So we've compiled a list of short answers to help you complete those internal security questionnaires.
It's a big resounding yes to all the following questions:
- Is data encrypted in transit over HTTPS?
- Is data encrypted at rest?
- Is data hosted in the EU?
- Are passwords hashed and salted?
- Do you conduct regular vulnerability scans?
- Have you had an external penetration test?
- Do you have remote backups?
- Are backups encrypted?
- Do you have a Web Application Firewall?
- Do you have protection from DDoS attacks?
- Is database access firewalled and user-restricted?
- Do staff have to sign confidentiality agreements?
- Do you do regular software updates?
- Do you have a publicly disclosed change log?
- Do you monitor and disclose service uptime?
- Are hardware devices on laptops encrypted?
- Do you host in the cloud, with Microsoft Azure?
- Can I have audit reports for account activity?
- Can I take backups of our data to Excel?
- Do you provide an up-to-date list of third-party processors?
- Are you Cyber Essentials accredited?
- Can we use Single Sign-On (SSO)?
- Do you offer 2FA?
- Can we make 2FA compulsory on our account?
NO, absolutely not. And a no to these questions:
- Do you store debit/credit card details?
- Do you store data outside the EU?
- Do contractors have access to client data?
- Do you outsource software development?
- Do you sell data?