Mapping Diagnostics
Diagnostics Summary
Questions in Scope
58
Questions with Gaps
54
Fully Mapped Questions
4
Stale Questions
0
Authoritative Gaps
54
Question Diagnostics Matrix
Client-scoped diagnostics for freshness, evidence presence, and compliance outcomes.
| Question | Control | Expected Systems | Missing Systems | Freshness | Status | Actions | |
|---|---|---|---|---|---|---|---|
A4.1
Do you have firewalls at the boundaries between your organisation's internal networks, laptops, desktops, servers, and the internet? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.1.1
Do you have software firewalls enabled on all of your computers, laptops and servers? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.1.2
If you answered no to question A4.1.1, is this because software firewalls are not installed by default as part of the operating system you are using? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.2
When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.2.1
Please describe the process for changing your firewall password. |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.3
How is your firewall password configured? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.4
Do you change your firewall password when you know or suspect it has been compromised? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.5
Do you have a process to manage your firewall? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.6
Have you reviewed your firewall rules in the last 12 months? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.7
Are host firewalls enabled and configured to block unauthorized inbound network connections on supported endpoints? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.8
Please describe how you approve and document your allowed inbound connections. |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.9
Are your boundary firewalls configured to allow access to their configuration settings over the internet? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.10
If you answered yes in question A4.9, is there a documented business requirement for this access? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A4.11
If you answered yes in question A4.9, is the access to your firewall settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication to access the settings? |
Host Firewall Enforcement | M365, NinjaOne | M365 |
Fresh |
NonCompliant | ||
A5.1
Is unnecessary or unauthorized software identified and remediated in line with policy? |
Unnecessary Software Remediation | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A5.2
Are systems and identities configured to an approved secure baseline with unnecessary features disabled? |
Secure Configuration Baseline | M365, NinjaOne | M365, NinjaOne |
No Evidence |
NonCompliant | ||
A5.3
Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets and mobile phones? |
Secure Configuration Baseline | M365, NinjaOne | M365, NinjaOne |
No Evidence |
NonCompliant | ||
A5.4
Do you run or host external services that provide access to data (that should not be made public) to users across the internet? |
Secure Configuration Baseline | M365, NinjaOne | M365, NinjaOne |
No Evidence |
NonCompliant | ||
A5.5
If yes to question A5.4, which authentication option do you use? |
Secure Configuration Baseline | M365, NinjaOne | M365, NinjaOne |
No Evidence |
NonCompliant | ||
A5.6
Describe the process in place for changing passwords on your external services when you believe they have been compromised. |
Secure Configuration Baseline | M365, NinjaOne | M365, NinjaOne |
No Evidence |
NonCompliant | ||
A5.7
When not using multi-factor authentication, which option are you using to protect your external service from brute force attacks? |
Secure Configuration Baseline | M365, NinjaOne | M365, NinjaOne |
No Evidence |
NonCompliant | ||
A5.8
Have you disabled any feature which allows automatic file execution of downloaded or imported files without user authorisation? |
Secure Configuration Baseline | M365, NinjaOne | M365, NinjaOne |
No Evidence |
NonCompliant | ||
A5.9
When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed? |
Secure Configuration Baseline | M365, NinjaOne | M365, NinjaOne |
No Evidence |
NonCompliant | ||
A5.10
Which method do you use to unlock the devices? |
Unnecessary Software Remediation | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.1
Are all operating systems on your devices supported by a vendor that produces regular security updates and vulnerability fixes? |
Security Update Currency | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.2
Is all the software on your devices supported by a supplier that produces regular vulnerability fixes for any security problems? |
Security Update Currency | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.2.1
Please list your internet browser(s). |
Security Update Currency | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.2.2
Please list your malware protection software. |
Security Update Currency | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.2.3
Please list your email applications installed on end user devices and servers. |
Security Update Currency | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.2.4
Please list all office applications that are used to create organisational data. |
Security Update Currency | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.3
Are any of the in-scope software or cloud services unlicensed or unsupported? |
Unsupported Software Remediation | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.3.1/A6.6/A6.7
Is unsupported or end-of-life software identified and remediated with accountable ownership? |
Unsupported Software Remediation | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.4/A6.5
Are security updates applied within policy timelines for operating systems and applications? |
Security Update Currency | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.4.1
Are all updates applied for operating systems by enabling auto updates? |
Security Update Currency | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.4.2
Where auto updates are not being used, how do you ensure all high-risk or critical security updates and vulnerability fixes of all operating systems and firmware on firewalls and routers are applied within 14 days of release? |
Security Update Currency | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.5.1
Are all updates applied on your applications by enabling auto updates? |
Security Update Currency | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A6.5.2
Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release? |
Security Update Currency | M365, NinjaOne, HaloPSA | HaloPSA, M365, NinjaOne |
No Evidence |
NonCompliant | ||
A7.1
Are your users only provided with user accounts after a process has been followed to approve their creation? Describe the process. |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.2
