Assessment DD
Technology due-diligence questions (CSV-driven).
Provide a high-level overview of the company's technology environment.
Describe the primary products, platforms, websites, and digital services operated.
Provide an organisational chart for Engineering/Development, IT Operations, and Security/Compliance.
How many employees are developers, IT administrators, security personnel, and contractors/freelancers?
Describe the software development lifecycle (SDLC).
What are the primary technology objectives over the next 24 months?
Provide details of all outsourced technology providers and managed service providers (MSPs).
Identify any key-person dependencies in engineering or IT operations.
Describe current technology budget allocation across infrastructure, SaaS, security, contractors, and development.
Describe the architecture of the company's websites and applications.
List all production environments and hosting providers.
Provide an inventory of websites, applications, APIs, CMS platforms, and mobile apps.
Which technologies/frameworks are used?
Are systems monolithic or microservices-based?
Describe database technologies in use.
Describe CDN and caching architecture.
Are environments segregated (development/staging/production)?
Are infrastructure resources cloud-native, hybrid, or on-premise?
Describe sprint/release methodology.
How frequently are releases deployed?
Is CI/CD implemented? If so, describe tooling and controls.
Are code reviews mandatory?
Describe branch management and version control practices.
Is automated testing implemented?
Provide test coverage metrics where available.
Are security checks integrated into the development pipeline?
Describe rollback and release recovery procedures.
Are coding standards formally documented?
Where is source code hosted?
Who owns the intellectual property for internally developed software?
Are any contractors involved in software development?
Are signed IP assignment agreements in place?
Identify any open-source software dependencies.
Describe the process for managing open-source vulnerabilities and licensing risks.
Are there any known technical debt concerns?
Are there undocumented or unsupported legacy systems?
What uptime SLAs exist?
Provide historical uptime/availability metrics for the past 24 months.
Describe monitoring and alerting capabilities.
How are traffic spikes handled?
Describe scalability testing performed.
Have there been any major outages in the past 24 months?
Provide details of any Sev-1 or customer-impacting incidents.
Provide a full inventory of servers, end-user devices, network equipment, and cloud services.
Describe the network architecture.
What cloud providers are used?
Are there any on-premise data centres?
Describe remote access infrastructure.
Describe Wi-Fi segmentation and guest network controls.
Is infrastructure documented and regularly updated?
What identity provider(s) are used?
Is single sign-on (SSO) implemented?
Is multi-factor authentication (MFA) enforced?
Describe joiner/mover/leaver processes.
How are privileged accounts managed?
Are shared accounts used?
How frequently are access reviews conducted?
Describe password policy enforcement.
Are admin accounts separated from standard user accounts?
What endpoint management platform is used?
Are devices centrally managed?
Is full-disk encryption enforced?
Describe patch management processes.
What is the average patch deployment timeframe?
Are endpoint detection and response (EDR) tools deployed?
Are BYOD devices permitted?
Describe mobile device management (MDM) controls.
How are lost/stolen devices handled?
Describe the IT service desk structure.
What ticketing system is used?
Describe change management procedures.
Is there a formal asset lifecycle management process?
Describe backup procedures and retention policies.
How often are restores tested?
What are the RPO and RTO targets?
Describe disaster recovery arrangements.
Has disaster recovery been formally tested?
Provide copies of information security policies, acceptable use policies, incident response plans, and business continuity plans.
Who is accountable for cybersecurity?
Does the company maintain a security committee or governance forum?
What security frameworks are followed?
Is there a formal risk register?
Are cyber risks reported to the board?
Describe perimeter security controls.
Is network segmentation implemented?
Are firewalls centrally managed?
Is SIEM or centralised logging deployed?
Describe vulnerability management processes.
How frequently are vulnerability scans conducted?
Are penetration tests performed annually?
Provide summaries of the last penetration test, vulnerability assessment, and security audit.
Describe email security protections.
Are phishing simulations conducted?
Is DNS/web filtering implemented?
Describe DLP controls.
Is privileged access monitored and logged?
Describe encryption standards for data at rest and in transit.
Describe the incident response process.
Has the company experienced any cybersecurity incidents in the last 5 years?
Provide details of ransomware events, data breaches, business email compromise, or service disruptions.
Were any incidents reported to the ICO?
Were customers or partners notified?
What lessons learned activities were completed?
Is mandatory security awareness training conducted?
How frequently is training refreshed?
Are developers provided with secure coding training?
Are privileged users subject to enhanced controls/training?
Describe the company's GDPR compliance programme.
