Product Cybersecurity Posture Assessment - email campaign - Enterprise Survey Software

	Very Poor Very Good
How would you rate the organization's processes and structures for vulnerability remediation in the product post release phase?	1 Very Poor	2	3	4	5 Very Good

How would you rate the remote software update capability for the organization's products?	1 Very Poor	2	3	4	5 Very Good

How would you rate the organization's processes and structures for vulnerability remediation in the product post release phase?

How would you rate the remote software update capability for the organization's products?

	Very Poor Very Good
How well is the personal information regarding user identified by the organization's product, and secured in transit and at rest?	1 Very Poor	2	3	4	5 Very Good

How well is the personal information regarding user identified by the organization's product, and secured in transit and at rest?

	Very Poor Very Good
Are all functionalities that are used only for development securely disabled or removed from the production software images?	1 Very Poor	2	3	4	5 Very Good

Are all cipher suites listed and validated against the current security recommendations (such as NIST 800-131A or OWASP), where cryptographic suites are used such as TLS? For instance, using ephemeral key generation and authenticating and encrypting ciphers such as AES-GCM. This also includes that where insecure ciphers suites are identified, they are removed from the product.	1 Very Poor	2	3	4	5 Very Good

Does the product’s software source code follow the basic good practice of a Language subset (e.g., MISRA-C) coding standard?	1 Very Poor	2	3	4	5 Very Good

Are all OS command line access to the most privileged accounts removed from the operating system?	1 Very Poor	2	3	4	5 Very Good

Are all functionalities that are used only for development securely disabled or removed from the production software images?

Are all cipher suites listed and validated against the current security recommendations (such as NIST 800-131A or OWASP), where cryptographic suites are used such as TLS? For instance, using ephemeral key generation and authenticating and encrypting ciphers such as AES-GCM. This also includes that where insecure ciphers suites are identified, they are removed from the product.

Does the product’s software source code follow the basic good practice of a Language subset (e.g., MISRA-C) coding standard?

Are all OS command line access to the most privileged accounts removed from the operating system?

	Very Poor Very Good
Does the product have protection features against reverting the software to an earlier and potentially less secure version?	1 Very Poor	2	3	4	5 Very Good

Is the product is supported by public key infrastructure in the back-end to provide signed firmware for flashing, updates, issuing or validating device identity etc.?	1 Very Poor	2	3	4	5 Very Good

Are the sensitive software components such as cryptographic processes isolated, or are of a higher privilege, than other software components?	1 Very Poor	2	3	4	5 Very Good

Does the product have a secure boot process?	1 Very Poor	2	3	4	5 Very Good

Does the product have protection features against reverting the software to an earlier and potentially less secure version?

Is the product is supported by public key infrastructure in the back-end to provide signed firmware for flashing, updates, issuing or validating device identity etc.?

Are the sensitive software components such as cryptographic processes isolated, or are of a higher privilege, than other software components?

Does the product have a secure boot process?

	Very Poor Very Good
Are all unused communications port(s), such as USB, RS232, etc., which are not used as part of the product’s normal operation, physically inaccessible (or secured) on the production devices?	1 Very Poor	2	3	4	5 Very Good

Does the product support access control measures to the root account for restricting access to sensitive information or system processes?	1 Very Poor	2	3	4	5 Very Good

Are all unused communications port(s), such as USB, RS232, etc., which are not used as part of the product’s normal operation, physically inaccessible (or secured) on the production devices?

Does the product support access control measures to the root account for restricting access to sensitive information or system processes?

	Very Poor Very Good
Does the product have a feature for secure onboarding through process, like out of band pairing?	1 Very Poor	2	3	4	5 Very Good

Can the product prevent against brute force attempts by restricting maximum number of attempts and increasing delay time with each attempt?	1 Very Poor	2	3	4	5 Very Good

Are communication protocols like TCP, MQTT, CoAP or UDP etc. running over TLS or DTLS, respectively?	1 Very Poor	2	3	4	5 Very Good

Does the product have a feature for secure onboarding through process, like out of band pairing?

Can the product prevent against brute force attempts by restricting maximum number of attempts and increasing delay time with each attempt?

Are communication protocols like TCP, MQTT, CoAP or UDP etc. running over TLS or DTLS, respectively?

	Very Poor Very Good
Does the product have an intrusion protection or detection process in place for monitoring, analyzing and validating traffic to the device?	1 Very Poor	2	3	4	5 Very Good

Are the communication protocols like TCP, MQTT, CoAP or UDP, etc. running over TLS or DTLS respectively?	1 Very Poor	2	3	4	5 Very Good

Does the product prevent unauthorized connections to it or other devices that the product is connected to, at all levels of the relevant protocols?	1 Very Poor	2	3	4	5 Very Good

Does the product have an intrusion protection or detection process in place for monitoring, analyzing and validating traffic to the device?

Are the communication protocols like TCP, MQTT, CoAP or UDP, etc. running over TLS or DTLS respectively?

Does the product prevent unauthorized connections to it or other devices that the product is connected to, at all levels of the relevant protocols?