Do you maintain a quality management system (QMS) approved by management?
In lieu of a formal and static QMS, Ethicontrol has a dynamic and responsive approach to quality management.
Does your quality management system (QMS) include coverage for software application security principles?
YES
Is quality management system (QMS) content published and communicated to all relevant employees?
YES
Is quality management system (QMS) content reviewed and updated (if appropriate) at least once per year?
It is treated as a constant work in progress and is updated almost daily in small increments.
Is there defined management oversight who is responsible for application quality and security reporting & signoff?
YES
Is access to and maintenance of applications, systems, network components (including routers, databases, firewalls, voice communications servers, voice recording servers, etc.), operating systems, virtualization components, hypervisors, or other information objects restricted to authorized personnel only?
YES
Is access to and maintenance of applications, systems, network components (including routers, firewalls, voice communications servers, voice recording servers, voice response units (VRUs), etc.), operating systems, virtualization components, hypervisors, or other information objects granted based upon need-to-know job function?
YES
For all IT systems including but not limited to servers, routers, switches, firewalls, databases, and external social spaces, is management approval required prior to creating all user and privileged accounts (e.g., system or security administrator)?
YES
For all IT systems, including but not limited to servers, routers, switches, firewalls, and databases, are privileged accounts (e.g., system or security administrator) logged at all times and reviewed on at least a quarterly basis?
YES
Are all user accounts (including, but not limited to, standard user, system administrator, security administrator, internal social spaces, etc.) assigned to an individual employee and not shared?
YES
Are all user accounts disabled after no more than ten unsuccessful logon attempts?
YES
For all IT systems (including but not limited to servers, routers, databases, switches, firewalls, external social spaces), are inactive user and privileged accounts (e.g., system administrator or security administrator) disabled after 90 days or more of inactivity?
YES
Is a user's identity verified before communicating an initial/temporary password or initiating a password reset by an automated or manual process?
YES
Are application, system, and device passwords (including those for routers, firewalls, databases, and external social spaces) required to have the following characteristics: 1. minimum length of 8 characters, 2. chosen from any acceptable character sets available on the target system, 3. includes at least one alphabetic and one numeric character?
YES
Are passwords prevented from being displayed in clear text during user authentication or in electronic/printed reports?
YES
Are passwords/PINs sent to users utilizing a secure method (e.g. secure e-mail) and sent separately from other authentication information such as the user account?
YES
For all IT systems (including but not limited to servers, routers, databases, switches, firewalls), are user and privileged account (e.g., system or security administrator) passwords changed at least every 90 days?
YES
Are users required to authenticate prior to changing their password?
YES
Are all system, application and device password files encrypted using an industry standard encryption algorithm where technically feasible?
YES
In instances where a software token is used to access an application or system, is a password or PIN required?
YES
In instances where a software token is used to access an application or system, are stored keys and software token files encrypted using an industry standard algorithm, and are smartcards compliant with FIPS level 2 or above?
YES
For externally hosted environments, is there separation of administrative access between the hosting infrastructure/platform and the hosted platform and data?
YES
If user accounts are assigned to non-permanent personnel (e.g., contractors, consultants) for troubleshooting purposes, are the accounts disabled or removed after each use?
YES
Is the retirement or replacement of encryption keys included in key management procedures when the integrity of the key has been weakened (such as departure of an employee with key knowledge) or keys are suspected of being compromised?
YES
If you use cloud services, do you ensure that confidential data or an aggregation of proprietary information that can reveal confidential information is encrypted to ensure confidentiality at rest and in transit?
YES
If you use cloud services, do you have key management procedures to manage and maintain encryption keys?
YES