
A.8 Technological Controls

Checklist columns: Control No. | Control Description | Control | Assessment Questions | Response

8.1 User end point devices
Control: Information stored on, processed by or accessible via user end point devices shall be protected.
Assessment questions:
1. Does a mobile device policy exist, and is it approved?
2. Inventory details of the registered mobile devices.
3. Does the policy document address the additional risks of using mobile devices (e.g. theft of devices, use of open Wi-Fi hotspots)?
4. Does the organisation have access control and malware protection in place for mobile devices?
5. Does the organisation take regular backups of mobile devices?
6. Is there a process for registration of user endpoint devices?
7. Is there any restriction on software installation on user endpoint devices?
8. Are remote disabling, deletion or lockout controls implemented on user endpoint devices?
9. Are the USB ports disabled on user endpoint devices?
Response:

8.2 Privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and managed.
Assessment questions:
1. What criteria has your organisation defined for assigning access privileges to a user?
2. How do you authorise, record and maintain access privileges?
3. Is there an access control policy?
4. How does the organisation notify employees of their assigned privileged access?
5. Is a procedure in place for preventing unauthorised use of generic IDs?
6. Has the organisation defined the expiry conditions for privileged access?
7. Is there a process to review the privileged access rights assigned to users?
8. How often are the access reviews performed?
Response:

8.3 Information access restriction
Control: Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.
Assessment questions:
1. Do you ensure that sensitive information is kept confidential and that no unauthorised identities have access to it?
2. Has the organisation defined, maintained and controlled what data can be accessed by whom?
3. Does the organisation control which identities have which access (read, write, delete, execute)?
4. Does the organisation provide physical/logical access controls for isolating sensitive systems, applications and data?
Response:

8.4 Access to source code
Control: Read and write access to source code, development tools and software libraries shall be appropriately managed.
Assessment questions:
1. Does the organisation manage access to program source code and its libraries according to established procedures?
2. Are read/write access rights granted and revoked on a need basis?
3. Does your organisation ensure that developers access source code only through developer tools with proper authorisation?
4. Does your organisation maintain an audit log of all accesses to, and all changes made to, source code?
Response:

8.5 Secure authentication
Control: Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.
Assessment questions:
1. Does your organisation test that no confidential information is displayed before the log-on process has successfully completed?
2. Does your organisation display generic notices/warnings that systems should be accessed by authorised users only?
3. Is there a defined limit on unsuccessful login attempts?
4. Is a procedure defined for raising a security issue?
5. Are passwords masked?
6. Are passwords encrypted before transmission?
7. Is a session timeout in place to log out inactive sessions?
8. Are users required to change their password upon first login?
9. Are default vendor accounts and passwords changed?
Response:

8.6 Capacity management
Control: The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.
Assessment questions:
1. Is there a process to manage the capacity requirements of all systems based on the business process and its criticality?
2. Is there a process to identify expected future capacity requirements?
3. Are detective controls implemented to indicate problems and notify administrators?
4. Does the organisation follow its retention practices and remove obsolete data?
Response:

8.7 Protection against malware
Control: Protection against malware shall be implemented and supported by appropriate user awareness.
Assessment questions:
1. Has your organisation created a formal policy for managing malware?
2. Is the anti-malware solution implemented on all systems?
3. Is the anti-malware solution configured to perform periodic scans?
4. Is the anti-malware solution configured to receive signature updates on a regular basis?
5. Is the anti-malware solution configured to send alerts to system administrators upon identifying malware?
6. Is there a process in place for detecting malicious websites?
Response:

8.8 Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
Assessment questions:
1. Are the roles and responsibilities for vulnerability monitoring, vulnerability risk assessment and patching defined?
2. Are the scope and frequency of technical vulnerability assessments defined?
3. Is there a process to rate vulnerabilities as Critical, High, Medium and Low?
4. Are remediation timelines defined according to the vulnerability ratings?
5. Is there a formal process to install patches for remediating vulnerabilities?
6. Are patches tested and evaluated before they are installed?
Response:

8.9 Configuration management
Control: Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
Assessment questions:
1. Does your organisation have a policy and procedure in place for documenting the configurations of hardware, software and network devices?
2. Are a proper role and ownership assigned to individuals for managing configuration on devices?
3. Does the organisation follow a standardised template for hardening hardware and software?
4. Does the organisation have an appropriate mechanism in place to review system and hardware updates at regular intervals, and any current security threats, to ensure optimal performance?
Response:

8.10 Information deletion
Control: Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
Assessment questions:
1. Does your organisation have a policy that covers maintenance activities related to deletion and destruction of data and/or IT assets, including the use of specialised software and liaison with vendors specialising in data and device deletion?
2. Does the organisation regularly identify data which is no longer in use and needs to be removed to prevent unauthorised access or misuse?
3. When employing a specialised deletion vendor, is sufficient evidence obtained (via documentation) that the deletion has been performed?
Response:

8.11 Data masking
Control: Data masking shall be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
Assessment questions:
1. Does the organisation have a policy and procedure in place to ensure anonymisation or pseudonymisation of data, for protection of data as per legal and regulatory requirements?
2. Is a process in place to discover how masked data is accessed?
3. Does the data masking policy and procedure include the following requirements?
- Implement masking techniques that expose only the lowest possible amount of data to those who use it.
- At the request of the data subject, certain data may be hidden, and staff access to the relevant sections is restricted to certain members only.
- Construct the data masking procedure in accordance with legal and regulatory requirements.
- Pseudonymisation requires the use of an algorithm to unmask data, and this must be kept secure.
Response:

8.12 Data leakage prevention
Control: Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
Assessment questions:
1. Has the organisation defined a procedure to reduce the risks of data leakage through email, inward/outward file transfer and USB devices?
2. Has the organisation established proper measures to ensure data is classified according to industry standards so that different levels of risk can be assigned?
3. Has the organisation set up proper authorisation methods?
4. Is the data in backups, and all sensitive data, encrypted?
5. Has the organisation implemented gateway security and leakage retention measures to protect against external influences?
6. Has the organisation identified monitoring channels for identifying data leakage?
Response:

8.13 Information backup
Control: Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
Assessment questions:
1. Does the organisation have an approved policy and procedure for managing backups of data on devices, storage media, cloud, databases and servers?
2. How often are the servers and configuration data backed up?
3. Are the backed-up data restored and checked at regular intervals?
4. Are the results of restorations recorded?
5. Is the backup plan updated on a regular basis?
6. Has the organisation defined the backup restoration testing frequency?
Response:

8.14 Redundancy of information processing facilities
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Assessment questions:
1. Does the organisation have a policy and procedure in place to ensure that data processed through any ICT technology, physical facility or software is duplicated, to ensure availability in the event of disruption?
2. Has the organisation considered geographically disparate locations when outsourcing data services (file storage/data centre amenities)?
3. Is redundancy in place for all systems to ensure availability of the information processing facilities?
Response:

8.15 Logging
Control: Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
Assessment questions:
1. Do you have a process to review security audit logs in a timely manner and act upon threats?
2. Are appropriate event logs maintained and regularly reviewed?
3. Are logging facilities protected against tampering and unauthorised access?
4. Are system administrator/operator activities logged and reviewed regularly?
5. Are NTP services deployed, and are systems synchronised with them?
6. Are log archives maintained?
7. How is log collection and aggregation from the different network, security, server, database, identity systems and applications managed?
Response:

8.16 Monitoring activities
Control: Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
Assessment questions:
1. Does the company have a policy and procedure in place for identifying suspect events that should be reported to relevant personnel, in order to maintain network integrity and improve business continuity?
2. Has the organisation established a baseline of normal working conditions in order to identify anomalies in the network?
Response:

8.17 Clock synchronization
Control: The clocks of information processing systems used by the organization shall be synchronized to approved time sources.
Assessment questions:
1. Has the organisation identified a reputable time source?
2. Are all devices synchronised with the NTP server hosted in the organisation?
3. Is there a process to restrict access to time data in the organisation?
4. Is there a process to identify and monitor all changes to NTP systems?
Response:

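As an added example, not part of this checklist, the following Python script shows what an auditor can run over exported log records to test two of the questions under 8.15 and 8.17: whether records have been edited or removed after collection (8.15, question 3) and whether source clocks agree with the collector's clock (8.15, question 5; 8.17, question 2). The hash-chained record layout, the field names, the 5-second skew tolerance and the sample events are all assumptions made for the example.

```python
import copy
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64      # previous-hash value for the first record
MAX_SKEW_SECONDS = 5.0  # assumed tolerance for an NTP-synced host; set per policy

def chain_hash(prev_hash, fields):
    """SHA-256 over the previous record's hash plus this record's canonical fields."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def build_log(events):
    """What the collector writes: every record carries a hash bound to its predecessor."""
    log, prev = [], GENESIS
    for fields in events:
        prev = chain_hash(prev, fields)
        log.append({**fields, "hash": prev})
    return log

def verify_chain(log):
    """Seq numbers where the chain breaks: an edited record, or the gap a removed one leaves."""
    broken, prev = [], GENESIS
    for entry in log:
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry["hash"] != chain_hash(prev, fields):
            broken.append(entry["seq"])
        prev = entry["hash"]
    return broken

def clock_skew_findings(log, max_skew=MAX_SKEW_SECONDS):
    """(host, seq, skew) for records whose source clock disagrees with the collector's."""
    findings = []
    for entry in log:
        skew = abs((datetime.fromisoformat(entry["received"])
                    - datetime.fromisoformat(entry["ts"])).total_seconds())
        if skew > max_skew:
            findings.append((entry["host"], entry["seq"], skew))
    return findings

# Constructed sample events (not from a real system): "ts" is the source clock,
# "received" the collector's clock. db01 is running about eight minutes slow.
EVENTS = [
    {"seq": 1, "host": "fw01", "ts": "2024-03-01T10:00:00",
     "received": "2024-03-01T10:00:01", "msg": "admin login ok"},
    {"seq": 2, "host": "db01", "ts": "2024-03-01T09:52:10",
     "received": "2024-03-01T10:00:03", "msg": "schema change"},
    {"seq": 3, "host": "fw01", "ts": "2024-03-01T10:00:05",
     "received": "2024-03-01T10:00:06", "msg": "rule deleted"},
    {"seq": 4, "host": "ad01", "ts": "2024-03-01T10:00:09",
     "received": "2024-03-01T10:00:10", "msg": "group membership change"},
]
LOG = build_log(EVENTS)

def tampered_log():
    """Negative test for the auditor: record 3 edited and record 2 removed after the fact."""
    log = copy.deepcopy(LOG)
    log[2]["msg"] = "rule added"
    del log[1]
    return log
```

A break reported at a given seq means that record or the one before it was altered or removed; a skew finding points at a host whose clock, not the collector's, needs checking against the approved time source.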
8.18 Use of privileged utility programs
Control: The use of utility programs that can be capable of overriding ...
Assessment questions:
1. Has the organisation defined a list of utility programs?
2. Does the organisation have a procedure in place to identify, authorise and authenticate the use of utility programs?
3. Are ad hoc utility programs used? If yes, what is the approval process for them?
4. Details of logging for utility programs.
Response:

8.19 Installation of software on operational systems
Control: Procedures and measures shall be implemented to securely manage software installation on operational systems.
Assessment questions:
1. Policy and procedure in place for software installation and for upgrading existing software.
2. List of whitelisted software approved by management for use in the organisation.
3. Are audit logs maintained for the changes carried out?
4. Change management procedure and policy for installing/upgrading software.
5. Sample change management tickets raised for installation and upgrade of software.
Response:

8.20 Networks security
Control: Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
Assessment questions:
1. Does the organisation have an approved copy of the network diagram?
2. Network asset inventory for the organisation.
3. Are logging and monitoring of network equipment in place?
4. Details of where network configuration files are stored and how they are backed up.
5. What encryption controls are deployed for data in transit?
6. Is there a procedure in place for authenticating network devices?
Response:

8.21 Security of network services
Control: Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.
Assessment questions:
1. Policy and procedure in place for network security management.
2. Procedure for updating OS patches and network OS.
3. Details of the approved individuals who can make changes to the network.
4. Details of the SIEM, DLP, SOAR, IDS and IPS implemented.
5. Is there a procedure in place for accessing network devices?
Response:

8.22 Segregation of networks
Control: Groups of information services, users and information systems shall be segregated in the organization's networks.
Assessment questions:
1. What security controls are implemented to ensure segregation of access between the production, testing and development environments?
2. How is the network segmented, and how is access to the different network segments monitored?
Response:

8.23 Web filtering
Control: Access to external websites shall be managed to reduce exposure to malicious content.
Assessment questions:
1. Are web filtering rules implemented to permit access to specific websites only?
2. Is there an approved list of high-risk website/content categories?
3. Are controls implemented to block malicious content from being downloaded (e.g. web proxy, email gateway, anti-phishing module, EDR)?
Response:

8.24 Use of cryptography
Control: Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
Assessment questions:
1. Does the organisation have a cryptography policy in place?
2. How are cryptographic keys accessed, stored and safeguarded?
3. Is an inventory of the cryptographic keys and certificates in use maintained?
4. Is there a defined process for deciding encryption key strength and encryption algorithms?
5. Is the cryptoperiod defined for all encryption keys?
Response:

8.25 Secure development life cycle
Control: Rules for the secure development of software and systems shall be established and applied.
Assessment questions:
1. Does the organisation have a secure application development policy?
2. Are security requirements considered in all phases of development?
3. Are secure coding guidelines used for development?
4. Does the organisation have secure source code repositories?
5. Does the organisation maintain version control on source code?
Response:

8.26 Application security requirements
Control: Information security requirements shall be identified, specified and approved when developing or acquiring applications.
Assessment questions:
1. Is there a process to ensure that all information security requirements are identified when developing or acquiring applications?
2. Are legal, statutory and regulatory requirements considered during application development?
3. Are privacy requirements considered during application development?
Response:

8.27 Secure system architecture and engineering principles
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.
Assessment questions:
1. Documented standards and evidence for secure system engineering and system architecture.
2. Do the secure engineering guidelines include the following?
- Methods of user authentication
- Secure session control guidance
- Procedures for sanitising and validating data
- Security measures for protecting information assets and systems against known threats
- Security measures analysed for their ability to identify, eliminate and respond to security threats
- How and where the security measures will be implemented
3. Procedure in place for validating the practices and standards of service providers/third parties so that they are in line with secure engineering principles.
Response:

8.28 Secure coding
Control: Secure coding principles shall be applied to software development.
Assessment questions:
1. Details of the secure development policy and procedures.
2. Threat and vulnerability process.
3. Tools for secure code development, if any.
4. Reports on secure code review, SAST and DAST.
5. Is the development team regularly trained on real-world threats?
6. Does secure coding take the following points into account?
- Details of the attack surface
- OWASP Top 10 vulnerabilities
Response:

8.29 Security testing in development and acceptance
Control: Security testing processes shall be defined and implemented in the development life cycle.
Assessment questions:
1. Are user authentication, access restrictions and the use of cryptographic techniques tested?
2. Does the organisation test the secure configuration of the OS, firewalls and other components?
3. Does the organisation have a test plan defined, documented and implemented?
4. Does the organisation carry out vulnerability assessments (VA)? If yes, the frequency and reports of the same.
5. Does the organisation conduct penetration tests (PT)? If yes, the frequency and reports of the same.
6. Does the organisation test the security of its databases?
Response:

8.30 Outsourced development
Control: The organization shall direct, monitor and review the activities related to outsourced system development.
Assessment questions:
1. Are licensing, code ownership and IPR arrangements for outsourced development in place?
2. Does the organisation have contractual requirements for secure design, coding and testing practices?
3. Is provision for threat modelling by external developers considered?
4. Is UAT done and approved?
5. Details of software escrow in place.
6. Details of audits conducted by the organisation on the third party.
Response:

8.31 Separation of development, test and production environments
Control: Development, testing and production environments shall be separated and secured.
Assessment questions:
1. Does the organisation have segregated environments for applications (development, test and production)?
2. Access control list for each environment, and review of the same.
3. Privileged user access management process in place.
4. Patch and backup management processes in place.
5. Detailed VAPT reports.
6. Details of web application security.
Response:

8.32 Change management
Control: Changes to information processing facilities and information systems shall be subject to change management procedures.
Assessment questions:
1. Does the organisation have a change management policy and procedure?
2. Is there a formal change request process?
3. Are a change impact assessment, testing and a roll-back plan defined for all changes?
4. Are changes approved before implementation?
5. Is there a process to manage emergency changes?
Response:

8.33 Test information
Control: Test information shall be appropriately selected, protected and managed.
Assessment questions:
1. Does the organisation apply the same access control procedures to test and production environments?
2. Details of the approval required if production data is copied to the testing environment.
3. Samples of the data used in the testing, development and production environments.
4. Has the organisation defined a data management process and guidelines?
Response:

8.34 Protection of information systems during audit testing
Control: Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.
Assessment questions:
1. Does the organisation have a system audit and assurance plan?
2. List of all applicable privacy laws and regulations.
3. Details of the audit calendar and recent audit reports.
4. Procedure in place for protecting PII data.
5. User awareness records of personnel involved in system operations.
Response:
