Vendor Audit Questionnaire

The following questionnaire should be completed as thoroughly as possible. When information cannot be provided, it should be noted why it cannot be provided. Information may be sanitized to protect the security and privacy of the audited organization, but it must be noted as such. Completion of this in an honest, accurate manner is more important than any single control, precaution, or procedure being in place. Not all controls are required; merely the knowledge of what is in place is required.

Security Management Practices

Security Policies
Please provide copies of your Corporate Security Policy and any other policies relating to information security: Acceptable Use Policy, Encryption Policy, Data Retention, Data Classification Policy, Certificate Policy, Audit Policy, Remote Access, etc.

Security Organization
Please provide a general outline of your security organization: number of dedicated full-time security professionals, number of shared resources, and reporting structure.

Procedures
Please provide a list of any documented procedures such as Certification Practice Statement, Standard Operating Procedures, Build Procedures, Incident Response Plan, Disaster Recovery Plan, etc.

Business Continuity Management

Availability
Please describe your power capacity, planning, and design.
Please describe the technology used to provide high availability in your environment and how and when it is used. Include the use of hot standby, cold spare, clustering, RAID, etc.

Disaster Recovery
Please provide an explanation of your DR plan, including, where applicable, hot-site and cold-site information, capacity, and timeframes.
How frequently do you run DR tests?

Data Retention
Do you have a data retention policy? Please provide it.
What storage mechanisms do you use for archival?
What methods do you use for destruction and spoliation?

Access Control
Access Control List
Which devices do you employ ACLs on? Please provide the ACLs for these devices.
Do you restrict physical access? How?
Do you restrict local / console access? How?

Firewall Technology and Rules
What firewalls are used?
How are these located within your network?
What rule sets are you using? Please provide your rule base.

Authentication Mechanisms
What authentication mechanisms do you use? Please provide a list of what types of authentication you use and when you use each type.
How do you handle account management? How is this enforced?

Encryption: VPN, SSL, S/MIME
On what communications do you employ encryption?
What algorithms do you employ and what key length?
What vendors do you use?

Physical and Environmental Security
How is physical security controlled at your facility? Is this done with a third party? If so, which one?
Please list environmental controls including: air handlers, fire suppression and detection systems, and environmental alerting systems.

Asset Classification and Control

Data Classifications and Handling
Do you have a defined data classification policy? Please describe.
Do you label and mark data with a sensitivity level? Please describe.
Do you have different handling procedures for more sensitive data? Please describe.

Data Storage and Co-location
How is your data storage managed?
Do you have separate storage for sensitive systems?
Do multiple customers/clients share physical hardware? Logical devices? Virtual devices?

Privacy Related Data Management
Do you classify, identify, and mark privacy related information?
Do you have a specific handling procedure for privacy related material?
Do you have a method for disclosure of security incidents that might include systems with privacy related information on them?
Asset Tracking
Do you track physical assets?
How do you identify these assets?
How do you maintain hardware inventory controls?

Incident Response and Management

Incident Response Plan
Do you have a developed incident response plan? Please describe.
How often do you test this plan?
Do you report incidents to any third-party locations (CERT, FBI, Secret Service, etc.)?
Do you maintain forensic investigators or forensic tools for in-house investigations of incidents?

Intrusion Detection: Alerts, Monitoring, Configuration, Location
Do you have in-house Network Intrusion Detection or Host Intrusion Detection? If so, please describe.
Do you subscribe to any services for bug or vulnerability notification?
Do you have a documented incident response plan? Please attach.
Do you monitor logs? How often are logs checked?
Are auditing logs maintained? How long? In what form/format?
Do you have an alerting system? Please describe. How are alerts transmitted? Do you use SNMP?

Service Level Agreements
What service levels do you maintain for outages, maintenance, and security related incidents? Please include times for notification, first contact response, and final resolution.

Antivirus

Procedures
What is your procedure for antivirus detection, response, and inoculation?

Locations
On what devices do you employ antivirus?
Which vendor(s) do you use for these?
How do you manage definition files?

General Technology

Database
Do you have a standardized database solution?
What is your database platform? What is your RDBMS?
How many systems do you maintain that are not standardized?
Do multiple customers / clients share databases?
Server OS
Do you have a standardized server OS? What is that OS?
How many systems do you maintain that are not standardized?
Do you have a standardized build and configuration baseline?

Server Hardware
Do you use a standardized hardware platform?
How many devices do you maintain that are not standardized?
Do multiple customers / clients share physical, logical, or virtual hardware?

Network Hardware
Do you have a standardized network hardware platform?
How many devices do you maintain that are not standardized?
Do you monitor network uptime and health? What systems do you use for this?
Do you have a centralized management system? What system do you use?

Web
What web server software do you use? What about application server?
Do you employ a multi-tier architecture? If so, please provide a diagram.
Do you employ a reverse proxy?
Do you use SSL?
Do you provide authenticated access? By what method?
What is your standard development environment and what tools do you use with it?
Do you have a standard web server build and configuration baseline?

Compliance, Law, and Investigation
Do you maintain compliance with any of the following? How do you maintain compliance with this standard? Please provide the results of the last audit for this standard.
o ISO Compliance
o CFR 21 part 11
o GLB
o HIPAA
o Sarbanes-Oxley
o SB1316

Audit and Assessment
Please provide any policies or methodologies used in the following audits. Please provide the interval at which you audit the following areas. Please provide the results of your last audits of these types. Do you use an independent 3rd party auditor? If so, who?
o Privacy
o Information Security
o Physical Security
o BCDR Audit
o Software Compliance

Third Party Agreements
Please list third party vendors, providers, and partners. Please include major maintenance agreements, major equipment leases, property leases, service providers, security monitoring, and any outsourced business functions.