I have a ton of questions regarding audits, security and governance.
I need to have these questions answered before I can recommend this product to my customers in the German banking field.
The questions were asked before in this community but the potential answers were not posted.
Question I (About audit log)
- Does your cloud service obtain audit logs (including operations/actions of the cloud vendor's system administrators and the user company's Ope Admin, program execution history, etc.) and is it possible for the company to refer to them? Otherwise, is it possible to disclose the audit log upon request from the user company?
- Is access to the log file controlled?
Question II (SonarCloud Security Assessment - #6 by ge_na)
- Do you have any Information Security certificate (e.g. ISO 27001, PCI DSS, SOC) or IT security related accreditation?
- Do you have Information Security policies, to govern the Information Security function and protect your information assets?
- Do you have documented Information Security roles and responsibilities, and staff to perform these responsibilities?
- Do you have documented business continuity and disaster recovery policies, processes and plans?
- Do you have Information Security Risk Management processes that address assessment, mitigation and monitoring of information risk?
- Do you have documented policies and processes defined and implemented to ensure compliance with information security or privacy legal and regulatory requirements including regular reviews of compliance?
- Do you have Information Security Incident Management processes that include coordination with customer’s Information Security Incident Management processes?
- Do you have policies and processes defined and implemented for HR Information Security Management that clearly defines the roles and responsibilities of staff to protect information assets?
- Do you perform background verification checks for all staff in accordance with legal and regulatory requirements?
- Do you have an Information Security training and awareness program in place for all employees (new, existing, permanent, or contractual staff)?
- Do you have a documented Access Control policy and processes for provisioning, revocation, revalidation, access reviews and remote access?
- Do you have documented policies and processes to monitor the actions of users with privileged access to systems?
- Do you have Secure Application / System Development policies and processes that address information security requirements for the development and implementation of application/systems?
- Do you follow any secure coding guidelines while developing applications/systems?
- Do you have documented policies and processes to ensure that application information security events are logged and the events are monitored?
- Do you have documented policies and processes to ensure that no actual customer data is used in testing or that such data is sanitized prior to use for testing purposes?
- Do you have Network Security policies and processes that address network segregation, network access control, network device administration, security configuration, and remote device management?
- Do you have a secure network architecture that addresses network segmentation and protection between the internal network and public networks and the segmentation of internal network to provide appropriate security zones?
- Do you have configuration standards for network devices that address secure configuration of these devices?
- Do you perform Vulnerability Assessment and/or Penetration Testing at periodic intervals and address issues identified in this testing in a timely manner?
- Are intrusion detection/prevention (IDS/IPS) tools deployed in your network and configured to detect and/or prevent malicious attempts to compromise networks, systems or information, and are these systems appropriately monitored and managed?
- Do you have processes to provide secure remote access to network devices for administrators that address business requirements, access controls, logging and review of access?
- Do you have Physical and Environmental Information Security policies and processes to physically protect information assets?
- Do you have policies, processes and tools to facilitate the following:
  - Log monitoring and review
  - Monitoring and regular testing of backups
  - Centralized Access Management
  - Incident and Change Management
  - Workstation Security Management
  - Data Loss Prevention tools to monitor for data leakage
- Will this vendor process personal or sensitive information? Please provide approximation.
Please excuse the extensive list of questions.
Thank you for your help and best regards!