Assessment questions

The most effective way to find security gaps in the enterprise is to create an infrastructure threat model. It begins with a set of assessment questions, which feed directly into the threat model creation process. An infrastructure threat model helps you visualize how the enterprise is accessed, connected, and protected. It makes it easier to identify which security controls to use to help reduce or eliminate risk.

This list of assessment questions is a great starting point. You may add more questions depending on specific needs.

Access control

Why ask these questions

These questions allow you to:

  • Come up with a complete list of user types, like employees, administrators, and vendors.
  • Know who is authorized to access resources.
  • Learn which security controls are used to restrict access, like Role-based Access Control (RBAC), Access Control Lists (ACL), or least-privilege access.
  • Find out which identity management system is used by the enterprise, like Microsoft Entra ID.
  • Learn which security controls are used to authenticate users, like Multi-Factor Authentication (MFA) or Single Sign-On (SSO).

What questions to ask

Question | Areas to cover
Describe how you restrict access to physical and logical enterprise resources.
  • Domain controller type and configuration, like Active Directory.
  • Federations used for SSO experiences.
  • Trusts between two or more separate domains.
  • Process to provision and deprovision access to resources.
  • Who manages the domain controller, federations, trusts, and resource access control?
How do you establish and verify the identity of each person?
  • Process to create and manage aliases for each user type.
  • Authentication methods like MFA or SSO.
  • Authentication factors like biometric scanning, phone authentication, smart cards, and Trusted Platform Modules (TPM).
  • Who manages aliases, authentication methods, and factors?
How do you know who can access enterprise resources?
  • Access restriction mechanisms used. Examples include least-privilege, segregation of duties, RBAC, break-glass (emergency access) scenarios, vendor access restrictions, and group memberships.
  • Who manages access restriction mechanisms?
Describe the password policy for each user type.
  • Password requirements for each user type.
  • Password requirement differences between users, elevated users, smart cards, shared accounts, and service accounts.
  • Password guidelines for creation, modification, and reset.
  • Logging and monitoring mechanisms used to track password actions.
  • Password expiration policies for each user type.
  • Unsuccessful password attempt limits.
  • Password sharing restrictions.
  • Who manages passwords in the enterprise?
How do you manage access to your online social presence?
  • Naming prefix requirements used for social media branding.
  • Social media access guidelines.
  • Access audit cadence.
  • Who manages social media accounts?
How do you manage elevated, shared, alternate, and system accounts?
  • Approval process for each account type.
  • Expiration or deactivation dates.
  • Process used to monitor, log, and handle suspicious activity.
  • Accounts used for remote access.
  • Access restriction mechanisms like just-in-time access.
  • Local administrative account usage and security.
  • Administrative account restrictions, like using them only in secured environments.
  • Who manages these types of accounts and access restriction mechanisms?
Describe the process used to approve, audit, and manage resource access requests.
  • Initial request handling, the review process, initial training requirements, and audits.
  • Who manages the resource access request process?

Tip

Check out Azure identity fundamentals for tips on securing your identity infrastructure.


Secure development

Why ask these questions

These questions allow you to:

  • Understand how engineering teams enforce security throughout the entire development lifecycle.
  • Learn which systems are used to protect source code and security bug records.

What questions to ask

Question | Areas to cover
Describe your Security Development Lifecycle (SDL).
  • Security training, design reviews, threat models, engineering security requirements, and other security processes.
  • Manual and automated tools used.
  • How engineering teams report and respond to issues in code.
How do you handle and triage security bugs?
  • Risk assessment management policies used to help distinguish between issue severities.
How do you secure source code and bug records?
  • Source code security classification.
  • Access controls used to secure source code.
  • Process to create, triage, fix, and store security bugs.
  • Dedicated workflow to manage security issues.
  • Bug severity baselines.

Tip

Check out Microsoft SDL to learn how Microsoft integrates security across its development lifecycle.


Business continuity

Why ask these questions

These questions allow you to:

  • Gauge enterprise resiliency against service outages.
  • Learn how the enterprise identifies and protects critical services.
  • Verify implementation and regular testing of backups and recovery techniques.

What questions to ask

Question | Areas to cover
How do you determine each critical asset in the enterprise?
  • Process to identify what needs to be backed up.
  • High-level list of critical assets.
Describe the backup and recovery process.
  • Complete backup and recovery processes.
  • Backup and recovery cadence.
  • Backup retention periods.
  • Short-term and long-term backup options used.
  • Monitoring and reporting mechanisms used for backup and recovery activities.
  • Encryption used to protect backups.
Describe your disaster recovery plans.
  • Availability and resiliency test cadence.
  • Recovery and restore audit cadence.
  • Hot sites and other high-availability mechanisms.

Tip

Check out Azure backup for tips on securely backing up your infrastructure.


Cryptography

Why ask these questions

These questions allow you to:

  • Learn the cryptographic practices and baselines used to protect the enterprise.
  • Know how cryptographic technologies are managed, like Public Key Infrastructure (PKI).
  • Understand how Hardware Security Modules (HSM) are deployed, tracked, and administered.

