SIG Core | Compliance | Fluid Attacks Help

SIG Core

Summary

The Standardized Information Gathering (SIG) Questionnaire is a repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks and curated by Shared Assessments. The SIG gathers the information needed to determine how security risks are managed across 18 risk control areas, or domains, within a service provider's environment. It was developed so that a service provider can compile complete information about these risk domains in a single document. As a core questionnaire, its objective is to provide a risk assessment usable by businesses in all industries.
The version used in this section is SIG 2019.

Definitions

| Definition | Domain | Requirements |
|---|---|---|
| A_4_1_8 | Risk assessment and treatment | 318. Notify third parties of changes |
| B_1 | Security policy | 331. Guarantee legal compliance |
| B_1_1 | Security policy | 331. Guarantee legal compliance |
| D_1_1_2 | Asset and information management | 232. Require equipment identity |
| D_4_4 | Asset and information management | 314. Provide processing confirmation; 315. Provide processed data information |
| D_4_4_1 | Asset and information management | 096. Set user's required privileges |
| D_4_4_2 | Asset and information management | 185. Encrypt sensitive information |
| D_4_4_4 | Asset and information management | 115. Filter malicious emails; 118. Inspect attachments; 181. Transmit data using secure protocols |
| D_6_1 | Asset and information management | 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms; 338. Implement perfect forward secrecy |
| D_6_5 | Asset and information management | 115. Filter malicious emails |
| D_6_6 | Asset and information management | 273. Define a fixed security suite |
| D_6_7 | Asset and information management | 173. Discard unsafe inputs |
| D_6_9_1 | Asset and information management | 172. Encrypt connection strings |
| D_6_11 | Asset and information management | 145. Protect system cryptographic keys |
| D_6_11_1 | Asset and information management | 224. Use secure cryptographic mechanisms |
| D_6_11_2 | Asset and information management | 145. Protect system cryptographic keys |
| D_6_13 | Asset and information management | 148. Set minimum size of asymmetric encryption |
| D_6_13_1 | Asset and information management | 149. Set minimum size of symmetric encryption |
| D_9_2 | Asset and information management | 259. Segment the organization network |
| F_1_4_2 | Physical and environmental security | 231. Implement a biometric verification component |
| G_2_10_2 | Operations management | 301. Notify configuration changes |
| G_3_4 | Operations management | 229. Request access credentials; 264. Request authentication |
| G_4 | Operations management | 363. Synchronize system clocks |
| H_1_2 | Access control | 186. Use the principle of least privilege |
| H_2 | Access control | 143. Unique access credentials |
| H_2_1 | Access control | 334. Avoid knowledge-based authentication |
| H_2_3 | Access control | 144. Remove inactive accounts periodically |
| H_2_11 | Access control | 075. Record exceptional events in logs |
| H_2_12 | Access control | 075. Record exceptional events in logs |
| H_2_14 | Access control | 328. Request MFA for critical systems |
| H_2_15 | Access control | 095. Define users with privileges |
| H_3 | Access control | 229. Request access credentials |
| H_3_1_5 | Access control | 132. Passphrases with at least 4 words |
| H_3_1_6 | Access control | 133. Passwords with at least 20 characters |
| H_3_1_8 | Access control | 136. Force temporary password change; 137. Change temporary passwords of third parties |
| H_3_1_9 | Access control | 367. Proper generation of temporary passwords |
| H_3_1_14 | Access control | 130. Limit password lifespan |
| H_3_1_15 | Access control | 130. Limit password lifespan |
| H_3_1_16 | Access control | 023. Terminate inactive user sessions |
| H_3_1_17 | Access control | 028. Allow users to log out |
| H_3_1_19 | Access control | 205. Configure PIN |
| H_3_2 | Access control | 181. Transmit data using secure protocols; 185. Encrypt sensitive information |
| H_3_3 | Access control | 127. Store hashed passwords; 185. Encrypt sensitive information |
| H_3_3_1 | Access control | 127. Store hashed passwords |
| H_3_4 | Access control | 300. Mask sensitive data |
| H_3_7 | Access control | 238. Establish safe recovery |
| H_4 | Access control | 153. Out of band transactions |
| H_4_1 | Access control | 338. Implement perfect forward secrecy |
| H_4_2 | Access control | 328. Request MFA for critical systems |
| H_4_6_1 | Access control | 095. Define users with privileges |
| H_4_6_3 | Access control | 095. Define users with privileges |
| H_6_1 | Access control | 095. Define users with privileges |
| I_1_3_1 | Application security | 264. Request authentication |
| I_1_3_2 | Application security | 062. Define standard configurations |
| I_1_6 | Application security | 153. Out of band transactions |
| I_1_9 | Application security | 075. Record exceptional events in logs |
| I_1_11 | Application security | 023. Terminate inactive user sessions |
| I_1_14 | Application security | 173. Discard unsafe inputs |
| I_1_16 | Application security | 051. Store source code in a repository |
| I_1_18_3 | Application security | 095. Define users with privileges |
| I_1_19_2 | Application security | 183. Delete sensitive data securely |
