IT Risk Questions

Here is a set of trust session questions that gives an idea of how deep we would like to see into the vendor's IT controls.

Security Monitoring:
1. Can you show ING the logging procedure and tools (e.g. a SIEM solution or managed security services) that you use to monitor access to the application and the infrastructure?
2. Can you demonstrate how you detect suspicious activities?
3. Can you show ING how your Application Security Administration detects (alerting system) unauthorized access attempts? Are you able to detect correlated security events?
4. Are you able to share a demo of your Incident Response process with ING?
5. Can you show the intrusion prevention/detection systems you have and the current configuration those tools are using?
6. Can you show ING an incident monitoring report and the follow-up procedure?
7. How do you monitor changes to system settings and configurations?
8. Do you have file integrity monitoring in place to monitor changes to system files (DLL, SYS) and application-critical files (XMLs, properties)?
9. What is the frequency of penetration tests by an external party? Can you demonstrate how you track the identified vulnerabilities?
10. Can you show the latest penetration test finding being remediated and retested?

Change Management:
1. Can you share your change management policy?
2. Are you able to share with us your testing strategy and test cases from a previous test?
3. Can you show us the different tests that are performed prior to deployment to production?
4. Do you use any tools (such as JIRA or SNOW) to document the test results? Can you show the approvals of these test results?
5. Can you show ING a sample RFC ticket demonstrating the change life cycle, from the requirement being gathered in the change ticket until the code is pushed to production?
6. Can you demonstrate the procedure for code deployment in production?
7. How do you maintain the code integrity of an approved version of code? Can you demonstrate the procedure you use to protect the approved code from tampering before it is released to production?

Access Management:
1. Do you use non-personal accounts for infra access (such as application server admins, DBAs etc.) and for application access (accounts used by SHL for assessment data comparison)?
2. Can we see evidence that a vault is used for storing the passwords of NPAs (non-personal accounts) used in the environment?
3. Can a developer push code to production? Can you demonstrate the access management procedure for production?
4. If technical support roles are managed by you (system administrator, DBAs etc.), what is the process for requesting / authorizing / creating / updating such roles? (What kind of approval process is applicable here?)
5. Can we see a demo of how segregation of duties is implemented? If it is system enforced, show us a demo of the ticketing tool where an employee can request any access on production.
6. Can we see evidence of a production access request that shows the approval process?
7. Can we see the production access logs or log configurations that show all production activities are logged and the actions can be traced back to an individual?

Data Protection:
1. Can you demonstrate the backup/restore procedure?
2. Can you demonstrate the encryption (AES 256) in place for the production database and for the backup?
3. Can we see evidence that passwords (specifically for high-privileged users) are stored encrypted?
4. How do you manage the keys being used for encryption?
5. What measures do you have to protect the asset against DDoS attacks? Can you demonstrate the procedure?

Platform Security:
1. Can you demonstrate the documentation of vulnerability issues and the follow-ups on their resolution?
2. Can you demonstrate the process of applying patches to the infra stack?
3. Can you show the process of testing the patches before they are applied to production?
4. Can you show the implementation process of a sample patch?