Management Direction, Leadership

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 1 | A5 | 5.1.2 | Have all information security policies and standards been reviewed in the last 12 months? | Yes | 1 |
| 2 | | 5.1.1 | Is there a set of information security policies that have been approved by management, published and communicated to constituents? | No | 0 |
| 3 | | 5.1.2 | Describe the cybersecurity deployed with the system, to include infrastructure, application (for example, encryption), and transport. Security and encryption must be FIPS 140-2 compliant. | Yes | 1 |
| 4 | | 5.1.2 | Are you compliant with relevant cybersecurity standards (e.g., NIST, ISO 27000, NIST CSF, SOC2)? | No | 0 |
Organization Responsibilities and Roles

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 5 | A6 | 6.1.2 | Is there a policy that defines roles, responsibilities and authorities of information security? | Yes | 1 |
| 6 | | 6.1.2 | Is there segregation of duties for granting access and approving access to Scoped Systems and Data? | Yes | 1 |
Human Resource

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 7 | A7 | 7.1.1 | Do Human Resource policies include Constituent background screening criteria? | Yes | 1 |
| 8 | | 7.2.2 | Does the security awareness training program include new hire and annual participation? | Yes | 1 |
| 9 | | 7.2.3 | Does the Human Resource policy include a disciplinary process for non-compliance? | Yes | 1 |
Asset Management

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 10 | A8 | 8.1.3 | Is there an acceptable use policy for information and associated assets that has been approved by management, communicated to appropriate Constituents and assigned an owner to maintain and periodically review the policy? | Yes | 1 |
| 11 | | 8.1.4 | Is there a process to verify return of constituent assets (computers, cell phones, access cards, tokens, smart cards, keys, etc.) upon termination? | Not Applicable | 0 |
| 12 | | 8.2.1 | Is there a policy or procedure for information handling (storing, processing, and communicating) consistent with its classification that has been approved by management, communicated to appropriate constituents and assigned an owner to maintain and periodically review? | Yes | 1 |
| 13 | | 8.2.1 | Does the policy or procedure for information handling include storage requirements, including authorized use of Public Cloud storage? | Yes | 1 |
| 14 | | 8.3.2 | Is there a data retention/destruction requirement that includes information on live media, backup/archived media, and information managed by Employees? | Yes | 1 |
| 15 | | 8.2.2 | Is all Scoped Data sent or received electronically encrypted in transit while outside the network? | Yes | 1 |
Access Control

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 16 | A9 | 9.2.1 | Is electronic access to systems containing scoped data removed within 24 hours for terminated constituents? | Yes | 1 |
| 17 | | 9.2.1 | Is access on applications, operating systems, databases, and network devices provisioned according to the principle of least privilege? | Yes | 1 |
| 18 | | 9.2.1 | Is there a process to request and receive approval for access to systems transmitting, processing or storing Scoped Systems and Data? | Yes | 1 |
| 19 | | 9.4.2 | Is Multi-factor Authentication deployed? | Yes | 1 |
| 20 | | 9.4.2 | Does system policy require logoff from terminals, PCs or servers when the session is finished? | Yes | 1 |
| 21 | | 9.2.5 | Are user access rights reviewed periodically? | Yes | 1 |
| 22 | | 9.2.5 | Are access rights reviewed when a constituent changes roles? | Yes | 1 |
| 23 | | 9.2.5 | Are privileged user access rights reviewed periodically? | Yes | 1 |
| 24 | | 9.3.1 | Is there a password policy for systems that transmit, process or store Scoped Systems and Data that has been approved by management, communicated to constituents, and enforced on all platforms and network devices? If no, please explain in the 'Additional Information' field. | Yes | 1 |
| 25 | | 9.3.1 | Does the password policy require a minimum password length of at least eight characters? | Yes | 1 |
| 26 | | 9.3.1 | Are complex passwords (mix of upper case letters, lower case letters, numbers, and special characters) required on systems transmitting, processing, or storing Scoped Data? | Yes | 1 |
| 27 | | 9.3.1 | Does the password policy prohibit a PIN or secret question as a possible stand-alone method of authentication? | Yes | 1 |
| 28 | | 9.3.1/9.4.1 | Does the password policy require initial and temporary passwords to be changed upon next login? | Yes | 1 |
| 29 | | 9.3.1/9.4.1 | Does the password policy require initial and temporary passwords to be random and complex? | Yes | 1 |
| 30 | | 9.3.1 | Does your solution have features that prevent unauthorized access to the system or system data (for example, limiting user security database access to authorized system administrators only)? | Yes | 1 |
| 31 | | 9.3.1/9.4.1 | Are user IDs and passwords communicated/distributed via separate media (e.g., e-mail and phone)? | Yes | 1 |
| 32 | | 9.1.1 | Are mechanisms established so that access to personal information is limited to authorized personnel based upon their assigned roles and responsibilities? | Yes | 1 |
| 33 | | 9.4.5 | Is there a control to protect personal information stored on portable media or devices from unauthorized access? | Not Applicable | 0 |
| 34 | | 9.4.5 | Does your solution provide user name/login and password capabilities for all users, including members of outside Agencies, for web-based applications/portions of the solution? | Yes | 1 |
| 35 | | 9.4.5 | Does your solution include role-based functional security, configurable to allow the County to restrict access to some reports, functions, screens, etc. (for example, External Agency; Detention Admin; Detention View Only; System Admin)? Security should be additive for a single user across the entire solution. | Not Applicable | 0 |
| 36 | | 9.4.5 | Does your solution have a lock-out provision that will lock out access to an account after an organizationally-defined number (at least three) of unsuccessful logins by the user? | Yes | 1 |
Cryptography

