Hi Zoho Desk Team, Good day!
Please answer the ff. queries
1. Does the system supports multi-factor authentication and other supporting mechanisms, such as banned password lists, detection of password guessing attacks, enforcing password change (for first time passwords), and detection of anomalous logon attempts?
2. Does the system have protecting against brute force log-on attempts?
3. Does the system have raising of security events if potential attempted or successful breach of long-on controls is detected?
4. Does the system support terminating inactive sessions (i.e., sessions that have been idle for more than 15 minutes)?
5. Password complexity / composition –
o Length at not less than eight characters
o Contain at least one upper case letter
o Contain at least one lower case letter
o Contain at least one numeric character
o Contain at least one special character
o Should not be words found in dictionary
6. Password history and password change – remember last 13 passwords and change every 30 days, unless suitable alternative is implemented aligned with the information security policy and guidelines ?
7. Account lock out – after five unsuccessful logon attempts?
8. Password encryption – passwords are encrypted when stored and transmitted ?
9. The system supports regular review of user access rights through the generation of access control lists or users lists with adequate information, i.e., creation date, last modification date, expiration date?
10. Privileged utility programs needed by the system has been identified, justified for use, and controlled. A privileged utility program is an application that requires some level of system administrative privilege capable of overriding system and application controls?
11. The system is processing information that requires the use of cryptographic controls (e.g., personal data, confidential information passing through the network)?
12. The system supports the standard user ID naming convention?
13. Program source codes are protected. The following security requirements enforced:
a. Where possible, program source libraries not held in production environment
b. Restriction of support personnel and other users to access program source libraries
c. Maintenance of an audit log of all accesses to program source code libraries
d. Change control procedures in maintenance and copying of program source libraries
14. Relevant data at rest and in-transit are protected by cryptographic controls (e.g., private key cryptography, secret key cryptography – AES 256, hash functions, message authentication codes, digital signatures, digital certificates)?
15. Cryptographic keys in use for the system are protected throughout its lifecycle?