
SIG Lite

Summary

The Standardized Information Gathering (SIG) Lite questionnaire is a repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks and curated by Shared Assessments. SIG Lite distills the high-level concepts and questions of the full SIG questionnaire into a smaller set of questions. The version used in this section is SIG Lite 2019.

Definitions

Definition / Requirements (each SIG Lite question is followed by the requirements that address it)
SL_18. Are there regular privacy risk assessments conducted?
173. Discard unsafe inputs
SL_23. Is there an information security policy that has been approved by management and an owner to maintain and review the policy?
331. Guarantee legal compliance
SL_30. Are encryption tools managed and maintained for Scoped Data?
224. Use secure cryptographic mechanisms
SL_31. Are clients provided with the ability to generate a unique encryption key?
351. Assign unique keys to each device
SL_34. Are clients provided with the ability to rotate their encryption key on a scheduled basis?
145. Protect system cryptographic keys
SL_33. Are staff able to access client Scoped Data in an unencrypted state?
096. Set user's required privileges
SL_45. Is there a termination or change of status process?
114. Deny access with inactive credentials
SL_46. Are background checks performed for Service Provider Contractors and Subcontractors?
330. Verify Subresource Integrity
SL_65. Is there a process to ensure clients are notified prior to changes being made which may impact their service?
301. Notify configuration changes
SL_70. Are individual IDs required for user authentication to applications, operating systems, databases and network devices?
229. Request access credentials
SL_71. Are passwords used?
229. Request access credentials
SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
129. Validate previous passwords
130. Limit password lifespan
131. Deny multiple password changing attempts
133. Passwords with at least 20 characters
238. Establish safe recovery
332. Prevent the use of breached passwords
334. Avoid knowledge-based authentication
SL_73. Is remote access permitted?
153. Out of band transactions
SL_75. Is two-factor authentication required to access the production environment containing scoped data?
362. Assign MFA mechanisms to a single account
SL_76. Are staff able to access client scoped data?
095. Define users with privileges
362. Assign MFA mechanisms to a single account
SL_78. Are applications used to transmit, process or store scoped data?
181. Transmit data using secure protocols
185. Encrypt sensitive information
338. Implement perfect forward secrecy
SL_79. Is a web site supported, hosted or maintained that has access to scoped systems and data?
045. Remove metadata when sharing files
SL_81. Is HTTPS enabled for all web pages used as part of the scoped service?
029. Cookies with security attributes
SL_85. Are operating system and application logs relevant to supporting incident investigation protected against modification, deletion and/or inappropriate access?
075. Record exceptional events in logs
080. Prevent log modification
376. Register severity level
SL_88. Is development, test, and staging environment separate from the production environment?
259. Segment the organization network
374. Use of isolation methods in running applications
SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
154. Eliminate backdoors
155. Application free of malicious code
156. Source code without sensitive information
158. Use a secure programming language
159. Obfuscate code
162. Avoid duplicate code
164. Use optimized structures
173. Discard unsafe inputs
266. Disable insecure functionalities
302. Declare dependencies explicitly
344. Avoid dynamic code execution
345. Establish protections against overflows
366. Associate type to variables
SL_90. Are change control procedures required for all changes to the production environment?
301. Notify configuration changes
SL_98. Are mobile applications that access scoped systems and data developed?
315. Provide processed data information
SL_110. Are there any dependencies on critical third party service providers?
302. Declare dependencies explicitly
330. Verify Subresource Integrity
SL_131. Are end user devices used for transmitting, processing or storing scoped data?
320. Avoid client-side control enforcement
329. Keep client-side storage without sensitive data
375. Remove sensitive data from client-side applications
SL_142. Is there a mobile device management solution in place?
206. Configure communication protocols
210. Delete information from mobile devices
214. Allow data destruction
SL_148. Is there a process that requires security approval to allow external networks to connect to the company network, and enforces the least privilege necessary?
186. Use the principle of least privilege
253. Restrict network access
SL_151. Are wireless networking devices connected to networks containing scoped systems and data?
249. Locate access points
SL_154. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
189. Specify the purpose of data collection
262. Verify third-party components
310. Request user consent
315. Provide processed data information
SL_160. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
181. Transmit data using secure protocols
338. Implement perfect forward secrecy
SL_162. Is there an anti-malware program that has been approved by management, communicated to appropriate constituents and an owner to maintain?
273. Define a fixed security suite
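SL_72 above maps a single policy question to several concrete controls (129, 130, 131, 133 and 332). The following is an added example, not code from this page, from Fluid Attacks or from Shared Assessments, of what enforcing those controls looks like at a password-change endpoint. The thresholds (90-day lifespan, one change per day, five remembered passwords), the breached-password set and the account scenario are constructed assumptions for the example; a real deployment would query a breach corpus and take thresholds from the approved policy.

```python
"""Password-change policy checks for the controls SL_72 maps to:
129 validate previous passwords, 130 limit password lifespan,
131 deny multiple password changing attempts, 133 passwords with at
least 20 characters, 332 prevent the use of breached passwords.
Example code added to this page; not the Fluid Attacks or Shared
Assessments implementation. Thresholds are illustrative assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 20                          # 133: at least 20 characters
MAX_LIFESPAN = timedelta(days=90)        # 130: assumed maximum password age
MIN_CHANGE_INTERVAL = timedelta(days=1)  # 131: assumed minimum gap between changes
HISTORY_SIZE = 5                         # 129: assumed number of old passwords remembered
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a breached-password corpus, keyed by SHA-1 hex
# digest (the lookup key format used by k-anonymity breach APIs).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("correct horse battery staple", "passwordpasswordpassword")
}

SAMPLE_T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at(days=0, hours=0):
    """Timestamp relative to SAMPLE_T0, used to drive the scenario offline."""
    return SAMPLE_T0 + timedelta(days=days, hours=hours)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class Account:
    history: list = field(default_factory=list)  # newest first; [0] is current


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def is_breached(password):
    """332: reject passwords known from breach corpora."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def is_reused(account, password):
    """129: re-derive with each stored salt; constant-time compare."""
    return any(
        hmac.compare_digest(derive(password, c.salt), c.digest)
        for c in account.history[:HISTORY_SIZE]
    )


def password_expired(account, now):
    """130: the current password is older than MAX_LIFESPAN."""
    return bool(account.history) and now - account.history[0].set_at > MAX_LIFESPAN


def change_password(account, new_password, now):
    """Apply the checks in order; returns (accepted, reason)."""
    if len(new_password) < MIN_LENGTH:
        return False, "too_short"
    if is_breached(new_password):
        return False, "breached"
    if account.history and now - account.history[0].set_at < MIN_CHANGE_INTERVAL:
        return False, "too_frequent"  # 131: stops cycling through the history in one sitting
    if is_reused(account, new_password):
        return False, "reused"
    salt = os.urandom(16)
    account.history.insert(0, Credential(salt, derive(new_password, salt), now))
    del account.history[HISTORY_SIZE + 1:]  # keep current plus HISTORY_SIZE previous
    return True, "ok"


def run_scenario():
    """Constructed sequence that exercises every rejection reason once."""
    acct = Account()
    steps = [
        ("tooShort1!", at()),
        ("correct horse battery staple", at()),
        ("first long passphrase for tests", at()),
        ("second long passphrase for tests", at(hours=1)),
        ("first long passphrase for tests", at(days=2)),
        ("second long passphrase for tests", at(days=2)),
    ]
    results = [change_password(acct, pw, when)[1] for pw, when in steps]
    return results, password_expired(acct, at(days=50)), password_expired(acct, at(days=100))


if __name__ == "__main__":
    print(run_scenario())
```

The order of checks matters: the rate limit (131) runs before the history comparison (129), so an attacker who has obtained a session cannot burn through the remembered history to reinstate an old password, and the breached-password check runs before any hashing work so rejected inputs cost nothing.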