A7 CE Montpellier

User Access Control

Limiting user access to what is necessary. Covers account provisioning, least privilege, administrator account controls, password-based authentication, and MFA for cloud services.

17 questions
A7.1
Are users only provided with user accounts after a process has been followed to approve their creation?
yes / no / describe
A7.2
Are all user and administrative accounts accessed by entering a unique username and password?
yes / no
A7.3
How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?
text
A7.4
Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?
yes / no / describe
A7.5
Do you have a formal process for giving someone access to systems at an 'administrator' level and can you describe this process?
yes / no / describe
A7.6
How does your organisation make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)?
text
A7.7
How does your organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email?
text
A7.8
Do you formally track which users have administrator accounts in your organisation?
yes / no
A7.9
Do you review who should have administrative access on a regular basis?
yes / no
A7.10
Describe how you protect accounts from brute-force password guessing in your organisation.
text
A7.11
Which technical controls are used to manage the quality of your passwords within your organisation?
text
A7.12
Please explain how you encourage people to use unique and strong passwords.
text
A7.13
Do you have a process for when you believe the passwords or accounts have been compromised?
yes / no
A7.14
Do all of your cloud services have multi-factor authentication (MFA) available as part of the service?
yes / no
A7.15
If you have answered 'No' to question A7.14, please provide a list of your cloud services that do not provide any option for MFA.
list
A7.16
Has MFA been applied to all administrators of your cloud services?
yes / no
A7.17
Has MFA been applied to all users of your cloud services?
yes / no
