IT Security: Ask This;
Gerardus Blokdyk
Bestselling Author | Innovator | Speaker | Mentor | Founder and CEO at The Art of Service | Bestselling Author - With 900+ Academic Citations my work is in the top 1% of most cited work worldwide
TLDR: Ask This;
1. Does your management team have access to compliance reporting that illustrates your organization's IT security preparedness?
2. How in control are you of the number of versions of CIs that are in use, and what is the impact that has on your ability to enforce IT security and protect your information assets?
3. Does your organization have a log management or security information and event management (SIEM) system?
4. How does your organization ensure the effective use of security controls and authentication tools to protect privacy for those systems that promote or permit public access?
5. Do your organization's IT modernization efforts result in an increase or decrease in the IT security challenges your organization faces?
6. Does your organization have a Chief Information Security Officer (CISO or equivalent title)?
7. Does your organization have approved information security policies, procedures, and controls?
8. As your organization has increased your investment in public infrastructure cloud (IaaS), how have IT security factors changed?
9. Does your organization have a formal security operations center or team that actively manages security incidents and events as they are generated?
10. Does your organization have appropriate IT Security policies governing user access that are effectively implemented?
11. Which tech trends will have the biggest impact on the IT security of your organization in the next two years?
12. Which strategies ensure that your employees can identify a threat to information security assets, and how is it ensured that employees will react to such situations?
13. Does your organization have a policy that requires HR to immediately notify either IT Security or access administration of terminations and transfers?
14. How does your organization's IT security compare to an established framework, and have gaps been identified?
15. Are the outsourced service providers required to have the same security level as your organization requires of itself?
16. What percentage of the primary Cloud Computing service's IT budget does your organization (plan to) invest in that service's IT security?
17. Does your organization have a written incident response plan for localized IT Security incidents?
18. Are employees in your organization made aware of data security and sensitive information handling requirements?
19. Does your organization have an effective program for monitoring its IT Security governance controls and associated regulatory risks?
20. Does your organization have a dedicated IT security budget for incident investigation and forensics (Endpoint Detection and Response)?
21. Does your organization have an IT Security policy that addresses the use, creation, and processing of employee and customer information?
22. Do you have the IT security expertise on hand to assess IT security reports and properly manage any security incidents, and are responsibilities within your organization clearly assigned?
23. Does your organization have an IT security awareness program, which informs all users of the established IT security policies?
24. When auditing your organization for compliance, what role do IT Security policies and an IT Security policy framework play in the compliance audit?
25. Does your organization have a dedicated threat hunting team within its IT Security function?
26. Does your organization have enough security budget to defend itself against current threats?
27. Do you have a cybersecurity/critical infrastructure protection (CIP) initiative distinct from the core IT security function, and what threats does it encompass?
28. As your organization embraces emerging technologies and information changes, does this expose your organization to new IT security risks?
29. Do you have the capability to continuously monitor and report on the compliance of your infrastructure against your information security baselines?
30. How does your organization determine the most appropriate method and resources to implement security audit in its development lifecycle?
31. Do you have a recruitment process in place that considers high level IT security access risks against each position description?
32. Does your organization have the in house expertise necessary for achieving a strong IT security posture?
33. What drivers or pressures in your organization have the most influence on security decisions and direction?
34. Does your organization have a dedicated internal IT Security auditing, monitoring and analytics group?
35. Does the IT security leader (CISO) within your organization have final authority over security related spending?
36. Does your organization request security audit reports from its information service providers?
37. Will you notify customers about information security incidents that have or are suspected to have impacted customer data?
38. Which IT security functions does your organization outsource to a managed security service provider (MSSP)?
39. Which challenges do you manage for your organization's security operations team during the COVID-19 pandemic?
40. How does your organization make the case for more IT security spending?
41. Does your organization presently deploy, or plan to deploy, AI based security technologies?
42. At what point in a project lifecycle does the business engage your IT Security or Identity and Access Management teams?
43. How does your organization gain assurance in the operation of the security features of commercial off the shelf (COTS) products?
44. Does your organization share information on information security attacks with third parties?
45. Which strategies does your organization practice to overcome the shortage of qualified IT security talent?
46. Does your organization have formally documented procedures for the management of security incident responses?
47. Do you have a process to review security audit logs in a timely, consistent manner and act upon any threats identified by reviews?
