ccs-digitalmarketplace-frameworks 4.11.28 → 4.11.30
- package/frameworks/g-cloud-15/manifests/edit_service_as_admin.yml +17 -0
- package/frameworks/g-cloud-15/manifests/edit_submission.yml +19 -0
- package/frameworks/g-cloud-15/metadata/copy_services.yml +0 -29
- package/frameworks/g-cloud-15/questions/services/accessRestrictionManagementAndSupport.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/accessRestrictionTesting.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/accreditationsOther.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/accreditationsOtherList.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/auditBuyersActions.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/auditBuyersActionsStorage.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/auditSuppliersActions.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/auditSuppliersActionsStorage.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/boardLevelServiceSecurity.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/configurationAndChangeManagementProcesses.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/configurationAndChangeManagementType.yml +22 -0
- package/frameworks/g-cloud-15/questions/services/devicesUsersManageTheServiceThrough.yml +32 -0
- package/frameworks/g-cloud-15/questions/services/governmentSecurityClearances.yml +24 -0
- package/frameworks/g-cloud-15/questions/services/incidentManagementApproach.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/incidentManagementType.yml +24 -0
- package/frameworks/g-cloud-15/questions/services/informationSecurityPoliciesAndProcesses.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/managementAccessAuthentication.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/managementAccessAuthenticationDescription.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/multiqAccessBuyersAudit.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/multiqAccessSuppliersAudit.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/multiqAccreditationsOther.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/multiqManagementAccess.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/multiqSecurityGovernance.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/multiqStandardsCSASTAR.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/multiqStandardsCyber.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/multiqStandardsISO28000.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/multiqStandardsISOIEC27001.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/multiqStandardsPCI.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/multiqUserAuthenticationHosting.yml +14 -0
- package/frameworks/g-cloud-15/questions/services/multiqUserAuthenticationSoftware.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/pricingDocumentURL.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/protectiveMonitoringApproach.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/protectiveMonitoringType.yml +24 -0
- package/frameworks/g-cloud-15/questions/services/secureDevelopment.yml +26 -0
- package/frameworks/g-cloud-15/questions/services/securityGovernanceAccreditation.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/securityGovernanceApproach.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/securityGovernanceStandards.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/securityGovernanceStandardsOther.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/serviceDefinitionDocumentURL.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/staffSecurityClearanceChecks.yml +28 -0
- package/frameworks/g-cloud-15/questions/services/standardsCSASTAR.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsCSASTARExclusions.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsCSASTARLevel.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsCSASTARWhen.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsCyberEssentials.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsCyberEssentialsPlus.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsISO28000.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsISO28000Exclusions.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsISO28000When.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsISO28000Who.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsISOIEC27001.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsISOIEC27001Exclusions.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsISOIEC27001When.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsISOIEC27001Who.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsPCI.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsPCIExclusions.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsPCIWhen.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/standardsPCIWho.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/termsAndConditionsDocumentURL.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/userAuthenticationDescription.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/userAuthenticationHosting.yml +43 -0
- package/frameworks/g-cloud-15/questions/services/userAuthenticationNeeded.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/userAuthenticationSoftware.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/vulnerabilityManagementApproach.yml +1 -0
- package/frameworks/g-cloud-15/questions/services/vulnerabilityManagementType.yml +24 -0
- package/package.json +1 -1
|
@@ -152,18 +152,35 @@
|
|
|
152
152
|
- name: Operational security
|
|
153
153
|
editable: True
|
|
154
154
|
questions:
|
|
155
|
+
- configurationAndChangeManagementType
|
|
155
156
|
- configurationAndChangeManagementProcesses
|
|
157
|
+
- vulnerabilityManagementType
|
|
156
158
|
- vulnerabilityManagementApproach
|
|
159
|
+
- protectiveMonitoringType
|
|
157
160
|
- protectiveMonitoringApproach
|
|
161
|
+
- incidentManagementType
|
|
158
162
|
- incidentManagementApproach
|
|
159
163
|
|
|
164
|
+
- name: Staff security
|
|
165
|
+
editable: True
|
|
166
|
+
questions:
|
|
167
|
+
- staffSecurityClearanceChecks
|
|
168
|
+
- governmentSecurityClearances
|
|
169
|
+
|
|
170
|
+
- name: Secure development
|
|
171
|
+
editable: True
|
|
172
|
+
questions:
|
|
173
|
+
- secureDevelopment
|
|
174
|
+
|
|
160
175
|
- name: Identity and authentication
|
|
161
176
|
editable: True
|
|
162
177
|
questions:
|
|
178
|
+
- multiqUserAuthenticationHosting
|
|
163
179
|
- multiqUserAuthenticationSoftware
|
|
164
180
|
- accessRestrictionManagementAndSupport
|
|
165
181
|
- accessRestrictionTesting
|
|
166
182
|
- multiqManagementAccess
|
|
183
|
+
- devicesUsersManageTheServiceThrough
|
|
167
184
|
|
|
168
185
|
- name: Audit information for users
|
|
169
186
|
editable: True
|
|
@@ -181,19 +181,38 @@
|
|
|
181
181
|
editable: False
|
|
182
182
|
edit_questions: True
|
|
183
183
|
questions:
|
|
184
|
+
- configurationAndChangeManagementType
|
|
184
185
|
- configurationAndChangeManagementProcesses
|
|
186
|
+
- vulnerabilityManagementType
|
|
185
187
|
- vulnerabilityManagementApproach
|
|
188
|
+
- protectiveMonitoringType
|
|
186
189
|
- protectiveMonitoringApproach
|
|
190
|
+
- incidentManagementType
|
|
187
191
|
- incidentManagementApproach
|
|
188
192
|
|
|
193
|
+
- name: Staff security
|
|
194
|
+
editable: False
|
|
195
|
+
edit_questions: True
|
|
196
|
+
questions:
|
|
197
|
+
- staffSecurityClearanceChecks
|
|
198
|
+
- governmentSecurityClearances
|
|
199
|
+
|
|
200
|
+
- name: Secure development
|
|
201
|
+
editable: False
|
|
202
|
+
edit_questions: True
|
|
203
|
+
questions:
|
|
204
|
+
- secureDevelopment
|
|
205
|
+
|
|
189
206
|
- name: Identity and authentication
|
|
190
207
|
editable: False
|
|
191
208
|
edit_questions: True
|
|
192
209
|
questions:
|
|
210
|
+
- multiqUserAuthenticationHosting
|
|
193
211
|
- multiqUserAuthenticationSoftware
|
|
194
212
|
- accessRestrictionManagementAndSupport
|
|
195
213
|
- accessRestrictionTesting
|
|
196
214
|
- multiqManagementAccess
|
|
215
|
+
- devicesUsersManageTheServiceThrough
|
|
197
216
|
|
|
198
217
|
- name: Audit information for users
|
|
199
218
|
editable: False
|
|
@@ -3,17 +3,9 @@ questions_to_exclude:
|
|
|
3
3
|
- APISoftware
|
|
4
4
|
- QAAndTesting
|
|
5
5
|
- QAAndTestingDescription
|
|
6
|
-
- accessRestrictionManagementAndSupport
|
|
7
|
-
- accessRestrictionTesting
|
|
8
|
-
- auditBuyersActions
|
|
9
|
-
- auditBuyersActionsStorage
|
|
10
|
-
- auditSuppliersActions
|
|
11
|
-
- auditSuppliersActionsStorage
|
|
12
6
|
- browsersAccess
|
|
13
7
|
- browsersSupported
|
|
14
8
|
- cloudDeploymentModel
|
|
15
|
-
- configurationAndChangeManagementProcesses
|
|
16
|
-
- configurationAndChangeManagementType
|
|
17
9
|
- covid19Recovery
|
|
18
10
|
- customisationAvailable
|
|
19
11
|
- customisationDescription
|
|
@@ -24,7 +16,6 @@ questions_to_exclude:
|
|
|
24
16
|
- dataImportFormatsOther
|
|
25
17
|
- datacentreSecurityStandards
|
|
26
18
|
- dataSanitisationTypeSoftware
|
|
27
|
-
- devicesUsersManageTheServiceThrough
|
|
28
19
|
- educationPricing
|
|
29
20
|
- emailOrTicketingSupport
|
|
30
21
|
- emailOrTicketingSupportAccessibility
|
|
@@ -38,15 +29,9 @@ questions_to_exclude:
|
|
|
38
29
|
- freeVersionDescription
|
|
39
30
|
- freeVersionLink
|
|
40
31
|
- freeVersionTrialOption
|
|
41
|
-
- governmentSecurityClearances
|
|
42
32
|
- governmentSecurityClearancesFilter
|
|
43
|
-
- incidentManagementApproach
|
|
44
|
-
- incidentManagementType
|
|
45
|
-
- informationSecurityPoliciesAndProcesses
|
|
46
33
|
- installation
|
|
47
34
|
- installationCompatibleOperatingSystems
|
|
48
|
-
- managementAccessAuthentication
|
|
49
|
-
- managementAccessAuthenticationDescription
|
|
50
35
|
- metrics
|
|
51
36
|
- metricsDescription
|
|
52
37
|
- metricsHow
|
|
@@ -72,18 +57,11 @@ questions_to_exclude:
|
|
|
72
57
|
- priceMax
|
|
73
58
|
- priceMin
|
|
74
59
|
- priceUnit
|
|
75
|
-
- protectiveMonitoringApproach
|
|
76
|
-
- protectiveMonitoringType
|
|
77
60
|
- publicSectorNetworks
|
|
78
61
|
- publicSectorNetworksOther
|
|
79
62
|
- publicSectorNetworksTypes
|
|
80
63
|
- scaling
|
|
81
64
|
- scalingType
|
|
82
|
-
- secureDevelopment
|
|
83
|
-
- securityGovernanceAccreditation
|
|
84
|
-
- securityGovernanceApproach
|
|
85
|
-
- securityGovernanceStandards
|
|
86
|
-
- securityGovernanceStandardsOther
|
|
87
65
|
- securityTesting
|
|
88
66
|
- securityTestingAccreditations
|
|
89
67
|
- securityTestingAccredited
|
|
@@ -112,7 +90,6 @@ questions_to_exclude:
|
|
|
112
90
|
- setupAndMigrationServiceSpecificList
|
|
113
91
|
- sfiaRateDocumentURL
|
|
114
92
|
- socialValue
|
|
115
|
-
- staffSecurityClearanceChecks
|
|
116
93
|
- standardsISO28000
|
|
117
94
|
- standardsISO28000Exclusions
|
|
118
95
|
- standardsISO28000Who
|
|
@@ -125,13 +102,7 @@ questions_to_exclude:
|
|
|
125
102
|
- trainingServiceSpecific
|
|
126
103
|
- trainingServiceSpecificList
|
|
127
104
|
- userAuthentication
|
|
128
|
-
- userAuthenticationDescription
|
|
129
|
-
- userAuthenticationHosting
|
|
130
|
-
- userAuthenticationNeeded
|
|
131
|
-
- userAuthenticationSoftware
|
|
132
105
|
- userSupportAccessibility
|
|
133
|
-
- vulnerabilityManagementApproach
|
|
134
|
-
- vulnerabilityManagementType
|
|
135
106
|
- webChatSupport
|
|
136
107
|
- webChatSupportAccessibility
|
|
137
108
|
- webChatSupportAccessibilityDescription
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
name: Configuration and change management standard
|
|
2
|
+
question: Which configuration and change management processes does your organisation comply with?
|
|
3
|
+
question_advice: >
|
|
4
|
+
Read about the government’s <a
|
|
5
|
+
href="https://www.ncsc.gov.uk/guidance/cloud-security-principle-5-operational-security#config" target="_blank"
|
|
6
|
+
rel="noopener noreferrer">5th cloud security principle: ‘Operational security’ (link opens in a new tab)</a>.
|
|
7
|
+
|
|
8
|
+
depends:
|
|
9
|
+
- "on": lot
|
|
10
|
+
being:
|
|
11
|
+
- saas
|
|
12
|
+
|
|
13
|
+
type: radios
|
|
14
|
+
options:
|
|
15
|
+
- label: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
|
|
16
|
+
value: recognised_standard
|
|
17
|
+
- label: Supplier-defined controls
|
|
18
|
+
value: supplier_defined
|
|
19
|
+
|
|
20
|
+
validations:
|
|
21
|
+
- name: answer_required
|
|
22
|
+
message: Select if your organisation conforms to a recognised standard or defines its own controls.
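Review bot: The `options` list in this new question stops at `supplier_defined`, while the sibling questions added in the same release (incident management, protective monitoring and vulnerability management types) also offer `undisclosed`. If the omission is deliberate, a comment above `options:` such as `# No 'undisclosed' option: a change-management approach must be declared` would record that. If it is not, the third option should be added, because copy_services.yml in this release stops excluding this question and answers are presumably now copied forward from earlier frameworks. The example standards in the label are also dated: SSAE-16 has been superseded by SSAE 18 and CSA CCM v3.0 by v4, and the same examples recur in the protective monitoring, vulnerability management, incident management (which also cites ISO/IEC 27035:2011) and secure development labels. Buyers read these labels as the assurance baseline, so naming current editions or dropping the version numbers would avoid implying that a superseded edition is what is being attested.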
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
name: Devices users manage the service through
|
|
2
|
+
question: Which devices can be used to manage the service?
|
|
3
|
+
question_advice: >
|
|
4
|
+
Read about the <a href="https://www.ncsc.gov.uk/guidance/systems-administration-architectures" target="_blank" rel="noopener noreferrer">systems administration models (link opens in a new tab)</a>
|
|
5
|
+
that can be used to design the administration approach for IT systems.
|
|
6
|
+
|
|
7
|
+
depends:
|
|
8
|
+
- "on": lot
|
|
9
|
+
being:
|
|
10
|
+
- saas
|
|
11
|
+
|
|
12
|
+
type: checkboxes
|
|
13
|
+
options:
|
|
14
|
+
- label: Dedicated device on a segregated network (providers own provision)
|
|
15
|
+
value: dedicated_device_on_segregated_network
|
|
16
|
+
- label: Dedicated device on a government network (for example PSN)
|
|
17
|
+
value: dedicated_device_on_government_network
|
|
18
|
+
- label: Dedicated device over multiple services or networks
|
|
19
|
+
value: dedicated_device_over_multiple_networks
|
|
20
|
+
- label: >
|
|
21
|
+
Any device but through a bastion host (a bastion host is a server that provides access to a private network from
|
|
22
|
+
an external network such as the internet)
|
|
23
|
+
value: any_device_using_bastion_host
|
|
24
|
+
|
|
25
|
+
- label: >
|
|
26
|
+
Directly from any device which may also be used for normal business (for example web browsing or viewing external
|
|
27
|
+
email)
|
|
28
|
+
value: any_device
|
|
29
|
+
|
|
30
|
+
validations:
|
|
31
|
+
- name: answer_required
|
|
32
|
+
message: Select a device type.
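Review bot: The first option label reads `(providers own provision)`, which is missing the possessive apostrophe; suggest `- label: Dedicated device on a segregated network (provider’s own provision)`. The third option's label says `over multiple services or networks` while its value is `dedicated_device_over_multiple_networks`, so a short comment would help if that mismatch is intentional. Because the question is `type: checkboxes`, nothing visible here stops a supplier ticking a dedicated-device option together with `any_device`. If buyers are meant to read the answer as the least restrictive management path, the `question_advice` should say so.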
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
name: Government security clearance
|
|
2
|
+
question: >
|
|
3
|
+
If the role requires it, what level of security clearance are you prepared to make sure your staff have?
|
|
4
|
+
question_advice: Read the <a href="https://www.gov.uk/government/publications/united-kingdom-security-vetting-clearance-levels/national-security-vetting-clearance-levels" target="_blank" rel="noopener noreferrer">government guidance on security vetting and clearance (link opens in a new tab)</a>.
|
|
5
|
+
|
|
6
|
+
depends:
|
|
7
|
+
- "on": lot
|
|
8
|
+
being:
|
|
9
|
+
- saas
|
|
10
|
+
|
|
11
|
+
type: radios
|
|
12
|
+
options:
|
|
13
|
+
- label: Up to Developed Vetting (DV)
|
|
14
|
+
value: dv
|
|
15
|
+
- label: Up to Security Clearance (SC)
|
|
16
|
+
value: sc
|
|
17
|
+
- label: Up to Baseline Personnel Security Standard (BPSS)
|
|
18
|
+
value: bpss
|
|
19
|
+
- label: None
|
|
20
|
+
value: none
|
|
21
|
+
|
|
22
|
+
validations:
|
|
23
|
+
- name: answer_required
|
|
24
|
+
message: Select what level of security clearance you are prepared to offer.
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
name: Incident management type
|
|
2
|
+
question: Which incident management processes does your organisation comply with?
|
|
3
|
+
question_advice: >
|
|
4
|
+
Read about the government’s <a
|
|
5
|
+
href="https://www.ncsc.gov.uk/guidance/cloud-security-principle-5-operational-security#incident" target="_blank"
|
|
6
|
+
rel="noopener noreferrer">5th cloud security principle: ‘Operational security’ (link opens in a new tab)</a>.
|
|
7
|
+
|
|
8
|
+
depends:
|
|
9
|
+
- "on": lot
|
|
10
|
+
being:
|
|
11
|
+
- saas
|
|
12
|
+
|
|
13
|
+
type: radios
|
|
14
|
+
options:
|
|
15
|
+
- label: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
|
|
16
|
+
value: recognised_standard
|
|
17
|
+
- label: Supplier-defined controls
|
|
18
|
+
value: supplier_defined
|
|
19
|
+
- label: Undisclosed
|
|
20
|
+
value: undisclosed
|
|
21
|
+
|
|
22
|
+
validations:
|
|
23
|
+
- name: answer_required
|
|
24
|
+
message: Select which incident management processes your organisation complies with.
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
name: Protective monitoring type
|
|
2
|
+
question: Which protective monitoring processes does your organisation comply with?
|
|
3
|
+
question_advice: >
|
|
4
|
+
Read about the government’s <a
|
|
5
|
+
href="https://www.ncsc.gov.uk/guidance/cloud-security-principle-5-operational-security#protective" target="_blank"
|
|
6
|
+
rel="noopener noreferrer">5th cloud security principle: ‘Operational security’ (link opens in a new tab)</a>.
|
|
7
|
+
|
|
8
|
+
depends:
|
|
9
|
+
- "on": lot
|
|
10
|
+
being:
|
|
11
|
+
- saas
|
|
12
|
+
|
|
13
|
+
type: radios
|
|
14
|
+
options:
|
|
15
|
+
- label: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
|
|
16
|
+
value: recognised_standard
|
|
17
|
+
- label: Supplier-defined controls
|
|
18
|
+
value: supplier_defined
|
|
19
|
+
- label: Undisclosed
|
|
20
|
+
value: undisclosed
|
|
21
|
+
|
|
22
|
+
validations:
|
|
23
|
+
- name: answer_required
|
|
24
|
+
message: Select the type of protective monitoring process you comply with.
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
name: Approach to secure software development best practice
|
|
2
|
+
question: How does your organisation demonstrate that it adheres to best practice in secure software development?
|
|
3
|
+
question_advice: >
|
|
4
|
+
Read about the government’s <a
|
|
5
|
+
href="https://www.ncsc.gov.uk/guidance/cloud-security-principle-7-secure-development" target="_blank"
|
|
6
|
+
rel="noopener noreferrer">7th cloud security principle: ‘Secure development’ (link opens in a new tab)</a>.
|
|
7
|
+
|
|
8
|
+
depends:
|
|
9
|
+
- "on": lot
|
|
10
|
+
being:
|
|
11
|
+
- saas
|
|
12
|
+
|
|
13
|
+
type: radios
|
|
14
|
+
options:
|
|
15
|
+
- label: >
|
|
16
|
+
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM
|
|
17
|
+
v3.0)
|
|
18
|
+
value: independent_review
|
|
19
|
+
- label: Conforms to a recognised standard, but self-assessed
|
|
20
|
+
value: recognised_standard
|
|
21
|
+
- label: Supplier-defined process
|
|
22
|
+
value: supplier_defined
|
|
23
|
+
|
|
24
|
+
validations:
|
|
25
|
+
- name: answer_required
|
|
26
|
+
message: Select how you demonstate that you adhere to secure software development best practice.
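Review bot: The `answer_required` message on the last line misspells "demonstrate" as `demonstate`, and this string is presumably what suppliers see when they skip the question. It should read `message: Select how you demonstrate that you adhere to secure software development best practice.` The first option's examples name `CESG CPA Build Standard`; CESG has since become part of the NCSC, so it is worth confirming that this is still the scheme name buyers should look for.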
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
name: Staff security clearance
|
|
2
|
+
question: How do you manage staff security clearance checks?
|
|
3
|
+
question_advice: >
|
|
4
|
+
Read about the government’s <a
|
|
5
|
+
href="https://www.ncsc.gov.uk/guidance/cloud-security-principle-6-personnel-security" target="_blank" rel="noopener
|
|
6
|
+
noreferrer">6th cloud security principle: ‘Personnel security’ (link opens in a new tab)</a>.
|
|
7
|
+
|
|
8
|
+
depends:
|
|
9
|
+
- "on": lot
|
|
10
|
+
being:
|
|
11
|
+
- saas
|
|
12
|
+
|
|
13
|
+
type: radios
|
|
14
|
+
options:
|
|
15
|
+
- label: Staff screening performed with conforms to BS7858:2019
|
|
16
|
+
value: "staff_screening_to_bs7858_2019"
|
|
17
|
+
filter_label: conforms to BS7858:2019
|
|
18
|
+
- label: Staff screening performed but doesn’t conform with BS7858:2019
|
|
19
|
+
value: "staff_screening_not_bs7858_2019"
|
|
20
|
+
filter_label: other security clearance
|
|
21
|
+
filter_ignore: true
|
|
22
|
+
- label: Staff screening not performed
|
|
23
|
+
value: none
|
|
24
|
+
filter_ignore: true
|
|
25
|
+
|
|
26
|
+
validations:
|
|
27
|
+
- name: answer_required
|
|
28
|
+
message: Select how you manage staff security clearance checks.
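Review bot: The first option label, `Staff screening performed with conforms to BS7858:2019`, is ungrammatical, and the second uses `conform with` where the filter label uses `conforms to`. Suggest `- label: Staff screening performed which conforms to BS7858:2019` and `- label: Staff screening performed but doesn’t conform to BS7858:2019`. The `filter_label` on `staff_screening_not_bs7858_2019` is `other security clearance`, which reads as a stronger claim than screening that does not meet the standard. It is marked `filter_ignore: true`, so it may never be displayed, but a comment saying so would stop the string being reused elsewhere.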
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
id: userAuthentication
|
|
2
|
+
name: User authentication
|
|
3
|
+
question: How do you authenticate users when they access the service?
|
|
4
|
+
question_advice: >
|
|
5
|
+
Read about the government’s <a
|
|
6
|
+
href="https://www.ncsc.gov.uk/guidance/cloud-security-principle-10-identity-and-authentication" target="_blank"
|
|
7
|
+
rel="noopener noreferrer">10th cloud security principle ‘Identity and authentication’ (link opens in a new tab)</a>.
|
|
8
|
+
|
|
9
|
+
depends:
|
|
10
|
+
- "on": lot
|
|
11
|
+
being:
|
|
12
|
+
- saas
|
|
13
|
+
followup:
|
|
14
|
+
userAuthenticationDescription:
|
|
15
|
+
- other
|
|
16
|
+
|
|
17
|
+
type: checkboxes
|
|
18
|
+
options:
|
|
19
|
+
- label: 2-factor authentication
|
|
20
|
+
value: two_factor
|
|
21
|
+
filter_label: 2-factor authentication
|
|
22
|
+
- label: Public key authentication (including by TLS client certificate)
|
|
23
|
+
value: pka
|
|
24
|
+
filter_label: public key authentication (including by TLS client certificate)
|
|
25
|
+
- label: Identity federation with existing provider (for example Google apps)
|
|
26
|
+
value: identity_federation
|
|
27
|
+
filter_label: identity federation with existing provider (for example Google apps)
|
|
28
|
+
- label: Limited access over government network (for example PSN)
|
|
29
|
+
value: government_network
|
|
30
|
+
filter_label: limited access network (for example PSN)
|
|
31
|
+
- label: Dedicated link (for example VPN or bonded fibre)
|
|
32
|
+
value: dedicated_link
|
|
33
|
+
filter_label: dedicated link (for example VPN)
|
|
34
|
+
- label: Username or password
|
|
35
|
+
value: username_or_password
|
|
36
|
+
filter_label: username or password
|
|
37
|
+
- label: Other
|
|
38
|
+
value: other
|
|
39
|
+
filter_ignore: true
|
|
40
|
+
|
|
41
|
+
validations:
|
|
42
|
+
- name: answer_required
|
|
43
|
+
message: Select an authentication method.
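Review bot: This file (userAuthenticationHosting.yml, going by the +43 entry in the file list) sets `id: userAuthentication`, and the copy_services.yml hunks in this release keep `userAuthentication` under `questions_to_exclude` while removing `userAuthenticationHosting`. Whether exclusion matches on the id or on the file name is not visible here, so it is worth checking that answers to this question are copied, or withheld, as intended. The file name says Hosting but `depends` restricts it to lot `saas`, the same lot as every other question added in this release. A comment above `id:` stating which lot this variant and `userAuthenticationSoftware` each serve would guard against both resolving to one id for the same service. Separately, the option `Username or password` presumably means `Username and password`, since a username alone is not an authentication method.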
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
name: Vulnerability management type
|
|
2
|
+
question: Which vulnerability management processes does your organisation comply with?
|
|
3
|
+
question_advice: >
|
|
4
|
+
Read about the government’s <a
|
|
5
|
+
href="https://www.ncsc.gov.uk/guidance/cloud-security-principle-5-operational-security#vulnerability" target="_blank"
|
|
6
|
+
rel="noopener noreferrer">5th cloud security principle: ‘Operational security’ (link opens in a new tab)</a>.
|
|
7
|
+
|
|
8
|
+
depends:
|
|
9
|
+
- "on": lot
|
|
10
|
+
being:
|
|
11
|
+
- saas
|
|
12
|
+
|
|
13
|
+
type: radios
|
|
14
|
+
options:
|
|
15
|
+
- label: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
|
|
16
|
+
value: recognised_standard
|
|
17
|
+
- label: Supplier-defined controls
|
|
18
|
+
value: supplier_defined
|
|
19
|
+
- label: Undisclosed
|
|
20
|
+
value: undisclosed
|
|
21
|
+
|
|
22
|
+
validations:
|
|
23
|
+
- name: answer_required
|
|
24
|
+
message: Select which vulnerability management process your organisation complies with.
|