Security Update Management

A6.1

Are all operating systems on your devices supported by a vendor that produces regular security updates and vulnerability fixes?

yesno

A6.2

Is all the software on your devices supported by a supplier that produces regular vulnerability fixes for any security problems?

yesno

A6.2.1

Please list your internet browser(s).

list

A6.2.2

Please list your malware protection software.

list

A6.2.3

Please list your email applications installed on end user devices and servers.

list

A6.2.4

Please list all office applications that are used to create organisational data.

list

A6.3

Are any of the in-scope software or cloud services unlicensed or unsupported?

yesno

A6.3.1

If yes to A6.3, please list the unsupported or unlicensed software or cloud services.

list

A6.4

Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

yesno Auto-fail

A6.4.1

Are all updates applied for operating systems by enabling auto updates?

yesno

A6.4.2

Where auto updates are not being used, how do you ensure all high-risk or critical security updates and vulnerability fixes are applied within 14 days of release?

text

A6.5

Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?

yesno Auto-fail

A6.5.1

Are all updates applied on your applications by enabling auto updates?

yesno

A6.5.2

Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release?

text

A6.6

Have you removed any software installed on your devices that is no longer supported and no longer receives regular updates or vulnerability fixes?

yesno

A6.7

Where you have a business need to use unsupported software, have you moved the devices and software out of scope of this assessment?

yesnodescribe