Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

26-Y: Asset Consideration/Configuration

This section evaluates how your organization configures and protects systems and devices based on their role, criticality, and the data they handle.

The questions focus on whether you apply secure baseline configurations, hardening standards, and consistent settings for servers, workstations, network devices, and other assets; how you manage configuration changes; and how you validate that configurations remain compliant over time.

Overall, this section confirms that assets are deliberately configured to reduce risk, rather than left in default or inconsistent states that could expose vulnerabilities.

Organization

Full Name

119.5 Is the device being used a company asset or the property of the employee?

YES

NO

N/A

Explanation: Differentiating between company-owned and employee-owned devices is critical for implementing security policies tailored to the ownership type. Company assets typically have more stringent control measures than employee-owned devices.

Risks of Incorrect Answer: Employee-owned devices may lack enterprise-level security controls, increasing the risk of data breaches.

Lack of clear asset ownership can lead to compliance issues in audits.

Applicable Frameworks: NIST CSF (PR.AC-4): Access control based on roles or device ownership.

ISO 27001 (A.8.1.1): Identification of assets.

HIPAA: Security of devices used to access Protected Health Information (PHI).

119.5- If No or N/A, please provide an additional explanation

120.6- If the device is an employee-owned asset, is a Mobile Device Management (MDM) application used to secure it?

YES

NO

N/A

Explanation: MDM ensures that employee-owned devices meet corporate security standards, such as encryption and secure access controls, reducing the attack surface.

Risks of Incorrect Answer: Lack of MDM can result in unauthorized access or unencrypted data being exposed on personal devices.

Non-compliance with regulatory requirements for securing endpoints.

Applicable Frameworks: NIST CSF (PR.IP-12): Security solutions for mobile devices.

ISO 27001 (A.6.2.1): Controls for mobile devices.

PCI DSS (6.5): Secure handling of payment data on devices.

120.6- If No or N/A, please provide an additional explanation

121.5- Does the employee have administrator access to the device, whether it is personal or company-owned?

YES

NO

N/A

Explanation: Administrator access increases the risk of unauthorized changes to security settings, installation of unverified applications, or disabling security controls.

Risks of Incorrect Answer: Elevated privileges could allow malware installation or circumvention of corporate controls.

Violations of access control policies.

Applicable Frameworks: NIST CSF (PR.AC-5): Separation of administrative functions.

ISO 27001 (A.9.2.3): Management of privileged access rights.

SOC 2 (CC6.3): Role-based access controls.

121.5- If No or N/A, please provide an additional explanation

122.6- Have all input/output (I/O) ports, such as USB, serial ports, and CD writers, been disabled on the device (personal or company-owned)?

YES

NO

N/A

Explanation: Disabling unused I/O ports prevents data exfiltration and the introduction of malicious software through removable media.

Risks of Incorrect Answer: Open ports can be exploited for data theft or malware deployment.

Regulatory non-compliance for data protection standards.

Applicable Frameworks: NIST CSF (PR.PT-4): Restrictions on removable media.

ISO 27001 (A.13.1.3): Controls to protect against unauthorized access via removable media.

122.6- If No or N/A, please provide an additional explanation

123.7- Are CSR (Customer Service Representative) sessions logged?

YES

NO

N/A

Explanation: Session logging ensures accountability and provides a forensic trail for auditing or investigating incidents.

Risks of Incorrect Answer: Lack of logs can hinder incident investigations or compliance audits.

Reduced transparency into potential misuse of systems.

Applicable Frameworks: NIST CSF (DE.CM-3): Monitoring of network and system activities.

ISO 27001 (A.12.4.1): Logging of system events.

SOC 2 (CC7.2): Log monitoring and analysis.

123.7- If No or N/A, please provide an additional explanation

124.7- Are CSR sessions recorded?

YES

NO

N/A

Explanation: Session recording provides an additional layer of oversight for ensuring compliance with operational and security policies.

Risks of Incorrect Answer: Lack of recordings may lead to challenges in resolving disputes or addressing customer complaints.

Missed opportunities for process improvement through review.

Applicable Frameworks: NIST CSF (PR.MA-1): Maintenance records.

ISO 27001 (A.12.3.1): Documentation of user activities for non-repudiation

124.7- If No or N/A, please provide an additional explanation

125.7- Can emails be received or transmitted from the CSR device (personal or company-owned)?

YES

NO

N/A

Explanation: Email functionality on CSR devices must be controlled to prevent unauthorized data sharing or phishing attacks.

Risks of Incorrect Answer: Unrestricted email access can lead to data leakage or spear-phishing incidents.

Regulatory violations for mishandling sensitive information.

Applicable Frameworks: NIST CSF (PR.DS-5): Protection of transmitted data.

ISO 27001 (A.13.2.1): Controls for electronic messaging.

HIPAA: Secure handling of email containing PHI.

125.7- If No or N/A, please provide an additional explanation

THANK YOU.

You have completed the
Asset Consideration/Configuration portion of the vendor assessment

Press Submit
so that we can process
your responses

Compliance Risk &

Information Security
Partners

CRISP

Empowering small businesses
with BIG Solutions

HOME

ABOUT

CONTACT

Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.

Contact Us

Let’s discuss your unique security needs and address any other questions you may have. Contact us today for a free consultation and take the next step towards strengthening your company’s defenses.

LEGAL POLICIES

Privacy Policy

Terms & Conditions

Disclaimer

Cookie Policy

DSAR

Refunds/Returns

Shipping Policy

EULA

Message

I Consent to Receive SMS Notifications, Alerts & Occasional Marketing Communication from CRISP. Message frequency varies. Message & data rates may apply. Text HELP to (330) 737-2223 for assistance. You can reply STOP to unsubscribe at any time.

​Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

26-Y: Asset Consideration/Configuration

​Compliance Risk &

Information SecurityPartners

Empowering small businesses with BIG Solutions

HOME

ABOUT

Contact Us

LEGAL POLICIES

Compliance Risk &

Compliance Risk &

Information Security
Partners

Empowering small businesses
with BIG Solutions