CISA Leak Questions

Whether there is a proper balance between the magnitude of the risk and the control measures implemented

Whether the implemented controls closely align with domestic and international industry best practices

Whether identified risks are being completely mitigated through the proper application of control mechanisms

Whether adequate resources are available for frequent and stringent control monitoring

Revise IT security procedures to require penetration tests for internally developed services prior to deployment.

Report a control deficiency, as no penetration test has been conducted and documented.

Confirm whether vulnerability scanning was conducted after the webpage was deployed.

Meet with IT and the information security team to determine why testing was not completed.

Documentation of the service provider’s security configuration controls

A review of the service provider's policies and procedures

An audit report of the controls by an external auditor

An interview with the service provider's senior management

Amount of successfully migrated software changes

Reduction in the help desk budget

Number of defects discovered in production

Increase in quality assurance (QA) activities