48. Are IT security and confidential usage policies in place covering use of all information communication technology devices within your organization?
Organized by Key Themes: SECURITY, RISK, MANAGEMENT, TECHNOLOGY, DATA, SYSTEMS, COMPLIANCE, CLOUD, DEVELOPMENT, AUDIT:
SECURITY:
How do you see the roles of IT Security, governance and compliance changing in the long term?
Make sure your organization reviews incoming projects for Information Security requirements, determines the scope of Information Security services needed to address project demands, performs quality control on Information Security threat and vendor risk management products, and mentors team members.
How do you track changes to software versions on your servers?
Guarantee your design executes other reviews of IT management policies and procedures, such as change management, business continuity planning, disaster recovery and information security, to ensure that the controls surrounding these processes are adequate.
What are the primary goals, objectives, and mission functions that the investment will support?
Make sure the IT Security Compliance specialization works with the Information Security Compliance team and your organization to support the security risk management program.
Do cybersecurity professionals believe that other organizations are vulnerable to cyber attacks?
Interface so that your personnel provides technical expertise and support to (internal) clients, IT management and staff in cybersecurity threat risk assessments, development, testing and the implementation and operation of appropriate information security plans, procedures, and control techniques designed to prevent, minimize or quickly recover from cyber-attacks or other serious events.
Do you regularly assess your current IT Security posture and align your security strategy with business goals, balancing expense with the potential cost of a breach?
Make sure the IT Security Architecture and Engineering team develops and guides technology risk management in collaboration with teams across your organization to enable responsive, secure and cost effective solutions.
Are site emergency and IT disaster recovery plans maintained, up to date and tested on a regular basis?
Lead and facilitate meetings with system owners, executive management, staff, contract partners and technical personnel to provide IT security guidance, define system boundaries, and establish and maintain information security standards and procedures in compliance with information security and risk management policies, standards, and guidelines.
Are there any audit logs, reports or alerts produced if there are any suspicious activities?
Be confident that your process assists with monitoring and auditing of information systems activities and systems to confirm information security policy compliance, and provides management with security policy compliance assessments and system monitoring reports.
Which strategies ensure that your employees can identify a threat to information security assets, and how is it ensured that employees will react to such situations?
Make headway so that your group is advising on the conduct of internal reviews of IT security management information programs to identify needs, business process requirements and organizational infrastructure, including staffing and financial commitments.
Have prevailing conditions changed that result in the need to change the procedure regarding IT Security?
Develop recommendations to create or modify IT systems and various business supporting technology to solve complex, non-standard, unprecedented, and unusual problems, considering IT system and business capacity and limitations related to various IT systems, IT general and application controls, and IT security and privacy considerations over IT applications, operating systems, databases, and IT infrastructures in virtual or physical client-server and mainframe IT environments, including standard and wireless networks, for various IT processes such as software development, IT system operations and change management, logical and physical access management, and IT issue identification and incident management.
Are there mechanisms for immediate dissemination and implementation of access right changes?
Make sure your company develops IT security programs and recommends necessary changes to the information security team to ensure your organization's systems are fully compliant with all applicable regulatory requirements and privacy laws.
RISK:
Is there a particular solution that you feel will change the traditional solutions in your portfolio?
Assure that your company's project goals can be focused around people, process, or tools concerning IT Service Management (ITIL), HR Information Systems, (internal) Customer Service Management, IT Security Operations, IT Governance, Risk and Compliance, Facilities, Project and Portfolio Management, IT Financial Management, Organizational Change Management, and/or IT Operations Management oriented topics.
Is the service provider planning any major strategic/mission changes or anticipating any budget/financial viability issues during the period of performance?
Perform IT security reviews, technical risk assessments, and analysis to ensure compliance with IT security policies and standards.
How much of your IT Security budget is devoted to preventing, detecting and mitigating insider threats?
Establish and continuously assess a Technology Risk Profile for Information and IT Security through regular status reporting of risk treatment, especially on the progress and success of risk mitigating initiatives.
How are you involved in your organization's selection and/or management of government contractors that provide IT Security services and/or technologies?