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 37 | A10 | 10.1.1 | Does the policy or procedure for information handling include encryption requirements? | Yes | 1 |
| 38 | | 10.1.1 | Are encryption keys managed and maintained for Scoped Data? | Yes | 1 |
Physical and Environmental security

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 39 | A11 | 11.1.1 | Are there physical security and environmental controls in the data center and office buildings? | Not Applicable | 0 |
| 40 | | 11.1.1 | Is there a physical security program approved by management, communicated to constituents, and has an owner been assigned to maintain and review it? | Not Applicable | 0 |
| 41 | | 11.1.1 | Do physical access control procedures include collection of access equipment (badges, keys, changing PIN numbers, etc.) upon termination or status change? | Not Applicable | 0 |
| 42 | | 11.1.3 | Do physical access control procedures require reporting of lost or stolen access cards/keys? | Not Applicable | 0 |
| 43 | | 11.1.4 | Do the physical security and environmental controls include an electronic controlled access system (key card, token, fob, biometric reader, etc.)? | Not Applicable | 0 |
Operations Management

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 44 | A12 | 12.2.1 | Does Scoped Data sent or received electronically include protection against malicious code by network virus inspection or virus scan at the endpoint? | Yes | 1 |
| 45 | | 12.2.1 | Do scans performed on incoming and outgoing email include phishing prevention? | Yes | 1 |
| 46 | | 12.7.1 | Are locking screensavers on unattended system displays or locks on consoles required within the data center? | Not Applicable | 0 |
| 47 | | 12.7.1 | Does your solution have features that prevent computer viruses, hidden logic bombs, back doors, or any such code that could be activated inadvertently or otherwise at a later date or time? | Not Applicable | 0 |
| 48 | | | Is your solution able to automatically generate an application log file for application error messages identifying hardware/software problems, security violations, and attempted breaches? | Yes | 1 |
| 49 | | 12.1.2 | Are changes to the production environment, including network, systems, application updates, and code changes, subject to the change control process? | Yes | 1 |
| 50 | | 12.1.1/12.1.2 | Is there an operational change management/Change Control policy or program that has been documented, approved by management, communicated to appropriate Constituents and assigned an owner to maintain and review the policy? | Yes | 1 |
| 51 | | 12.1.2 | Does the change control process include a formal process to ensure clients are notified prior to changes being made which may impact their service? | Yes | 1 |
| 52 | | 12.5.1 | Does the change control process include a scheduled maintenance window? | Yes | 1 |
| 53 | | 12.1.2 | Does the change control process include a scheduled maintenance window which results in client downtime? | Yes | 1 |
| 54 | | 12.3.1 | Are backups of Scoped Systems and Data performed? | Yes | 1 |
| 55 | | 12.3.1 | Is there a policy or process for the backup of production data? | Yes | 1 |
| 56 | | 12.3.1 | Are backup media and restoration procedures tested at least annually? | Yes | 1 |
| 57 | | 12.3.1 | Are backup and replication errors reviewed and resolved as required? | Yes | 1 |
| 58 | | 12.3.1 | Is backup media stored offsite? | Not Applicable | 0 |
| 59 | | 12.3.1 | Are backups containing Scoped Data stored in an environment where the security controls protecting them are equivalent to the production environment? | Yes | 1 |
| 60 | | 12.2.1 | Is there an anti-malware policy or program that has been approved by management, communicated to appropriate constituents and assigned an owner to maintain and review the policy? | Yes | 1 |
| 61 | | 12.2.1 | Does the anti-malware policy or program include defined operating systems that require antivirus? | Yes | 1 |
| 62 | | 12.2.1 | Does the approved anti-malware policy or program mandate an interval between the availability of a new anti-malware signature update and its deployment of no longer than 24 hours? | Yes | 1 |
| 63 | | 12.2.1 | Is there a vulnerability management policy or program that has been approved by management, communicated to appropriate constituents and assigned an owner to maintain and review the policy? | Yes | 1 |
| 64 | | 12.4.1 | Is sufficient detail contained in Operating System and application logs to support security incident investigations (at a minimum, successful and failed login attempts, and changes to sensitive configuration settings and files)? | Yes | 1 |
| 65 | | 12.1.1 | Are all systems and applications patched regularly? | Yes | 1 |
| 66 | | 12.1.1 | Are there any Operating System versions in use within the Scoped Services that no longer have patches released? If yes, please describe in the 'Additional Information' section. | No | 0 |
| 67 | | 12.1.1 | Does the Cloud Hosting Provider provide independent audit reports (e.g., Service Operational Control - SOC) for their cloud hosting services? | Yes | 1 |
Network Security

