Redback_E8_ML1_Assessment_Checklist
Last updated by: vivek-shreyas, Last updated on: 22/05/2025
Last updated by: shreyas-vivek, Last updated on: 17/05/2025
Instructions
Redback E8 ML1 Assessment Checklist – Instructions

Purpose:
This workbook is designed to support Maturity Level 1 (ML1) assessments across all Essential Eight strategies. Each strategy tab contains ISM-mapped controls, audit test descriptions, and expected artefacts.

What You Need to Fill In (per row):
Compliance Status (Column K): Select from the dropdown list
Findings/Comments (Column L): Describe the audit result or observation
Evidence Location (Column M): File path or reference to supporting artefacts
Date Tested (Column N): Format as DD/MM/YYYY
Assessor (Column O): Your name or initials

Do Not Modify:
Locked columns such as test description, ISM mapping, audit procedure, or control ID
Any formula or data validation dropdowns already in place

Scoring Guidance:
❌ Not Implemented – No evidence the control is in place
⚠️ Partially Implemented – Some implementation but incomplete or inconsistent
✅ Implemented – Fully in place and functioning as described
🔁 Alternate Control – A compensating control exists
⛔ Not Applicable – The control is not relevant in this context

Additional Notes:
Please ensure all evidence referenced is stored in a central location and consistently named
You can review worked examples in the first 3 rows of most tabs

Need Help? Contact:
Shreyas Vivek (ML1 Assessment Lead)
Glossary
Term | Definition |
---|---|
Control Assessment | The evaluated status of a control (e.g., effective, partially effective, etc.) |
Responsible Team | The team accountable for operating or implementing the control |
Assessor | The GRC team member reviewing and recording assessment evidence |
Evidence Location | Path or reference to the artefact (e.g., logs, screenshots, configs) |
Effective | Fully meets ISM/Essential Eight requirements |
Partially Effective | Implemented but with known limitations or gaps |
Alternate Control | A compensating control exists and achieves the same objective |
Not Implemented | No evidence that the control is present or functioning |
Not Applicable | The control does not apply in the system or environment being assessed |
Application Control
Control Area | Control ID | Test ID | ISM Control ID | Test Description | Audit Procedure | Evidence Required | Tools/Method Used | Responsible Team | Frequency | Findings/Comments | Evidence Location |
---|---|---|---|---|---|---|---|---|---|---|---|
Application Control | ML1-AC | ML1-AC-01 | ISM-0843 | Prevent execution of EXE/COM files in user profile directories by standard users. | Attempt to run benign EXE/COM file in temp directories or Desktop. | Execution logs, screenshots of failed attempts. | E8MVT, Manual Execution Test | Cybersecurity GRC | Quarterly | Example: Attempt EXE execution in C:\Users\TestUser\AppData\Local\Temp using E8MVT. | Ex: \share\redback-evidence\ML1-AC-04-MSItest.png |
Application Control | ML1-AC | ML1-AC-02 | ISM-1870 | Block software library files (DLL/OCX) from executing in user profile/temp folders. | Place DLL/OCX files in user space and attempt to invoke using standard tools. | System logs, execution attempts, allowlist enforcement logs. | E8MVT | Cybersecurity GRC | Quarterly | Example: Place DLL in Downloads folder, log execution attempt and result. | |
Application Control | ML1-AC | ML1-AC-03 | ISM-1657 | Prevent script file (BAT, PS, VBS, JS) execution in restricted paths. | Deploy test scripts into temp folders and execute with user permissions. | Screenshots of blocked script runs, log entries showing prevention. | ACVT, PowerShell | Cybersecurity GRC | Quarterly | Example: Execute BAT script in temp folder, validate block via ACVT and logs. | |
Application Control | ML1-AC | ML1-AC-04 | ISM-1657 | Prevent installation via MSI/MST/MSP in non-privileged locations. | Attempt to install dummy MSI via user Desktop or Downloads. | E8MVT reports, MSI install logs, endpoint monitoring logs. | E8MVT | Cybersecurity GRC | Quarterly | Attempted MSI install from Desktop. Execution blocked by allowlist policy. Logs captured. | |
Application Control | ML1-AC | ML1-AC-05 | ISM-1657 | Block execution of Compiled HTML (CHM) files from temp/user locations. | Run benign CHM files from various folders and log behavior. | Screenshot and CHM handling logs. | Manual Test, E8MVT | Cybersecurity GRC | Quarterly | CHM file opened in Downloads. Block confirmed via error dialog and policy log. | |
Application Control | ML1-AC | ML1-AC-06 | ISM-1657 | Block execution of HTML applications (HTA) from browser cache or download folders. | Attempt to run HTA file from Downloads directory. | Browser logs, application policy evidence, HTA test file logs. | E8MVT, Manual Browser Test | Cybersecurity GRC | Quarterly | HTA blocked in browser sandbox. Logged via E8MVT and registry policy audit. | |
Application Control | ML1-AC | ML1-AC-07 | ISM-1657 | Block Control Panel Applet (CPL) execution from non-system folders. | Run benign CPL from Downloads and verify execution is blocked. | ACVT reports, Windows logs, allowlist policies. | ACVT | Cybersecurity GRC | Quarterly | CPL file blocked from Downloads. Control panel execution policy verified. | |
Application Control | ML1-AC | ML1-AC-08 | ISM-1657 | Application allowlisting enforced via policy and managed centrally. | Review allowlist management system and policy distribution (e.g., Intune, GPO). | Allowlist configuration files, policy logs. | Group Policy, Config Audit | Cybersecurity GRC | Quarterly | Intune policy pushes tested. Whitelist entries confirmed via config diff. | |
Application Control | ML1-AC | ML1-AC-09 | ISM-1657 | Execution prevention enforced even when file renamed or copied across locations. | Rename known executables (e.g., .txt to .exe) and attempt execution. | Test logs, screenshots, renamed file handling logs. | Manual Tests, E8MVT | Cybersecurity GRC | Quarterly | Renamed .txt to .exe. Block succeeded. Manual trace via endpoint logs. | |
Application Control | ML1-AC | ML1-AC-10 | ISM-1657 | File execution control verified against known bypass vectors. | Attempt to exploit known paths (e.g., 8.3 name format, symbolic links). | Output of exploit test cases, logs from bypass attempts. | E8MVT, ACVT, Script Toolkit | Cybersecurity GRC | Quarterly | Symbolic link test generated expected block. Logs show rule match. | |
Patch Applications
Control Area | Control ID | Test ID | ISM Control ID | Test Description | Audit Procedure | Evidence Required | Tools/Method Used | Responsible Team | Frequency | Findings/Comments | Evidence Location |
---|---|---|---|---|---|---|---|---|---|---|---|
Patch Applications | ML1-PA | ML1-PA-01 | ISM-1807 | Automated asset discovery runs at least fortnightly to detect new systems and applications. | Review scan configuration and logs; validate schedule enforcement. | Scan logs, scheduler output, discovery delta reports. | Qualys, Nessus, GVM | DevSecOps | Fortnightly | Discovery job ran on full subnet range. Delta logs confirmed new hosts were registered in CMDB. | \share\redback-evidence\ML1-PA-02-dbupdate.png |
Patch Applications | ML1-PA | ML1-PA-02 | ISM-1808 | Vulnerability scanner uses an up-to-date vulnerability database. | Check database version and last update timestamps in scanner console. | Scanner config files, version logs. | Qualys, Nessus, Rapid7 | DevSecOps | Daily | Scanner auto-update setting verified. Last update 24h from scan. Screenshot in audit folder. | |
Patch Applications | ML1-PA | ML1-PA-03 | ISM-1698 | Vulnerability scans run daily on all internet-facing applications and services. | Validate daily scan logs and alerting mechanisms for exposed services. | Daily reports, alerting logs. | Nessus, Tenable.io | DevSecOps | Daily | Daily job logs confirmed for VPN and GitHub endpoints. Alert emails validated. | |
Patch Applications | ML1-PA | ML1-PA-04 | ISM-1699 | Fortnightly scans run for office software, email clients, and browsers. | Verify credentials, schedules, and scope of scan. | Fortnightly reports, credentialed scan logs. | GVM, Nessus Pro | DevSecOps | Fortnightly | Fortnightly scan covers PDF, Chrome, Outlook. Credentialed access tested. | |
Patch Applications | ML1-PA | ML1-PA-05 | ISM-1876 | Exploitable vulnerabilities on internet-facing services are patched within 48 hours. | Map CVE disclosure date to patch application date and analyze lag. | Patch timeline table, remediation logs, CVE tracker screenshots. | CVE Scanner, Manual review | DevSecOps | As needed | Logs show patch was applied within 30h of advisory. Exception process documented. | |
Patch Applications | ML1-PA | ML1-PA-06 | ISM-1876 | Confirm all known exploitable vulnerabilities older than 48 hours are patched or mitigated. | Run patch verification and determine lag beyond allowed window. | Remediation evidence, exception logs. | Qualys, Sysmon | DevSecOps | Weekly | Patch validation shows high severity CVE remediated in 36h. Logged in JIRA. | |
Patch Applications | ML1-PA | ML1-PA-07 | ISM-1690 | All internet-facing apps patched within 2 weeks of patch availability. | Compare software patch date with original vendor release. | System patch logs, vendor release notes. | Patch management dashboard | DevSecOps | Weekly | GitHub vulnerability flagged on 12 Mar, patched by 24 Mar. Audit trail captured. | |
Patch Applications | ML1-PA | ML1-PA-08 | ISM-1691 | Patches for internal apps (Office, PDF, browsers) applied within one month. | Review patch cycles and correlate version info with vendor dates. | Patch audit reports, software version matrix. | E8MVT, Software Inventory | DevSecOps | Monthly | Version diff shows PDF reader patched on time. Screenshot in patch folder. | |
Patch Applications | ML1-PA | ML1-PA-09 | ISM-1691 | Internal applications contain no vulnerabilities older than one month. | Use scanner to verify version compliance. | List of vulnerable versions, patch timestamps. | Qualys, Nessus, E8MVT | DevSecOps | Monthly | No critical CVEs older than 30d detected. Scanner report archived. | |
Patch Applications | ML1-PA | ML1-PA-10 | ISM-1905 | All unsupported third-party software removed from internal and internet-facing systems. | Scan and inventory all active applications; check vendor support lifecycle. | List of deprecated apps, decommission evidence. | Nessus, Software Asset Management | DevSecOps | Quarterly | List cross-checked with vendor lifecycle dates. Deprecated versions uninstalled. | |
Multi-Factor Authentication
Control Area | Control ID | Test ID | ISM Control ID | Test Description | Audit Procedure | Evidence Required | Tools/Method Used | Responsible Team | Frequency | Findings/Comments | Evidence Location |
---|---|---|---|---|---|---|---|---|---|---|---|
Multi-Factor Authentication | ML1-MF | ML1-MF-01 | ISM-1504 | MFA is enforced on all internet-facing Redback services (e.g., GitHub, GCP). | Attempt user authentication and verify MFA challenge on login. | Access attempt logs, screenshots of MFA prompts, enforcement settings. | GitHub, GCP IAM, Azure Console | Cybersecurity GRC | Monthly | Login attempts from unmanaged device prompted MFA. GitHub org settings verified. | \share\redback-evidence\ML1-MF-02-dbupdate.png |
Multi-Factor Authentication | ML1-MF | ML1-MF-02 | ISM-1504 | MFA challenge is triggered for remote desktop access to internal systems. | Perform test RDP session and check for MFA prompt. | VPN/RDP access logs, security group enforcement evidence. | Azure AD, Duo, RDP Config | DevSecOps | Monthly | Test RDP connection from home IP required MFA token. Logs captured via Duo dashboard. | |
Multi-Factor Authentication | ML1-MF | ML1-MF-03 | ISM-1679 | All other internet-facing systems require MFA on login. | Enumerate services; attempt user login; confirm MFA challenge. | MFA logs, system login records, user directory screenshots. | Okta, PingID, Azure MFA | Cybersecurity GRC | Monthly | Web portal MFA enforced via PingID. Screenshot of challenge retained. | |
Multi-Factor Authentication | ML1-MF | ML1-MF-04 | ISM-1679 | MFA enforced on third-party services handling sensitive Redback data. | Identify third-party vendors and check their MFA configuration. | Third-party admin console screenshots, vendor policy docs. | Admin Portals, Vendor Reviews | Cybersecurity GRC | Quarterly | MFA enabled for billing and support platforms. Vendor policy PDF stored. | |
Multi-Factor Authentication | ML1-MF | ML1-MF-05 | ISM-1680 | MFA enabled (where available) on third-party systems even for non-sensitive use cases. | Attempt login with a test account; check if MFA can be bypassed or disabled. | User access logs, account configuration settings. | Google Admin, Microsoft 365 | Cybersecurity GRC | Quarterly | Test account prompted for MFA on Outlook web access. | |
Multi-Factor Authentication | ML1-MF | ML1-MF-06 | ISM-1680 | MFA is enabled by default for external (non-organisational) users accessing Redback services. | Simulate an external login; verify default MFA behavior. | Login test results, configuration screen evidence. | Azure B2B, GitHub Organization | Cybersecurity GRC | Bi-annually | GitHub default MFA settings for B2B users validated. Screenshot attached. | |
Multi-Factor Authentication | ML1-MF | ML1-MF-07 | ISM-1680 | MFA bypass policies are reviewed monthly and exceptions require formal approval. | Review all policy exceptions and approvals for validity. | Exception tracking sheets, approval forms. | IAM Dashboard, Jira, Confluence | Cybersecurity GRC | Monthly | 2 active exceptions reviewed; Jira tickets matched with approvals. | |
Multi-Factor Authentication | ML1-MF | ML1-MF-08 | ISM-1680 | MFA logs are collected and reviewed for suspicious login attempts. | Inspect SIEM logs and MFA monitoring dashboards. | SIEM alerts, login pattern reports. | Splunk, Microsoft Sentinel | Cybersecurity GRC | Weekly | SIEM rule triggered on unusual geo-login. Event closed with follow-up. | |
Multi-Factor Authentication | ML1-MF | ML1-MF-09 | ISM-1680 | Users are periodically trained on recognizing MFA-related phishing and social engineering attempts. | Review training logs, completion rates, and test scores from awareness modules. | Training records, quiz results. | KnowBe4, LMS Reports | Cybersecurity GRC | Annually | Completion rate was 94% this cycle. Quiz results archived. | |
Multi-Factor Authentication | ML1-MF | ML1-MF-10 | ISM-1680 | Lost or stolen MFA tokens/devices are reported and revoked within 24 hours. | Review helpdesk tickets and IAM logs for revocation response time. | Incident reports, audit trail of token disablement. | Helpdesk Portal, IAM Logs | Cybersecurity GRC | As needed | One incident reported in last quarter. Response time 3 hours. | |
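
Worked example for the MFA tab, added here as illustration (it is not part of the workbook and not the output of any product named in the Tools/Method column): a small review script of the kind an assessor might run over an exported login log when working ML1-MF-01/03 (successful logins to internet-facing services that were never MFA-challenged) and ML1-MF-08 (the "unusual geo-login" and repeated failed-challenge patterns a SIEM rule should surface). The JSON-lines field names, the service list, the sample events and the thresholds (two-hour travel window, three failed challenges in five minutes) are all assumptions constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Internet-facing services named on this checklist (GitHub, GCP, VPN/RDP).
INTERNET_FACING = {"github", "gcp", "vpn", "rdp"}

# Constructed sample events in JSON-lines form. The field names are an
# assumption for this example, not the export format of any real IdP or SIEM.
SAMPLE_LOG = """
{"ts": "2025-05-20T08:01:10Z", "user": "alice", "service": "github", "result": "success", "mfa": "passed", "country": "AU"}
{"ts": "2025-05-20T08:03:00Z", "user": "bob",   "service": "gcp",    "result": "success", "mfa": "none",   "country": "AU"}
{"ts": "2025-05-20T09:15:00Z", "user": "alice", "service": "vpn",    "result": "success", "mfa": "passed", "country": "AU"}
{"ts": "2025-05-20T09:40:00Z", "user": "alice", "service": "github", "result": "success", "mfa": "passed", "country": "BR"}
{"ts": "2025-05-20T10:00:00Z", "user": "carol", "service": "rdp",    "result": "failure", "mfa": "failed", "country": "AU"}
{"ts": "2025-05-20T10:01:00Z", "user": "carol", "service": "rdp",    "result": "failure", "mfa": "failed", "country": "AU"}
{"ts": "2025-05-20T10:02:00Z", "user": "carol", "service": "rdp",    "result": "failure", "mfa": "failed", "country": "AU"}
{"ts": "2025-05-20T10:03:00Z", "user": "carol", "service": "rdp",    "result": "failure", "mfa": "failed", "country": "AU"}
{"ts": "2025-05-20T10:04:00Z", "user": "carol", "service": "rdp",    "result": "success", "mfa": "passed", "country": "AU"}
"""


def parse_events(text):
    """Parse JSON-lines events, attach a datetime under 'when', sort by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["when"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["when"])


def logins_without_mfa(events):
    """ML1-MF-01/03: successful logins to internet-facing services with no passed MFA challenge."""
    return [e for e in events
            if e["service"] in INTERNET_FACING
            and e["result"] == "success"
            and e["mfa"] != "passed"]


def geo_anomalies(events, window=timedelta(hours=2)):
    """ML1-MF-08: the same user succeeding from two different countries inside `window`."""
    last_success = {}
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["when"] - prev["when"] <= window:
            gap = e["when"] - prev["when"]
            findings.append({"user": e["user"],
                             "countries": (prev["country"], e["country"]),
                             "minutes_apart": int(gap.total_seconds() // 60)})
        last_success[e["user"]] = e
    return findings


def mfa_failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """ML1-MF-08: users with at least `threshold` failed MFA challenges inside `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["mfa"] == "failed":
            fails[e["user"]].append(e)
    findings = []
    for user, evs in fails.items():
        for i in range(len(evs) - threshold + 1):
            start = evs[i]["when"]
            if evs[i + threshold - 1]["when"] - start <= window:
                count = sum(1 for x in evs if start <= x["when"] <= start + window)
                findings.append({"user": user, "failures": count, "start": evs[i]["ts"]})
                break  # one finding per user is enough for the review
    return findings


def review(text):
    """Run the three checks and return the findings an assessor would record."""
    events = parse_events(text)
    return {"no_mfa": logins_without_mfa(events),
            "geo_anomalies": geo_anomalies(events),
            "mfa_failure_bursts": mfa_failure_bursts(events)}


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(kind, len(items))
        for item in items:
            print("  ", {k: v for k, v in item.items() if k != "when"})
```

On the constructed sample the script reports one un-challenged login (bob to GCP), one geo anomaly (alice, AU then BR 25 minutes apart) and one burst of four failed challenges (carol). Each finding maps to a line in the Findings/Comments column; the raw events are the Evidence Required.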
Restrict Admin Privileges
Control Area | Control ID | Test ID | ISM Control ID | Test Description | Audit Procedure | Evidence Required | Tools/Method Used | Responsible Team | Frequency | Findings/Comments | Evidence Location |
---|---|---|---|---|---|---|---|---|---|---|---|
Restrict Admin Privileges | ML1-RA | ML1-RA-01 | ISM-0439 | Access to administrative privileges is granted only with documented and approved justification. | Review access request forms and change control logs. | Request logs, approval emails, workflow tickets. | Active Directory, JIRA, Confluence | Cybersecurity GRC | Quarterly | JIRA change requests matched with AD privilege assignments. Confluence records archived. | \share\redback-evidence\ML1-RA-01-priv-approval.pdf |
Restrict Admin Privileges | ML1-RA | ML1-RA-02 | ISM-0402 | Privileged accounts are restricted from accessing the internet and web services. | Attempt to access internet from admin account; validate proxy/firewall blocks. | Access logs, proxy blocks, firewall rules. | Squid Proxy, FW ACLs, AD GPO | DevSecOps | Quarterly | Admin account internet access denied by proxy. Squid logs show block and policy hit. | |
Restrict Admin Privileges | ML1-RA | ML1-RA-03 | ISM-0411 | Privileged accounts are not used for email communication. | Test mailbox functionality for admin accounts. | User directory exports, mail server configs, admin logs. | Exchange Admin Center, ADUC | Cybersecurity GRC | Quarterly | Mail server config shows SMTP/IMAP disabled for admin accounts. No active mailboxes. | |
Restrict Admin Privileges | ML1-RA | ML1-RA-04 | ISM-0412 | All privileged activities are performed from a separate, secure administrative environment. | Confirm use of separate workstations or virtual environments. | Network segmentation plans, admin workstation list. | AD Groups, VLAN configs, BloodHound | DevSecOps | Quarterly | Privileged workstation IPs confirmed isolated. VLAN config and jump server logs validated. | |
Restrict Admin Privileges | ML1-RA | ML1-RA-05 | ISM-0403 | Standard (unprivileged) accounts cannot log into privileged environments. | Attempt login using unprivileged account; verify group policy enforcement. | AD logs, denied login attempts, policy snapshots. | BloodHound, GPO reports | Cybersecurity GRC | Quarterly | Login attempt using unprivileged account denied. Policy enforcement verified via AD logs. | |
Restrict Admin Privileges | ML1-RA | ML1-RA-06 | ISM-0404 | Unprivileged users cannot run PowerShell remoting (PSRemote) or elevate through RDP/WinRM. | Test PSRemote as a normal user and monitor event logs. | Remote command attempt logs, permission settings. | PowerShell, Windows Event Logs | DevSecOps | Quarterly | PSRemote blocked for non-admin users. Event logs captured failed remoting attempts. | |
Restrict Admin Privileges | ML1-RA | ML1-RA-07 | ISM-0414 | Admin accounts cannot be used to log into unprivileged workstations or environments. | Attempt login from domain admin account to standard user machine. | Deny login logs, group policy configuration. | GPO settings, WinEventLogs | Cybersecurity GRC | Quarterly | GPO policy prevents domain admins from accessing standard endpoints. Logs confirmed. | |
Restrict Admin Privileges | ML1-RA | ML1-RA-08 | ISM-0413 | User cannot elevate privilege from unprivileged session using tools like ‘runas’, RDP, or remote management. | Run tests using ‘runas’, RDP tools and remote admin tools from user accounts. | Privilege escalation logs, blocked actions, audit logs. | Runas, RDP, Local Group Policy | Cybersecurity GRC | Quarterly | ‘Runas’ and RDP elevation attempts blocked. Logs show failed escalation events. | |
Restrict Admin Privileges | ML1-RA | ML1-RA-09 | ISM-0420 | All administrative accounts are reviewed quarterly for relevance and activity. | Review access logs, AD membership, last login timestamps. | Admin account audit logs, usage review records. | AD Audit, Splunk | Cybersecurity GRC | Quarterly | Inactive admin accounts reviewed and deactivated. AD group membership updated. | |
Restrict Admin Privileges | ML1-RA | ML1-RA-10 | ISM-0421 | Admin accounts are separated from daily-use standard user accounts (no shared accounts). | Validate dual-identity enforcement and unique IDs for admin tasks. | User ID records, account naming policy, IAM reports. | IAM System, ADUC | Cybersecurity GRC | Quarterly | Admin IDs use +admin suffix. Dual identities verified across IAM and ADUC exports. | |
Office Macros
Control Area | Control ID | Test ID | ISM Control ID | Test Description | Audit Procedure | Evidence Required | Tools/Method Used | Responsible Team | Frequency | Findings/Comments | Evidence Location |
---|---|---|---|---|---|---|---|---|---|---|---|
Office Macros | ML1-OM | ML1-OM-01 | ISM-1710 | Microsoft Office macros are disabled for all users without a documented business requirement. | Run RSOP or review Group Policy settings; test macro execution on unapproved user accounts. | GPO config screenshots, test results, approved user list. | RSOP, GPMC, Office | Cybersecurity GRC | Quarterly | GPO restricts macro execution; unapproved user account blocked from running macro in Word. | \share\redback-evidence\ML1-OM-01-disabled.png |
Office Macros | ML1-OM | ML1-OM-02 | ISM-1710 | A record is maintained of users approved to run macros, which matches policy enforcement. | Compare macro-enabled group membership to access approval list. | Approval requests, group membership exports. | Active Directory, Confluence | Cybersecurity GRC | Quarterly | AD group matches Confluence approval table. No mismatches detected. | |
Office Macros | ML1-OM | ML1-OM-03 | ISM-1711 | Macros embedded in files downloaded from the internet are blocked by default. | Download Office files with macros and verify execution is blocked. | E8MVT output, file logs, macro execution error screenshots. | Office, GPO, E8MVT | Cybersecurity GRC | Quarterly | E8MVT flagged macro execution error for web-downloaded document. Policy working. | |
Office Macros | ML1-OM | ML1-OM-04 | ISM-1711 | Office is configured via Group Policy to block macros in internet-sourced files. | Review registry keys and GPO settings enforcing internet macro blocking. | Registry export, Group Policy screenshots. | RegEdit, GPMC | Cybersecurity GRC | Quarterly | MacroPolicy reg key value = 6 verified across Word, Excel, PowerPoint. | |
Office Macros | ML1-OM | ML1-OM-05 | ISM-1712 | Antivirus scans are triggered when Office macros are run. | Attempt to execute a macro with EICAR test string; check AV response. | AV logs, EICAR detection report, alerting configuration. | E8MVT, Windows Defender, McAfee | DevSecOps | Quarterly | EICAR macro detected. Alert raised and blocked by AV. | |
Office Macros | ML1-OM | ML1-OM-06 | ISM-1713 | AV engine detects and blocks known macro-based malicious payloads. | Inject known safe malicious pattern and confirm detection and alerting. | SIEM alerts, AV block logs. | AV Console, EICAR Macros | Cybersecurity GRC | Quarterly | EICAR test macro blocked. SIEM alert received and logged. | |
Office Macros | ML1-OM | ML1-OM-07 | ISM-1714 | Standard users are restricted from changing macro security settings in the Trust Center. | Attempt to modify Trust Center settings in Word, Excel, PowerPoint. | Screenshots of locked settings, GPO config. | Office Apps, GPMC | Cybersecurity GRC | Quarterly | Trust Center config greyed out for standard users. GPO confirmed locked state. | |
Office Macros | ML1-OM | ML1-OM-08 | ISM-1714 | All Office apps are configured consistently to enforce macro policy across Word, Excel, and PowerPoint. | Review registry or Group Policy enforcement across all Office components. | Consistency checks, registry snapshots. | Office Deployment Tool, RegEdit | Cybersecurity GRC | Quarterly | Registry export confirmed uniform settings across all Office apps. | |
Office Macros | ML1-OM | ML1-OM-09 | ISM-1715 | Updates to Office macro policy are documented, reviewed, and approved. | Inspect change management and policy versioning records. | Change logs, approval emails, version control history. | Confluence, SharePoint, GitHub | Cybersecurity GRC | Annually | Macro policy versioning tracked via GitHub; approvals in Confluence. | |
Office Macros | ML1-OM | ML1-OM-10 | ISM-1716 | Microsoft Office macro usage logs are retained for audit trail and incident investigation. | Verify log retention settings; ensure logs are centralized. | Sysmon logs, GPO logging configuration, centralized log exports. | SIEM, Event Viewer, Syslog Server | Cybersecurity GRC | Monthly | Log retention enabled; logs synced to central SIEM every 24h. | |
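
Worked example for ML1-OM-04 and ML1-OM-08, added here as illustration (not part of the workbook, and not a script from any tool listed in the Tools/Method column): a checker that reads a registry export of the Office user-policy Security keys and reports, per application, whether internet-sourced macros are blocked and whether the macro setting is at a disabling level, then whether Word, Excel and PowerPoint agree. The key paths `HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\<App>\Security` and the value names `blockcontentexecutionfrominternet` (1 = block) and `VBAWarnings` (4 = disable all without notification, 3 = disable all except digitally signed, 2 = disable with notification, 1 = enable all) are the real policy locations for Office 2016 and later; the values in the sample export are constructed, and treating VBAWarnings 3 or 4 as "compliant" is an assessor's threshold assumed for this example. A `reg export` file on disk is UTF-16 LE, so decode it before passing its text in.

```python
import re

# Constructed .reg export (the text you get after decoding a "reg export" file).
# Key paths and value names are the real Office policy locations; the values are made up.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"blockcontentexecutionfrominternet"=dword:00000001
"VBAWarnings"=dword:00000004

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"blockcontentexecutionfrominternet"=dword:00000001
"VBAWarnings"=dword:00000004

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security]
"blockcontentexecutionfrominternet"=dword:00000000
"VBAWarnings"=dword:00000002
"""

APPS = ("Word", "Excel", "PowerPoint")
SECURITY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\{}\Security"
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {key_path: {value_name_lowercase: int}} for the DWORD values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def check_macro_policy(text):
    """Evaluate ML1-OM-04 (internet macros blocked) and ML1-OM-08 (consistent across apps)."""
    keys = parse_reg(text)
    per_app = {}
    for app in APPS:
        values = keys.get(SECURITY_KEY.format(app), {})
        block = values.get("blockcontentexecutionfrominternet")
        vba = values.get("vbawarnings")
        per_app[app] = {
            "block_internet": block == 1,
            "vba_warnings": vba,
            # Assessor's threshold (assumption): internet block on AND macros disabled
            # (3 = signed only, 4 = disabled without notification).
            "compliant": block == 1 and vba in (3, 4),
        }
    # ML1-OM-08: every app carries the same pair of settings.
    consistent = len({(v["block_internet"], v["vba_warnings"]) for v in per_app.values()}) == 1
    compliant_apps = [a for a in APPS if per_app[a]["compliant"]]
    if len(compliant_apps) == len(APPS):
        status = "✅ Implemented"
    elif compliant_apps:
        status = "⚠️ Partially Implemented"
    else:
        status = "❌ Not Implemented"
    return {"apps": per_app, "consistent": consistent, "status": status}


if __name__ == "__main__":
    result = check_macro_policy(SAMPLE_REG)
    for app, v in result["apps"].items():
        print(f"{app:<11} block_internet={v['block_internet']} VBAWarnings={v['vba_warnings']} compliant={v['compliant']}")
    print("consistent:", result["consistent"], "status:", result["status"])
```

In the constructed export Word and Excel pass and PowerPoint does not (internet block off, macros only "disable with notification"), so the script reports the three apps as inconsistent and the control as Partially Implemented; the decoded export itself is the Evidence Required for the row.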
User App Hardening
Control Area | Control ID | Test ID | ISM Control ID | Test Description | Audit Procedure | Evidence Required | Tools/Method Used | Responsible Team | Frequency | Findings/Comments | Evidence Location |
---|---|---|---|---|---|---|---|---|---|---|---|
User App Hardening | ML1-AH | ML1-AH-01 | ISM-1701 | Web browsers do not process Java from internet-based websites. | Attempt to load Java content in Edge from known test sites. | Screenshot of blocked Java content, registry key verification. | Edge browser, RegEdit, test website | DevSecOps | Quarterly | Edge failed to load Java applet from test site. Registry setting confirmed. | \share\redback-evidence\ML1-AH-01-java-block.png |
User App Hardening | ML1-AH | ML1-AH-02 | ISM-1701 | Java content is disabled in Google Chrome. | Attempt Java content execution and verify result in Chrome. | Chrome plugin settings, screenshots, blocked content logs. | Chrome, test site, GPO | DevSecOps | Quarterly | Chrome plugin blocked Java by default. Screenshot shows blocked alert. | |
User App Hardening | ML1-AH | ML1-AH-03 | ISM-1701 | Java content is disabled in Mozilla Firefox. | Test Java plugin activation and loading behavior. | Firefox about:config, Java plugin settings. | Firefox browser, plugin audit | DevSecOps | Quarterly | Java plugin disabled in about:config. No prompt to run Java content. | |
User App Hardening | ML1-AH | ML1-AH-04 | ISM-1702 | Web ads from the internet are blocked in Microsoft Edge. | Load ad-heavy test page in Edge and inspect rendering. | Screenshots, ad-blocking extension configs, browser policy. | Edge, test pages, GPO settings | DevSecOps | Quarterly | Edge blocked banner and popup ads on test domain. Extension enabled. | |
User App Hardening | ML1-AH | ML1-AH-05 | ISM-1702 | Ads from the internet are blocked in Google Chrome. | Visit known ad sites in Chrome and validate ad blocking functionality. | Browser policy, plugin settings, screenshots. | Chrome, uBlock Origin, test domains | DevSecOps | Quarterly | uBlock enforced via GPO. Chrome blocked all ad scripts. | |
User App Hardening | ML1-AH | ML1-AH-06 | ISM-1702 | Web ads are blocked in Mozilla Firefox. | Test ad rendering in Firefox with/without plugin enabled. | AdBlock logs, Firefox settings, screenshots. | Firefox, plugin, GPO | DevSecOps | Quarterly | Firefox blocked inline and popup ads. Policy enforcement confirmed. | |
User App Hardening | ML1-AH | ML1-AH-07 | ISM-1703 | Internet Explorer 11 is unable to access internet sites or is removed. | Attempt to open external websites using IE11 and inspect firewall/proxy logs. | Screenshots, blocked network logs, registry settings. | Proxy logs, curl/IE header spoofing | DevSecOps | Quarterly | IE11 uninstalled via policy. Access blocked in logs and UI. | |
User App Hardening | ML1-AH | ML1-AH-08 | ISM-1704 | Standard users cannot modify security settings in Microsoft Edge. | Attempt to change Edge security settings and document access limitations. | Locked setting indicators, GPO evidence. | GPMC, Edge browser | Cybersecurity GRC | Quarterly | Settings grayed out in Edge; verified GPO lock applied. | |
User App Hardening | ML1-AH | ML1-AH-09 | ISM-1704 | Security settings in Google Chrome are managed and cannot be changed by standard users. | Attempt changes to Chrome proxy or security settings. | Screenshot of locked settings, policy verification. | Chrome Admin Console, GPO | Cybersecurity GRC | Quarterly | Chrome settings locked. Banner shows "managed by organization". | |
User App Hardening | ML1-AH | ML1-AH-10 | ISM-1704 | Mozilla Firefox security settings are centrally controlled and cannot be altered by users. | Try to change TLS/JavaScript/network settings as user; verify GPO enforcement. | About:config snapshot, policy enforcement logs. | Firefox Policy Templates, RegEdit | Cybersecurity GRC | Quarterly | about:config locked. Registry policy in place for browser security. | |
Regular Backups
Control Area | Control ID | Test ID | ISM Control ID | Test Description | Audit Procedure | Evidence Required | Tools/Method Used | Responsible Team | Frequency | Findings/Comments | Evidence Location |
---|---|---|---|---|---|---|---|---|---|---|---|
Regular Backups | ML1-RB | ML1-RB-01 | ISM-0455 | Identify and document important data, software, and configuration items in BCP for backup inclusion. | Review BCP and confirm data classification for backup. | Business Continuity Plan (BCP), asset register. | Confluence, Excel, Asset Manager | Cybersecurity GRC | Annually | BCP inventory reviewed; backup-relevant config and databases listed. | \share\redback-evidence\ML1-RB-01-bcp-assets.xlsx |
Regular Backups | ML1-RB | ML1-RB-02 | ISM-0456 | Important data and configuration settings are backed up per BCP frequency and retention policies. | Inspect backup logs and compare to policy schedule. | Backup job reports, retention policy, storage logs. | Veeam, GCP Snapshot, AWS Backup | DevSecOps | Weekly | Schedule aligned with policy. Logs show successful daily backup. | |
Regular Backups | ML1-RB | ML1-RB-03 | ISM-0457 | Backups are performed in a synchronised manner, enabling restoration to a common point in time. | Confirm snapshot coordination across systems. | Timestamps of snapshots, recovery point reports. | ZFS, RAID Logs, Cloud Sync Reports | DevSecOps | Weekly | All systems show synced snapshots within defined RPO. | |
Regular Backups | ML1-RB | ML1-RB-04 | ISM-0458 | Backups are stored securely and resiliently (e.g., encrypted, geographically separate). | Review encryption settings and storage redundancy mechanisms. | Encryption logs, offsite storage reports. | GCP, AWS S3, Backup Vaults | DevSecOps | Weekly | Offsite encryption enabled; S3 logs confirm cross-region replication. | |
Regular Backups | ML1-RB | ML1-RB-05 | ISM-0459 | Disaster recovery tests include restoration of data to confirm reliability. | Review DR test results and associated recovery reports. | Restoration logs, test reports, screenshots. | DR Runbooks, Simulated Restore Logs | Cybersecurity GRC | Quarterly | Test restore completed successfully. Screenshot attached. | |
Regular Backups | ML1-RB | ML1-RB-06 | ISM-0460 | Only authorised users can access backups; unprivileged users are restricted. | Attempt access using standard user account and verify access denial. | Access logs, file permission maps, IAM policy screenshots. | IAM Roles, ACLs, File Explorer | DevSecOps | Quarterly | Access denied for test user; IAM role confirmed. | |
Regular Backups | ML1-RB | ML1-RB-07 | ISM-0461 | Backups are immutable or protected against deletion/modification by unprivileged accounts. | Attempt deletion or modification from unprivileged account; confirm logs. | Audit logs, ACLs, storage-level controls. | Object Locking, WORM Policies | DevSecOps | Quarterly | Delete attempt logged and blocked. Immutable flag enforced. | |
Regular Backups | ML1-RB | ML1-RB-08 | ISM-0462 | Backup job failures are logged and promptly alerted to responsible personnel. | Review failure alerting mechanism and past alert logs. | Alert notification logs, escalation flowcharts. | SIEM, Opsgenie, PagerDuty | DevSecOps | Weekly | PagerDuty alert triggered on missed job. Resolved in under 2h. | |
Regular Backups | ML1-RB | ML1-RB-09 | ISM-0463 | Backup systems are regularly patched and updated to prevent exploitation of backup infrastructure. | Check patch levels, CVEs, and update history of backup systems. | Patch management reports, CVE summaries. | Nessus, GVM, Patch Logs | DevSecOps | Monthly | Nessus scan passed. All backup nodes patched this cycle. | |
Regular Backups | ML1-RB | ML1-RB-10 | ISM-0464 | Backup logs and access events are centrally stored and retained for investigation and forensics. | Verify central logging for backup infrastructure and access. | SIEM logs, syslog records, retention policy evidence. | Splunk, CloudWatch Logs, Graylog | Cybersecurity GRC | Monthly | Logs centralised in Splunk. Retention policy: 180 days. | |
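
Worked example for ML1-RB-02, ML1-RB-03 and ML1-RB-08, added here as illustration (not part of the workbook and not a report from any backup product named in the Tools/Method column): given a job history, it checks that every system has a successful backup inside the policy frequency, finds failures newer than the last success (which should have raised an alert), and measures how far apart the latest good snapshots are so the assessor can confirm a common restore point exists within the RPO. The CSV layout, system names, the 24-hour frequency, the 15-minute RPO and the assessment time are all assumptions constructed for this example.

```python
import csv
import io
from datetime import datetime, timedelta

TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed backup job history. Column and system names are assumptions for
# this example, not the report format of any backup product.
SAMPLE_JOBS = """
system,job_time,status
db-primary,2025-05-20T01:00:00Z,success
db-replica,2025-05-20T01:02:00Z,success
app-config,2025-05-20T01:05:00Z,success
file-share,2025-05-19T01:00:00Z,success
file-share,2025-05-20T01:00:00Z,failure
"""

# The same history without the lagging file-share system (header + first three rows).
SAMPLE_JOBS_OK = "\n".join(SAMPLE_JOBS.strip().splitlines()[:4])

# Time at which the assessor runs the check (constructed).
AS_OF = datetime.strptime("2025-05-20T09:00:00Z", TS)


def parse_jobs(text):
    """Read the CSV and attach a datetime under 'when'."""
    jobs = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        row["when"] = datetime.strptime(row["job_time"], TS)
        jobs.append(row)
    return jobs


def evaluate_backups(text, as_of=AS_OF, frequency=timedelta(hours=24), rpo=timedelta(minutes=15)):
    """Return stale systems, un-recovered failures, snapshot spread and a scoring status."""
    jobs = parse_jobs(text)
    systems = sorted({j["system"] for j in jobs})

    # Newest successful job per system.
    last_ok = {}
    for j in jobs:
        if j["status"] == "success" and j["when"] > last_ok.get(j["system"], datetime.min):
            last_ok[j["system"]] = j["when"]

    # ML1-RB-02: every system needs a successful backup inside the policy frequency.
    stale = [s for s in systems if s not in last_ok or as_of - last_ok[s] > frequency]

    # ML1-RB-08: failures newer than the last success should have been alerted and followed up.
    failed = [(j["system"], j["job_time"]) for j in jobs
              if j["status"] != "success" and j["when"] > last_ok.get(j["system"], datetime.min)]

    # ML1-RB-03: the latest good snapshots must sit inside the RPO to give a common
    # point in time; the oldest of them is the point every system can be restored to.
    if last_ok:
        oldest, newest = min(last_ok.values()), max(last_ok.values())
        spread_minutes = int((newest - oldest).total_seconds() // 60)
        restore_point = oldest.strftime(TS)
    else:
        spread_minutes, restore_point = None, None

    if not last_ok:
        status = "❌ Not Implemented"
    elif stale or failed or (newest - oldest) > rpo:
        status = "⚠️ Partially Implemented"
    else:
        status = "✅ Implemented"

    return {"stale_systems": stale, "failed_jobs": failed,
            "spread_minutes": spread_minutes, "common_restore_point": restore_point,
            "status": status}


if __name__ == "__main__":
    for label, data in (("with lagging file-share", SAMPLE_JOBS), ("healthy subset", SAMPLE_JOBS_OK)):
        print(label, evaluate_backups(data))
```

With the full sample the file-share system is 32 hours old and has an unresolved failure, the snapshot spread is a day and five minutes, and the status is Partially Implemented; on the healthy subset all three snapshots fall within five minutes and the status is Implemented. The job report and the computed restore point are what goes in the Evidence Location and Findings/Comments columns.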
Patch Operating Systems
Control Area | Control ID | Test ID | ISM Control ID | Test Description | Audit Procedure | Evidence Required | Tools/Method Used | Responsible Team | Frequency | Findings/Comments | Evidence Location |
---|---|---|---|---|---|---|---|---|---|---|---|
Patch Operating Systems | ML1-PO | ML1-PO-01 | ISM-1807 | An automated method of asset discovery is run and reviewed at least fortnightly. | Validate discovery tool schedule, logs, and exception handling. | Discovery logs, schedule screenshots, output files. | Qualys, Nessus, CMDB | DevSecOps | Fortnightly | CMDB updated via Nessus discovery every 14 days. Log verified. | \share\redback-evidence\ML1-PO-01-asset-discovery.pdf |
Patch Operating Systems | ML1-PO | ML1-PO-02 | ISM-1808 | Vulnerability scanner used has an up-to-date vulnerability database. | Check scanner config and verify update frequency. | Scanner version info, update logs. | Nessus, OpenVAS, GVM | DevSecOps | Daily | Update job runs daily. Version and CVE feed logs attached. | |
Patch Operating Systems | ML1-PO | ML1-PO-03 | ISM-1698 | Daily scans are performed on operating systems of internet-facing services. | Validate daily scan frequency; review issue triage and response logs. | Daily scan reports, incident tickets. | Nessus Pro, InsightVM | DevSecOps | Daily | Nightly scan targets public-facing IPs. SIEM logs confirm regular execution. | |
Patch Operating Systems | ML1-PO | ML1-PO-04 | ISM-1699 | Fortnightly scans are conducted for workstations, servers, and network devices. | Check scan history and review report completeness across all environments. | Full vulnerability scan report logs. | Qualys, GVM | DevSecOps | Fortnightly | Scan reports confirm coverage across servers, desktops, network gear. | |
Patch Operating Systems | ML1-PO | ML1-PO-05 | ISM-1876 | Exploited vulnerabilities on internet-facing OSs are patched or mitigated within 48 hours. | Compare known exploit CVE release vs. patch implementation time. | CVE timelines, patch logs, incident response summary. | CVE Tracker, Patch Management Tools | DevSecOps | As needed | CVE-2024-XXXX patched 34h after advisory. Logs validated. | |
Patch Operating Systems | ML1-PO | ML1-PO-06 | ISM-1876 | Vulnerabilities with known exploits older than 48 hours are not present in the environment. | Scan systems for open CVEs older than 48 hours and validate patch presence. | Vulnerability reports, scan logs, system patch status. | Nessus, GVM | DevSecOps | Weekly | Weekly scan confirms 0 open high-severity CVEs older than 48h. | |
Patch Operating Systems | ML1-PO | ML1-PO-07 | ISM-1690 | Vulnerabilities in internet-facing operating systems are patched within two weeks. | Compare OS patch levels to vendor release schedules. | Update history, vendor advisories. | OS Patch Logs, GCP/AWS Console | DevSecOps | Weekly | Patch timelines matched vendor release for all critical fixes. | |
Patch Operating Systems | ML1-PO | ML1-PO-08 | ISM-1691 | Workstation and server OS patches are applied within one month of release. | Match scan output with patch application dates; check backlog or exceptions. | Patch cycle report, dashboard exports. | WSUS, Linux YUM/APT Logs | DevSecOps | Monthly | All systems patched within 30-day window. No exceptions pending. | |
Patch Operating Systems | ML1-PO | ML1-PO-09 | ISM-1691 | No OS vulnerabilities older than one month exist in any production environment. | Run full authenticated vulnerability scan and compare to patch registry. | Vulnerability scan logs, remediation reports. | Qualys, Nessus | DevSecOps | Monthly | Scan logs confirm 0 critical vulnerabilities older than 30 days. | |
Patch Operating Systems | ML1-PO | ML1-PO-10 | ISM-1905 | Unsupported operating systems are replaced or removed from the environment. | Compare list of active systems with vendor lifecycle documentation. | System inventory, vendor EOL documentation. | CMDB, OS Scan Tools | DevSecOps | Quarterly | Legacy Windows 2012 decommissioned. CMDB updated. | |
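
Worked example covering the lag checks on both the Patch Applications tab (ML1-PA-05 to ML1-PA-09) and the Patch Operating Systems tab (ML1-PO-05 to ML1-PO-09), added here as illustration (not part of the workbook and not an export from any scanner or patch-management tool named in the Tools/Method column): it takes a tracker extract with the date a fix became available and the date it was applied, picks the remediation window the checklist sets for that class of vulnerability (48 hours for exploited vulnerabilities on internet-facing systems, two weeks for other internet-facing ones, one month for internal systems), and flags anything patched late or still open beyond its window. The CSV layout, the `CVE-EXAMPLE-nnnn` placeholder identifiers, the assessment date and the choice of 30 days as "one month" are assumptions constructed for this example.

```python
import csv
import io
from datetime import datetime, timedelta

TS = "%Y-%m-%dT%H:%M:%SZ"


def allowed_window(scope, exploited):
    """Remediation window per the checklist: 48h exploited + internet-facing,
    14 days other internet-facing, one month (assumed 30 days) internal."""
    if scope == "internet-facing" and exploited:
        return timedelta(hours=48)
    if scope == "internet-facing":
        return timedelta(days=14)
    return timedelta(days=30)


# Constructed tracker extract. CVE-EXAMPLE-nnnn are placeholders, not real identifiers;
# an empty 'remediated' field means the vulnerability is still open.
SAMPLE_VULNS = """
id,scope,exploited,available,remediated
CVE-EXAMPLE-0001,internet-facing,yes,2025-03-10T09:00:00Z,2025-03-11T15:00:00Z
CVE-EXAMPLE-0002,internet-facing,no,2025-03-12T00:00:00Z,2025-03-24T00:00:00Z
CVE-EXAMPLE-0003,internal,no,2025-03-01T00:00:00Z,
CVE-EXAMPLE-0004,internet-facing,yes,2025-04-13T00:00:00Z,
CVE-EXAMPLE-0005,internal,no,2025-04-01T00:00:00Z,2025-04-10T00:00:00Z
"""

# Date the assessor runs the check (constructed); open items are measured against it.
AS_OF = datetime.strptime("2025-04-15T12:00:00Z", TS)


def evaluate_patch_sla(text, as_of=AS_OF):
    """Compute lag against the allowed window for every record and a scoring status."""
    records = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        available = datetime.strptime(row["available"], TS)
        is_open = not row["remediated"]
        end = as_of if is_open else datetime.strptime(row["remediated"], TS)
        window = allowed_window(row["scope"], row["exploited"] == "yes")
        lag = end - available
        records.append({
            "id": row["id"],
            "scope": row["scope"],
            "open": is_open,
            "window_hours": int(window.total_seconds() // 3600),
            "lag_hours": int(lag.total_seconds() // 3600),
            "overdue": lag > window,
        })
    overdue = [r["id"] for r in records if r["overdue"]]
    if not overdue:
        status = "✅ Implemented"
    elif len(overdue) == len(records):
        status = "❌ Not Implemented"
    else:
        status = "⚠️ Partially Implemented"
    return {"records": records, "overdue": overdue, "status": status}


if __name__ == "__main__":
    result = evaluate_patch_sla(SAMPLE_VULNS)
    for r in result["records"]:
        state = "OPEN" if r["open"] else "patched"
        flag = "OVERDUE" if r["overdue"] else "ok"
        print(f"{r['id']}  {r['scope']:<15} {state:<8} lag {r['lag_hours']:>5}h / window {r['window_hours']:>4}h  {flag}")
    print("overdue:", result["overdue"], "status:", result["status"])
```

On the constructed data the first record matches the 30-hour finding on ML1-PA-05 and the second the 12 Mar to 24 Mar timeline on ML1-PA-07, both inside their windows; the two open items (an internal vulnerability at 45 days and an exploited internet-facing one at 60 hours) are overdue, so the tab scores Partially Implemented and those two identifiers go into Findings/Comments with the tracker extract as evidence.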