SIG Core

Summary

The Standardized Information Gathering (Questionnaire) (SIG) is a repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks, curated by Shared Assessments. The SIG gathers pertinent information to determine how security risks are managed across a spectrum of 18 risk control areas, or domains, within a service provider's environment. It was developed to enable a service provider to compile complete information about these risk domains in one document. As a core questionnaire, its objective is to provide a risk assessment for businesses in all industries. The version used in this section is SIG 2019.

Definitions

Definition	Requirements
SIG-A_4_1_8. Risk assessment and treatment	318. Notify third parties of changes
SIG-B_1. Security policy	331. Guarantee legal compliance
SIG-B_1_1. Security policy	331. Guarantee legal compliance
SIG-D_1_1_2. Asset and information management	232. Require equipment identity
SIG-D_4_4. Asset and information management	314. Provide processing confirmation 315. Provide processed data information
SIG-D_4_4_1. Asset and information management	096. Set user's required privileges
SIG-D_4_4_2. Asset and information management	185. Encrypt sensitive information
SIG-D_4_4_4. Asset and information management	115. Filter malicious emails 118. Inspect attachments 181. Transmit data using secure protocols
SIG-D_6_1. Asset and information management	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 338. Implement perfect forward secrecy
SIG-D_6_5. Asset and information management	115. Filter malicious emails
SIG-D_6_6. Asset and information management	273. Define a fixed security suite
SIG-D_6_7. Asset and information management	173. Discard unsafe inputs
SIG-D_6_9_1. Asset and information management	172. Encrypt connection strings
SIG-D_6_11. Asset and information management	145. Protect system cryptographic keys
SIG-D_6_11_1. Asset and information management	224. Use secure cryptographic mechanisms
SIG-D_6_11_2. Asset and information management	145. Protect system cryptographic keys
SIG-D_6_13. Asset and information management	148. Set minimum size of asymmetric encryption
SIG-D_6_13_1. Asset and information management	149. Set minimum size of symmetric encryption
SIG-D_9_2. Asset and information management	259. Segment the organization network
SIG-F_1_4_2. Physical and environmental security	231. Implement a biometric verification component
SIG-G_2_10_2. Operations management	301. Notify configuration changes
SIG-G_3_4. Operations management	229. Request access credentials 264. Request authentication
SIG-G_4. Operations management	363. Synchronize system clocks
SIG-H_1_2. Access control	186. Use the principle of least privilege
SIG-H_2. Access control	143. Unique access credentials
SIG-H_2_1. Access control	334. Avoid knowledge-based authentication
SIG-H_2_3. Access control	144. Remove inactive accounts periodically
SIG-H_2_11. Access control	075. Record exceptional events in logs
SIG-H_2_12. Access control	075. Record exceptional events in logs
SIG-H_2_14. Access control	328. Request MFA for critical systems
SIG-H_2_15. Access control	095. Define users with privileges
SIG-H_3. Access control	229. Request access credentials
SIG-H_3_1_5. Access control	132. Passphrases with at least 4 words
SIG-H_3_1_6. Access control	133. Passwords with at least 20 characters
SIG-H_3_1_8. Access control	136. Force temporary password change 137. Change temporary passwords of third parties
SIG-H_3_1_9. Access control	367. Proper generation of temporary passwords
SIG-H_3_1_14. Access control	130. Limit password lifespan
SIG-H_3_1_15. Access control	130. Limit password lifespan
SIG-H_3_1_16. Access control	023. Terminate inactive user sessions
SIG-H_3_1_17. Access control	028. Allow users to log out
SIG-H_3_1_19. Access control	205. Configure PIN
SIG-H_3_2. Access control	181. Transmit data using secure protocols 185. Encrypt sensitive information
SIG-H_3_3. Access control	127. Store hashed passwords 185. Encrypt sensitive information
SIG-H_3_3_1. Access control	127. Store hashed passwords
SIG-H_3_4. Access control	300. Mask sensitive data
SIG-H_3_7. Access control	238. Establish safe recovery
SIG-H_4. Access control	153. Out of band transactions
SIG-H_4_1. Access control	338. Implement perfect forward secrecy
SIG-H_4_2. Access control	328. Request MFA for critical systems
SIG-H_4_6_1. Access control	095. Define users with privileges
SIG-H_4_6_3. Access control	095. Define users with privileges
SIG-H_6_1. Access control	095. Define users with privileges
SIG-I_1_3_1. Application security	264. Request authentication
SIG-I_1_3_2. Application security	062. Define standard configurations
SIG-I_1_6. Application security	153. Out of band transactions
SIG-I_1_9. Application security	075. Record exceptional events in logs
SIG-I_1_11. Application security	023. Terminate inactive user sessions
SIG-I_1_14. Application security	173. Discard unsafe inputs
SIG-I_1_16. Application security	051. Store source code in a repository
SIG-I_1_18_3. Application security	095. Define users with privileges
SIG-I_1_19_2. Application security	183. Delete sensitive data securely