Are all your user and administrative accounts accessed by entering unique credentials? |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.3
How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation? |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.4
Do you ensure that staff only have the access privileges that they need to do their current job? How do you do this? |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.5
Do you have a formal process for giving someone access to systems at an administrator level and can you describe this process? |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.6
Are administrative accounts separate from standard user accounts and used only for administrative tasks? |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.7
How does your organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email? |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.8
Do you formally track which users have administrator accounts in your organisation? |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.9
Do you review who should have administrative access on a regular basis? |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.10
Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks? |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.11
Which technical controls are used to manage the quality of your passwords within your organisation? |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.12
Please explain how you encourage people to use unique and strong passwords. |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.13
Do you have a process for when you believe the passwords or accounts have been compromised? |
Privileged Account Separation | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.14
Is multi-factor authentication enforced for privileged users and cloud service access? |
MFA for Privileged and Cloud Access | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.15
If you have answered no to question A7.14, please provide a list of your cloud services that do not provide any option for MFA. |
MFA for Privileged and Cloud Access | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.16
Has MFA been applied to all administrators of your cloud services, excluding any listed in A7.15 that do not provide it? |
MFA for Privileged and Cloud Access | M365 | M365 |
No Evidence |
NonCompliant | ||
A7.17
Has MFA been applied to all users of your cloud services, excluding any listed in A7.15 that do not provide it? |
MFA for Privileged and Cloud Access | M365 | M365 |
No Evidence |
NonCompliant | ||
A8.1
Is anti-malware protection enabled on supported devices with current signatures and active monitoring? |
Endpoint Malware Protection | M365, NinjaOne | None |
Fresh |
NonCompliant | ||
A8.2/A8.3
Are malware detections investigated and resolved through a documented incident workflow? |
Malware Incident Handling | NinjaOne, HaloPSA | None |
Fresh |
NonCompliant | ||
A8.4
If Option B has been selected: where you use an app-store or application signing, are users restricted from installing unsigned applications? |
Endpoint Malware Protection | M365, NinjaOne | None |
Fresh |
NonCompliant | ||
A8.5
If Option B has been selected: where you use an app-store or application signing, do you ensure users only install applications approved by your organisation and maintain that approved list? |
Endpoint Malware Protection | M365, NinjaOne | None |
Fresh |
NonCompliant | ||
Missing Coverage Controls
Controls that currently lack coverage, split by whether evidence is missing or not feasible in this scope/client.
No Coverage
40
Coverage Not Possible
0
| Requirement | Question | Gap Type | Expected Systems | Reason | Actions |
|---|---|---|---|---|---|
| CE-SC-1 | A5.2 | No Coverage |
M365, NinjaOne | No evidence records were returned for this control in the selected scope/client. | |
| CE-SC-1 | A5.3 | No Coverage |
M365, NinjaOne | No evidence records were returned for this control in the selected scope/client. | |
| CE-SC-1 | A5.4 | No Coverage |
M365, NinjaOne | No evidence records were returned for this control in the selected scope/client. | |
| CE-SC-1 | A5.5 | No Coverage |
M365, NinjaOne | No evidence records were returned for this control in the selected scope/client. | |
| CE-SC-1 | A5.6 | No Coverage |
M365, NinjaOne | No evidence records were returned for this control in the selected scope/client. | |
| CE-SC-1 | A5.7 | No Coverage |
M365, NinjaOne | No evidence records were returned for this control in the selected scope/client. | |
| CE-SC-1 | A5.8 | No Coverage |
M365, NinjaOne | No evidence records were returned for this control in the selected scope/client. | |
| CE-SC-1 | A5.9 | No Coverage |
M365, NinjaOne | No evidence records were returned for this control in the selected scope/client. | |
| CE-SC-2 | A5.1 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SC-2 | A5.10 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-1 | A6.1 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-1 | A6.2 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-1 | A6.2.1 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-1 | A6.2.2 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-1 | A6.2.3 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-1 | A6.2.4 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-1 | A6.4/A6.5 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-1 | A6.4.1 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-1 | A6.4.2 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-1 | A6.5.1 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-1 | A6.5.2 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-2 | A6.3 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-SUM-2 | A6.3.1/A6.6/A6.7 | No Coverage |
M365, NinjaOne, HaloPSA | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.1 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.2 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.3 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.4 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.5 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.6 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.7 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.8 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.9 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.10 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.11 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.12 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-1 | A7.13 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-2 | A7.14 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-2 | A7.15 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-2 | A7.16 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
| CE-UAC-2 | A7.17 | No Coverage |
M365 | No evidence records were returned for this control in the selected scope/client. | |
Mapping Rationale
Columnar view of rationale and status for quicker scanning across controls.
