PR.PS-03.247

Does your organization have a formal process to replace hardware that lacks required security capabilities or cannot support secure software?

Explanation

This question assesses whether your organization systematically evaluates and replaces hardware that cannot meet security requirements, either due to inherent hardware limitations or inability to support necessary security software. This includes outdated servers, workstations, network devices, IoT devices, or specialized equipment that cannot be properly secured through updates or security controls. Evidence could include a documented hardware lifecycle management policy that specifically addresses security requirements, replacement criteria, and timelines; hardware inventory records showing security capability assessments; and documentation of recent hardware replacements due to security concerns.

Implementation Example

Replace hardware when it lacks needed security capabilities or when it cannot support software with needed security capabilities

ID: PR.PS-03.247

Context

Function: PR: PROTECT
Category: PR.PS: Platform Security
Sub-Category: Hardware is maintained, replaced, and removed commensurate with risk

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub