Vendor Audit Questionnaire



The following questionnaire should be completed as thoroughly as possible. When information cannot be provided, it should be noted why it cannot be provided. Information may be sanitized to protect the security and privacy of the audited organization, but it must be noted as such. Completion of this in an honest, accurate manner is more important than any single control, precaution, or procedure being in place. Not all controls are required; merely the knowledge of what is in place is required.

Security Management Practices

Security Policies
Please provide copies of your Corporate Security Policy and any other policies relating to information security: Acceptable Use Policy, Encryption Policy, Data Retention, Data Classification Policy, Certificate Policy, Audit Policy, Remote Access, etc.

Security Organization
Please provide a general outline of your security organization: number of dedicated full-time security professionals, number of shared resources, and reporting structure.

Procedures
Please provide a list of any documented procedures such as Certification Practice Statement, Standard Operating Procedures, Build Procedures, Incident Response Plan, Disaster Recovery Plan, etc.

Business Continuity Management

Availability
Please describe your power capacity, planning, and design. Please describe the technology used to provide high availability in your environment and how and when it is used. Include the use of hot standby, cold spare, clustering, RAID, etc.

Disaster Recovery
Please provide an explanation of your DR plan, including, where applicable, hot-site and cold-site information, capacity, and timeframes. How frequently do you run DR tests?

Data Retention
Do you have a data retention policy? Please provide it. What storage mechanisms do you use for archival? What methods do you use for destruction and spoliation?

Access Control

Access Control List
Which devices do you employ ACLs on? Please provide the ACLs for these devices. Do you restrict physical access? How? Do you restrict local / console access? How?

Firewall Technology and Rules
What firewalls are used? How are these located within your network? What rule sets are you using? Please provide your rule base.

Authentication Mechanisms
What authentication mechanisms do you use? Please provide a list of what types of authentication you use and when you use each type. How do you handle account management? How is this enforced?

Encryption: VPN, SSL, S/MIME
On what communications do you employ encryption? What algorithms do you employ and what key length? What vendors do you use?

Physical and Environmental Security
How is physical security controlled at your facility? Is this done with a third party? If so, which one? Please list environmental controls including: air handlers, fire suppression and detection systems, and environmental alerting systems.

Asset Classification and Control

Data Classifications and Handling
Do you have a defined data classification policy? Please describe. Do you label and mark data with a sensitivity level? Please describe. Do you have different handling procedures for more sensitive data? Please describe.

Data Storage and Co-location
How is your data storage managed? Do you have separate storage for sensitive systems? Do multiple customers/clients share physical hardware? Logical devices? Virtual devices?

Privacy Related Data Management
Do you classify, identify and mark privacy related information? Do you have a specific handling procedure for privacy related material? Do you have a method for disclosure of security incidents that might include systems with privacy related information on them?

Asset Tracking
Do you track physical assets? How do you identify these assets? How do you maintain hardware inventory controls?

Incident Response and Management

Incident Response Plan
Do you have a developed incident response plan? Please describe. How often do you test this plan? Do you report incidents to any third-party organizations (CERT, FBI, Secret Service, etc.)? Do you maintain forensic investigators or forensic tools for in-house investigations of incidents?

Intrusion Detection: Alerts, Monitoring, Configuration, Location
Do you have in-house Network Intrusion Detection or Host Intrusion Detection? If so, please describe. Do you subscribe to any services for bug or vulnerability notification? Do you have a documented incident response plan? Please attach. Do you monitor logs? How often are logs checked? Are audit logs maintained? For how long? In what form/format? Do you have an alerting system? Please describe. How are alerts transmitted? Do you use SNMP?

Service Level Agreements
What service levels do you maintain for outages, maintenance, and security related incidents? Please include times for notification, first contact response, and final resolution.

Antivirus

Procedures
What is your procedure for antivirus detection, response, and inoculation?

Locations
On what devices do you employ antivirus? Which vendor(s) do you use for these? How do you manage definition files?

General Technology

Database
Do you have a standardized database solution? What is your database platform? What is your RDBMS? How many systems do you maintain that are not standardized? Do multiple customers / clients share databases?

Server OS
Do you have a standardized server OS? What is that OS? How many systems do you maintain that are not standardized? Do you have a standardized build and configuration baseline?

Server Hardware
Do you use a standardized hardware platform? How many devices do you maintain that are not standardized? Do multiple customers / clients share physical, logical, or virtual hardware?

Network Hardware
Do you have a standardized network hardware platform? How many devices do you maintain that are not standardized? Do you monitor network uptime and health? What systems do you use for this? Do you have a centralized management system? What system do you use?

Web
What web server software do you use? What about application server? Do you employ a multi-tier architecture? If so, please provide a diagram. Do you employ a reverse proxy? Do you use SSL? Do you provide authenticated access? By what method? What is your standard development environment and what tools do you use with it? Do you have a standard web server build and configuration baseline?

Compliance, Law, and Investigation
Do you maintain compliance with any of the following? How do you maintain compliance with this standard? Please provide the results of the last audit for this standard.
o ISO Compliance
o CFR 21 Part 11
o GLB
o HIPAA
o Sarbanes-Oxley
o SB1316

Audit and Assessment
Please provide any policies or methodologies used in the following audits. Please provide the interval at which you audit the following areas. Please provide the results of your last audits of these types. Do you use an independent 3rd party auditor? If so, who?
o Privacy
o Information Security
o Physical Security
o BCDR Audit
o Software Compliance

Third Party Agreements
Please list third party vendors, providers, and partners; include major maintenance agreements, major equipment leases, property leases, service providers, security monitoring, and any outsourced business functions.