HC3 Draft Cloud Security Assessment


Respondent Contact Information

First Name: Grant
Last Name: Elliott
Company: Ostendio
Company Address: Ostendio
Email: gelliott@ostendio.com
Date: 01/27/2015

Information about your solution

2.1) How do users access your solution?
  - Website
  - Mobile Web
  - Mobile Application (iPhone/iPad/Android)
  - Text Messaging (SMS)
  - Interactive Voice Response (IVR)
  - Other
2.2) Does your solution support Single Sign On (SSO)?
2.3) What type of Single Sign On (SSO) does your solution support?
  - Microsoft (Active Directory)
  - Auth0
  - Kerberos
  - Red Hat
  - Other
2.4) Does your application allow login from Google, Facebook, or any other social media site?
2.5) What third party social media is login supported from?
  - Facebook
  - Google
  - LinkedIn
  - Other
2.6) Does your solution allow access using third party APIs?
2.7) Please provide information for all locations (including backup locations) that may store or have access to sensitive data.

Owned and operated data center (on site operated data center)

A) Is the facility located within the US?
B) Please list the country where the facility is located.
C) Does your facility undertake an annual SSAE 16 audit? If so, you may be asked to provide a copy of the most current SSAE 16 report.
D) Which type?
  - SSAE 16 Type I
  - SSAE 16 Type II
E) Are you willing to allow us to physically inspect this data center?
F) Does this data center have electronic key access that can be restricted in real time?
G) Are you able to review access logs to the data center?
H) How long are logs retrievable for?
  - < 30 days
  - < 90 days
  - < 180 days
  - < 1 year
  - > 1 year
I) Do you have emergency access procedures in place for vendors, staff, and consultants needing access to physical equipment?
J) Do you have video cameras or CCTV throughout the data center?
K) Does your data center have redundant power such as an Uninterruptible Power Supply in case of primary power failure?
L) Does your data center have redundant cooling in case of AC malfunctions?
M) Does your data center have multiple ingress/egress points to the internet?
N) Are your servers located within locked cabinets inside the data center?
O) Are the server face plate covers attached and locked on every server?
P) Is the BIOS or lights-out management password protected?
Q) Are peripheral devices such as USB, DVD and serial ports disabled?
R) Is your data center alarmed for unauthorized access?

Colocation provided by third party data center provider

A) Who is your colocation data center provider?
  - CenturyLink
  - Equinix
  - Latisys
  - LexisNexis
  - SunGard
  - Verizon Terremark
B) Does this facility undertake an annual SSAE 16 audit? If so, you may be asked to provide a copy of the most current SSAE 16 report.
C) Which type?
  - SSAE 16 Type I
  - SSAE 16 Type II
D) Are you willing to allow us to physically inspect this data center?
E) Does your colocation provider have access to your physical equipment?
F) Please select the best description of the nature of your provider's access.
  - Full equipment access (includes partial access and access to the operating system)
G) Does your provider have access to sensitive data, i.e. personal information, credit data?
H) Has your provider signed a Non-disclosure Agreement (NDA) with you?
I) Has your provider signed a Business Associate Agreement (BAA) with you?
J) Were you able to customize your Business Associate Agreement (BAA) with your provider?
K) Is your equipment in a private cage or locked on an open floor?
  - Private cage
  - Open floor, locked cabinet
  - Private cage with locked cabinets
  - No private cage or locked cabinets
L) Does this data center have electronic key access that can be restricted in real time?
M) Are you able to review access logs to the data center?
N) How long are logs retrievable for?
  - < 30 days
  - < 90 days
  - < 180 days
  - < 1 year
  - > 1 year
O) Do you have emergency access procedures in place for vendors, staff, and consultants needing access to physical equipment?
P) Does this data center have video cameras or CCTV throughout?
Q) Does your data center have redundant power such as an Uninterruptible Power Supply in case of primary power failure?
R) Does your data center have redundant cooling in case of AC malfunctions?
S) Does your data center have multiple ingress/egress points to the internet?
T) Are the server face plate covers attached and locked on the server?
U) Is the BIOS or lights-out management password protected?
V) Are peripheral devices such as USB, DVD and serial ports disabled?
W) Is this data center alarmed for unauthorized access?