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 68 | A13 | 13.1.1 | Do you have logical or physical segregation between web, application and database components (i.e., Internet, DMZ, Database)? | Yes | 1 |
| 69 | | 13.1.2 | Is HTTPS enabled for all web pages? | Yes | 1 |
| 70 | | 13.1.3 | Are non-company managed PCs used to connect to the company network? | Yes | 1 |
| 71 | | 13.1.1 | Are there security and hardening standards for network devices, including Firewalls, Switches, Routers and Wireless Access Points (baseline configuration, patching, passwords, access control)? | Yes | 1 |
| 72 | | 13.2.1 | Is there an approval process prior to installing a network device? | Yes | 1 |
| 73 | | 13.2.1 | Is every connection to an external network terminated at a firewall? | Not Applicable | 0 |
| 74 | | 13.1.2 | Do network devices deny all access by default? | Yes | 1 |
| 75 | | 13.1.2 | Do the firewalls have any rules that permit 'any' network, sub network, host, protocol or port on any of the firewalls (internal or external)? | Yes | 1 |
| 76 | | 13.1.2 | Are default passwords changed or disabled prior to placing the device into production? | Yes | 1 |
| 77 | | 13.1.2 | Is there a remote access policy for systems transmitting, processing and storing Scoped Systems and Data that has been approved by management and communicated to constituents? | Yes | 1 |
| 78 | | 13.2.2 | Are encrypted communications required for all remote connections? | Yes | 1 |
| 79 | | 13.3.3 | Is remote terminal technology (e.g., RDP, Citrix) used to access Scoped Systems and Data remotely? | Yes | 1 |
| 80 | | 13.2.1 | Are all available high-risk security patches applied and verified on network devices? | Yes | 1 |
| 81 | | 13.1.1 | Is there sufficient detail contained in network device logs to support incident investigation? | Yes | 1 |
| 82 | | 13.1.1 | Are Network Intrusion Detection capabilities employed? | Yes | 1 |
| 83 | | 13.1.1 | Is there a wireless policy or program that has been approved by management, communicated to appropriate constituents and assigned an owner to maintain and review the policy? | Not Applicable | 0 |
| 84 | | 13.1.1 | Does the Wireless Security Policy require wireless connections to be secured with WPA2, and encrypted using AES or CCMP? | Not Applicable | 0 |
| 85 | | 13.1.3 | Are wireless networking devices connected to networks containing Scoped Systems and Data? | Not Applicable | 0 |
| 86 | | 13.1.1 | Is there a documented privacy policy or procedures maintained for the protection of information collected, transmitted, processed, or maintained on behalf of the client? | Yes | 1 |
| 87 | | 13.1.1 | Are privacy risks identified and associated mitigation plans documented in a formal data protection or privacy program plan that is reviewed by management? | Yes | 1 |
| 88 | | 13.1.1 | Is conspicuous notice provided in clear and plain language about privacy policies and procedures related to client scoped data? | Yes | 1 |
| 89 | | 13.2.1 | Do privacy notices identify the purposes for which personal information is collected, used, processed, retained, maintained, and disclosed? | Yes | 1 |
| 90 | | 13.1.1 | Is there an ongoing process to review and update privacy policies and notices on a periodic basis? | Yes | 1 |
| 91 | | 13.1.1 | Are notices communicated to inform individuals regarding awareness of privacy obligations, retention periods of data collected, and opt-out choices applicable to the services? | Yes | 1 |
| 92 | | 13.1.3 | Is a website, mobile, or digital service privacy policy developed, maintained, published, and communicated to users on devices or applications that have access to client-scoped privacy data? | Yes | 1 |
| 93 | | 13.1.1 | Are network vulnerability scans performed against internal networks and systems? | Yes | 1 |
| 94 | | 13.1.1 | Are network vulnerability scans performed against internet-facing networks and systems? | Yes | 1 |
| 95 | | 13.1.1 | Do network vulnerability scans occur at least monthly? | Yes | 1 |
| 96 | | 13.1.1 | Are servers used for transmitting, processing or storing Scoped Data? | Yes | 1 |
| 97 | | 13.1.1 | Are server security configuration standards documented and based on external industry or vendor guidance? | Yes | 1 |
| 98 | | 13.1.1 | Are server security configuration reviews performed regularly to validate compliance with documented standards? | Yes | 1 |
| 99 | | 13.1.3 | Are all servers configured according to security standards as part of the build process? | Yes | 1 |
| 100 | | 13.1.3 | Are all unnecessary/unused services uninstalled or disabled on all servers? | Yes | 1 |
| 101 | | 13.1.3 | Are vendor default passwords removed, disabled or changed prior to placing any device or system into production? | Yes | 1 |
Software Development

