APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST



Similar documents
Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire

Client Security Risk Assessment Questionnaire

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Supplier Information Security Addendum for GE Restricted Data

University of Pittsburgh Security Assessment Questionnaire (v1.5)

IBX Business Network Platform Information Security Controls Document Classification [Public]

BMC s Security Strategy for ITSM in the SaaS Environment

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

PCI Requirements Coverage Summary Table

Small Business IT Risk Assessment

Projectplace: A Secure Project Collaboration Solution

Hong Kong Baptist University

PCI Requirements Coverage Summary Table

SECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our

Security Threat Risk Assessment: the final key piece of the PIA puzzle

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Cybersecurity Health Check At A Glance

Becoming PCI Compliant

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Vendor Audit Questionnaire

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

Supplier Security Assessment Questionnaire

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Security from a customer s perspective. Halogen s approach to security

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

by New Media Solutions 37 Walnut Street Wellesley, MA p f Avitage IT Infrastructure Security Document

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

Introduction to Cyber Security / Information Security

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

CloudCheck Compliance Certification Program

Security Controls What Works. Southside Virginia Community College: Security Awareness

Vendor Questionnaire

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)?

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Securing the Service Desk in the Cloud

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

SUPPLIER SECURITY STANDARD

SysAid IT On-Demand Architecture Including Security and Disaster Recovery Plan

Josiah Wilkinson Internal Security Assessor. Nationwide

State of Texas. TEX-AN Next Generation. NNI Plan

CHIS, Inc. Privacy General Guidelines

Security Policy for External Customers

Retention & Destruction

A Rackspace White Paper Spring 2010

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

GE Measurement & Control. Cyber Security for NEI 08-09

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI DSS Requirements - Security Controls and Processes

A Decision Maker s Guide to Securing an IT Infrastructure

Georgia Institute of Technology Data Protection Safeguards Version: 2.0

Secure, Scalable and Reliable Cloud Analytics from FusionOps

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

PCI Compliance. Top 10 Questions & Answers

CONTENTS. PCI DSS Compliance Guide

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

General Computer Controls

SRA International Managed Information Systems Internal Audit Report

Birst Security and Reliability

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

Network and Security Controls

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

BKDconnect Security Overview

Security Controls for the Autodesk 360 Managed Services

Overcoming PCI Compliance Challenges

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

How To Protect Your Data From Being Stolen

Autodesk PLM 360 Security Whitepaper

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Security + Certification (ITSY 1076) Syllabus

Enterprise level security, the Huddle way.

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

Alliance Key Manager Cloud HSM Frequently Asked Questions

PCI Compliance Top 10 Questions and Answers

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Frequently Asked Questions

Transcription:

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data that will be 1) stored on the application server at the Vendor site, and 2) that will be transmitted between the application and the. Also include information on the user authentication process. Details on How Vendor Meets Mitigate This Risk 16.3.4 The Vendor has a written Disaster Recovery Plan that offers a viable approach to restoring operations following an emergency situation. 16.3.4a The Vendor site has adequate, redundant physical and/or logical network connectivity to ensure continued operations following a network failure.

Details on How Vendor Meets 16.3.4b The Vendor performs system/application database backups on a schedule that is consistent with the importance of the application. 16.3.4b 16.3.4c 16.3.4d Backup media are treated with a level of security commensurate with the classification level of the data they contain. Vendor servers are closely monitored for both performance and availability. The Vendor is willing to sign a Service level Agreement (SLA) that is consistent with the importance of the application to the. 16.3.5 The Vendor has a formal, written Security, and is willing to provide a copy of this policy to the on request.

16.3.5a If users access the application directly on the Vendor server, user authentication involves more than a simple User ID/password combination, such as one-time password technology. Details on How Vendor Meets 16.3.5b Once granted access, Users are limited to authorized activities only; i.e., customers are prevented from accessing either applications or data that belong to other customers. 16.3.5c Vendor network connectivity is protected by firewalls, intrusion detection/ prevention systems, etc. designed to protect against attack. 16.3.5d 16.3.5d The equipment hosting the Department s application is located in a physically secure facility that employs access control measures, such as badges, card key access, or keypad entry systems. Vendor servers are kept in locked areas/cages that limit access to authorized personnel.

16.3.5e Vendor staff is bonded, and/or have been subjected to background checks. Details on How Vendor Meets 16.3.5f 16.3.5f Vendor servers are hardened against attack and operating system and security-related software patches are applied regularly. Commercially available antivirus software is used on the servers, and is maintained in a current state with all updates. 16.3.5g Vendor servers are monitored on a continuous basis, and logs are kept of all activity. 16.3.5g, 16.3.5h, 16.3.5i The Vendor is willing to report security breaches and/or security issues to the. 16.3.5h The Vendor conducts regular vulnerability assessments, using viable third-party organizations, designed to assess both the Vendor s network infrastructure and the individual servers that host

16.3.5h applications. The Vendor implements fixes to correct vulnerabilities discovered during security audits. Details on How Vendor Meets Measures That 16.3.5i The Vendor has a formal, written Incident Response Plan. (Desirable) The network infrastructure hosting the Department application is airgapped from any other network or customer that the Vendor may have. This means that in an ideal situation, the application environment used by the uses a separate, dedicated server and a separate network infrastructure. Identify the APIs that may be part of the solution, and indicate industry standards or best practices employed to ensure security of the data and the integration (e.g., web services, directory services, XML, scripting, etc.) What application security standards, if any, are followed? (e.g., OASIS, WC3, etc.).

Ref. # Details on How Vendor Meets If the application processes credit card information, has the application been certified as PCI compliant? Include information on the level of compliance (e.g., Merchant Level 2) and how the application has been certified. 13.0, Encryption Data in motion, including user authentication information and credentials, are encrypted. 13.0, Encryption Data at rest (stored on the application server), including user authentication information and credentials, are encrypted. 13.0, Encryption Encryption or hashing algorithms utilized by the Vendor application infrastructure use standard algorithms that have been published and evaluated by the general cryptographic community. The Vendor is willing to permit on-site visits by staff in order to

evaluate security measures in place. Details on How Vendor Meets If the Vendor will be connecting to the via a private connection (such as a dedicated T1 circuit), the Vendor agrees that the circuit will terminate on the s extranet, and operation of the circuit will fall within the policies related to network connections from non- entities. If access to the application uses the Internet, data traffic between the and the Vendor is protected through the implementation of SSL- VPN or equivalent technology. CIO s Office Approval:

Title: Date:

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information