Cloud service provided by third party cloud provider

A) Which service provider do you use?
  - Amazon Web Services (AWS)
  - Akamai
  - Apple
  - BMC Software
  - Citrix
  - Dimension Data
  - Dropbox
  - Google
  - HP
  - IBM
  - Microsoft
  - NetSuite
  - Oracle
  - Rackspace
  - Salesforce
  - SAP AG
  - Savvis
  - Terremark/Verizon
  - VMware
  - Other
B) Does this facility undertake an annual SSAE 16 (formerly SAS 70) audit? If so, you may be asked to provide a copy of the most current SSAE 16 report.
C) Which type?
  - SSAE 16 Type I
  - SSAE 16 Type II
D) What services are you using as part of your service offering (i.e. platform, compute, storage, etc.)?
  - Infrastructure
  - Web Services
  - Storage
  - Database
  - Backup
  - Desktops
E) Will you be storing sensitive data in your cloud environment?
F) Describe the nature and type of sensitive data stored (i.e. PHI, SSN, PCI, etc.).
  - Protected Health Information
  - Social Security Numbers
  - Payment Card Information
  - Banking
  - Personally Identifiable Information
G) How will you track the sensitive data's location and access?
  - Spreadsheet
  - Email notification
  - Using a ticketing system
  - 3rd party application
H) Has your provider signed a Non-disclosure Agreement (NDA) with you?
I) Has your provider signed a Business Associate Agreement (BAA) with you?
J) Were you able to customize your Business Associate Agreement (BAA) with your provider?
K) Do you use a third party service to manage the configuration and security of this cloud service?
L) Does your third party service provider have access to sensitive data?
M) Has this third party signed a Business Associate Agreement (BAA) with you and the provider?
  - With me, not with the cloud provider
  - With me and the cloud provider
  - Not with me, with the cloud provider
  - No, to both me and the cloud provider
N) Does your cloud provider give you a single management console for administration of all services?
O) How do you access the cloud based services?
  - Point to Point VPN Tunnel
  - Client Access VPN Tunnel
  - Remote Desktop
  - Secure Shell
  - Web authentication
P) Are you using multi-factor authentication methods to access your cloud services?
  - VPN access with UserID / Certificate
  - AWS MFA
  - RADIUS
Q) Is your cloud environment connected to your internal network or colocation environment?
R) Are you using APIs to communicate with your cloud environment?
  - For backups offsite
  - Authentication purposes
  - Retrieval of data
  - Upload data
  - Not using APIs
S) Will your customer be required to use API calls to communicate with your service?
T) Are you using any third party APIs to deliver your service?
U) What types of security measures have been put in place to secure API usage?
  - Basic Authentication with TLS
  - OAuth 1.0
  - OAuth 2
V) Do you have access to the hypervisor logs?
  - Yes, direct access
  - No, but requests from provider
W) What type of firewall are you using to secure the perimeter network?
  - None
  - Cisco
  - Open Source
  - Embedded Windows Server Firewall
  - Embedded Linux Server Firewall
  - Access Control List
X) Are your guests on private virtual resources or shared resources?
  - Private
  - Shared
Y) If using cloud storage, do you do the following?
  - Encrypt the virtual drives
  - Provide your own encryption keys
  - Take snapshots of the storage area
  - Replicate the storage area to another location
  - Log access to storage directories
  - Don't use cloud storage
Z) How do you access your storage area?
  - HTTP
  - HTTPS
  - Third Party API
  - Internally provided API
  - Server Connected API
  - Don't use cloud storage
AA) How does your provider handle the deletion of virtual guests, storage, and/or web services?
  - Delete data immediately and overwrite
  - Delete data immediately using FIPS/DOD methods
AB) How does your cloud environment notify you of updates and vulnerabilities within the hosted environment?
  - Notify you via email
  - Create a service ticket
  - Broadcast a message on its website, blogs, support sites
AC) How does your cloud environment handle incidents, updates, and vulnerabilities within the hosted environment?
  - Provide a minimum of 48 hours before applying updates
  - Provide you with workarounds if necessary
  - Patch straightaway if a critical vulnerability arises
AD) Does your cloud provider allow vulnerability scans on your servers?
AE) Are any of your services being replicated to international locations?
AF) Does the Service Level Agreement have clearly defined terms, definitions and performance parameters?
AG) Are there penalties for missing predefined SLAs?
AH) If using the cloud, how does their notification rule coincide with your notification rule?

Operating Systems

3.1) Are you using open source applications to support your solution?
3.2) Which open source applications are currently deployed in your environment?
  - Linux
  - Apache Tomcat
  - MySQL
  - PostgreSQL
  - ActiveMQ
  - OpenVPN
  - PHP
  - Java
  - pfSense
  - Vyatta
3.3) Are you using virtualization to provide your solution? If so, which?
  - VMware
  - XenServer
  - Microsoft
  - Not using virtualization
3.4) Which desktop operating systems are being used in your environment?
  - Microsoft Windows 7 or 8
  - MacOS
  - Linux
3.5) Do you have the ability to monitor portable devices?
3.6) Which antivirus/antimalware software are you using to protect your servers?
  - Symantec
  - McAfee
  - ForeFront
  - None
3.7) Which antivirus/antimalware software are you using to protect your workstations?
  - Symantec
  - McAfee
  - ForeFront
  - None
3.8) Are you able to remotely scan the software in use inside your environment (including workstations)?
3.9) Which applications are you using to manage your code revisions?
  - Git
  - Subversion
  - Team viewer
  - None
3.10) Are you using any of these cloud based code revision providers?
  - GitHub
  - Bitbucket
  - Atlassian
  - None
3.11) Which are you using to manage patches across your environment?
  - Centralized Patch Management
  - Individual Patch Management
  - Combination of both

Encryption

4.1) Are you using encryption for data at rest and in transit within your environment?
4.2) Which items do you encrypt?
  - Portable devices, thumb drives, CDs, and DVDs
  - File shares
  - Databases
  - Websites
  - Email
  - File transfers
  - PCs and tablets
  - Connections to internal resources
  - None
4.3) Does your cloud provider have access to your encryption keys?
4.4) Please provide details.

Backup & Recovery

5.1) What type of backup solutions have you deployed?
  - Tape backups
  - Disk to disk
  - Snapshots
  - Real time replication
5.2) Do you back up to an offsite location?
5.3) Is your offsite backup to the cloud?
5.4) How often do you test the restore capabilities of your backup?
  - Other
5.5) Do you have a failover site in case of a loss of services from your primary data center?
5.6) What type of location is your failover site?
  - Fully real time replicated environment
5.7) Do you run test failover scenarios of the production environment?

Information Security

6.1) Does your company have an active Information Security program in place?

Governance

6.2) Does your company have a single person responsible for Information Security?
6.3) Does your company have a single person responsible for Data Privacy?
6.4) Does your company conduct any type of formal risk analysis on a regular basis?
6.5) How often are these risk assessments performed?
  - Other
6.6) Provide the date of the last risk analysis/assessment conducted: 27 Jan, 2015
6.7) Does your company perform regular Information Security audits?
6.8) How are these audits performed?
  - External industry accredited / certified audit
  - Internal industry accredited / certified audit
  - Informal internal audit
  - Other
6.9) What standards are used for these audits?
  - ISO/IEC 27001:2005
  - Standard of Good Practice
  - NIST SP 800-53
  - ISO 15408
  - RFC 2196
  - ISA/IEC 62443 (formerly ISA 99)
  - ISA Security Compliance Institute
  - IASME
  - HIPAA/HITECH OCR Audit Protocols
  - COBIT 4.1
  - GAPP
  - Other
6.10) How often are these audits performed?
  - Other
6.11) Provide the date of the last external Information Security audit conducted: 27 Jan, 2015
6.12) Do you perform vulnerability scans regularly?
6.13) How often do you perform a vulnerability assessment?
  - Other
6.14) Are any of these assessments conducted by third party providers?
6.15) Will offshore consultants have access to your cloud environment?
6.16) Will your offshore consultants have access to sensitive data?
6.17) Please list the countries where these staff are located.
6.18) Do you have a Key Management Policy and Procedure in place for your encryption keys?
6.19) Do you have a Data Classification policy where data is classified by sensitivity?
6.20) Do you have an encryption policy and procedure that details how you encrypt sensitive data?
6.21) Do you have a Policy and Procedure outlining backup and disaster recovery procedures?
6.22) Do you practice recovery procedures as part of business continuity planning?
6.23) Have you identified critical assets in your environment?
6.24) Have you completed a business impact assessment on critical systems?
6.25) Do you know where all sensitive data such as PHI resides in your environment?
6.26) Do you conduct regular access audits to ensure you know who is accessing sensitive data and how they are using it?
6.27) Does your organization have a data retention policy?
6.28) Does your organization have a secure data disposal and destruction policy?
6.29) Do you perform DR gaming or Business Continuity tabletop exercises for your critical systems?
6.30) How often do you conduct tabletop exercises?
  - Other
6.31) Have you established a Critical Incident Response Team (CIRT)?
6.32) How often does your CIRT meet?
  - Weekly
  - Bi-weekly
  - Monthly
  - Bi-monthly
  - Quarterly
  - Other
6.33) Do you have a formal remediation process when issues are discovered during testing?
6.34) Do you have a formal policy and procedure for the procurement/use of software within your organization?
6.35) Do you have in place a policy and procedure for the deployment of software patches?
6.36) Are you using a centralized tool to facilitate patch management? What tool are you using?
6.37) Do you have a policy or procedure for defining and reporting incidents?
6.38) Have you had any critical incidents reported in the last 3 years?
6.39) Did any of these incidents result in a breach of sensitive data? How was the incident handled and what remediation steps were taken to fix it?
6.40) Do you have a policy or procedure for reporting unauthorized access to sensitive data?

Breach Notification

6.42) Do you have a Breach Notification policy?
6.43) Have you reported any breaches in the past 3 years? Please provide details.