Warrant that your operation leads the assessment of IT or business solutions against IT security requirements, calling out gaps, risks, and corrective actions for both application and infrastructure solutions.
Is confidential information deleted from data media or IT systems prior to maintenance and repair work?
Ensure you also provide consulting services focused on the IT side of the business and work closely with your IT Security and Risk Assurance teams.
How does your organization determine how identified risks are mitigated in product offering design?
Develop, monitor, track and report against IT Security metrics and KPIs that help the Leadership understand the threats, vulnerabilities and risks associated with protecting information across the enterprise, and the plans to mitigate those risks.
How significant are the challenges your organization faces in managing a multicloud environment?
Make sure your operation exhibits best practice risk management skills through effective IT security controls and improvement of risk management processes.
Does interfacing the new product with the existing infrastructure introduce new vulnerabilities?
Verify that your team is evaluating Information and IT Security risks arising from control inefficiencies or the lack thereof.
How does your organization's IT security compare to an established framework, and have gaps been identified?
Perform recurring internal IT Security audits and risk assessments in accordance with policies and procedures related to HIPAA and PCI DSS.
MANAGEMENT:
Is IT security risk assessment a regular agenda item in IT management meetings, and does management follow through with improvement initiatives?
Make sure your design serves as an IT Cybersecurity specialist on matters of inter-agency cybersecurity strategy, program, and project management that involves applying IT security processes to the short- and long-term planning, design and implementation of cybersecurity solutions to meet the organizational strategic and business requirements.
Have staff members with knowledge of IT Security been consulted and included in the evaluation team?
Have a background or hands-on involvement in IT Security and Networking, Cloud environments (AWS), Fraud Prevention, HITRUST, SOC1 and SOC2 Compliance Implementation, Business Continuity and Disaster Recovery assessments, and Risk Assessment and Management principles.
Is cyber resilience awareness incorporated at all levels and operational elements across the enterprise?
Collaborate with stakeholders, including vendor managers and business partners in areas such as Procurement, Compliance, IT Security and Contracts Management, to develop appropriate policies and procedures, tools and templates, and collateral materials to facilitate the management and execution of an effective third-party vendor oversight program.
Who is most responsible for ensuring IT Security objectives are achieved within your organization?
Oversee that your strategy develops an appropriate governance structure and management processes for prioritizing and executing IT projects, overseeing IT security and ensuring business continuity.
What level of security depth does its security operations staff possess, and for what support time frames?
Guarantee your staff provides support for IT security capabilities, products and services, incident management, communications, and training for advanced joint multi-organization cybersecurity strategies.
Did your organization's program official plan and budget for IT Security in all of the business cases?
Develop experience establishing and implementing Project Management, IT Service Management (ITSM) and IT security services.
What is the best way to eliminate the fear factor when taking on something new like machine learning?
Make sure the contract supports multiple functional areas, including Desktop Virtualization, IT Service Management, Systems Engineering and IT Security Operations.
How do you encourage workers to collaborate while minimizing the risks of compromised information?
Collaborate with the IT security team in security incident response planning, management, and remediation.
What level of experience and expertise is needed to interpret the results provided by the tool?
Provide leadership and management of the IT Security Team, and of 3rd parties providing IS Security services.
TECHNOLOGY:
Do the customer and user requirements include explicit changes to the operational environment?
Support efforts to turn leading edge concepts into the delivery of efficient, innovative, technology based solutions, including risk analysis and IT security compliance, to address user business needs.
Are training sessions conducted for all relevant personnel on backup, recovery, and contingency operating procedures?
Safeguard that your team is assessing IT security policies, procedures, and controls of your (internal) clients' business applications, networks, operating systems, and other components of the technology infrastructure.
Do you agree that IT security vendors/managed security providers should be offering a guarantee on the competence of the products?
Guarantee your personnel oversees all technology and IT security operations and projects for your organization to ensure 24/7/365 availability and uptime.
How do you drive risk management into the daily activities of your people?
Manage technology associated with the critical functions and mission of the organization and work with IT Security staff to resolve technical issues.
How do you see the roles of IT Security, governance and compliance changing in the long term?
Invest in developing long-term strategies and capacity planning for meeting future technology needs, and operationalize the design, development, and implementation of strategic IT security projects and initiatives.
