Are there procedures in place for post-intrusion prevention triggers and alerts based on anomalies in security logs?
Is a risk assessment conducted and are security controls documented according to risk?
Are new applications and services reviewed for security risk?
Are there designated staff members for addressing user security questions and issues?
Are security policies and standards reviewed biannually and are additional security controls deployed as needed?
Does IT staff discourage users from using unencrypted USB drives or other mobile media?
Do the password policies for users conform to standards?
Are there more stringent password settings for system administrators, such as multifactor authentication or 15-character passwords?
Are there prohibitions against unencrypted laptops or personal electronic devices?
Are the procedures for terminating user accounts coordinated with HR and enterprise systems? What is the timeframe for removing user accounts? What is the timeframe for terminating admin accounts? Are admin accounts annually recertified?
1. Does a documented change management procedure exist?
2. Is the IT staff briefed on change management processes biannually?
3. Are stakeholders identified and communicated with prior to change requests?
4. Are change requests reviewed and communicated with appropriate IT and business units?
5. Are problematic changes reviewed? Do informal CM processes for root-cause analysis and lessons learned exist?
6. Are vendors, business partners, and other entities expected to follow CM processes?
7. Do CM procedures require documented testing plans?
8. Do processes include coordination of test, dev, and prod data and systems as part of the testing plan?
9. Are there prohibitions on testing on production systems? Is testing on prod data discouraged, limited and documented?
Do documented procedures exist for identifying and classifying problems (e.g. usability or interfaces)? What are the procedures?
Do customers and partners have a channel for communicating problems?
What are the documented procedures for escalating problems and events to incidents?
Are incident handlers identified based on type and scope of incidents?
Does an incident policy and procedure exist, and is it documented?
Are incident post-mortems conducted? Are remediation actions planned and deployed?