Security Compliance: CCM Questions

More digestible questions based on the Cloud Controls Management v4.0.3 compliance framework, one short list per control domain.

A&A

  • Does the organization have independent audits performed on a regular basis according to relevant compliance standards?

  • Are the results of these audits reported to the proper officials and used for remediation?

AIS

  • Does the organization define application security requirements and document how the security of its proprietary applications is maintained?

BCR

  • Does the organization maintain a business continuity and disaster response plan?

  • Is this plan tested and updated regularly?

CCC

  • Are baselines for all organizational assets and policies for changing configurations of these assets established and regularly updated?

  • Is there a plan for detecting unauthorized changes and rolling back unwanted changes?

CEK

  • Are secure cryptographic technologies implemented and maintained in order to protect passwords, cryptographic keys, and other sensitive information?

DCS

  • Is all sensitive information stored, transported, and disposed of carefully? (This can include physical and digital storage, transportation, and disposal.)

DSP

  • Is the management, security, and ownership of personal or sensitive data defined and documented?

HRS

  • Are employees vetted, trained, and informed properly before receiving access to sensitive information?

  • Are workspaces and sites physically secured?

IAM

  • Are secure user policies implemented? This includes strong authentication policies, least privilege policies, and strong information and user management policies.

IVS

  • Are work environments separated logically and is the communication between those environments secured properly?

LOG

  • Are physical and information systems logged and monitored for anomalous activity?

SEF

  • Is there an established security incident response plan that is regularly reviewed and tested?

TVM

  • Are there policies and procedures to prevent and remediate vulnerabilities and malware?

  • Are these policies and procedures tested and updated regularly?

UEM

  • Are endpoints secured?

  • Is usage of these endpoints controlled and monitored?
