
Compliance Risk &

Information Security Partners


29-AB: Host VPN Configuration

This section evaluates how the hosts your staff (the CSRs referred to in the questions) use to reach your systems, applications, and data from outside the office are connected and configured.

The questions focus on whether remote connections are carried over an encrypted, authenticated VPN, which type of phone system those staff use and how its voice traffic is protected, and whether the hosts themselves are built from a standard image that enforces your security baseline.

Overall, this section confirms that remote access to your environment is encrypted, that the server is verified before traffic is sent, and that it is delivered on consistently configured hosts rather than ad hoc devices.

Explanation: This question assesses how secure the connection is between the CSR's host and the company network. The VPN appliance or client application should establish an encrypted tunnel (for example IPsec/IKEv2, a TLS-based VPN, or WireGuard) using current protocol versions and cipher suites, verify the gateway's identity before any traffic is sent, and authenticate the user, ideally with multi-factor authentication. The client software itself must be kept patched: it runs with network-level privileges on every remote host.

Risks of Incorrect Answer: Without an encrypted VPN, traffic between the CSR's host and the company network can be intercepted or modified on any network it crosses (home Wi-Fi, hotel or coffee-shop networks), leading to credential theft and data breaches.

An unpatched or poorly configured client application may expose vulnerabilities that attackers can exploit to gain a foothold on the host or, through the tunnel, on the internal network.

Applicable Frameworks: NIST CSF (PR.AC-5): Network integrity is protected.

ISO 27001:2013 (A.13.1.1): Network controls, covering secure communication over networks.

HIPAA Security Rule (45 CFR 164.312(e)(1)): Transmission security, safeguarding protected health information in transit.
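A concrete way to check the properties this question asks about is to audit the VPN client profile itself rather than rely on the answer alone. The following is an added example written for this page, not CRISP's own tooling or any vendor's: it statically checks an OpenVPN client profile (.ovpn) for weak data-channel ciphers, a weak HMAC digest, missing server-certificate verification (`ca` and `remote-cert-tls server`), an unpinned TLS floor, an unauthenticated control channel (`tls-auth`/`tls-crypt`), and enabled compression. Directive names and semantics follow the OpenVPN 2.x manual; the two sample profiles are constructed here and their inline key blocks are placeholders, not real certificates or keys.

```python
"""Static audit of an OpenVPN client profile (.ovpn). Added example for this
page, not CRISP's tooling; directive semantics follow the OpenVPN 2.x manual
and the sample profiles below are constructed (key blocks are placeholders)."""
import re

# Data-channel ciphers OpenVPN still accepts but that are broken or 64-bit-block (SWEET32).
WEAK_CIPHERS = {"NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "DESX-CBC", "RC2-CBC", "CAST5-CBC"}
# HMAC digests that must not protect the control channel.
WEAK_AUTH = {"NONE", "MD5"}
# Settings that actually compress plaintext inside the tunnel (VORACLE-style recovery).
# "compress" with no argument, "compress stub"/"stub-v2" and "comp-lzo no" do not.
COMPRESSING = {("comp-lzo", ""), ("comp-lzo", "yes"), ("comp-lzo", "adaptive"),
               ("compress", "lzo"), ("compress", "lz4"), ("compress", "lz4-v2")}


def parse_profile(text):
    """Parse an .ovpn profile into {directive: [args, ...]}.

    One directive per line; lines starting with '#' or ';' are comments.
    Inline key material such as <ca>...</ca> is recorded under its tag name
    with empty args so the checks can see it is present without parsing PEM.
    """
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                               # inside <tag> ... </tag>
            if line == f"</{block}>":
                block = None
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            block = tag.group(1)
            directives.setdefault(block, []).append([])
            continue
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit_profile(text):
    """Return a sorted list of findings; an empty list means the profile passes."""
    d = parse_profile(text)
    findings = []

    # 1. Data channel: every cipher the client is willing to negotiate must be strong.
    ciphers = set()
    for args in d.get("data-ciphers", []):
        if args:
            ciphers.update(c.upper() for c in args[0].split(":"))
    ciphers.update(args[0].upper() for args in d.get("cipher", []) if args)
    findings += [f"weak data-channel cipher: {c}" for c in sorted(ciphers & WEAK_CIPHERS)]

    # 2. HMAC digest for the control channel (and for non-AEAD data ciphers).
    findings += [f"weak HMAC digest: {args[0]}" for args in d.get("auth", [])
                 if args and args[0].upper() in WEAK_AUTH]

    # 3. Server identity: a CA to verify against, plus a check that the peer
    #    presented a *server* certificate; otherwise any client certificate
    #    issued by the same CA can impersonate the VPN gateway.
    if "ca" not in d:
        findings.append("no CA (ca or <ca>): server certificate is not verified")
    if not any(args[:1] == ["server"] for args in d.get("remote-cert-tls", [])):
        findings.append("missing 'remote-cert-tls server': a client cert from the same CA could pose as the server")

    # 4. TLS floor: pin it instead of inheriting the build's default.
    tls_min = d.get("tls-version-min", [[]])[0]
    if not tls_min or float(tls_min[0]) < 1.2:
        findings.append("tls-version-min not pinned to 1.2 or higher")

    # 5. Control channel: a pre-shared key stops unauthenticated peers from
    #    even starting a TLS handshake with the gateway.
    if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated handshakes")

    # 6. Compressing data before encryption leaks plaintext through packet sizes.
    for name in ("comp-lzo", "compress"):
        for args in d.get(name, []):
            if (name, args[0].lower() if args else "") in COMPRESSING:
                findings.append(f"compression enabled ({name} {' '.join(args)}): plaintext recovery risk")

    return sorted(findings)


# Constructed sample profiles; the inline blocks hold placeholders, not real keys.
WEAK_PROFILE = """
client
remote vpn.example.com 1194
cipher BF-CBC
auth MD5
comp-lzo yes
<ca>
placeholder
</ca>
"""

HARDENED_PROFILE = """
client
remote vpn.example.com 1194
; only AEAD ciphers may be negotiated
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
remote-cert-tls server
verify-x509-name vpn.example.com name
compress
<ca>
placeholder
</ca>
<tls-crypt>
placeholder
</tls-crypt>
"""
```

Running `audit_profile(WEAK_PROFILE)` returns six findings (weak cipher, weak digest, no `remote-cert-tls server`, unpinned TLS floor, no `tls-auth`/`tls-crypt`, compression enabled) while `audit_profile(HARDENED_PROFILE)` returns an empty list. The checker reads only the profile, so it cannot see the gateway's own configuration or whether multi-factor authentication is enforced server-side; those still have to be confirmed with the vendor.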

Explanation: The type of phone system determines which channel carries voice traffic and therefore how it must be protected. A softphone whose traffic is routed through the VPN inherits the tunnel's encryption, so its security rests on the VPN controls assessed in the previous question. A hardphone (desk phone) sends SIP signalling and RTP media on its own, so its calls are protected only if the device is configured for SIP over TLS and SRTP and that configuration is enforced rather than left at vendor defaults.

Risks of Incorrect Answer: Use of unsecured communication tools (plain SIP/RTP across an untrusted network) allows eavesdropping on and interception of calls.

Information spoken during calls, including customer details and verification data, could be compromised.

Applicable Frameworks: NIST CSF (PR.PT-4): Communications and control networks are protected.

ISO 27001:2013 (A.13.2.1): Information transfer policies and procedures.

Explanation: Building hosts from a standard (golden) image ensures every device starts from a known, hardened configuration that meets organizational policy: approved operating system and patch level, endpoint protection, disk encryption, and the VPN client settings assessed above. This removes the drift and one-off mistakes that come with hand-built machines.

Risks of Incorrect Answer: Hand-built or non-standard hosts may be missing controls (patches, endpoint protection, hardening settings) and are therefore more exposed to malware and misconfiguration.

Without a documented baseline there is nothing to audit a host against, which makes it hard to detect drift and to demonstrate compliance with regulatory standards.

Applicable Frameworks: NIST CSF (PR.IP-1): A baseline configuration is created and maintained.

ISO 27001:2013 (A.12.1.2): Change management, so that changes to the baseline are controlled; in ISO 27001:2022 secure configuration is covered by A.8.9 (Configuration management).

PCI DSS (Req. 2.2): Secure configuration standards for all system components.



Empowering small businesses
with BIG Solutions

Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.

Contact Us

Let’s discuss your unique security needs and address any other questions you may have. Contact us today for a free consultation and take the next step towards strengthening your company’s defenses.


© 2025 Compliance Risk & Information Security Partners (CRISP). All rights reserved.