This question is mainly for Anvil staff, I think.
A potential client has a number of specific data-security-related queries, e.g. disaster recovery, pen testing, intrusion detection, etc. Could you please point me in the right direction to any docs relating to this?
Thanks,
Raj
Hi, we are collaborating with a third party, and the client needs the following questions about data security answered. I'm really sorry it's rather long, but it forms part of the contract, so I will appreciate any help. They will be accessing code on the Anvil server via an API.
1. Do you utilize a synchronized time-service protocol (ex. NTP) to ensure all systems have a common time reference?
2. Are activity logging and security alerts managed through a SIEM?
3. Do you use file-integrity monitoring or change-detection software?
4. Are logs protected to ensure existing log data cannot be changed?
5. Has malware protection software been configured to perform regular periodic scans (e.g. daily)?
6. Do you have a DLP strategy?
7. Do you apply security patches to software running on computers and network devices?
8. Within what timeframe are security patches, particularly critical security patches, installed?
9. Do you have a server hardening process?
10. What industry standard does your hardening process align to? (STIG / NIST / Other)
11. Do you conduct internal pen testing?
12. Do you conduct external pen testing?
13. How often are internal pen tests conducted? (Quarterly / Annually / Longer / N/A)
14. How often are external pen tests conducted? (Quarterly / Annually / Longer / N/A)
15. Do you conduct quarterly vulnerability scanning?
16. Is penetration testing conducted on UAT testing environments, live environments or both? (UAT only / Live / Both)
17. What is your SLA for resolving vulnerabilities identified in penetration testing? (7 days / 14 days / 30 days / 40 days or more)
18. Do you have an audit programme that reviews security working practices annually?
Is there any way I can get some help answering these questions, please? Or any redirection to appropriate documentation will also do.
Many many thanks.