What questions to ask

Question | Areas to cover
Describe the systems used to create, manage, and secure cryptographic keys.
  • PKI and HSM physical and logical deployment requirements.
  • PKI and HSM maintenance.
  • Key rotation guidelines.
Describe the systems used to create, manage, and secure certificates.
  • Certificate lifecycle.
  • Self-signed certificate guidelines.
How is enterprise data protected in transit, at rest, and in use?
  • Cryptographic practices and baselines used.

Tip

Check out Azure encryption for tips on encrypting enterprise data.


Asset management

Why ask these questions

These questions allow you to:

  • Know how assets are identified, labeled, and classified.
  • Learn the requirements that dictate how users should handle data.
  • Verify how data is stored.

What questions to ask

Question | Areas to cover
Describe your data retention policy.
  • How long documents are kept.
Describe how physical assets are handled, transported, and destroyed.
  • Process to secure assets during transport or destruction.
  • Security controls used during handling, like encryption, locks, memory wipes, and trusted vendors.
  • Systems used to prevent accidental data leakage during asset handling.
Describe the classification and labeling process for logical and physical assets.
  • Asset labeling and classification process.
  • Label and classification review cadence.
  • Process used to assess risk or make classification level changes.
  • Employee training on data classification.
  • Process used to store classified data in assets of the same or higher classification levels.
  • Asset tracking systems used.
  • Asset groupings.
  • Security and privacy control implementations based on classification levels.
  • Requirements for everyone managing the process.
How are confidential assets destroyed when they’re no longer needed?
  • Security requirements for data destruction across all mediums, like hard drives, tapes, and disks.
  • Third-party system or company used to assist with asset destruction.
What happens if an asset is lost, missing, or shipped outside of the enterprise?
  • Workflow used for each scenario.
  • Data security process before and after each workflow is completed.
Describe how data is secured.
  • Data encryption at rest, in use, and in transit.
  • Use of digital signatures, HMACs, and hashes.
  • Use of blockchain and off-chain encryption to prevent collusion.
  • This question is similar to another one under Cryptography.
What are the mechanisms in place to prevent unauthorized sharing and downloading of data?
  • Security controls used to prevent unauthorized sharing and downloading of data. Examples include notifications, logs, sharing review process, or other restrictions.
Describe the process used to time out working sessions across assets and services.
  • Automatic session timeouts designed to prevent unauthorized access.

Tip

Check out Azure data classification for tips on classifying enterprise data.


Legal

Why ask these questions

These questions allow you to:

  • Understand the enterprise's legal and regulatory obligations.
  • Verify content of contracts and agreements signed by employees and vendors.

What questions to ask

Question | Areas to cover
How do employees and vendors adhere to security policies?
  • Terms and conditions, NDAs, policies, agreements, and other contracts signed by employees and vendors.
Are you prohibited from selling your product to any country/region because of encryption features?
  • Markets that prohibit the sale of a product because of encryption features.
Describe the process used to meet all industry, legal, contractual, and regulatory compliance as it relates to enterprise assets.
  • How the enterprise meets compliance requirements.
  • Compliance risk assessment reviews.
  • Logging and monitoring mechanisms in place.
  • Access controls used for each user type.
  • Asset security baselines used.
  • How each endpoint connecting to the network meets security compliance.
  • Detection and protection systems in place to enforce compliance.
  • Specialized facility operations to meet regulatory compliance.
  • Who manages requirement compliance?
  • This question is similar to the ones asked under Access control, Operations, Network, and Security architecture.

Tip

Check out Azure legal for ideas on protecting your enterprise.


Incident response

Why ask these questions

These questions allow you to:

  • Know how the enterprise handles incidents against its infrastructure and product offerings.
  • Learn strategies used to protect, detect, and respond to security incidents.
  • Find out who manages these incidents.

What questions to ask

Question | Areas to cover
Describe the incident response process for the enterprise.
  • Strategies used to protect, detect, and respond to incidents for the enterprise.
  • How the enterprise minimizes exposure to risk, including steps to avoid loss or destruction.
  • Training, tabletop exercises, and other activities.
Describe the incident response process for the product.
  • Strategies used to protect, detect, and respond to incidents for the product.
  • How the enterprise minimizes exposure to risk, including steps to avoid loss or destruction.
  • Training, tabletop exercises, and other activities.

Tip

Check out Azure incident response for enterprise incident response best practices.


Network

Why ask these questions

These questions allow you to:

  • Learn how the network is segmented and protected.
  • Know each detective and protective solution in place, like firewalls and Virtual Private Networks (VPN).
  • Gauge existing monitoring capabilities.
  • Verify how data is secured between internal and external endpoints.

What questions to ask

Question | Areas to cover
Describe how the network handles and encrypts enterprise data.
  • Network handling process for each data classification type.
  • Network encryption.
Describe the use of network security detective and protective controls.
  • Network handling process of each data classification type.
  • Use and implementation of firewalls.
  • Use and implementation of VPNs.
  • Logging and monitoring systems and capabilities.
  • Network access restrictions.
  • Firewall inbound and outbound rules.
How is the network segregated?
  • Use of trust zone levels.
  • Network segregation strategies, like perimeter networks, Virtual Local Area Networks (VLAN), and firewalls.
How is the enterprise network managed?
  • VPN and remote network access management process.
  • Configuration of allow and deny rules for out-of-band connection points and endpoints.
  • Network identity verification.
  • Updated network diagrams.

