SIG Core

Summary

The Standardized Information Gathering (SIG) questionnaire is a repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks and curated by Shared Assessments. The SIG gathers the information needed to determine how security risks are managed across 18 risk control areas, or domains, within a service provider's environment. It was developed so that a service provider can compile complete information about these risk domains in a single document. As a core questionnaire, its objective is to provide a risk assessment for businesses in all industries. The version used in this section is SIG 2019.

Definitions

| Definition | Requirements |
|---|---|
| A_4_1_8. Risk assessment and treatment | 318. Notify third parties of changes |
| B_1. Security policy | 331. Guarantee legal compliance |
| B_1_1. Security policy | 331. Guarantee legal compliance |
| D_1_1_2. Asset and information management | 232. Require equipment identity |
| D_4_4. Asset and information management | 314. Provide processing confirmation; 315. Provide processed data information |
| D_4_4_1. Asset and information management | 096. Set user's required privileges |
| D_4_4_2. Asset and information management | 185. Encrypt sensitive information |
| D_4_4_4. Asset and information management | 115. Filter malicious emails; 118. Inspect attachments; 181. Transmit data using secure protocols |
| D_6_1. Asset and information management | 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms; 338. Implement perfect forward secrecy |
| D_6_5. Asset and information management | 115. Filter malicious emails |
| D_6_6. Asset and information management | 273. Define a fixed security suite |
| D_6_7. Asset and information management | 173. Discard unsafe inputs |
| D_6_9_1. Asset and information management | 172. Encrypt connection strings |
| D_6_11. Asset and information management | 145. Protect system cryptographic keys |
| D_6_11_1. Asset and information management | 224. Use secure cryptographic mechanisms |
| D_6_11_2. Asset and information management | 145. Protect system cryptographic keys |
| D_6_13. Asset and information management | 148. Set minimum size of asymmetric encryption |
| D_6_13_1. Asset and information management | 149. Set minimum size of symmetric encryption |
| D_9_2. Asset and information management | 259. Segment the organization network |
| F_1_4_2. Physical and environmental security | 231. Implement a biometric verification component |
| G_2_10_2. Operations management | 301. Notify configuration changes |
| G_3_4. Operations management | 229. Request access credentials; 264. Request authentication |
| G_4. Operations management | 363. Synchronize system clocks |
| H_1_2. Access control | 186. Use the principle of least privilege |
| H_2. Access control | 143. Unique access credentials |
| H_2_1. Access control | 334. Avoid knowledge-based authentication |
| H_2_3. Access control | 144. Remove inactive accounts periodically |
| H_2_11. Access control | 075. Record exceptional events in logs |
| H_2_12. Access control | 075. Record exceptional events in logs |
| H_2_14. Access control | 328. Request MFA for critical systems |
| H_2_15. Access control | 095. Define users with privileges |
| H_3. Access control | 229. Request access credentials |
| H_3_1_5. Access control | 132. Passphrases with at least 4 words |
| H_3_1_6. Access control | 133. Passwords with at least 20 characters |
| H_3_1_8. Access control | 136. Force temporary password change; 137. Change temporary passwords of third parties |
| H_3_1_9. Access control | 367. Proper generation of temporary passwords |
| H_3_1_14. Access control | 130. Limit password lifespan |
| H_3_1_15. Access control | 130. Limit password lifespan |
| H_3_1_16. Access control | 023. Terminate inactive user sessions |
| H_3_1_17. Access control | 028. Allow users to log out |
| H_3_1_19. Access control | 205. Configure PIN |
| H_3_2. Access control | 181. Transmit data using secure protocols; 185. Encrypt sensitive information |
| H_3_3. Access control | 127. Store hashed passwords; 185. Encrypt sensitive information |
| H_3_3_1. Access control | 127. Store hashed passwords |
| H_3_4. Access control | 300. Mask sensitive data |
| H_3_7. Access control | 238. Establish safe recovery |
| H_4. Access control | 153. Out of band transactions |
| H_4_1. Access control | 338. Implement perfect forward secrecy |
| H_4_2. Access control | 328. Request MFA for critical systems |
| H_4_6_1. Access control | 095. Define users with privileges |
| H_4_6_3. Access control | 095. Define users with privileges |
| H_6_1. Access control | 095. Define users with privileges |
| I_1_3_1. Application security | 264. Request authentication |
| I_1_3_2. Application security | 062. Define standard configurations |
| I_1_6. Application security | 153. Out of band transactions |
| I_1_9. Application security | 075. Record exceptional events in logs |
| I_1_11. Application security | 023. Terminate inactive user sessions |
| I_1_14. Application security | 173. Discard unsafe inputs |
| I_1_16. Application security | 051. Store source code in a repository |
| I_1_18_3. Application security | 095. Define users with privileges |
| I_1_19_2. Application security | 183. Delete sensitive data securely |
