Do you perform periodic red teaming against organizational assets in order to validate defensive capabilities?
Do you conduct automated scanning of your perimeter or network segments?
Do you perform pentesting using human experts?
Do you maintain an organizational security strategy?
Do you maintain a security roadmap aligned with strategy?
Do you conduct penetration testing periodically on specified systems?
Does the assessment include vulnerability scanning, penetration testing, security control testing and reviews, configuration testing and reviews, log reviews, and talking with company employees?
Is there an action plan to remediate identified weaknesses or deficiencies?
Are continuous monitoring tools deployed for internet-facing systems (computers with IP addresses that can be reached from the internet)?
Are continuous monitoring reports and alerts reviewed frequently (e.g., daily)?