Do you utilize an exception process for non-whitelisted software?
Are you evaluating the effectiveness of security measures on an annual basis?
Has the annual evaluation plan been updated based on updated intelligence and threat scenarios?
Have risk assessments been conducted?
Do you use a dedicated solution for assessing and monitoring supply chain risks?
Do you perform scans for unauthorized ports available across perimeter network boundaries, including the organization's Internet network boundaries and other organizationally defined boundaries?
Please describe the scanning periods and procedures.
Do you implement a supply chain risk management plan?
How many critical and/or CUI-related vendors do you monitor annually?
Is there a process in place to include the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities in the threat intelligence cycle?