Assessment questions
One of the most effective ways to find security gaps in the enterprise is to create an infrastructure threat model. The model begins with a set of assessment questions, and the answers feed directly into the threat modeling process. An infrastructure threat model helps you visualize how the enterprise is accessed, connected, and protected, which makes it easier to identify the security controls that reduce or eliminate risk.
The following assessment questions are a starting point. Add questions as your specific needs require.
Access control
Why ask these questions
These questions allow you to:
- Come up with a complete list of user types, like employees, administrators, and vendors.
- Know who is authorized to access resources.
- Learn which security controls are used to restrict access, like Role-based Access Control (RBAC), Access Control Lists (ACL), or least-privilege access.
- Find out which identity management system is used by the enterprise, like Microsoft Entra ID.
- Learn which security controls are used to authenticate users, like Multi-Factor Authentication (MFA) or Single Sign-On (SSO).
What questions to ask
| Question | Areas to cover |
|---|---|
| Describe how you restrict access to physical and logical enterprise resources. | |
| How do you establish and verify the identity of each person? | |
| How do you know who can access enterprise resources? | |
| Describe the password policy for each user type. | |
| How do you manage access to your online social presence? | |
| How do you manage elevated, shared, alternate, and system accounts? | |
| Describe the process used to approve, audit, and manage resource access requests. | |
Tip
Check out Azure identity fundamentals for tips on securing your identity infrastructure.
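Several of the access-control questions above (who can access resources, which user types exist, how elevated, shared, and system accounts are managed, and whether MFA is enforced) can be answered from an export of the identity directory. The script below is an added example for this guide, not code from the guide or from any Microsoft product: it reviews a small, constructed account inventory and reports the gaps a threat modeler would want to record. The field names, the set of roles treated as privileged, and the sample accounts are assumptions made for the example; in practice the input would come from your identity provider's user and role reports.

```python
# Added example, not part of the assessment guide: an identity-inventory review
# that turns some of the access-control questions into concrete checks.
# Field names, the privileged-role list and the accounts are assumptions for the
# example; real input would come from your identity provider's export.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    name: str
    kind: str             # user type: employee, admin, vendor, service, shared
    roles: frozenset      # directory roles assigned to the account
    mfa: bool             # whether MFA is enforced for this account
    last_sign_in: date
    owner: str = ""       # accountable person for admin, service and shared accounts


# Roles treated as "elevated" for this review (assumed; adjust to your directory).
PRIVILEGED_ROLES = frozenset({
    "Global Administrator",
    "Privileged Role Administrator",
    "Domain Admins",
})


def user_types(accounts):
    """Answer 'which user types exist?' by grouping account names by kind."""
    groups = {}
    for a in accounts:
        groups.setdefault(a.kind, []).append(a.name)
    return {kind: sorted(names) for kind, names in sorted(groups.items())}


def review(accounts, today, stale_days=90):
    """Return (account, finding) pairs for the gaps this example checks:
    privileged accounts without MFA, privilege held by daily-use, vendor or
    shared accounts, unowned non-human accounts, and stale accounts."""
    findings = []
    for a in accounts:
        elevated = bool(a.roles & PRIVILEGED_ROLES)
        if elevated and not a.mfa:
            findings.append((a.name, "privileged account without MFA"))
        if elevated and a.kind == "employee":
            findings.append((a.name, "daily-use account holds a privileged role; "
                                     "use a separate admin account"))
        if elevated and a.kind in ("vendor", "shared"):
            findings.append((a.name, f"{a.kind} account holds a privileged role"))
        if a.kind in ("admin", "service", "shared") and not a.owner:
            findings.append((a.name, f"{a.kind} account has no accountable owner"))
        if (today - a.last_sign_in).days > stale_days:
            findings.append((a.name, f"no sign-in for more than {stale_days} days"))
    return findings


# Constructed sample inventory (not real accounts) and the review date.
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", frozenset({"User"}), True, date(2024, 5, 30)),
    Account("alice-admin", "admin", frozenset({"Global Administrator"}), True,
            date(2024, 5, 29), owner="alice"),
    Account("bob", "employee", frozenset({"Global Administrator"}), False,
            date(2024, 5, 31)),
    Account("vendor-acme", "vendor", frozenset({"User"}), True, date(2024, 1, 10)),
    Account("svc-backup", "service", frozenset({"Backup Operator"}), False,
            date(2024, 5, 31)),
    Account("helpdesk-shared", "shared", frozenset({"User"}), True,
            date(2024, 5, 31), owner="it-ops"),
]
SAMPLE_TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    print("User types:", user_types(SAMPLE_ACCOUNTS))
    for name, finding in review(SAMPLE_ACCOUNTS, SAMPLE_TODAY):
        print(f"{name}: {finding}")
```

Each finding maps back to a question in the table: the MFA and separate-admin-account checks answer how elevated and alternate accounts are managed, the owner check answers how shared and system accounts are managed, and the stale-account check supports the approve, audit, and manage question. Record the findings as inputs to the threat model rather than treating the script as the control itself.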
Secure development
Why ask these questions
These questions allow you to:
- Understand how engineering teams enforce security throughout the entire development lifecycle.
- Learn which systems are used to protect source code and to track security bugs.
What questions to ask
| Question | Areas to cover |
|---|---|
| Describe your Security Development Lifecycle (SDL). | |
| How do you handle and triage security bugs? | |
| How do you secure source code and security bug reports? | |
Tip
Check out Microsoft SDL to learn how Microsoft integrates security across its development lifecycle.
Business continuity
Why ask these questions
These questions allow you to:
- Gauge enterprise resiliency against service outages.
- Learn how the enterprise identifies and protects critical services.
- Verify implementation and regular testing of backups and recovery techniques.
What questions to ask
| Question | Areas to cover |
|---|---|
| How do you determine each critical asset in the enterprise? | |
| Describe the backup and recovery process. | |
| Describe your disaster recovery plans. | |
Tip
Check out Azure backup for tips on securely backing up your infrastructure.
Cryptography
Why ask these questions
These questions allow you to:
- Learn the cryptographic practices and baselines used to protect the enterprise.
- Know how cryptographic technologies are managed, like Public Key Infrastructure (PKI).
- Understand how Hardware Security Modules (HSM) are deployed, tracked, and administered.
What questions to ask
| Question | Areas to cover |
|---|---|
| Describe the systems used to create, manage, and secure cryptographic keys. | |
| Describe the systems used to create, manage, and secure certificates. | |
| How is enterprise data protected in transit, at rest, and in use? | |
Tip
Check out Azure encryption for tips on encrypting enterprise data.
Asset management
Why ask these questions
These questions allow you to:
- Know how assets are identified, labeled, and classified.
- Learn the requirements that dictate how users should handle data.
- Verify how data is stored.
What questions to ask
| Question | Areas to cover |
|---|---|
| Describe your data retention policy. | |
| Describe how physical assets are handled, transported, and destroyed. | |
| Describe the classification and labeling process for logical and physical assets. | |
| How are confidential assets destroyed when they’re no longer needed? | |
| What happens if an asset is lost, missing, or shipped outside of the enterprise? | |
| Describe how data is secured. | |
| What are the mechanisms in place to prevent unauthorized sharing and downloading of data? | |
| Describe the process used to time out working sessions across assets and services. | |
Tip
Check out Azure data classification for tips on classifying enterprise data.
Legal
Why ask these questions
These questions allow you to:
- Understand the enterprise's legal and regulatory obligations.
- Verify content of contracts and agreements signed by employees and vendors.
What questions to ask
| Question | Areas to cover |
|---|---|
| How do employees and vendors adhere to security policies? | |
| Are you prohibited from selling your product to any country/region because of encryption features? | |
| Describe the process used to meet all industry, legal, contractual, and regulatory compliance as it relates to enterprise assets. | |
Tip
Check out Azure legal for ideas on protecting your enterprise.
Incident response
Why ask these questions
These questions allow you to:
- Know how the enterprise handles incidents against its infrastructure and product offerings.
- Learn strategies used to protect, detect, and respond to security incidents.
- Identify who manages these incidents.
What questions to ask
| Question | Areas to cover |
|---|---|
| Describe the incident response process for the enterprise. | |
| Describe the incident response process for the product. | |
Tip
Check out Azure incident response for enterprise incident response best practices.
Network
Why ask these questions
These questions allow you to:
- Learn how the network is segmented and protected.
- Know each detective and protective solution in place, like firewalls and Virtual Private Networks (VPN).
- Gauge existing monitoring capabilities.
- Verify how data is secured between internal and external endpoints.
What questions to ask
| Question | Areas to cover |
|---|---|
| Describe how the network handles and encrypts enterprise data. | |
| Describe the use of network security detective and protective controls. | |
| How is the network segmented? | |
| How is the enterprise network managed? | |
Tip
Check out Azure network for tips on securing your infrastructure network.
Operations
Why ask these questions
These questions allow you to:
- Learn about existing change control policies and procedures.
- Uncover important aspects of daily operations, like patch management, malicious code prevention, logging, and monitoring.
- Find out who can access administrative documents.
- Understand which tests are conducted to ensure smooth operations.
What questions to ask
| Question | Areas to cover |
|---|---|
| How is the enterprise protected against vulnerabilities? | |
| How does the enterprise verify endpoint security health? | |
| How are endpoints updated? | |
| Describe the logging and monitoring systems used to protect the enterprise. | |
| Describe your security operations processes as they relate to changes in the production environment. | |
Tip
Check out Azure operations for tips on securing your infrastructure operations.
Physical and environmental
Why ask these questions
These questions allow you to:
- Learn the existing physical security requirements to help keep employees, assets, and facilities safe.
- Understand the security controls that are used to help deter and prevent physical attacks.
- Gauge how well the enterprise is prepared against natural disasters.
What questions to ask
| Question | Areas to cover |
|---|---|
| Describe the physical security controls in place to protect people, assets, and buildings. | |
| Is there a special process to handle enterprise devices that are lost or left unattended? | |
| Describe the process for visitors. | |
| How is the enterprise prepared against natural disasters? | |
Tip
Check out Azure physical for tips on securing your physical infrastructure.
Governance
Why ask these questions
These questions allow you to:
- Learn how the enterprise includes security in its strategic direction.
- Understand how risks are validated and managed.
- Uncover high-level compliance requirements.
What questions to ask
| Question | Areas to cover |
|---|---|
| Describe your information security policy. | |
| Describe your risk management program. | |
Tip
Check out Azure governance for tips on infrastructure governance.
Security architecture
Why ask these questions
These questions allow you to:
- Learn how technologies are selected, implemented, and managed.
- Find out which collaboration requirements restrict external data sharing.
- Understand how resiliency and security are achieved.
- Identify who creates and manages security baselines across platforms.
What questions to ask
| Question | Areas to cover |
|---|---|
| Describe your infrastructure. | |
| Describe your infrastructure for containers and IoT devices. | |
| Define the other security controls used in hybrid scenarios. | |
Tip
Check out Azure architecture for tips on securing your infrastructure architecture.
Supplier
Why ask these questions
These questions allow you to:
- Understand existing relationships with suppliers and third-party vendors.
- Learn the process used to identify supplier security risks.
- Confirm the types of service level agreements enforced.
What questions to ask
| Question | Areas to cover |
|---|---|
| Describe the third-party vetting process used to decide who to do business with. | |
| What does the service level agreement look like for each supplier? | |
Tip
Use the same assessment questions from the other categories to help you develop your supplier management program.
Important
Visit Azure security benchmark to learn about each security category and associated requirements in Azure.