity and Access Management

  User Identity Management

  Can you provide a list of user access controls implemented within your Company?

  How are user entitlements provisioned, and what criteria are used to determine the level of access granted?

  How are employees, consultants, and contractors subjected to background checks before being granted access to the Company's systems?

  Could you explain the process of verifying the identity of new employees and contractors during the onboarding phase?

  Are all personnel required to sign a non-disclosure agreement? If so, what does it entail, specifically regarding the protection of client information?

  How are unique identifiers and identification badges assigned to workers, and how are they used to ensure proper identity verification?

  What measures are in place to prevent personnel from sharing their individual credential information (e.g., usernames and passwords)?

  Are there any additional user identity management policies or procedures in place that were not covered in the previous questions?

  Entitlements Management

  Are there Company-approved authentication and entitlement solutions implemented for all applications?

  How are these solutions designed to limit access to authorized personnel?

  How does the Company enable reporting of user entitlements and management approval?

  How often are system entitlements associated with critical and sensitive applications reviewed by management?

  Are there more frequent reviews for privileged access?

  How are entitlements reviewed when personnel transfer to new roles or departments within the Company?

  How does the Company ensure appropriate segregation of duties as part of its internal control framework?

  Can you provide information on how segregation of duties is enforced to prevent the same individual from initiating, approving, and reconciling the same critical transaction or process?

  Is an automated system used to continuously monitor entitlement stores and identify violations in segregation of duty requirements?

  Can you explain the process for revoking access to the Company's facilities and general access to information systems when a worker leaves the Company?

  Are there any special circumstances where access is revoked immediately instead of within 24 hours?

  Access Controls

  Are there established password requirements in place within your Company?

  Yes

  No

  Other (specify)

  Are these password requirements documented in a formal standard?

  Yes

  No

  Other (specify)

  What are the password requirements regarding the establishment of a new password at initial login?

  What is the minimum password length required?

  Are there any specific alphanumeric composition requirements for passwords?

  Yes

  No

  Other (specify)

  Is there an expiration period for passwords? If so, what is the defined period?

  How many unsuccessful login attempts are allowed before lockout?

  Is there a password history requirement?

  Yes

  No

  Other (specify)

  Is there an inactivity lockout in place?

  Yes

  No

  Other (specify)

  How is data segregation achieved within your Company? (e.g., logical segregation, data-level access controls)

  Is administrative access to systems that store client data required to be approved by authorized managers?

  Yes

  No

  Other (specify)

  What measures are taken to control access to production environments? (e.g., access authorizations, logging, time limits on access)

  Is pre-approval required for technology staff to gain access to production systems?

  Yes

  No

  Other (specify)

  Who are the authorized individuals with access to production environments?

  Are access permissions time-bound?

  Yes

  No

  Other (specify)

  Is access to production environments subject to logging and periodic review?

  Yes

  No

  Other (specify)

  Are access permissions in production environments limited to necessary functions?

  Yes

  No

  Other (specify)

  How is access to production environments regularly monitored? (e.g., keystroke logging)

  Are changes made to production environments subject to mandatory reviews?

  Yes

  No

  Other (specify)

  Is multi-factor authentication (MFA) required for accessing systems from outside the Company's network?

  Yes

  No

  Other (specify)

• Application and Software Security

  Centralized Inventory and Risk Classification

  Can you provide a list of all the applications within your Company?

  What type of information is recorded in the centralized inventory for each application?

  How frequently is the centralized inventory updated to include new applications or changes to existing applications?

  Are all applications required to complete a risk profile? If so, what information is included in the risk profile?

  How are risk classifications determined for each application? Are there specific criteria or guidelines that are followed?

  Can you provide a list of the different risk classifications and the associated required controls and resiliency thresholds for each classification?

  How often are the risk classifications reviewed and updated for each application? Is this done on an annual basis or more frequently?

  How are risks identified and recorded in the centralized inventory? Are there specific assessments or evaluations that are conducted?

  Are there any specific regulatory or compliance requirements that the risk classifications help to address?

  Can you provide any examples of risks that have been identified and recorded in the centralized inventory for applications?

• Infrastructure Security

  Configuration Management and Hardening

  How does the Company ensure that its systems continue to perform consistently and as expected over time from a security perspective?

  What industry standards does the Company use as a benchmark for its system hardening efforts?

  Can you provide details on the specific security practices employed by the Company to ensure the systems are hardened adequately?

  Are the hard drives on Company-provided laptops encrypted? If yes, what industry standard tools are used for encryption?