Tip

Check out Azure network for tips on securing your infrastructure network.


Operations

Why ask these questions

These questions allow you to:

  • Learn about existing change control policies and procedures.
  • Uncover important aspects of daily operations, like patch management, malicious code prevention, logging, and monitoring.
  • Find out who can access administrative documents.
  • Understand which tests are conducted to ensure smooth operations.

What questions to ask

Question | Areas to cover
How is the enterprise protected against vulnerabilities?
  • Antivirus (AV) implementation and enforcement details.
  • First-party vulnerability and penetration testing programs.
  • Third-party vulnerability and penetration testing programs.
How does the enterprise verify endpoint security health?
  • Mobile Device Management (MDM) implementation and enforcement details.
  • Policies and systems used to disconnect unhealthy devices from the enterprise.
How are endpoints updated?
  • Security patch delivery process to all endpoints.
  • Update cadence.
Describe the logging and monitoring systems used to protect the enterprise.
  • Security event identification, logging, and monitoring implementation.
  • Intelligence platform use and configuration details.
  • Security event ingestion workflow.
Describe your security operations processes as they relate to changes in the production environment.
  • How changes to the production environment are documented, accessed, and updated.
  • Change management policy details.
  • How and when employees can access security operation policies.

Tip

Check out Azure operations for tips on securing your infrastructure operations.


Physical and environmental

Why ask these questions

These questions allow you to:

  • Learn the existing physical security requirements to help keep employees, assets, and facilities safe.
  • Understand the security controls that are used to help prevent malicious attacks.
  • Gauge how well the enterprise is prepared against natural disasters.

What questions to ask

Question | Areas to cover
Describe the physical security controls in place to protect people, assets, and buildings.
  • How the company is physically protecting its employees, assets, and facilities.
  • Server room security and handling.
Is there a special process to handle enterprise devices that are lost or left unattended?
  • Engagement process.
  • Guidelines to wipe devices or take them to a holding location.
Describe the process for visitors.
  • Visitor registration process.
  • Special badges.
  • Chaperoning requirements.
How is the enterprise prepared against natural disasters?
  • Use of hot sites.
  • High-availability controls.

Tip

Check out Azure physical for tips on securing your physical infrastructure.


Governance

Why ask these questions

These questions allow you to:

  • Learn how the enterprise includes security in its strategic direction.
  • Understand how risks are validated and managed.
  • Uncover high-level compliance requirements.

What questions to ask

Question | Areas to cover
Describe your information security policy.
  • How the information security policy is created, deployed, and maintained.
  • Policy contents.
  • Process for tracking exceptions to these policies.
Describe your risk management program.
  • Types of employee security training available to enforce each security policy.
  • Security risk management program, which includes how risk is handled across the enterprise.

Tip

Check out Azure governance for tips on infrastructure governance.


Security architecture

Why ask these questions

These questions allow you to:

  • Learn how technologies are selected, implemented, and managed.
  • Find out which collaboration requirements prevent external data sharing.
  • Understand how resiliency and security are achieved.
  • Find out who creates and manages security baselines across platforms.

What questions to ask

Question | Areas to cover
Describe your infrastructure.
  • Whether the infrastructure is on-premises, cloud-based, or a hybrid of both.
  • Software usage restrictions.
  • Baselines used to provide acceptable levels of security across different platforms and operating systems.
Describe your infrastructure for containers and IoT devices.
  • Use of IoT and containers.
  • Security controls used for network access, device configuration, and data handling.
  • Security requirements for containers as they relate to containerization and orchestrators.
Define other security controls for hybrid scenarios.
  • Access controls used to secure the infrastructure, especially hybrid or cloud-based scenarios.
  • Hardware tracking mechanisms used across data centers.
  • Backup mechanisms in place.
  • Network security controls.
  • Testing and monitoring systems used, especially in hybrid or cloud-based scenarios.
  • Data handling processes.

Tip

Check out Azure architecture for tips on securing your infrastructure architecture.


Supplier

Why ask these questions

These questions allow you to:

  • Understand existing relationships with suppliers and third-party vendors.
  • Learn the process used to identify supplier security risks.
  • Confirm the types of service level agreements enforced.

What questions to ask

Question | Areas to cover
Describe the third-party vetting process to help you decide who to do business with.
  • How the company handles third-party security risk.
  • Process for communicating issues to the supplier.
  • Questionnaire sent to the supplier to learn more about their security process.
What does the service level agreement look like for each supplier?
  • How long it takes for the supplier to update their service.
  • How long it takes to hear back from their support team.

Tip

Use the same assessment questions from the other categories to help you develop your supplier management program.

Important

Visit Azure security benchmark to learn about each security category and associated requirements in Azure.