IT Security Review for New Software Purchase

Vendors,
GCU’s IT Security & Business Engagement groups have several questions about the proposed application / service. This Cyber Security review will occur annually for all new and recurring requisitions. Please answer the questions below at your earliest convenience and provide as much detail as possible.

Word doc of the below questions

Programmatic Security

  • Is there a document you can share that provides a programmatic overview of your security posture?
  • Do you have a dedicated security team?
  • Is there an appointed security officer?
  • Where does the primary security officer report in the org structure?
  • Does your program orient toward a particular standard or framework?
  • What frameworks and standards are used (e.g., NIST 800-171, 800-53, MITRE ATT&CK, CIS 20, ISO 27001, etc.)

Certifications and Third Party Validations

  • Does a third party review and audit your security program?
  • How often?
  • What firm is used?
  • Do they provide a statement of assurance or summary letter to provide to customers?
  • Have any third party certifications been provided?  (if so, please list these)

Application Security

  • Is there a designated program and process for application security?
  • Are all web / software applications scanned prior to being released to production?
  • Is there a mature CI / CD process in place?
  • Is static code analysis and/or application scanning performed, with tollgates prior to the promotion of code as part of that process?
  • Has a web application penetration test been performed on the major code release currently in production, for the product currently under consideration?
  • Have all critical and high risk vulnerabilities or those demonstrated to be exploitable been remediated?
  • Is a web application firewall (WAF) deployed / set to prevent attacks?
  • Are APIs all confirmed as authenticated, regularly scanned and properly protected?

Network and Datacenter Security

  • Is a Layer 7 firewall deployed and set to prevent attacks?
  • Are high risk protocols blocked from the internet or scoped to specific IP ranges? (e.g., 3389, 445, 135, 21, 22, etc.)
  • Has external attack surface been reduced, by analyzing DNS entries and inbound NATs and associated VIPs and scoping appropriately?
  • Are outside facing services identified by such efforts hardened, patched and monitored with appropriate levels of urgency?
  • Is proper network segmentation implemented to segment high / low trust zones, scoping communication only to what is needed and instituting additional L7 inspection points?
  • Is microsegmentation in place on servers to reduce the scope of devices that can communicate and over only the needed ports?  (e.g., NSX, Tetration, Guardicore, Illumio, ACI, etc.)
  • Is a jump host standard enforced for high risk devices, such as DMZ environments and Domain Controllers, etc.?
  • Is a Network Detection and Response (NDR) or Intrusion Detection System (IDS) deployed to detect lateral movement, C2 and contextualize and inform IR?

Endpoint Security (server and workstation)

  • Are all endpoints managed and patched by a centralized process and system?
  • Is this process resilient to off-network users and a remote workforce, as appropriate?
  • Is an Next Gen Anti-Virus (NGAV) including Machine Learning and behavioral analysis in place?
  • Has an Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) solution been deployed?
  • Is host firewall (or microsegmentation) implemented to reduce the risk of exploitation of high risk services over expected ports?
  • Are hosts regularly scanned for vulnerabilities / remediated in a timely manner?
  • Identity and Access Management

Identity and Access Management

  • Has MFA been implemented to access:
    • VPN?
    • Cloud administration portals?
    • Critical cloud applications?
    • Email?
    • RDP or SSH to high risk servers?

Incidents, Breaches and Compromises

  • Has your organization experienced a material breach?  If yes:
    • Type – ransomware, data egress, etc?
    • Timeline – when was it?
    • Lessons learned – what did you improve or change based on this experience?
  • Incidents
    • Ok, it is just stupid to ask if anyone has had an incident or significant attack – everyone has.  However, it is definitely important to understand how response processes are evolving in response to the threat landscape.
    • How has your IR process evolved and what changes have been made in response to attacks?
  • BCP, DR, Backup and Recovery
    • Does your organization have a robust backup and recovery strategy?
    • Are there immutable, vaulted or cloud backups that are resilient to the targeting of backup and recovery mechanisms, typically exploited by Ransomware as a Service (RaaS) operators?
    • Does your organization have DR and BCP plans that are modern and adapted to more recent threats, such as ransomware?
  • Security Intelligence, Operations (SOC) and Incident Response (IR)
    • Are all security control and DC event logs available in a SIEM?
    • Have these logs been rationalized and built to generate notables for the SOC team to triage and prioritize / escalate?
    • Do security alerts / notables align with the most common attack scenarios you expect in your environment, in accordance with frameworks such as MITRE ATT&CK?
    • Does your organization have a SOC?
    • Is it outsourced or in-house?
    • If outsourced:
      • Is it comprehensive and all inclusive?
      • Are they monitoring all security controls?
      • Is it 24×7?
    • If in-house:
      • Is it 24×7? (if not, what is the coverage model)?
      • How are the skills of the team maintained?
      • Does the team receive outside training, certification or compete in competitions or events that develop skills?
    • Does your organization have an incident response plan?
    • Are dedicated and experienced Incident Response personnel a part of the organization – OR – is there a contract / retainer in place with a recognized and respected IR firm?
    • Has a communication plan been developed for incidents, attacks or outages?

 

Please send all questions and responses to [email protected]