Assess any web interface to determine if weak passwords are allowed
Assess the account lockout mechanism
Assess the web interface for XSS, SQLi and CSRF vulnerabilities and other web application vulnerabilities
Assess the use of HTTPS to protect transmitted information
Assess the solution to determine the use of encrypted communication between devices and between devices and the internet
Assess the solution to determine if accepted encryption practices are used and if proprietary protocols are avoided
Assess the solution to determine if a firewall option is available
Assess the solution to determine if password security options are available
Assess the solution to determine if encryption options (e.g. enabling AES-256 where AES-128 is the default setting) are available
Assess the solution to determine if logging for security events is available
Assess the device to ensure it utilizes a minimal number of physical external ports (e.g., USB ports) on the device
Assess the device to determine if it can be accessed via unintended methods such as through an unnecessary USB port
Assess the solution for the use of strong passwords where authentication is needed
Assess the solution for implementation of two-factor authentication where possible
Assess password recovery mechanisms
Assess the solution for the option to require strong passwords
Assess the solution for the option to force password expiration after a specific period
Assess the solution for the option to change the default username and password
Assess the cloud interfaces for security vulnerabilities
Assess the cloud-based web interface to ensure it disallows weak passwords
Assess the cloud-based web interface to ensure it includes an account lockout mechanism
Assess the cloud-based web interface to determine if two-factor authentication is used
Assess any cloud interfaces for XSS, SQLi and CSRF vulnerabilities and other vulnerabilities
Assess all cloud interfaces to ensure transport encryption is used
Assess the cloud interfaces to determine if the option to require strong passwords is available
Assess the device to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered
Assess the device to ensure it uses encrypted update files and that the files are transmitted using encryption
Assess the device to ensure it uses signed files and then validates that file before installation
IoT Testing Guidance
Assess the solution to determine the amount of personal information collected
Assess the solution to determine if collected personal data is properly protected using encryption at rest and in transit
Assess the solution to determine if data is de-identified or anonymized
Assess the mobile interface to ensure it disallows weak passwords
Assess the mobile interface to ensure it includes an account lockout mechanism
Assess the mobile interface to determine if it implements two-factor authentication
Assess the mobile interface to determine if it uses transport encryption
Assess the mobile interface to determine if the option to require strong passwords is available
Assess the mobile interface to determine if the option to force password expiration after a specific period is available
Assess the mobile interface to determine if the option to change the default username and password is available
Assess the mobile interface to determine the amount of personal information collected
Assess the solution to ensure network services don't respond poorly to buffer overflow, fuzzing or denial of service attacks
Assess the solution to ensure test ports are not present