How to use this worksheet
Use this as a meeting agenda. It is not a substitute for an assessment, but it can reveal weak or unsupported answers. Keep answers factual. If a question affects a contract, legal duty, official program submission, or customer representation, verify it before relying on it.
1. Scope and responsibility
- Which systems do you manage?
- Which systems do you not manage?
- Who approves access changes?
- Who documents exceptions?
- What services are included in our agreement?
2. Identity and access
- Is multifactor authentication enabled where it matters?
- Are administrator accounts separate and limited?
- How are users removed when they leave?
- Are shared links reviewed?
- Are customer portals included?
3. Logs and response
- What activity records are available?
- How long are logs kept?
- Who reviews alerts?
- What happens after a suspected compromise?
- How would you help preserve evidence?
4. Claims and limits
- Will you put your technical answers in writing?
- Will you avoid official compliance claims unless qualified?
- Can you identify which answers require legal, contract, or assessment review?
- What would cost extra to implement?
Suggested output
After completing this worksheet, create a dated internal note listing open questions, documents to verify, people to involve, and decisions that should not be made without qualified review.
Official sources to verify
Use these official sources for current requirements. This page is educational and may not reflect every contract-specific detail.