SIG Core

Summary

The Standardized Information Gathering (SIG) Questionnaire Lite is a repository of third-party information security and privacy questions, curated by Shared Assessments and indexed to multiple regulations and control frameworks. The SIG gathers the information needed to determine how security risks are managed across 18 risk control areas, or domains, within a service provider's environment. It was developed so that a service provider can compile complete information about these risk domains in a single document. The version used in this section is SIG 2019.

Definitions

| Definition | Requirements |
|---|---|
| A_4_1_8. Risk assessment and treatment | 318. Notify third parties of changes |
| B_1. Security policy | 331. Guarantee legal compliance |
| B_1_1. Security policy | 331. Guarantee legal compliance |
| D_1_1_2. Asset and information management | 232. Require equipment identity |
| D_4_4. Asset and information management | 314. Provide processing confirmation; 315. Provide processed data information |
| D_4_4_1. Asset and information management | 096. Set user's required privileges |
| D_4_4_2. Asset and information management | 185. Encrypt sensitive information |
| D_4_4_4. Asset and information management | 115. Filter malicious emails; 118. Inspect attachments; 181. Transmit data using secure protocols |
| D_6_1. Asset and information management | 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms; 338. Implement perfect forward secrecy |
| D_6_5. Asset and information management | 115. Filter malicious emails |
| D_6_6. Asset and information management | 273. Define a fixed security suite |
| D_6_7. Asset and information management | 173. Discard unsafe inputs |
| D_6_9_1. Asset and information management | 172. Encrypt connection strings |
| D_6_11. Asset and information management | 145. Protect system cryptographic keys |
| D_6_11_1. Asset and information management | 224. Use secure cryptographic mechanisms |
| D_6_11_2. Asset and information management | 145. Protect system cryptographic keys |
| D_6_13. Asset and information management | 148. Set minimum size of asymmetric encryption |
| D_6_13_1. Asset and information management | 149. Set minimum size of symmetric encryption |
| D_9_2. Asset and information management | 259. Segment the organization network |
| F_1_4_2. Physical and environmental security | 231. Implement a biometric verification component |
| G_2_10_2. Operations management | 301. Notify configuration changes |
| G_3_4. Operations management | 229. Request access credentials; 264. Request authentication |
| G_4. Operations management | 363. Synchronize system clocks |
| H_1_2. Access control | 186. Use the principle of least privilege |
| H_2. Access control | 143. Unique access credentials |
| H_2_1. Access control | 334. Avoid knowledge-based authentication |
| H_2_3. Access control | 144. Remove inactive accounts periodically |
| H_2_11. Access control | 075. Record exceptional events in logs |
| H_2_12. Access control | 075. Record exceptional events in logs |
| H_2_14. Access control | 328. Request MFA for critical systems |
| H_2_15. Access control | 095. Define users with privileges |
| H_3. Access control | 229. Request access credentials |
| H_3_1_5. Access control | 132. Passphrases with at least 4 words |
| H_3_1_6. Access control | 133. Passwords with at least 20 characters |
| H_3_1_8. Access control | 136. Force temporary password change; 137. Change temporary passwords of third parties |
| H_3_1_9. Access control | 367. Proper generation of temporary passwords |
| H_3_1_14. Access control | 130. Limit password lifespan |
| H_3_1_15. Access control | 130. Limit password lifespan |
| H_3_1_16. Access control | 023. Terminate inactive user sessions |
| H_3_1_17. Access control | 028. Allow users to log out |
| H_3_1_19. Access control | 205. Configure PIN |
| H_3_2. Access control | 181. Transmit data using secure protocols; 185. Encrypt sensitive information |
| H_3_3. Access control | 127. Store hashed passwords; 185. Encrypt sensitive information |
| H_3_3_1. Access control | 127. Store hashed passwords |
| H_3_4. Access control | 300. Mask sensitive data |
| H_3_7. Access control | 238. Establish safe recovery |
| H_4. Access control | 153. Out of band transactions |
| H_4_1. Access control | 338. Implement perfect forward secrecy |
| H_4_2. Access control | 328. Request MFA for critical systems |
| H_4_6_1. Access control | 095. Define users with privileges |
| H_4_6_3. Access control | 095. Define users with privileges |
| H_6_1. Access control | 095. Define users with privileges |
| I_1_3_1. Application security | 264. Request authentication |
| I_1_3_2. Application security | 062. Define standard configurations |
| I_1_6. Application security | 153. Out of band transactions |
| I_1_9. Application security | 075. Record exceptional events in logs |
| I_1_11. Application security | 023. Terminate inactive user sessions |
| I_1_14. Application security | 173. Discard unsafe inputs |
| I_1_16. Application security | 051. Store source code in a repository |
| I_1_18_3. Application security | 095. Define users with privileges |
| I_1_19_2. Application security | 183. Delete sensitive data securely |