| I_1_19_3. Application security | 159. Obfuscate code; 300. Mask sensitive data |
| I_1_20. Application security | 319. Make authentication options equally secure |
| I_2_1. Application security | 154. Eliminate backdoors; 155. Application free of malicious code; 156. Source code without sensitive information; 158. Use a secure programming language; 159. Obfuscate code; 162. Avoid duplicate code; 164. Use optimized structures; 173. Discard unsafe inputs; 266. Disable insecure functionalities; 302. Declare dependencies explicitly; 344. Avoid dynamic code execution; 345. Establish protections against overflows; 366. Associate type to variables |
| I_2_6. Application security | 154. Eliminate backdoors |
| I_2_7_1. Application security | 029. Cookies with security attributes; 173. Discard unsafe inputs |
| I_2_9_4. Application security | 266. Disable insecure functionalities |
| I_3_2_1. Application security | 062. Define standard configurations |
| I_3_2_4. Application security | 029. Cookies with security attributes |
| I_3_2_4_1. Application security | 336. Disable insecure TLS versions |
| I_3_2_4_2. Application security | 089. Limit validity of certificates; 090. Use valid certificates; 093. Use consistent certificates |
| I_3_2_5. Application security | 167. Close unused resources |
| I_3_2_5_1. Application security | 255. Allow access only to the necessary ports |
| I_3_2_7. Application security | 171. Remove commented-out code |
| I_3_2_10. Application security | 095. Define users with privileges |
| I_3_4_6. Application security | 342. Validate request parameters |
| L_1. Compliance | 331. Guarantee legal compliance |
| L_2_1. Compliance | 337. Make critical logic flows thread safe |
| L_11_1. Compliance | 075. Record exceptional events in logs |
| M_1_2. End user device security | 167. Close unused resources |
| M_1_5. End user device security | 023. Terminate inactive user sessions |
| M_1_10. End user device security | 075. Record exceptional events in logs |
| M_1_14. End user device security | 075. Record exceptional events in logs; 080. Prevent log modification; 378. Use of log management system |
| M_1_25. End user device security | 205. Configure PIN; 206. Configure communication protocols; 210. Delete information from mobile devices; 213. Allow geographic location; 214. Allow data destruction |
| N_1_3. Network security | 258. Filter website content |
| N_1_4. Network security | 249. Locate access points; 250. Manage access points |
| N_1_7. Network security | 259. Segment the organization network |
| N_1_9. Network security | 341. Use the principle of deny by default |
| N_1_11. Network security | 255. Allow access only to the necessary ports |
| N_1_12. Network security | 252. Configure key encryption |
| N_1_13. Network security | 142. Change system default credentials |
| N_1_15_4. Network security | 338. Implement perfect forward secrecy |
| N_1_15_5. Network security | 328. Request MFA for critical systems |
| P_1_3_1. Privacy | 183. Delete sensitive data securely |
| P_1_5_3. Privacy | 189. Specify the purpose of data collection |
| P_2. Privacy | 314. Provide processing confirmation |
| P_2_1. Privacy | 315. Provide processed data information |
| P_2_4. Privacy | 314. Provide processing confirmation |
| P_3_1. Privacy | 310. Request user consent |
| P_3_3. Privacy | 315. Provide processed data information |
| P_4_1. Privacy | 315. Provide processed data information |
| P_5_1. Privacy | 360. Remove unnecessary sensitive information |
| P_5_3. Privacy | 300. Mask sensitive data |
| P_6. Privacy | 312. Allow user consent revocation; 316. Allow rectification requests; 317. Allow erasure requests |
| P_7_1. Privacy | 315. Provide processed data information |
| P_8_2. Privacy | 095. Define users with privileges |
| P_8_5. Privacy | 315. Provide processed data information |
| U_1_2. Server security | 062. Define standard configurations |
| U_1_2_1. Server security | 167. Close unused resources |
| U_1_2_2. Server security | 186. Use the principle of least privilege |
| U_1_2_4. Server security | 023. Terminate inactive user sessions |
| U_1_2_5. Server security | 142. Change system default credentials |
| U_1_4. Server security | 075. Record exceptional events in logs; 322. Avoid excessive logging; 376. Register severity level |
| U_1_4_2. Server security | 080. Prevent log modification |
| U_1_6_1. Server security | 095. Define users with privileges |
| U_1_6_2. Server security | 328. Request MFA for critical systems |
| U_1_8_1. Server security | 181. Transmit data using secure protocols |
| U_1_9_8. Server security | 378. Use of log management system |
| U_1_9_9. Server security | 080. Prevent log modification |
| U_1_9_11. Server security | 133. Passwords with at least 20 characters |
| U_1_9_12. Server security | 130. Limit password lifespan |
| U_1_9_13. Server security | 136. Force temporary password change; 140. Define OTP lifespan |
| U_1_9_15. Server security | 338. Implement perfect forward secrecy |
| U_1_9_16. Server security | 127. Store hashed passwords |
| U_1_9_18. Server security | 143. Unique access credentials |
| U_1_9_20. Server security | 033. Restrict administrative access |
| U_1_9_27. Server security | 328. Request MFA for critical systems |
| U_1_10_5. Server security | 116. Disable images of unknown origin |