How may an outsider misuse the information to their advantage and to the detriment of your organization and its stakeholders?
Liaison so that your process stays abreast of current developments in IT technology, cloud services, IT security breaches, auditing standard updates and other emerging issues which may impact the audit process.
Why is it important to understand the difference between IT security and information security?
Work closely with the Technology leadership team to identify solutions to meet or exceed business requirements and to understand the impact of service interruptions on the respective business areas.
How does your organization make the case for more IT security spending?
Liaison so that your process sources and negotiates Information Technology (IT) hardware, software and service contracts with the goal of lowering the cost of goods and ensuring quality and service by leveraging total organization spending.
Are technical support services included, and if so, what is the vendor's commitment to timely response?
Interface so that your company assists the CIO in the annual budgeting process for Information Technology to cost effectively provide needed information services and support.
How do you leverage and integrate traditional infrastructure with public and private clouds to deliver the right performance at the right time and cost?
Make sure the function is strategically accountable for leveraging infrastructure technology solutions to enable the business to meet its goals, at an acceptable cost, and to deliver new systems at the right pace.
DATA:
What is the budget for acquisition and lifecycle support of intrusion detection hardware, software, and infrastructure, including staffing to monitor and respond to intrusions?
Liaison so that your process ensures infrastructure and support meet IT security and compliance requirements, establishing controls and processes in support of data security and regulatory requirements.
Does your organization have a dedicated threat hunting team within its IT Security function?
Manage an IT Security Program involving services that include cybersecurity operations, continuous monitoring, security information and event management, security architecture, security engineering, vulnerability scanning, endpoint security, security analytics, network access control, penetration testing, data forensics, security data ingestion and analysis, incident analysis, threat monitoring/hunt and security situational awareness.
How does your organization determine how identified risks are mitigated in product offering design?
Make sure your workforce is working with IT Security and Data Governance to ensure that your organization's data analytics and integration products are effectively secured and that risks are mitigated.
Is there someone in your organization that might understand the risks involved better than you?
Check that your company is involved in IT Security management, access policy and management, authentication and SSO, authorization, audit, secure communications and network protection, data protection and privacy, and security administration.
Which challenges do you manage for your organization's security operations team during the COVID-19 pandemic?
Apply your data analysis and management skills to help cybersecurity managers solve an IT security challenge regarding the collection and analysis of important cybersecurity data.
How does the vendor handle software and hardware maintenance, end user support, and maintenance agreements?
Work closely with the legal and IT security teams to support data incident response efforts.
Why do so many organizations still fail to adequately assess third party supplier IT Security risks and ensure the ongoing security and availability of business-critical information?
Implement and/or assess enterprise IT security controls, including data classification/governance, cybersecurity incident response process, patch management, data security/retention, and access controls.
Are the contents of system logs protected from unauthorized access, modification, and/or deletion?
Ensure all IT activities conform to IT security standards and all data and systems are properly protected.
Which strategies does your organization practice to overcome the shortage of qualified IT security talent?
Develop a data infrastructure that supports improvements to IT security and cybersecurity controls for major Departmental IT systems.
SYSTEMS:
How transparent is the security rules/user account database made to the systems administrator by the security administrative application?
Ensure proactive compliance of IT security systems, processes and controls with the organization's information security program, security policies and regulatory compliance guidelines.
Is there an automated alerting/notification process that is initiated when defined security thresholds are exceeded?
Coordinate and work with network engineers, systems engineers, solution architects, IT Security and/or Implementation Managers (IM) to ensure timely delivery of defined project deliverables.
How do you validate the integrity of the data being leveraged for evidence?
Respond to detected and reported problems and interface with vendor support service groups, network services, telecom, systems engineering, or IT security to ensure quick resolutions and appropriate notification during outages or periods of degraded performance.
What do you believe to be the main causes of potential problems and harmful incidents related to IT?
Be certain that your personnel oversees the implementation of IT Security Policies as they relate to database systems security.
What industry standards or frameworks are being followed to ensure packaging is tamper evident?
Make sure your workforce is directing activities in response to cybersecurity incidents and vulnerabilities for IT security systems.
Is your organization's security planning approach effective in managing security risks and achieving objectives?
