High Level Application controls

  1. Only a password hash may be stored. Are passwords stored in encrypted form? If so, the application has medium level security controls.
  2. User passwords may only be transmitted in encrypted form, as an encrypted hash, or as a password hash that has been combined with another value and hashed again.
  3. Does the application use two-factor authentication as a minimum? If not, the application has medium level security controls.
  4. Is sensitive data transmitted in the clear? If so, the application has medium level security; if it is transmitted in the clear over the internet, the application has low level security.
  5. Is stored data encrypted? If not, the application has medium level security.
  6. Are public-facing forms that write to a database or send email protected against automated submission? If not, the application has medium level security.
  7. Is one individual responsible for the security of the application? If so, who? If not, the application has medium level security.
  8. Is the database properly protected, with access limited to only those computers that need it? If not, the application has medium level security.
  9. Does the application support minimum complexity rules for user passwords that follow the organizational password policy? If not, the application has medium level security.