Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

17-P: IT Infrastructure Management

This section evaluates how your organization designs, configures, and maintains its core IT infrastructure, including networks, servers, storage, and related platforms.

The questions focus on whether you follow documented standards and hardening guidelines, apply network segmentation, manage capacity and performance, and maintain appropriate redundancy, backup, and recovery capabilities.

Overall, this section confirms that your underlying infrastructure is managed in a stable, secure, and resilient manner that supports the services and data you provide.

Organization

Full Name

58.8- Do you maintain a current and up-to-date network diagram?

YES

NO

N/A

Explanation: A current network diagram provides visibility into the network architecture, helping to identify vulnerabilities and ensuring compliance with security frameworks.

Risks of Incorrect Answer: Lack of a network diagram may lead to gaps in monitoring, increasing the risk of undetected attacks.

Difficulty in troubleshooting network issues.

Applicable Frameworks: ISO 27001 (A.13.1.1): Requires documenting network security measures.

NIST CSF (ID.AM-4): Emphasizes visibility into network architecture.

PCI DSS (1.1.3): Requires a current network diagram.

58.6- If No or N/A, please provide an additional explanation

59.7- Have firewalls been deployed at all entry and exit points in your network?

YES

NO

N/A

Explanation: Firewalls are critical for filtering network traffic and preventing unauthorized access to sensitive data.

Risks of Incorrect Answer: Without firewalls, networks are vulnerable to unauthorized access, malware, and data breaches.

Regulatory non-compliance due to lack of perimeter security.

Applicable Frameworks: ISO 27001 (A.13.1.1): Requires controls for secure communication.

NIST CSF (PR.AC-5): Highlights boundary defense.

PCI DSS (1.1.4): Mandates firewall implementation.

59.7- If yes, please specify the firewall(s) used.

59.7- If No or N/A, please provide an additional explanation

60.7- Have you implemented network-based or host-based IDS/IPS systems?

YES

NO

N/A

Explanation: IDS/IPS systems detect and prevent potential intrusions, providing real-time protection against threats.

Risks of Incorrect Answer: Increased exposure to undetected cyberattacks.

Delayed response to security incidents, increasing potential damage.

Applicable Frameworks: ISO 27001 (A.13.1.3): Addresses network monitoring.

NIST CSF (DE.CM-1): Recommends continuous monitoring for anomalies.

PCI DSS (11.4): Requires IDS/IPS deployment.

60.7- If yes, please specify the IDS/IPS used.

60.7- If No or N/A, please provide an additional explanation

61.4- What operating systems do you use to store or process our client’s data?

YES

NO

N/A

Explanation: Understanding operating systems helps assess their security and patch levels, ensuring compatibility with security policies.

Risks of Incorrect Answer: Unsecured or outdated operating systems could introduce vulnerabilities.

Difficulty ensuring compliance with security requirements.

Applicable Frameworks: NIST CSF (PR.IP-12): Covers secure configurations.

CIS Controls (5.1): Focuses on secure configuration for OS and software

61.4- If No or N/A, please provide an additional explanation

62.6- Do you have formal hardening standards for your systems?

YES

NO

N/A

Explanation: System hardening involves reducing attack surfaces by disabling unnecessary services, enforcing strong configurations, and more.

Risks of Incorrect Answer: Misconfigured or exposed systems could lead to data breaches.

Non-compliance with frameworks that mandate hardening practices.

Applicable Frameworks: ISO 27001 (A.14.2.4): Requires secure development and configuration.

CIS Controls (5.3): Recommends system hardening.

62.6- If No or N/A, please provide an additional explanation

63.5- What antivirus software do you use, and what version is currently deployed?

YES

NO

N/A

Explanation: Antivirus software is essential for detecting and mitigating malware threats.

Risks of Incorrect Answer: Outdated antivirus software may fail to detect new threats.

Non-compliance with malware protection requirements.