Establish that your team provides application or infrastructure technical expertise, analysis and specifications for IT systems to meet business requirements in accordance with IT architecture policies and standards; translates requirements into technical specifications, creates detailed solution designs, and coordinates construction, installation, configuration and testing of IT systems; and identifies, troubleshoots and resolves system technical issues.
How do you ensure your staff are aware of IT Security threats?
Invest in overall IT security by reviewing logs, monitoring, patching/updating, and scanning/reviewing existing systems and policies.
How do you audit your validation processes?
Check that your design processes vulnerability and threat data from a variety of sources to provide actionable intelligence to internal consumers; implement countermeasures and maintain and enhance the defenses for your information systems and resources.
Does the internal audit function get appropriate support from the CEO and senior management team?
Verify that your strategy is managing an organization's office automation efforts to integrate, maintain, and enhance the organization's information management and information technology programs to provide systems, tools, and analytical capabilities in support of the organization's mission and operations.
COMPLIANCE:
Do you have up to date, good quality malware protection installed, active and updated on all devices that access your network?
Make sure the Director, IT Security Governance, Risk and Compliance is responsible for understanding enterprise IT risks and creating strategic plans to mitigate risk on a priority basis, and that risks that are not remediated immediately are understood and accepted by corporate executives when appropriate.
Are you confident that your enterprise's business processes and supporting IT systems are free of functional or security deficiencies?
Make sure the IT Compliance Administrator is responsible for supporting existing IT security and compliance initiatives throughout your organization.
Has the IT security office conducted a vulnerability scan, security review, or penetration test of critical departmental applications?
Oversee the operations of the IT organization, including corporate/enterprise systems, commercial systems, R and D systems, infrastructure, and IT security and compliance.
Should you build or buy new solutions, and do any solutions already exist within your organization?
Ensure compliance of the application or platform per IT Security recommendations and protocols.
Is there an IT planning process in place that ensures that the IT solutions being developed comply with IT Security policy?
Certify your group responds to and remedies IT security incidents and ensures IT security related compliance.
How can managers, CISOs and technicians be sure that the network meets all relevant security requirements?
Ensure your company is accountable for working with the Business Process Owner (BPO), IT Security, IT Infrastructure, and compliance teams to ensure the Windows product meets all policy and regulatory requirements.
Do you have the IT security expertise on hand to assess IT security reports and properly manage any security incidents, and are responsibilities within your organization clearly assigned?
Review the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on operations and reports, and determine whether the organization is in compliance.
Is there a summary of the most important applications and IT systems and their protection requirements?
Partner with teams across Samsara to enhance governance, protect (internal) customer and employee privacy, and ensure compliance with internal policies and external obligations such as SOC II audits, regional privacy laws, and industry guidelines (such as NIST, CIS).
CLOUD:
Are network security boundaries defined and enforced to group users, services and information that require different levels of protection?
Work with developers, IT infrastructure and operations teams, and IT security teams to ensure alignment to cloud platform governance and security standards.
Are you aware of the security training practices performed by your sub-suppliers for their personnel?
Work with the IT Security Team, Solution Architects, and Cloud Operations Team on any security related issues that arise, and maintain a log of operational activities performed.
Did your organization's program official plan and budget for IT Security and integrate security into all of the business cases?
Check that your strategy ensures that all cloud solutions follow security and compliance controls and conform to the company's IT security standards.
How do your customers keep up with attacks when there is a shortage of IT Security skills and rising costs to secure data?
Make sure the team is responsible for maintaining your Cloud solutions with top performance, availability and service level, and also ensures that they run in a cost efficient way.
Does your organization presently deploy, or plan to deploy, AI based security technologies?
As a trusted Enterprise vendor, Oracle is in the early stages of providing highly cost effective, high performance compute, storage, and PaaS Cloud solutions to its (internal) customer base.
How essential is IT Security to supporting innovation with minimal impact on the goals of digital transformation?
Make sure your team works with architecting, designing, and supporting cloud infrastructure and its solutions.
As your organization has increased your investment in public infrastructure cloud (IaaS), how have IT security factors changed?
Oversee that your organization is involved in IaaS cloud infrastructure, Kubernetes, containers, and service oriented architectures.
Are there certain devices or hosts which are more prone to security issues, causing increased risk?
