Security
Asset Management
- Is there a process to ensure all company owned assets are returned before an employee leaves?
- Are all assets clearly identified and an inventory of all critical assets maintained?
- Does Tax Systems require employees to take annual security training?
- Does Tax Systems perform onboarding training?
- Does Tax Systems have a policy to manage employees?
- Do Tax Systems employees sign confidentiality agreements?
- Does Tax Systems screen employees before they join?
- Are there any exclusions in the Tax Systems ISO 27001 certification?
- What are the boundaries for the Tax Systems ISO 27001 Certification?
- Are there any ISO 27001 Controls that are ‘Not Applicable’?
- What is the scope of Tax Systems ISO 27001 Certification?
- Is Tax Systems SOC 1 or SOC 2 certified?
- What mandatory policies does Tax Systems have in place?
- Are Tax Systems services security tested?
- Does Tax Systems undergo an audit or review and how frequently?
- Does Tax Systems adhere to Information Security Standards?
- Does Tax Systems have a Disaster Recovery Plan?
- How often is data backed up?
- What is Tax Systems' backup procedure?
- What is Tax Systems product availability SLA commitment?
- Does Tax Systems prevent the removal of assets from the Azure Data Centers?
- What is Tax Systems physical and environmental security?
- Do you block third parties from connecting remotely to your environments?
- Do you configure remote access methods to prevent unauthorised connections?
- Do you periodically review the router / firewall logs, validating filter operation?
- Do you allow only authorised ports and services?
- Do you have a process on how permissions are granted to access the firewall?
- Is the production environment isolated from development or user acceptance test network?
- Do you appropriately secure the logs against unauthorised access?
- Do you periodically review the logs?
- Have you enabled logging for platforms, network devices, in accordance with security best practices to track user activity?
- Does Tax Systems isolate customer data?
- How will Tax Systems protect my stored data?
- Will Tax Systems move my data outside of the UK without my permission?
- Where is data held?
- Does Tax Systems classify information?
- Who owns the data stored by Tax Systems?
- Will Tax Systems have access to customer data?
- Does Tax Systems share customer data with 3rd parties?
- What are 3rd party rights over access to customer data?
- How can data be retrieved?
- What happens to it if I stop using the service?
- How long does Tax Systems retain customer data?
- Is customer data covered by GDPR?
- What is Tax Systems Data Protection Policy?
- Do you notify customers of changes?
- What processes and procedures are in place for Change Management?
- Does Tax Systems use firewalls?
- Does Tax Systems use URL filtering?
- How does Tax Systems protect from malicious emails?
- Does Tax Systems protect laptops from malware?
- Does Tax Systems monitor vulnerabilities out of hours?
- Can customers view the results of independent tests?
- Are Tax Systems solutions independently tested?
- How often are security risk assessments done?
- Who does Tax Systems monitor for Information Security attacks?
- How does Tax Systems protect laptops from unauthorised use?
- How do you implement protection against Common Vulnerabilities and Exposures (CVEs)?
- How does Tax Systems protect laptops/endpoints?
- Has Tax Systems had any security breaches within the last 5 years?
- How and when will Tax Systems inform me if an incident or a breach has compromised my personal data?
- Does Tax Systems have a formal Incident Response plan?
- Does Tax Systems use vulnerability scanning tools in development?
- What coding standards does Tax Systems use?
- Does Tax Systems have supplier migration plans?
- Does Tax Systems use suppliers outside of the UK or EU?
- How often are supplier agreements reviewed?
- Is Tax Systems Cyber Essentials certified?
- What ISO 27001 Statement of Applicability (SOA) controls are ‘Not Applicable’ for Tax Systems certification?
- Does the Tax Systems ISO 27001 scope cover the services provided to customers?
- How often are reviews conducted on policy?
- How does Tax Systems manage risk?
- Does Tax Systems monitor compliance with the policy and are the consequences of non-compliance clearly documented and communicated?
- How often does Tax Systems review its policies?
- Does Tax Systems require all employees and contractors associated with the services provided to periodically sign that they understand and are aware of security policies and procedures?
- Does Tax Systems communicate the information security policy to all employees, contractors and service providers?
- Does Tax Systems have a Clear Desk policy?
- Does Tax Systems have a Bring Your Own Device (BYOD) policy?
- Does Tax Systems have a Business Continuity and Disaster Recovery policy?
- Does Tax Systems have access control for all standard, privileged and system accounts?
- Does Tax Systems have security configuration standards for networks, operating systems, applications, desktops, and mobile technology?
- Does Tax Systems have a data handling policy that includes secure use, storage, and destruction of confidential data?
- Does Tax Systems define roles and responsibilities for individuals in the security function?
- Does Tax Systems have an information security function responsible for security initiatives?
- Does Tax Systems separate Admin accounts from everyday user accounts?
- Are Admin accounts associated with employee names?
- Admin restricted
- Can Tax Systems infrastructure be accessed from the internet?
- How does Tax Systems assign privilege to accounts?