Applicable Frameworks: ISO 27001 (A.12.2.1): Focuses on malware protection.

PCI DSS (5.1): Requires antivirus protection.

63.5- If No or N/A, please provide an additional explanation

64.7- Do you have a documented process for patching systems and applications?

YES

NO

N/A

Explanation: A patching process ensures that vulnerabilities are promptly addressed, reducing the risk of exploitation.

Risks of Incorrect Answer: Unpatched systems may be exploited by attackers.

Non-compliance with standards requiring vulnerability management.

Applicable Frameworks: ISO 27001 (A.12.6.1): Mandates timely patching.

NIST CSF (PR.IP-12): Addresses patch management.

64.7- If No or N/A, please provide an additional explanation

65.5- Are e-commerce websites or applications used to process our client’s data?

YES

NO

N/A

Explanation: E-commerce platforms often handle sensitive customer data, making their security critical.

Risks of Incorrect Answer: Insecure applications may expose customer data to breaches.

Failure to secure e-commerce systems could lead to financial fraud.

Applicable Frameworks: PCI DSS (6.5): Covers secure application development.

ISO 27001 (A.14.1.2): Addresses securing applications.

65.5- If No or N/A, please provide an additional explanation

66.6- Do you use web servers or services to collect, process, or transfer our client’s data?

YES

NO

N/A

Explanation: Securing web servers is essential to protect data during collection and transmission.

Risks of Incorrect Answer: Unsecured servers could lead to data leaks or breaches.

Vulnerabilities in web applications may expose client data.

Applicable Frameworks: ISO 27001 (A.13.1.1): Securing communications.

PCI DSS (4.1): Protecting data in transit

66.6- If No or N/A, please provide an additional explanation

67.8- Do you have a formal encryption policy in place?

YES

NO

N/A

Explanation: Encryption policies ensure that sensitive data is encrypted during storage and transmission, protecting it from unauthorized access.

Risks of Incorrect Answer: Lack of encryption could result in data breaches.

Non-compliance with data protection regulations.

Applicable Frameworks: ISO 27001 (A.10.1.1): Encryption for sensitive data.

PCI DSS (3.4): Encryption of stored data.

67.8- If No or N/A, please provide an additional explanation

68.6- Are mobile devices used to store, process, or access our client’s data?

YES

NO

N/A

Explanation: Mobile devices, if not secured, can be a weak link, exposing client data to unauthorized access.

Risks of Incorrect Answer: Lost or stolen devices may result in data breaches.

Non-compliance with security policies related to mobile devices.

Applicable Frameworks: ISO 27001 (A.6.2.1): Covers mobile device management.

NIST CSF (PR.AC-5): Highlights access controls for mobile devices

68.7- If No or N/A, please provide an additional explanation

THANK YOU

You have successfully completed
the IT Infrastructure
portion of this Assessment.

Please Press Submit
so that we can process your results

Compliance Risk &

Information Security
Partners

CRISP

Empowering small businesses
with BIG Solutions

HOME

ABOUT

CONTACT

Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.

Contact Us

Let’s discuss your unique security needs and address any other questions you may have. Contact us today for a free consultation and take the next step towards strengthening your company’s defenses.

LEGAL POLICIES

Privacy Policy

Terms & Conditions

Disclaimer

Cookie Policy

DSAR

Refunds/Returns

Shipping Policy

EULA

Message

I Consent to Receive SMS Notifications, Alerts & Occasional Marketing Communication from CRISP. Message frequency varies. Message & data rates may apply. Text HELP to (330) 737-2223 for assistance. You can reply STOP to unsubscribe at any time.

​Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

17-P: IT Infrastructure Management

​Compliance Risk &

Information SecurityPartners

Empowering small businesses with BIG Solutions

HOME

ABOUT

Contact Us

LEGAL POLICIES

Compliance Risk &

Compliance Risk &

Information Security
Partners

Empowering small businesses
with BIG Solutions