The Essential Security Questions
The Security Posture of Your Hosting and Technical Infrastructure
Infrastructure security, hosting environment, and technical safeguards.
Questions in this Category
Where is your service hosted? (Own data center, public cloud, or on-premise deployment)
Explanation of the Question: This question is asking about the physical or virtual location where your service is running.
Which cloud provider(s) do you use? (AWS, Azure, GCP, etc.)
Explanation of the Question: This question is asking you to identify which cloud service providers your organization uses to host its applications, store data, or run other services.
In which geographic regions/countries is customer data stored and processed?
Explanation of the Question: This question is asking you to identify the specific geographic locations or countries where your organization stores and processes customer data.
Is your production network segmented into different security zones? Please describe your network architecture.
Explanation of the Question: This question is asking whether the organization has divided its production network into distinct security zones.
What cryptographic standards do you use to protect data in transit? (e.g., TLS 1.2+)
Explanation of the Question: This question is asking about the specific cryptographic protocols your organization uses to secure data while it is being transferred between different systems or ove...
What cryptographic standards do you use to protect data at rest? (e.g., AES-256)
Explanation of the Question: This question is asking about the specific cryptographic standards your organization uses to secure data that is stored, or "at rest." Cryptographic standards are esta...
How do you manage cryptographic keys? Describe your key management system and practices.
Explanation of the Question: This question is asking about the processes and systems your organization uses to handle cryptographic keys.
Describe your secrets management strategy for API credentials, tokens, passwords, and certificates.
Explanation of the Question: This question is asking you to detail how your organization handles sensitive information such as API credentials, tokens, passwords, and certificates.
Are all security events logged in production? (authentication events, privilege escalations, access to sensitive data)
Explanation of the Question: This question is asking whether your organization systematically records all significant security-related activities that occur in your production environment.
Do you have intrusion detection/prevention systems, WAFs, or anomaly detection with alerting?
Understanding the Question: This question is asking whether your organization has implemented specific security technologies designed to detect and respond to unauthorized access attempts, web-base...
Describe your network vulnerability management program, including scanning frequency, tools used, and remediation SLAs.
Explanation of the Question: This question is asking you to detail how your organization identifies, assesses, and addresses potential weaknesses in your network.
Describe your application vulnerability management program, including tools and remediation processes.
Understanding the Question: This question is asking you to detail how your organization identifies, assesses, and addresses vulnerabilities within your applications.
How do you manage patching for your infrastructure? What are your SLAs based on vulnerability severity?
Understanding the Question: This question is asking about your organization's process for updating and securing its infrastructure through patching.
Do you perform penetration testing? How often, and is it conducted by internal teams or third parties?
Explanation of the Question: This question is asking whether your organization conducts penetration testing, a simulated cyber-attack against your own computer system to check for exploitable vulne...
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