| Requirement | Question | Status | Decision Basis |
|---|---|---|---|
CE-FW-1 |
A4.1
Do you have firewalls at the boundaries between your organisation's internal networks, laptops, desktops, servers, and the internet? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.1.1
Do you have software firewalls enabled on all of your computers, laptops and servers? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.1.2
If you answered no to question A4.1.1, is this because software firewalls are not installed by default as part of the operating system you are using? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.2
When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.2.1
Please describe the process for changing your firewall password. |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.3
How is your firewall password configured? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.4
Do you change your firewall password when you know or suspect it has been compromised? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.5
Do you have a process to manage your firewall? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.6
Have you reviewed your firewall rules in the last 12 months? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.7
Are host firewalls enabled and configured to block unauthorized inbound network connections on supported endpoints? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.8
Please describe how you approve and document your allowed inbound connections. |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.9
Are your boundary firewalls configured to allow access to their configuration settings over the internet? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.10
If you answered yes in question A4.9, is there a documented business requirement for this access? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-FW-1 |
A4.11
If you answered yes in question A4.9, is the access to your firewall settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication to access the settings? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SC-2 |
A5.1
Is unnecessary or unauthorized software identified and remediated in line with policy? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SC-1 |
A5.2
Are systems and identities configured to an approved secure baseline with unnecessary features disabled? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SC-1 |
A5.3
Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets and mobile phones? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SC-1 |
A5.4
Do you run or host external services that provide access to data (that should not be made public) to users across the internet? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SC-1 |
A5.5
If yes to question A5.4, which authentication option do you use? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SC-1 |
A5.6
Describe the process in place for changing passwords on your external services when you believe they have been compromised. |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SC-1 |
A5.7
When not using multi-factor authentication, which option are you using to protect your external service from brute force attacks? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SC-1 |
A5.8
Have you disabled any feature which allows automatic file execution of downloaded or imported files without user authorisation? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SC-1 |
A5.9
When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SC-2 |
A5.10
Which method do you use to unlock the devices? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-1 |
A6.1
Are all operating systems on your devices supported by a vendor that produces regular security updates and vulnerability fixes? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-1 |
A6.2
Is all the software on your devices supported by a supplier that produces regular vulnerability fixes for any security problems? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-1 |
A6.2.1
Please list your internet browser(s). |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-1 |
A6.2.2
Please list your malware protection software. |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-1 |
A6.2.3
Please list your email applications installed on end user devices and servers. |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-1 |
A6.2.4
Please list all office applications that are used to create organisational data. |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-2 |
A6.3
Are any of the in-scope software or cloud services unlicensed or unsupported? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-2 |
A6.3.1/A6.6/A6.7
Is unsupported or end-of-life software identified and remediated with accountable ownership? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-1 |
A6.4/A6.5
Are security updates applied within policy timelines for operating systems and applications? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-1 |
A6.4.1
Are all updates applied for operating systems by enabling auto updates? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-1 |
A6.4.2
Where auto updates are not being used, how do you ensure all high-risk or critical security updates and vulnerability fixes of all operating systems and firmware on firewalls and routers are applied within 14 days of release? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-1 |
A6.5.1
Are all updates applied on your applications by enabling auto updates? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-SUM-1 |
A6.5.2
Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.1
Are your users only provided with user accounts after a process has been followed to approve their creation? Describe the process. |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.2
Are all your user and administrative accounts accessed by entering unique credentials? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.3
How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.4
Do you ensure that staff only have the access privileges that they need to do their current job? How do you do this? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.5
Do you have a formal process for giving someone access to systems at an administrator level and can you describe this process? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.6
Are administrative accounts separate from standard user accounts and used only for administrative tasks? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.7
How does your organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.8
Do you formally track which users have administrator accounts in your organisation? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.9
Do you review who should have administrative access on a regular basis? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.10
Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.11
Which technical controls are used to manage the quality of your passwords within your organisation? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.12
Please explain how you encourage people to use unique and strong passwords. |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-1 |
A7.13
Do you have a process for when you believe the passwords or accounts have been compromised? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-2 |
A7.14
Is multi-factor authentication enforced for privileged users and cloud service access? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-2 |
A7.15
If you have answered no to question A7.14, please provide a list of your cloud services that do not provide any option for MFA. |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-2 |
A7.16
Has MFA been applied to all administrators of your cloud services, excluding any listed in A7.15 that do not provide it? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-UAC-2 |
A7.17
Has MFA been applied to all users of your cloud services, excluding any listed in A7.15 that do not provide it? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-MP-1 |
A8.1
Is anti-malware protection enabled on supported devices with current signatures and active monitoring? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-MP-2 |
A8.2/A8.3
Are malware detections investigated and resolved through a documented incident workflow? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-MP-1 |
A8.4
If Option B has been selected: where you use an app-store or application signing, are users restricted from installing unsigned applications? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |
CE-MP-1 |
A8.5
If Option B has been selected: where you use an app-store or application signing, do you ensure users only install applications approved by your organisation and maintain that approved list? |
NonCompliant | Demo profile shaping: this client is configured as fully non-compliant for scenario contrast. |