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 102 | A14 | 14.2.1 | Do all projects involving Scoped Systems and Data go through some form of information security assessment? | Yes | 1 |
| 103 | | 14.2.6 | Are Constituents able to view the client's unencrypted Data? | No | 0 |
| 104 | | 14.2.6 | Is there a formal Software Development Life Cycle (SDLC) process? | Yes | 1 |
| 105 | | 14.2.4 | Is there a documented change management/change control process for applications with Scoped Data? | Yes | 1 |
| 106 | | 14.2.8 | Are applications evaluated from a security perspective prior to promotion to production? | Yes | 1 |
| 107 | | 14.2.1 | Are open source software or libraries used to transmit, process or store Scoped Data? | Yes | 1 |
| 108 | | 14.2.8/14.2.9 | Is a Secure Code Review performed regularly? | Yes | 1 |
| 109 | | 14.2.8/14.2.9 | Do secure code reviews include regular analysis of vulnerability to recent attacks? | Yes | 1 |
| 110 | | 14.2.8/14.2.9 | Are identified security vulnerabilities remediated prior to promotion to production? | Yes | 1 |
| 111 | | 14.2.8/14.2.9 | Is a web site supported, hosted or maintained that has access to Scoped Systems and Data? | Yes | 1 |
Supplier Management

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 112 | A15 | 15.1.1 | Are there any dependencies on critical third party service providers? | Not Applicable | 0 |
| 113 | | 15.1.2 | Do agreements with third parties who have access to or potential access to client Scoped Data address confidentiality, audit, security, and privacy, including but not limited to incident response, ongoing monitoring, limitations on data use, limitations on data sharing, return of data, and secure disposal of privacy data? | Not Applicable | 0 |
| 114 | | 16.1.1 | Is there an established incident management program that has been approved by management, communicated to appropriate constituents and assigned an owner to maintain and review the program? | Not Applicable | 0 |
| 115 | | 16.1.1 | Is there a formal Incident Response Plan? | Yes | 1 |
| 116 | | 16.1.1 | Does the Incident Response Plan include guidance for escalation procedures? | Yes | 1 |
| 117 | | 16.1.2 | Does the Incident Response Plan include actions to be taken in the event of an information security event? | Yes | 1 |
Business Continuity

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 118 | A17 | 17.1.1 | Is there an established business resiliency program that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and review the program? | No | 0 |
| 119 | | 17.2.1 | Does the business resiliency program include a formal annual (or more frequent) executive management review of business continuity key performance indicators, accomplishments, and issues? | No | 0 |
| 120 | | 17.1.3 | Is there a periodic (at least annual) review of your Business Resiliency procedures? | No | 0 |
| 121 | | 17.1.3 | Is communication required in the event of a disruption that impacts the delivery of key service provider products and services? | Yes | 1 |
Compliance Management

| # | Annex | Control | Question | Answer | Score |
|---|---|---|---|---|---|
| 122 | A18 | 18.1.4 | Are there documented privacy policies and procedures that address choice and consent based on the statutory, regulatory, or contractual obligations to provide privacy protection for client-scoped privacy data? | Yes | 1 |
| 123 | | 18.1.4 | For client-scoped Data, is personal data collected directly from an individual on behalf of the client or provided to the organization directly by the client? | Yes | 1 |
| 124 | | 18.1.4 | Is there a documented records retention policy and process with defined schedules that ensure that Personal Information is retained for no longer than necessary? | Yes | 1 |
Total score: 99