| I_1_19_3 | Application security | 159. Obfuscate code; 300. Mask sensitive data |
| I_1_20 | Application security | 319. Make authentication options equally secure |
| I_2_1 | Application security | 154. Eliminate backdoors; 155. Application free of malicious code; 156. Source code without sensitive information; 158. Use a secure programming language; 159. Obfuscate code; 162. Avoid duplicate code; 164. Use optimized structures; 173. Discard unsafe inputs; 266. Disable insecure functionalities; 302. Declare dependencies explicitly; 344. Avoid dynamic code execution; 345. Establish protections against overflows; 366. Associate type to variables |
| I_2_6 | Application security | 154. Eliminate backdoors |
| I_2_7_1 | Application security | 029. Cookies with security attributes; 173. Discard unsafe inputs |
| I_2_9_4 | Application security | 266. Disable insecure functionalities |
| I_3_2_1 | Application security | 062. Define standard configurations |
| I_3_2_4 | Application security | 029. Cookies with security attributes |
| I_3_2_4_1 | Application security | 336. Disable insecure TLS versions |
| I_3_2_4_2 | Application security | 089. Limit validity of certificates; 090. Use valid certificates; 093. Use consistent certificates |
| I_3_2_5 | Application security | 167. Close unused resources |
| I_3_2_5_1 | Application security | 255. Allow access only to the necessary ports |
| I_3_2_7 | Application security | 171. Remove commented-out code |
| I_3_2_10 | Application security | 095. Define users with privileges |
| I_3_4_6 | Application security | 342. Validate request parameters |
| L_1 | Compliance | 331. Guarantee legal compliance |
| L_2_1 | Compliance | 337. Make critical logic flows thread safe |
| L_11_1 | Compliance | 075. Record exceptional events in logs |
| M_1_2 | End user device security | 167. Close unused resources |
| M_1_5 | End user device security | 023. Terminate inactive user sessions |
| M_1_10 | End user device security | 075. Record exceptional events in logs |
| M_1_14 | End user device security | 075. Record exceptional events in logs; 080. Prevent log modification; 378. Use of log management system |
| M_1_25 | End user device security | 205. Configure PIN; 206. Configure communication protocols; 210. Delete information from mobile devices; 213. Allow geographic location; 214. Allow data destruction |
| N_1_3 | Network security | 258. Filter website content |
| N_1_4 | Network security | 249. Locate access points; 250. Manage access points |
| N_1_7 | Network security | 259. Segment the organization network |
| N_1_9 | Network security | 341. Use the principle of deny by default |
| N_1_11 | Network security | 255. Allow access only to the necessary ports |
| N_1_12 | Network security | 252. Configure key encryption |
| N_1_13 | Network security | 142. Change system default credentials |
| N_1_15_4 | Network security | 338. Implement perfect forward secrecy |
| N_1_15_5 | Network security | 328. Request MFA for critical systems |
| P_1_3_1 | Privacy | 183. Delete sensitive data securely |
| P_1_5_3 | Privacy | 189. Specify the purpose of data collection |
| P_2 | Privacy | 314. Provide processing confirmation |
| P_2_1 | Privacy | 315. Provide processed data information |
| P_2_4 | Privacy | 314. Provide processing confirmation |
| P_3_1 | Privacy | 310. Request user consent |
| P_3_3 | Privacy | 315. Provide processed data information |
| P_4_1 | Privacy | 315. Provide processed data information |
| P_5_1 | Privacy | 360. Remove unnecessary sensitive information |
| P_5_3 | Privacy | 300. Mask sensitive data |
| P_6 | Privacy | 312. Allow user consent revocation; 316. Allow rectification requests; 317. Allow erasure requests |
| P_7_1 | Privacy | 315. Provide processed data information |
| P_8_2 | Privacy | 095. Define users with privileges |
| P_8_5 | Privacy | 315. Provide processed data information |
| U_1_2 | Server security | 062. Define standard configurations |
| U_1_2_1 | Server security | 167. Close unused resources |
| U_1_2_2 | Server security | 186. Use the principle of least privilege |
| U_1_2_4 | Server security | 023. Terminate inactive user sessions |
| U_1_2_5 | Server security | 142. Change system default credentials |
| U_1_4 | Server security | 075. Record exceptional events in logs; 322. Avoid excessive logging; 376. Register severity level |
| U_1_4_2 | Server security | 080. Prevent log modification |
| U_1_6_1 | Server security | 095. Define users with privileges |
| U_1_6_2 | Server security | 328. Request MFA for critical systems |
| U_1_8_1 | Server security | 181. Transmit data using secure protocols |
| U_1_9_8 | Server security | 378. Use of log management system |
| U_1_9_9 | Server security | 080. Prevent log modification |
| U_1_9_11 | Server security | 133. Passwords with at least 20 characters |
| U_1_9_12 | Server security | 130. Limit password lifespan |
| U_1_9_13 | Server security | 136. Force temporary password change; 140. Define OTP lifespan |
| U_1_9_15 | Server security | 338. Implement perfect forward secrecy |
| U_1_9_16 | Server security | 127. Store hashed passwords |
| U_1_9_18 | Server security | 143. Unique access credentials |
| U_1_9_20 | Server security | 033. Restrict administrative access |
| U_1_9_27 | Server security | 328. Request MFA for critical systems |
| U_1_10_5 | Server security | 116. Disable images of unknown origin |