Who is the Data Protection Officer (DPO)?
What categories of personal data are processed?
Are special category data processed?
Describe lawful bases for processing.
Provide records of processing activities (RoPA).
Describe consent management processes.
Describe cookie compliance practices.
Are DPIAs conducted?
Describe data retention and deletion policies.
Are international data transfers performed?
What third parties process personal data?
Are DPAs in place with all processors?
Has the company received any ICO complaints or investigations?
Describe subject access request (SAR) handling processes.
Describe data breach notification procedures.
Provide a complete list of SaaS platforms, hosting providers, managed services, and security vendors.
Which systems are considered business critical?
Describe vendor due diligence procedures.
Are security reviews performed before onboarding vendors?
Are vendor SLAs formally monitored?
Describe dependency risks relating to key vendors.
Are subcontractors used by critical vendors?
Are vendors contractually required to notify the company of breaches?
Describe offboarding procedures for terminated vendors.
Describe the digital publishing workflow.
What CMS platforms are used?
How are editorial permissions managed?
Describe media asset storage architecture.
Is DRM or content protection implemented?
Describe video/audio transcoding infrastructure.
How are large media files transferred securely?
Describe advertising technology integrations.
Are audience analytics platforms integrated?
Describe controls around sponsored content and ad tech security.
Are there risks associated with third-party scripts or plugins?
Describe moderation processes for user-generated content.
Identify any major planned infrastructure investments.
Describe all material recurring software licensing costs.
Are any critical licences nearing expiration?
Are there unsupported/end-of-life systems in production?
What percentage of infrastructure spend is variable vs fixed?
Describe cloud cost management processes.
Are there material vendor lock-in risks?
Identify any pending litigation or disputes involving technology or IP.
Are ads scanned pre-bid and pre-render for malvertising?
Does bidstream include user IDs, precise location, or device fingerprints?
Which DSPs and SSPs are integrated? Are they vetted?
Can you trace a malicious ad back to the buying source?
What brand safety blocks are in place (keywords, categories, content adjacency)?
How is user-generated content scanned pre-publish (image, video, text)?
Is hash-based detection (e.g., PhotoDNA, PDQ) used for CSAM or terrorist content?
What is the median time for illegal content removal?
What tools do human moderators use? Are actions logged?
What wellbeing support is provided to content moderators?
What is the user appeals process for content takedown?
How are law enforcement requests (e.g., National Center for Missing & Exploited Children) handled?
How is video packaged and encrypted (HLS, DASH, Clear Key, Widevine)?
How often are encryption keys rotated? Where are keys stored?
Is the video player hardened against screen capture or stream ripping?
Can a specific video be purged from all CDN edges in <5 minutes?
Are transcoding jobs isolated per tenant/user?
Is forensic watermarking used for leaked content?
What is the account takeover rate over the last 12 months? How is it detected?
Are login velocity, geovelocity, and device fingerprinting enforced?
What protections exist against credential stuffing attacks?
What signals detect bot/sybil account creation?
What is the account recovery process? Is it vulnerable to social engineering?
Is MFA offered to end users? Is it enforced for high-risk accounts?
Are API rate limits per key, per IP, and per endpoint?
How is large-scale scraping detected and mitigated?
How is fake like/follow/share/friend activity detected?
How are coordinated inauthentic behaviour networks detected?
What spam detection is applied to comments, DMs, and posts?
What user reporting mechanisms exist for abusive content?
How are recommendations generated? What data is used?
Where does training data come from? Is it versioned and integrity-checked?
What protections exist against feedback loop poisoning?
Can you explain why a specific post was recommended to a user?
Are models tested for demographic or content bias?
What user profiles exist? Is profiling minimised?
What is the process when an ad runs next to banned content?
What is the process for a leak of internal comms or influencer platform data?
What customer-facing comms template exists for major outages?
Who is notified internally for ICO/Ofcom/FTC inquiries?
Please provide network diagrams.
Please provide infrastructure architecture diagrams.
Please provide the asset inventory.
Please provide security policies.
Please provide DR/BCP documentation.
Please provide penetration test reports.
Please provide vulnerability assessment reports.
Please provide SOC reports/certifications.
Please provide GDPR documentation.
Please provide incident logs.
Please provide uptime reports.
Please provide cloud architecture diagrams.
Please provide the vendor list.
Please provide the software licence inventory.
Please provide SDLC documentation.
Please provide the access control matrix.
Please provide change management policies.
Please provide backup and restore test evidence.
Please provide cyber insurance documentation.