  Are the Company-provided laptops used for a small number of specific business purposes only?

  Does the Company have a documented configuration policy in place to enforce an inactivity screen lock on every endpoint? If yes, please provide details on the configuration policy.

  How is file access permission restricted on the Company's systems?

  Are logs maintained for system activity on the Company's systems? If yes, can you provide details on the logging mechanisms in place?

  Network Security

  Are there multiple network zones implemented in your network environment?

  Yes, we have multiple network zones separated by firewalls and other controls.

  No, we do not have multiple network zones.

  Are Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) deployed at your network perimeter?

  Yes, IDS and IPS are deployed at our network perimeter.

  No, IDS and IPS are not deployed at our network perimeter.

  Are the management interfaces on perimeter firewalls, routers, and other devices accessible from the Internet?

  Yes, management interfaces are accessible from the Internet.

  No, management interfaces are not accessible from the Internet.

  Do you subscribe to continuous Distributed Denial of Service (DDoS) monitoring and mitigation services?

  Yes, we subscribe to continuous DDoS monitoring and mitigation services from multiple service providers.

  No, we do not subscribe to continuous DDoS monitoring and mitigation services.

  Do you host your primary Internet web presence on Content Delivery Networks (CDNs) with DDoS mitigation and absorption capacity?

  Yes, we host our primary Internet web presence on CDNs with DDoS mitigation and absorption capacity.

  No, we do not host our primary Internet web presence on CDNs.

  Does the implemented network request throttling limit the number of referrals and requests made by client IP addresses?

  Yes, the implemented network request throttling limits the number of referrals and requests made by client IP addresses.

  No, there is no network request throttling implemented.

  Are alerts generated by DDoS activities monitored and mitigated as needed?

  Yes, alerts generated by DDoS activities are monitored and mitigated as needed.

  No, alerts generated by DDoS activities are not monitored and mitigated as needed.

  Is wireless access to the Company's infrastructure only permitted from Company-approved devices?

  Yes, wireless access to the Company's infrastructure is only permitted from Company-approved devices.

  No, wireless access is not restricted to Company-approved devices.

• System Monitoring, Capacity and Vulnerability Management

  Virtual Desktop Solution

  How is the Virtual Desktop Infrastructure (VDI) implemented within your Company?

  What kind of thin clients are being used by the users to access their virtual desktops?

  Can you provide details about the secure connection used for remote access to the virtual desktops? Are all connections encrypted using SSL/TLS or another encryption method?

  How is multi-factor authentication implemented and enforced for remote access to the virtual desktops? Can you provide details about the specific factors used for authentication? Is multi-factor authentication mandatory for all users accessing the virtual desktops remotely?

  How is user access control managed within the virtualized infrastructure? Are proper access control policies and role-based access controls in place? Are access logs maintained for audit purposes?

  Can you explain how the virtualized infrastructure provides the same level of control as your on-premise infrastructure? Are there any additional security measures in place for the virtualized infrastructure?

  Are any network segregation or segmentation techniques deployed within the virtualized infrastructure to separate different user groups or departments?

  What security measures are in place to protect against unauthorized access or data leakage within the virtual desktop environment? Are there features like data loss prevention (DLP), web filtering, or endpoint protection in place?

  How are patches and updates managed for the virtual desktop infrastructure? Are regular security updates tested and deployed in a timely manner? Are there any processes in place for ensuring the virtualized environment remains secure against vulnerabilities?

  Are user activities and data within the virtual desktop environment monitored for security purposes? Are there any intrusion detection or prevention systems in place? How are security incidents or anomalies within the virtual desktop environment detected and responded to?

  How are non-virtual desktop computing models handled? Can you provide an overview of the exceptions that require non-virtual desktop computing? Is there a specific process or approval mechanism in place for conducting non-virtual desktop computing?

  Can you provide any security incident or breach history related to the virtual desktop solution? Have there been any previous incidents or vulnerabilities identified within the virtual desktop infrastructure? How were these incidents mitigated and what measures have been taken to prevent similar incidents in the future?

  Secure Remote Access for Personnel Personnel

  Are personnel allowed to use their personal devices for remote access to Company resources?

  What is the Company's Bring Your Own Device (BYOD) Program?

  Are personal devices only permitted to connect to the Company's systems through Company-approved mobile applications?

  Is any storage of Company or client information on personal devices, outside of Company-approved applications, strictly prohibited?

  Does remote access to the Company's network provide the same controls as on-premise access?

  What are the two primary mechanisms for personnel to remotely access the Company?

