Framework Category

Platform Security

Platform Security focuses on securing hardware and software platforms through configuration management, lifecycle maintenance, and control of unauthorized changes.

It includes generating logs for monitoring, preventing unauthorized software execution, and embedding secure development practices throughout the software lifecycle.

Implementation Questions

PR.PS-02

Software is maintained, replaced, and removed commensurate with risk

Does your organization implement and adhere to defined timeframes for routine and emergency patching as specified in your vulnerability management plan?

This question assesses whether your organization has established clear timeframes for applying security patches and consistently follows these schedules based on patch criticality. Effective patch management requires differentiating between routine updates that can follow regular maintenance windows and emergency patches that address critical vulnerabilities requiring immediate attention.

Does your organization follow an immutable infrastructure approach for container deployments by replacing rather than updating existing container instances when updates are required?

Immutable infrastructure is a security best practice where container instances are never modified after deployment. Instead, when updates are needed, new container instances are built from updated images and deployed to replace the existing instances. This approach reduces configuration drift, improves reliability, and minimizes the attack surface by ensuring all containers are built from known, verified images.

Does your organization have a process to identify and replace end-of-life software and services with supported versions?

Using outdated or unsupported software exposes organizations to security vulnerabilities that will no longer receive patches or updates from vendors. This includes operating systems, applications, libraries, frameworks, and cloud services that have reached their end-of-support dates. Organizations should maintain an inventory of all software assets with their version information and support timelines.

Does your organization have a process to identify, uninstall, and remove unauthorized software and services that pose security risks?

Unauthorized software and services can introduce significant security vulnerabilities into your environment, including malware, backdoors, or applications with known security flaws. A formal process to identify and remove such software helps maintain a secure and controlled IT environment by reducing the attack surface available to potential threats.

Has your organization implemented a process to identify and remove unnecessary software components and utilities from systems?

Unnecessary software components and utilities increase the attack surface of systems, providing potential entry points or tools that attackers can exploit. Examples include unused operating system utilities, sample applications, development tools left on production systems, or legacy components no longer required.

Has your organization established and implemented formal plans for managing software and service end-of-life, including maintenance support timelines and obsolescence procedures?

Software and services that reach end-of-life (EOL) without proper planning create significant security vulnerabilities when vendors stop providing security patches and updates. A formal EOL management plan ensures timely migration to supported alternatives, prevents security gaps, and maintains operational continuity when components become obsolete. This planning should include identification of all software assets, their lifecycle stages, and defined transition procedures.

PR.PS-03

Hardware is maintained, replaced, and removed commensurate with risk

Does your organization have a formal process to replace hardware that lacks required security capabilities or cannot support secure software?

This question assesses whether your organization systematically evaluates and replaces hardware that cannot meet security requirements, either due to inherent hardware limitations or inability to support necessary security software. This includes outdated servers, workstations, network devices, IoT devices, or specialized equipment that cannot be properly secured through updates or security controls.

Has your organization established and implemented a formal hardware lifecycle management plan that addresses end-of-life maintenance support and obsolescence?

This question assesses whether your organization has a structured approach to managing hardware throughout its lifecycle, particularly focusing on end-of-life planning. A comprehensive hardware lifecycle management plan helps prevent security vulnerabilities from outdated or unsupported hardware, ensures business continuity, and allows for proper budgeting and resource allocation for hardware replacements.

Does your organization have a documented hardware disposal process that ensures secure, responsible, and auditable destruction or recycling of equipment?

Improper hardware disposal can lead to data breaches if storage media containing sensitive information is not properly sanitized before disposal. A comprehensive hardware disposal process should include data wiping/destruction procedures, environmentally responsible recycling, and documentation for chain of custody and final disposition of assets.

PR.PS-04

Log records are generated and made available for continuous monitoring

Are all operating systems, applications, and services (including cloud-based services) configured to generate appropriate log records?

Log generation is a fundamental security control that provides visibility into system activities, user actions, and potential security incidents. Without proper logging configured across all systems, it becomes extremely difficult to detect unauthorized access, investigate security incidents, or maintain an audit trail for compliance purposes.

Are all log generators configured to securely transmit logs to your organization's centralized logging infrastructure?

This question assesses whether your organization has properly configured all systems, applications, and devices that generate logs to securely send those logs to your centralized logging infrastructure. Secure log transmission typically involves encrypted connections (TLS/SSL), authentication mechanisms, and proper access controls to prevent tampering or interception during transit.

Has your organization configured log generators to capture the data required for zero-trust architecture implementation?

Zero-trust architectures require comprehensive logging of authentication attempts, access requests, network traffic, and system activities to verify user identities and enforce least-privilege access continuously. This includes configuring logs to capture user context (identity, device, location), resource access attempts, authentication events, and anomalous behaviors that might indicate security incidents.

PR.PS-05

Installation and execution of unauthorized software are prevented

Has your organization implemented software execution controls to restrict execution to permitted applications and/or block unauthorized software?

Software execution controls help prevent malicious or unauthorized programs from running in your environment, reducing the risk of malware infections and data breaches. These controls can include application allowlisting (permitting only approved software), application blocklisting (denying specific prohibited software), or a combination of both approaches based on your risk assessment.

Does your organization have a process to verify the authenticity and integrity of software before installation?

This question assesses whether your organization validates that software comes from legitimate sources and hasn't been tampered with before installation. This includes checking digital signatures, verifying checksums, downloading from official repositories or vendor websites, and confirming software hasn't been modified in transit.

Has your organization configured all platforms to use only approved DNS services that include protection against malicious domains?

DNS (Domain Name System) services translate human-readable domain names into IP addresses. Configuring platforms to use only approved DNS services with malicious domain blocking capabilities helps prevent users from accessing known harmful websites and blocks communication with command and control servers used by malware. This control acts as an important security layer that can prevent data exfiltration and malware infections.

Has your organization implemented application control mechanisms that restrict software installation to only approved applications?

Application control mechanisms prevent unauthorized software from being installed on systems, reducing the risk of malware and unauthorized applications that could compromise security. These controls can include allowlisting approved applications, implementing software restriction policies, or using mobile device management (MDM) solutions to control application installations.

PR.PS-06

Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle

Does your organization implement controls to protect all components of internally developed software from tampering and unauthorized access throughout the software development lifecycle?

This question assesses whether your organization has implemented safeguards to prevent unauthorized modifications to source code, build systems, deployment pipelines, and other software components. Effective controls might include code signing, access restrictions to repositories, secure build environments, integrity verification mechanisms, and change management processes.

Does your organization implement secure software development practices to minimize vulnerabilities in released products?

This question assesses whether your organization follows secure coding standards, performs security testing, and implements vulnerability management throughout the software development lifecycle. Effective secure development practices include threat modeling, code reviews, static/dynamic application security testing, and pre-release security validation.

Does your organization have a documented process for maintaining production software throughout its lifecycle and securely disposing of it when no longer needed?

This question assesses whether your organization properly manages software in production environments from implementation through retirement. Proper software maintenance includes regular patching, updates, version control, and configuration management, while secure disposal ensures that outdated software doesn't create security vulnerabilities or compliance issues.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub