| No | Check |
|---|---|
| 1 | Are there any known vulnerabilities, and are all CVEs with a score above 4.0 patched? |
| 2 | Is there a link on the website for patch releases, and how do we ensure the latest security patches are applied, wherever applicable? |
| 3 | Is there a defined vulnerability discovery mechanism? |
| 4 | Are there criteria defined for releasing a security patch? |
| 5 | Is there a defined timeline from vulnerability discovery to patch roll-out? |
| 6 | Is internet access required? If yes, for which ports is access required? (e.g. FTP, SSH/SFTP, Telnet, SMTP, DNS, Win Shares, RDP) |
| 7 | All security settings recommended by the vendor shall be applied (hardening) |
| 8 | Are there any AV, patch, USB or other exceptions on the system where this is to be installed? |
| 9 | What are the privileges required for using/running the file? |
| 10 | If ports need to be opened to extranet systems, the associated vulnerabilities shall be assessed and remediated |
| 11 | Is there a process for patch deployment at remote locations? |