  What services can be accessed using secure applications on personal mobile phones or tablets?

  How does the Company's remote access solution enable access to a virtual desktop?

  What are the features of the Company-approved mobile applications?

  Are there any third-party applications that personnel can use for analytic and/or business-related activity? If yes, do these applications meet the Company's security criteria?

  What security features do the mobile applications used by the Company generally utilize?

  Is mobile threat defense implemented in the Company's mobile applications?

  Does the Company use device allow-listing for the mobile applications?

  Are the network connections secured for the mobile applications?

  Is multi-factor authentication implemented for the mobile applications?

  Is sandboxing used for the mobile applications?

  Is encryption implemented for the mobile applications?

  Is device registration required for the use of mobile applications?

  Is required operating system (OS) patching enforced for the mobile applications?

  Is there a verification process to ensure that the OS of the mobile device is not jailbroken?

  Is there a capability to remotely wipe data from personnel's mobile devices?

  Are personnel issued Company devices for specific business purposes?

  Is all data on Company-issued devices encrypted at rest and in transit for remote access and mobile computing?

• Mobile Security
  What operating systems are the Company mobile applications designed for? (iOS, Android, etc.)

  Are the Company mobile applications developed in-house or by third-party vendors?

  How frequently are the Company mobile applications updated to address security vulnerabilities and improve functionality?

  Do the Company mobile applications undergo regular security audits or penetration testing?

  What type of multi-factor authentication is implemented in the Company mobile applications? (SMS-based, authenticator apps, hardware tokens, etc.)

  Are users allowed to enable biometric authentication (fingerprint, face recognition) for accessing their accounts?

  How is the data in transit encrypted? (TLS, SSL, etc.)

  Are there any additional security measures in place, such as device-level encryption or remote wipe capabilities?

  How are user credentials and sensitive data stored on the mobile devices? (Keychain, secure storage, etc.)

  What measures are taken to ensure the integrity and authenticity of the market news accessed through the mobile applications?

  Are there any restrictions or controls in place to prevent unauthorized access or use of the Company mobile applications?

  Are there any usage logs or monitoring systems in place to detect and mitigate potential security incidents in the Company mobile applications?

  Has there been any history of security incidents or breaches related to the Company mobile applications?

  Are there any compliance or regulatory requirements that the Company mobile applications need to adhere to?

  How are security updates or patches for the Company mobile applications deployed to users?

  Are there any external security certifications or standards that the Company mobile applications have obtained? (ISO 27001, SOC 2, etc.)

  How are security policies and best practices communicated to the users of the Company mobile applications?

  Are there any user awareness or training programs in place to educate users about secure usage of the mobile applications?

  How are vulnerabilities or security issues reported and addressed in the Company mobile applications?

  Can you provide any additional information regarding the security controls implemented in the Company mobile applications?

• Data Security

  Data Governance

  What is the current data governance framework in place at your Company?

  Can you provide an overview of the roles and responsibilities of individuals involved in data governance?

  How is sensitive data classified and protected within your Company?

  What measures or processes are in place to ensure data integrity and accuracy?

  How is data lifecycle managed within your Company, from creation to disposal?

  Are there any data retention policies in place? If yes, can you provide details?

  How often is data quality assessed and audited?

  What mechanisms are in place to ensure data confidentiality and prevent unauthorized access?

  Are there any data sharing agreements with third-party vendors or partners? If yes, how is data governance enforced in those agreements?

  How is data governance aligned with regulatory and compliance requirements specific to your industry?

  Are there any ongoing data governance initiatives or projects? If yes, can you provide details?

  How are data governance policies communicated and enforced within the Company?

  Are there any data governance training or awareness programs in place for employees?

  Can you provide any documentation or evidence that showcases the effectiveness of your data governance program?

  How are data governance practices monitored and measured for continuous improvement?

  Are there any challenges or issues faced in implementing or maintaining a robust data governance program?

  Can you provide any examples of how the data governance program has resulted in tangible benefits for the Company?

  What are your future plans or goals for enhancing the data governance program?

  Do you have any additional information or insights that you would like to share regarding data governance at your Company?

  Encryption

  What sensitive personal information does the Company handle?

  How is sensitive personal information encrypted in transit?

  How is sensitive personal information encrypted at rest?

  Are there any specific regulatory, security, or contractual considerations that require additional encryption or compensating controls for certain types of data?

  What industry standard encryption methods are currently being used by the Company?

  How often does the Company review the strength of its encryption protocols?

  Are there Company-standard solutions available for file encryption transferred between the Company and third-parties?

