CAS Implementation Group 1 Audit Questions
A “Yes” equates to a pass and a “No” equates to a fail. If “Yes”, the location or specific answer is needed in the second part of the audit question. For example, for 1.4 - Maintain Detailed Asset Inventory, if the answer is yes, then you must answer the second part of the audit question about the location of the policy or policy statement. Please note there is a 160 character limit for each answer.
| Audit Question | Answer |
|---|---|
| 1.4 - Maintain Detailed Asset Inventory | No |
| 1.4: Location of Policy or Policy Statement | None |
| 1.6 - Unauthorized assets are removed | No |
| 1.6: Timeframe for removing/updating assets | 999 |
| 10.1 - Ensure Regular Automated Backups | No |
| 10.1: Location of List of which services are in use | None |
| 10.2 - Perform Complete System Backups |
No |
| 10.4 - Protect Backups | No |
| 10.5 - Ensure All Backups Have Offline Backup Destination | No |
| 12.1 - Maintain an Inventory of Network Boundaries | No |
| 12.1: Location of the diagram/plan | None |
| 12.4(a) - Deny Communications Over Unauthorized Ports | No |
| 12.4(a): Location of the list/document | None |
| 12.4(b) - Deny Communications Over Unauthorized Ports | No |
| 12.4(b): Location of Policy or Policy Statement | None |
| 13.1 - Maintain an Inventory of Sensitive Information | No |
| 13.1: Location of Policy or Policy Statement | None |
| 13.2 - Remove Sensitive Data on Systems Not Accessed | No |
| 13.2: Location of Policy or Policy Statement | None |
| 13.6 - Encrypt Mobile Device Data | No |
| 13.6: Location of Policy or Policy Statement | None |
| 14.6 - Protect Information Through Access Control Lists | No |
| 14.6: Location of Policy or Policy Statement | None |
| 2.1(a) - Maintain an Inventory of Authorized Software | None |
| 2.1(a): Location of List of Approved Software | None |
| 2.1(b)) - Maintain Inventory of Authorized Software | No |
| 2.1(b): Location of Policy or Policy Statement | None |
| 3.4(a) - Deploy Automated OS Patch Management Tools | No |
| 3.4(a): Location of Policy or Policy Statement | None |
| 3.4(b) - Deploy Automated OS Patch Management Tools | No |
| 3.4(b): Location of the exception policy | None |
| 3.4(b): Location of the list of endpoints that have an exception | None |
| 3.4(c)) - Deploy Automated OS Patch Management Tools | None |
| 3.4(c): Location of Policy or Policy Statement | None |
| 3.6(a) - Deploy Automated Software Patch Management Tools | No |
| 3.6(a): Location of Policy or Policy Statement | None |
| 3.6(b) - Deploy Automated Software Patch Management Tools | No |
| 3.6(b): Location of the exception policy | None |
| 3.6(b): Location of the list of endpoints that have an exception | None |
| 4.2 - Change Default Passwords | No |
| 4.2: Location of Policy or Policy Statement | None |
| 4.3 - Ensure the Use of Dedicated Administrative Accounts | No |
| 5.1 - Establish Secure Configurations | No |
| 5.1: Location of the Secure Configuration documentation | No |
| 6.2(a) - Activate Audit Logging | No |
| 6.2(a): Location of Policy or Policy Statement | None |
| 6.2(b) - Activate Audit Logging | No |
| 7.7 - Use of DNS Filtering Services | No |
| 7.7: Location of List of which services are in use | None |
| 8.4 - Configure Anti-Malware Scanning of Removable Media | No |
| 8.5 - Configure Devices to Not Auto Run Content | No |
| 16.8(a) - Does the Organization have a list of all business roles? | No |
| 16.8(a) - Location of Policy or Policy Statement | None |
| 16.8(b) - Does the Organization have a list of all computer and applications accounts? | No |
| 16.8(b) - Location of Policy or Policy Statement | None |
| Attesting user to the answers provided for this report. | Attesting User |