Name: Position held: Company Name: Is your organisation ISO27001 accredited:



Similar documents
Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Data Access Request Service

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Service Children s Education

Supplier Information Security Addendum for GE Restricted Data

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Client Security Risk Assessment Questionnaire

Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy. Computer Security Policy

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Small Business IT Risk Assessment

ULH-IM&T-ISP06. Information Governance Board

Policy Document. Communications and Operation Management Policy

U06 IT Infrastructure Policy

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Supplier Security Assessment Questionnaire

IT Security Standard: Computing Devices

Intel Enhanced Data Security Assessment Form

HIPAA Security Alert

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IBX Business Network Platform Information Security Controls Document Classification [Public]

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Payment Card Industry Self-Assessment Questionnaire

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Cyber Self Assessment

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Network Security Policy

PCI Data Security and Classification Standards Summary

TECHNICAL SECURITY AND DATA BACKUP POLICY

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Newcastle University Information Security Procedures Version 3

Fortinet Solutions for Compliance Requirements

How To Audit Health And Care Professions Council Security Arrangements

United States Trustee Program s Wireless LAN Security Checklist

INCIDENT RESPONSE CHECKLIST

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

BKDconnect Security Overview

OCR LEVEL 3 CAMBRIDGE TECHNICAL

Introduction to Cyber Security / Information Security

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

Best Practices For Department Server and Enterprise System Checklist

How To Protect Decd Information From Harm

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Protection of Computer Data and Software

External Supplier Control Requirements

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Making the leap to the cloud: IS my data private and secure?

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

A practical guide to IT security

HIPAA Information Security Overview

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Hengtian Information Security White Paper

Data Management Policies. Sage ERP Online

Qualification Specification. Level 4 Certificate in Cyber Security and Intrusion For Business

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone:

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Web Site Download Carol Johnston

Project Title slide Project: PCI. Are You At Risk?

H.I.P.A.A. Compliance Made Easy Products and Services

Policies and Procedures

Georgia Institute of Technology Data Protection Safeguards Version: 2.0

Security Controls What Works. Southside Virginia Community College: Security Awareness

ACE Advantage PRIVACY & NETWORK SECURITY

Information security controls. Briefing for clients on Experian information security controls

DHHS Information Technology (IT) Access Control Standard

Gatekeeper PKI Framework. February Registration Authority Operations Manual Review Criteria

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

University of Liverpool

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Computer Security Policy (Interim)

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

PCI DSS Requirements - Security Controls and Processes

Standard Information Communications Technology. Multifunction Device. January 2013 Version 2.2. Department of Corporate and Information Services

A Rackspace White Paper Spring 2010

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Silent Safety: Best Practices for Protecting the Affluent

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

ICANWK406A Install, configure and test network security

Transcription:

Third Party Information Security Questionnaire This questionnaire is to be completed by the system administrator and by the third party hosting company if a separate company is used. Name: Position held: Company Name: Is your organisation ISO27001 accredited: If yes please provide a copy of your current certificate 1. What Information Security training is given to employees, relevant contractors and third party users? 2. What security checks are made on employees prior to commencement of employment?

3. What Information Security policies do you have in place? Please provide copies, and confirm whether your users are required to sign an Acceptable Use declaration. 4. What is your company policy for password formation in respect of the following and how is it enforced? 1) Password minimum length/complexity 2) Password change interval 3) Password history 4) Account lockout (after invalid password entries) Is a screen lock enforced after a set amount of user inactivity? 5. What disaster recovery and business continuity policies and procedures do you have in place? Please provide copies.

6. What is the process for notifying customers if their data has been compromised? 7. What are your company s backup procedures including frequency of the backups, the retention schedule and the storage location of backup media? 8. What hardware based firewalls do you have in situ protecting your internal network? 9. What network Intrusion Detection or Intrusion Prevention Systems do you have installed?

10. What is the process for applying OS and Software security updates to your company s PCs and Servers? Please state if updates and patches are tested before being applied. Is the process documented? 11. What process and procedures are applied to remove unnecessary services from running automatically on operating systems? 12. Are all pre-installed system account passwords changed from their defaults on your internal systems? 13. What Anti-Virus solution(s) do you have installed on your servers, filers and desktops? What is your policy for the application of updates?

14. What personal firewalls do you have installed on your company s devices? 15. What email anti-virus solution(s) do you have at the gateway and on the email servers? 16. Do you commission penetration testing on your organisation s networks and ICT systems? What is the frequency of the testing? Is the testing carried out by independent CLAS,CHECK or CREST accredited testing providers? 17. What SSL/TLS encryption is used to protect data in transit?

18. What methods are used if data needs to be transferred physically? How is the data secured in transit? 19. If wireless connectivity is deployed within your network what wireless security mechanisms do you have in place? 20. What is your policy for the use of laptops and other mobile devices? Please include the security mechanisms applied e.g. encryption and two factor authentication. 21. What is your policy for the use of removable media such as memory sticks and CD/DVDs? Please include the security mechanisms in place such as encryption

22. Please detail the physical security implemented at your data centres. Information to include: 1) Manned guarding 2) Electronic Surveillance 3) Intruder Detection Systems 4) Access Control Systems 5) Recording of access 6) Locks on windows, cabinets and doors. 23. Please detail the specification of servers used for hosting customer services or processing customer data including the encryption in place. 24. What technical and organisational measures do you use to restrict and regulate your employee s access to customer s data?

25. Is there auditing of your employee s access to customer s information systems? If so what is audited? E.g. changes made, failed access attempts etc. 26. If there is auditing in place what is the retention schedule for the audit logs? 27. What is your policy for the secure disposal of hardware and media containing customer data (e.g. back-ups, print outs, tapes etc.)? 28. Where subcontractors provide any service as part of the ICT solution, the provisions in place with the subcontractor(s) ensure that the same levels of protection can be guaranteed in regard to data security.

Section 2: Personal Data security questions The following questions are for systems that will process and/or store personal data. 29. Please give details of your data protection infrastructure (including any policies and procedures) 30. Who is the person within your company responsible for data protection? 31. Please give your ICO Registration Number. 32. What training do your employees receive in data protection and confidentiality?

33. Please provide evidence that a breach of the data protection act is a disciplinary offence within your organisation (e.g. condition of contract etc.). 34. Are any of the servers that will be used to host university data located outside of the EEA? If so where are they located? If they are outside of the EEA please detail any agreements that are in place. 35. If Sub Contractors are to be used what mechanisms will be in place to ensure that the same levels of protection can be guaranteed where the subcontractor has access to personal or sensitive data?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information