SIG-I_1_19_3. Application security	159. Obfuscate code 300. Mask sensitive data
SIG-I_1_20. Application security	319. Make authentication options equally secure
SIG-I_2_1. Application security	154. Eliminate backdoors 155. Application free of malicious code 156. Source code without sensitive information 158. Use a secure programming language 159. Obfuscate code 164. Use optimized structures 173. Discard unsafe inputs 266. Disable insecure functionalities 302. Declare dependencies explicitly 344. Avoid dynamic code execution 345. Establish protections against overflows 366. Associate type to variables
SIG-I_2_6. Application security	154. Eliminate backdoors
SIG-I_2_7_1. Application security	173. Discard unsafe inputs 029. Cookies with security attributes
SIG-I_2_9_4. Application security	266. Disable insecure functionalities
SIG-I_3_2_1. Application security	062. Define standard configurations
SIG-I_3_2_4. Application security	029. Cookies with security attributes
SIG-I_3_2_4_1. Application security	336. Disable insecure TLS versions
SIG-I_3_2_4_2. Application security	089. Limit validity of certificates 090. Use valid certificates 093. Use consistent certificates
SIG-I_3_2_5. Application security	167. Close unused resources
SIG-I_3_2_5_1. Application security	255. Allow access only to the necessary ports
SIG-I_3_2_7. Application security	171. Remove commented-out code
SIG-I_3_2_10. Application security	095. Define users with privileges
SIG-I_3_4_6. Application security	342. Validate request parameters
SIG-L_1. Compliance	331. Guarantee legal compliance
SIG-L_2_1. Compliance	337. Make critical logic flows thread safe
SIG-L_11_1. Compliance	075. Record exceptional events in logs
SIG-M_1_2. End user device security	167. Close unused resources
SIG-M_1_5. End user device security	023. Terminate inactive user sessions
SIG-M_1_10. End user device security	075. Record exceptional events in logs
SIG-M_1_14. End user device security	378. Use of log management system 075. Record exceptional events in logs 080. Prevent log modification
SIG-M_1_25. End user device security	205. Configure PIN 206. Configure communication protocols 210. Delete information from mobile devices 213. Allow geographic location 214. Allow data destruction
SIG-N_1_3. Network security	258. Filter website content
SIG-N_1_4. Network security	249. Locate access points 250. Manage access points
SIG-N_1_7. Network security	259. Segment the organization network
SIG-N_1_9. Network security	341. Use the principle of deny by default
SIG-N_1_11. Network security	255. Allow access only to the necessary ports
SIG-N_1_12. Network security	252. Configure key encryption
SIG-N_1_13. Network security	142. Change system default credentials
SIG-N_1_15_4. Network security	338. Implement perfect forward secrecy
SIG-N_1_15_5. Network security	328. Request MFA for critical systems
SIG-P_1_3_1. Privacy	183. Delete sensitive data securely
SIG-P_1_5_3. Privacy	189. Specify the purpose of data collection
SIG-P_2. Privacy	314. Provide processing confirmation
SIG-P_2_1. Privacy	315. Provide processed data information
SIG-P_2_4. Privacy	314. Provide processing confirmation
SIG-P_3_1. Privacy	310. Request user consent
SIG-P_3_3. Privacy	315. Provide processed data information
SIG-P_4_1. Privacy	315. Provide processed data information
SIG-P_5_1. Privacy	360. Remove unnecessary sensitive information
SIG-P_5_3. Privacy	300. Mask sensitive data
SIG-P_6. Privacy	312. Allow user consent revocation 316. Allow rectification requests 317. Allow erasure requests
SIG-P_7_1. Privacy	315. Provide processed data information
SIG-P_8_2. Privacy	095. Define users with privileges
SIG-P_8_5. Privacy	315. Provide processed data information
SIG-U_1_2. Server security	062. Define standard configurations
SIG-U_1_2_1. Server security	167. Close unused resources
SIG-U_1_2_2. Server security	186. Use the principle of least privilege
SIG-U_1_2_4. Server security	023. Terminate inactive user sessions
SIG-U_1_2_5. Server security	142. Change system default credentials
SIG-U_1_4. Server security	322. Avoid excessive logging 376. Register severity level 075. Record exceptional events in logs
SIG-U_1_4_2. Server security	080. Prevent log modification
SIG-U_1_6_1. Server security	095. Define users with privileges
SIG-U_1_6_2. Server security	328. Request MFA for critical systems
SIG-U_1_8_1. Server security	181. Transmit data using secure protocols
SIG-U_1_9_8. Server security	378. Use of log management system
SIG-U_1_9_9. Server security	080. Prevent log modification
SIG-U_1_9_11. Server security	133. Passwords with at least 20 characters
SIG-U_1_9_12. Server security	130. Limit password lifespan
SIG-U_1_9_13. Server security	136. Force temporary password change 140. Define OTP lifespan
SIG-U_1_9_15. Server security	338. Implement perfect forward secrecy
SIG-U_1_9_16. Server security	127. Store hashed passwords
SIG-U_1_9_18. Server security	143. Unique access credentials
SIG-U_1_9_20. Server security	033. Restrict administrative access
SIG-U_1_9_27. Server security	328. Request MFA for critical systems
SIG-U_1_10_5. Server security	116. Disable images of unknown origin

Last updated

2024/02/09