Critical Asset Review


1. Infra

1.1. Network

1.1.1. DDoS

1.1.1.1. Cloud Based or local appliance

1.1.2. WAF

1.1.2.1. Disk encryption

1.2. Storage

1.3. Server/VM

1.3.1. MFA

1.3.2. Supported OS

1.3.2.1. Linux OS Version

1.3.2.2. Windows OS version

1.3.3. IPs/Network Zones

1.3.4. Segregation of Dev and Prod servers

1.3.4.1. Firewall segregation

1.3.4.2. VLAN segregation

1.3.5. Virtual or Physical

2. Application

2.1. Client layer

2.1.1. Access Control

2.1.1.1. Any MFA?

2.1.1.1.1. Token management process

2.1.1.2. Password policy (RM will lead)

2.1.2. Encryption

2.1.2.1. SSL/TLS ciphers

2.2. Application layer

2.2.1. Tiering

2.2.1.1. 2 tiers

2.2.1.1.1. Web server in DMZ?

2.2.1.2. 3 tiers

2.2.1.2.1. Is the DB in a secure zone?

2.2.1.2.2. Web server in DMZ?

2.2.2. Privileged account control process (work with RM)

2.2.3. HTTPS

2.2.3.1. CA

2.2.3.1.1. Registration process

2.2.3.1.2. Deregistration process

2.2.3.1.3. Maintenance process

2.2.3.2. Mutual Authentication

2.2.3.2.1. Key generation

2.2.3.2.2. Key distribution

2.2.3.2.3. Key validity period

2.2.3.3. Certificate Management process

2.2.4. Web

2.2.4.1. Has it been pen tested before?

2.3. Database

2.3.1. Encryption

2.3.1.1. Master key rotation period

2.3.1.2. Masking

2.3.2. DB monitoring

2.3.2.1. SQL injection

2.3.2.2. Massive data download

2.3.2.3. Tools used

3. Third Party Review

3.1. Work with RM for Architecture review

3.2. Cloud Assessment Questionnaire if needed

3.3. Site-to-site VPN

3.3.1. Encryption standard

3.3.1.1. Phase 1 (IKE)

3.3.1.2. Phase 2 (IPsec)

3.4. MPLS

3.4.1. Firewall rules

4. Cloud

4.1. PaaS and SaaS

4.1.1. Connectivity between Sony and Cloud

4.1.2. Data encryption in transit

4.1.3. Other assessments (led by RM)

4.2. SSL VPN

4.2.1. Policy and firewall details

4.2.2. Token management process

4.3. IaaS

4.3.1. Cloud questionnaire