Develop experience building and/or operating new products and services using cloud service providers.
Do you have an automated alert system to inform key IT personnel of unwanted behavior or activity on the network?
Support enterprise partners implementing automated and cloud application platform solutions.
How does your organization gain assurance in the operation of the security features of commercial off the shelf (COTS) products?
Develop experience deploying applications in cloud environments and developing containerized applications.
DEVELOPMENT:
Which personnel would be involved in the containment, eradication, and/or recovery processes?
Make sure your team is involved in IT Security and compliance, operations and network services, and application development.?
Does the contract spell out audit provisions and specific details regarding who is responsible for security defects?
Operationalize overall strategy development related to IT security as well as IT more broadly and the business.?
What information is generated by, consumed by, processed on, stored in, and retrieved by the system?
Make headway so that your process collaborates with IT and Finance regarding standards for application development, upgrades, maintenance and compliance, security and span of control design.?
What do you expect of your service providers, infrastructures and services, in terms of quality?
Ensure strong grounding in fundamentals of web application development identity, security etc.?
Does the assessment of a risk include a perspective on your organizations capability to recover from that risk should it materialize?
Perform/arrange for static, dynamic, and penetration tests for development projects; work with project teams to evaluate the risk exposure of the findings; drive the effective design, prioritization, and implementation of remediating controls in collaboration with development teams.?
Do metrics support investment in technologies that address your organizations security risks?
Partner with Business representatives, Application Portfolio and Application Development, Engineering, Operations and Support, IT Security, Digital partners, IT Planning, and the Project Management Office.?
Which organizational challenges between the networking and IT security teams in relation to network security have you experienced?
Be confident that your group is defining, implementing, documenting, and maintaining the framework for system architecture design, software design and development, IT security, and performance testing platforms.
How do you quickly and cost effectively respond to legal matters requiring information under your management?
Ensure you will provide support so that the program achieves an optimum mix of cost, schedule, performance and system supportability throughout its life cycle (design, development, testing and evaluation, production and disposition).
Are there any measures in place that are aimed at raising the security awareness of the workforce?
Make sure there is involvement, and that your organization has in-depth knowledge of software development methodologies, CI/CD, and DevSecOps.
AUDIT:
When auditing your organization for compliance, what role do IT Security policies and an IT Security policy framework play in the compliance audit?
Serve as primary liaison between auditing bodies, IT Security Management, compliance and Business Stakeholders.
How do you assess the effectiveness of your internal audit function?
Plan, lead, execute, and report on medium to complex IT general and application control audits, IT security and governance reviews, and drive control/process optimization to assess the existence, effectiveness, and efficiency of the IT control environment.
How does the vendor handle software and hardware maintenance, end user support, and maintenance agreements?
Certify that your operation works in close partnership with internal peers and external service providers to recommend technologies or systems improvements that support organizational goals and ensure data center performance and operation is reliable and compliant with the respective Service Level Agreements, audit requirements and local regulations.
How do you leverage and integrate traditional infrastructure with public and private clouds to deliver the right performance at the right time and cost?
Support the IT Audit Manager in planning audit projects by developing risk-based scopes, methodologies, and audit programs; prepare, research and design evaluations of programs, systems, controls, policies, procedures and other functions using audit and analytical techniques; execute complex information technology tests of controls associated with applications, system operations, and supporting infrastructure; and analyze supporting evidence, draw logical conclusions and develop appropriate findings and recommendations.
Are training sessions conducted for all relevant personnel on backup, recovery, and contingency operating procedures?
Check that your workforce's responsibilities include planning, executing, and reporting on internal control and internal audit engagements that develop, assess, or help improve the design and operating effectiveness of IT risk management and internal control activities.
How do you go about finding the right partners who share your view of IT as your organization's enabler?
Build audits of, and assess, internal organization systems as well as business partner/service provider information systems.
How do you conduct ongoing monitoring of the risk posture?
Orchestrate risk assessments over the underlying Technology applications of the WM/IM business area, conduct audit planning, test Technology general controls over distributed and mainframe environments, conduct reporting, and conduct closure verification of issues.
How do you encourage workers to collaborate while minimizing risks of compromised information?
Collaborate with Internal Audit, business process owners, and system owners in the testing of new software capabilities, programs and application requirements.