SIG Lite

Summary

The Standardized Information Gathering (Questionnaire) (SIG) Lite is a repository of third-party information security and privacy questions, indexed to multiple regulations, and control frameworks, curated by Shared Assessments. SIG Lite takes the high-level concepts and questions from the larger SIG assessments, distilling them down to a few questions. The version used in this section is SIG Lite 2019.

Definitions

Definition	Requirements
SIGLITE-SL_18. Are there regular privacy risk assessments conducted?	173. Discard unsafe inputs
SIGLITE-SL_23. Is there an information security policy that has been approved by management and an owner to maintain and review the policy?	331. Guarantee legal compliance
SIGLITE-SL_30. Are encryption tools managed and maintained for Scoped Data?	224. Use secure cryptographic mechanisms
SIGLITE-SL_31. Are clients provided with the ability to generate a unique encryption key?	351. Assign unique keys to each device
SIGLITE-SL_34. Are clients provided with the ability to rotate their encryption key on a scheduled basis?	145. Protect system cryptographic keys
SIGLITE-SL_33. Are staff able to access client Scoped Data in an unencrypted state?	096. Set user's required privileges
SIGLITE-SL_45. Termination or change of status process?	114. Deny access with inactive credentials
SIGLITE-SL_46. Are background checks performed for Service Provider Contractors and Subcontractors?	330. Verify Subresource Integrity
SIGLITE-SL_65. Is there a process to ensure clients are notified prior to changes being made which may impact their service?	301. Notify configuration changes
SIGLITE-SL_70. Are individual IDs required for user authentication to applications, operating systems, databases and network devices?	229. Request access credentials
SIGLITE-SL_71. Are passwords used?	229. Request access credentials
SIGLITE-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?	129. Validate previous passwords 130. Limit password lifespan 131. Deny multiple password changing attempts 133. Passwords with at least 20 characters 238. Establish safe recovery 332. Prevent the use of breached passwords 334. Avoid knowledge-based authentication
SIGLITE-SL_73. Is remote access permitted?	153. Out of band transactions
SIGLITE-SL_75. Is two factor authentication required to access the production environment containing scoped data?	362. Assign MFA mechanisms to a single account
SIGLITE-SL_76. Are staff able to access client scoped data?	362. Assign MFA mechanisms to a single account 095. Define users with privileges
SIGLITE-SL_78. Are applications used to transmit, process or store scoped data?	181. Transmit data using secure protocols 185. Encrypt sensitive information 338. Implement perfect forward secrecy
SIGLITE-SL_79. Is a web site supported, hosted or maintained that has access to scoped systems and data?	045. Remove metadata when sharing files
SIGLITE-SL_81. Is HTTPS enabled for all web pages used as part of the scoped service?	029. Cookies with security attributes
SIGLITE-SL_85. Operating system and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access?	376. Register severity level 075. Record exceptional events in logs 080. Prevent log modification
SIGLITE-SL_88. Is development, test, and staging environment separate from the production environment?	259. Segment the organization network 374. Use of isolation methods in running applications
SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?	154. Eliminate backdoors 155. Application free of malicious code 156. Source code without sensitive information 158. Use a secure programming language 159. Obfuscate code 164. Use optimized structures 173. Discard unsafe inputs 266. Disable insecure functionalities 302. Declare dependencies explicitly 344. Avoid dynamic code execution 345. Establish protections against overflows 366. Associate type to variables
SIGLITE-SL_90. Are change control procedures required for all changes to the production environment?	301. Notify configuration changes
SIGLITE-SL_98. Are mobile applications that access scoped systems and data developed?	315. Provide processed data information
SIGLITE-SL_110. Are there any dependencies on critical third party service providers?	302. Declare dependencies explicitly 330. Verify Subresource Integrity
SIGLITE-SL_131. Are end user devices used for transmitting, processing or storing scoped data?	320. Avoid client-side control enforcement 329. Keep client-side storage without sensitive data 375. Remove sensitive data from client-side applications
SIGLITE-SL_142. Is there a mobile device management solution in place?	206. Configure communication protocols 210. Delete information from mobile devices 214. Allow data destruction
SIGLITE-SL_148. Is there a process that requires security approval to allow external networks to connect to the company network, and enforces the least privilege necessary?	186. Use the principle of least privilege 253. Restrict network access
SIGLITE-SL_151. Are wireless networking devices connected to networks containing scoped systems and data?	249. Locate access points
SIGLITE-SL_154. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?	189. Specify the purpose of data collection 262. Verify third-party components 310. Request user consent 315. Provide processed data information
SIGLITE-SL_160. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?	181. Transmit data using secure protocols 338. Implement perfect forward secrecy
SIGLITE-SL_162. Is there an anti-malware program that has been approved by management, communicated to appropriate constituents and an owner to maintain?	273. Define a fixed security suite

Last updated

2025/07/23