  Is opportunistic email encryption, such as Transport Layer Security (TLS), enabled with all clients?

  Are there specific business requirements that mandate mandatory email encryption?

  Is mandatory email encryption supported and enabled by mutual agreements with clients?

  Data Security

  Does the Company have a formal, structured data privacy security program in place?

  Are there mandatory controls and processes for all applications and assets storing or processing personally identifiable information?

  Is the data privacy security program regularly updated in accordance with applicable laws, regulations, and internal standards?

  Are there clear desk guidelines in place to keep the workspace clear of paper containing sensitive data?

  Are there controls implemented to lock user workstations after a defined idle period?

  Are personnel advised to lock workstations when away from their desk?

  Are there controls in place to ensure secure data destruction at the end-of-life of a storage device?

  Is there a program in place to identify end-of-life systems and prioritize upgrades or demise based on criticality of supported services?

  Are retired media sanitized using a standard set of tools?

  Is physical media destruction performed according to pre-defined procedures?

  How is asset decommissioning managed? Is it internally managed through workflow, inventory, and scanning processes?

  Does the Company retain records for various periods as needed to comply with applicable laws, regulations, and internal retention policies?

  Physical security

  What physical security measures are currently in place to protect data centers and offices?

  Are card access systems implemented for physical access control? If yes, how are these access cards issued and managed?

  Are biometric access systems implemented for physical access control? If yes, how are these biometric data stored and managed?

  Are video surveillance cameras deployed in the data centers and offices? If yes, how is the recorded video footage stored and retained?

  Is there on-site security staff present at the data centers and offices? If yes, how are they trained and supervised?

  Are there environmental controls in place to protect the facilities from environmental hazards? If yes, what types of controls are implemented?

  How is access to data centers and offices granted? Is it based on need and aligned with Companywide access controls?

  Are designated access approvers responsible for approving physical access requests? If yes, who are these designated access approvers?

  Are periodic reviews conducted to ensure that physical access is still granted based on need?

  Is physical separation of teams and offices in place based on business and regulatory requirements? If yes, how is this separation enforced? formed according to pre-defined procedures?

  How is access to data centers and offices electronically logged? Is it through access card or biometric technology?

  Are visitors required to present photo identification before being granted access to the Company's offices or data center facilities?

  Is there a process in place to confirm that visitors have a confirmed host before being granted access?

  How are visitor logs maintained? Are they retained for a certain period of time?

  Are critical data centers geographically dispersed? If yes, how many data centers are there and where are they located?

  Are critical data centers supported by diverse utility and power infrastructure?

  Are there security personnel on duty 24 hours a day at critical data centers? If yes, how are they trained and supervised?

  Is access to critical data centers limited to only essential support personnel? If yes, what process is in place to ensure compliance with this restriction?

  Are facilities protected from power outages by uninterruptible power supplies (UPS) and generators?

  Are air conditioning units installed to ensure proper temperature control in the facilities?

  Are fire detection and suppression systems in place to protect against fire hazards?

  Are water detection systems installed to detect any potential water leaks or flooding incidents?

  Are physical security standards consistently applied to all offices globally, including business recovery site locations?

• Cloud Computing

  Do you have a comprehensive Companywide Vendor Management Policy and Program that outlines the risk-based framework for managing third-party vendor relationships?

  Yes

  No

  Does your vendor management process cover vendor selection, onboarding, performance monitoring, and risk management?

  Yes

  No

  Are vendors required to design, implement, and maintain information security controls consistent with your Company's security policies and standards?

  Yes

  No

  Do you conduct initial assessments of vendors who have access to your Company's information?

  Yes

  No

  How do you determine the breadth and frequency of re-certifications for vendors?

  Based on each vendor's information security rating.

  Fixed schedule for all vendors.

  Other (specify)

  How do you rank and address gaps found during due diligence assessments?

  Based on the level of risk.

  All gaps are immediately addressed.

  Other (specify)

  Do you conduct ongoing oversight of vendors based on the criticality of their services to the Company and the results of the initial risk assessment?

  Yes

  No

  How do you handle changes in services provided by a particular vendor?

  Identify and assess the changes as part of the standard oversight process.

  Conduct an updated risk assessment before onboarding additional services.

  Other (specify)

  Do you require vendors to sign standard contractual provisions before receiving sensitive information from the Company?

  Yes

  No

  Which dedicated teams in your Company are responsible for regular assessment and reporting on the security practices of vendors?

  Cybersecurity team.

  Risk management team.

  Other (specify)

Existing Infrastructure