General
- What are the audit and reporting capabilities of the solution related to user management?
- Do you have an identity and access management policy in place?
- Have factory default account credentials been changed?
- Do you monitor and review access attempts?
- Is access role-based, depending on the employee's function?
- Do you allow multiple employees to use the same login?
- Do you use generic accounts to access the servers and applications for administrator purposes?
- Do you allow remote access?
- Do you have a written password management policy?
- Do you disable access rights immediately upon the end of employment?
- Do you have a written policy for handling user changes (joiners, movers, leavers)?
- Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?
- Are controls in place to prevent unauthorized access to tenant application, program, or object source code, and assure it is restricted to authorized personnel only?
- Do you require periodic authorization and validation (e.g. at least annually) of the entitlements of all system users and administrators (excluding users maintained by your tenants), based on the principle of least privilege?
- Is physical and logical user access to audit logs restricted to authorized personnel?
- Which options for MFA (multi-factor authentication) do you support?
- How is data from different customers separated?