| I_1_19_3. Application security | 159. Obfuscate code; 300. Mask sensitive data |
| I_1_20. Application security | 319. Make authentication options equally secure |
| I_2_1. Application security | 154. Eliminate backdoors; 155. Application free of malicious code; 156. Source code without sensitive information; 158. Use a secure programming language; 159. Obfuscate code; 162. Avoid duplicate code; 164. Use optimized structures; 173. Discard unsafe inputs; 266. Disable insecure functionalities; 302. Declare dependencies explicitly; 344. Avoid dynamic code execution; 345. Establish protections against overflows; 366. Associate type to variables |
| I_2_6. Application security | 154. Eliminate backdoors |
| I_2_7_1. Application security | 029. Cookies with security attributes; 173. Discard unsafe inputs |
| I_2_9_4. Application security | 266. Disable insecure functionalities |
| I_3_2_1. Application security | 062. Define standard configurations |
| I_3_2_4. Application security | 029. Cookies with security attributes |
| I_3_2_4_1. Application security | 336. Disable insecure TLS versions |
| I_3_2_4_2. Application security | 089. Limit validity of certificates; 090. Use valid certificates; 093. Use consistent certificates |
| I_3_2_5. Application security | 167. Close unused resources |
| I_3_2_5_1. Application security | 255. Allow access only to the necessary ports |
| I_3_2_7. Application security | 171. Remove commented-out code |
| I_3_2_10. Application security | 095. Define users with privileges |
| I_3_4_6. Application security | 342. Validate request parameters |
| L_1. Compliance | 331. Guarantee legal compliance |
| L_2_1. Compliance | 337. Make critical logic flows thread safe |
| L_11_1. Compliance | 075. Record exceptional events in logs |
| M_1_2. End user device security | 167. Close unused resources |
| M_1_5. End user device security | 023. Terminate inactive user sessions |
| M_1_10. End user device security | 075. Record exceptional events in logs |
| M_1_14. End user device security | 075. Record exceptional events in logs; 080. Prevent log modification; 378. Use of log management system |
| M_1_25. End user device security | 205. Configure PIN; 206. Configure communication protocols; 210. Delete information from mobile devices; 213. Allow geographic location; 214. Allow data destruction |
| N_1_3. Network security | 258. Filter website content |
| N_1_4. Network security | 249. Locate access points; 250. Manage access points |
| N_1_7. Network security | 259. Segment the organization network |
| N_1_9. Network security | 341. Use the principle of deny by default |
| N_1_11. Network security | 255. Allow access only to the necessary ports |
| N_1_12. Network security | 252. Configure key encryption |
| N_1_13. Network security | 142. Change system default credentials |
| N_1_15_4. Network security | 338. Implement perfect forward secrecy |
| N_1_15_5. Network security | 328. Request MFA for critical systems |
| P_1_3_1. Privacy | 183. Delete sensitive data securely |
| P_1_5_3. Privacy | 189. Specify the purpose of data collection |
| P_2. Privacy | 314. Provide processing confirmation |
| P_2_1. Privacy | 315. Provide processed data information |
| P_2_4. Privacy | 314. Provide processing confirmation |
| P_3_1. Privacy | 310. Request user consent |
| P_3_3. Privacy | 315. Provide processed data information |
| P_4_1. Privacy | 315. Provide processed data information |
| P_5_1. Privacy | 360. Remove unnecessary sensitive information |
| P_5_3. Privacy | 300. Mask sensitive data |
| P_6. Privacy | 312. Allow user consent revocation; 316. Allow rectification requests; 317. Allow erasure requests |
| P_7_1. Privacy | 315. Provide processed data information |
| P_8_2. Privacy | 095. Define users with privileges |
| P_8_5. Privacy | 315. Provide processed data information |
| U_1_2. Server security | 062. Define standard configurations |
| U_1_2_1. Server security | 167. Close unused resources |
| U_1_2_2. Server security | 186. Use the principle of least privilege |
| U_1_2_4. Server security | 023. Terminate inactive user sessions |
| U_1_2_5. Server security | 142. Change system default credentials |
| U_1_4. Server security | 075. Record exceptional events in logs; 322. Avoid excessive logging; 376. Register severity level |
| U_1_4_2. Server security | 080. Prevent log modification |
| U_1_6_1. Server security | 095. Define users with privileges |
| U_1_6_2. Server security | 328. Request MFA for critical systems |
| U_1_8_1. Server security | 181. Transmit data using secure protocols |
| U_1_9_8. Server security | 378. Use of log management system |
| U_1_9_9. Server security | 080. Prevent log modification |
| U_1_9_11. Server security | 133. Passwords with at least 20 characters |
| U_1_9_12. Server security | 130. Limit password lifespan |
| U_1_9_13. Server security | 136. Force temporary password change; 140. Define OTP lifespan |
| U_1_9_15. Server security | 338. Implement perfect forward secrecy |
| U_1_9_16. Server security | 127. Store hashed passwords |
| U_1_9_18. Server security | 143. Unique access credentials |
| U_1_9_20. Server security | 033. Restrict administrative access |
| U_1_9_27. Server security | 328. Request MFA for critical systems |
| U_1_10_5. Server security | 116. Disable images of unknown origin |