Client Security Risk Assessment Questionnaire



Similar documents
Small Business IT Risk Assessment

University of Pittsburgh Security Assessment Questionnaire (v1.5)

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

HIPAA Privacy and Security Risk Assessment and Action Planning

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

Miami University. Payment Card Data Security Policy

H.I.P.A.A. Compliance Made Easy Products and Services

INCIDENT RESPONSE CHECKLIST

Project Title slide Project: PCI. Are You At Risk?

Supplier Security Assessment Questionnaire

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Payment Card Industry Self-Assessment Questionnaire

BMC s Security Strategy for ITSM in the SaaS Environment

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

PCI Requirements Coverage Summary Table

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

Network and Security Controls

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

HIPAA RISK ASSESSMENT

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO / HIPAA / SOX / CobiT / FIPS 199 Compliant

Cybersecurity Health Check At A Glance

ACCEPTING PAYMENT CARD ASSESSMENT Pre-Selection Questionnaire

How To Protect Your Data From Being Stolen

PCI Requirements Coverage Summary Table

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Altius IT Policy Collection Compliance and Standards Matrix

Security Controls What Works. Southside Virginia Community College: Security Awareness

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Projectplace: A Secure Project Collaboration Solution

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

UMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Best Practices For Department Server and Enterprise System Checklist

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

NETWORK SECURITY GUIDELINES

Vendor Risk Assessment Questionnaire

The Education Fellowship Finance Centralisation IT Security Strategy

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

1. (a) Full name of proposer including trading names if any (if not a limited company include full names of partners) Date established

ACI ON DEMAND DELIVERS PEACE OF MIND

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Secure, Scalable and Reliable Cloud Analytics from FusionOps

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Tenzing Security Services and Best Practices

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Central Agency for Information Technology

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

BKDconnect Security Overview

Policies and Procedures

Zurich Security And Privacy Protection Policy Application

2012 Risk Assessment Workshop

INNOVATE. MSP Services Overview SVEN RADEMACHER THROUGH MOTIVATION

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Introduction. PCI DSS Overview

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

U06 IT Infrastructure Policy

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

HIPAA Security Alert

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Georgia Institute of Technology Data Protection Safeguards Version: 2.0

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Server Security Checklist (2009 Standard)

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

paypoint implementation guide

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

INFORMATION SECURITY PROGRAM

Internet Security Protecting Your Business. Hayden Johnston & Rik Perry WYSCOM

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

Overcoming PCI Compliance Challenges

Security from a customer s perspective. Halogen s approach to security

System Security Plan University of Texas Health Science Center School of Public Health

Cyber Self Assessment

Fortinet Solutions for Compliance Requirements

CONTENTS. Security Policy

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Property of CampusGuard. Compliance With The PCI DSS

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

Transcription:

Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2 Is a background check required for all employees accessing and handling the organization's data? 3 Does the organization have written information security policies? 3.1 If yes, please provide copies when responding to this assessment 4 Does the organization have a written password policy that details the required structure of passwords? 4.1 How do you verify password strength? 5 Do all staff receive information security awareness training? Does the organization have a Data Access Policy and are they willing to comply with the policies as well as 6 the data protection guidelines? 7 Does the organization have a formal change control process for IT changes? 9 Will your company be processing credit cards? 9.1 If yes, is your company PCI DSS compliant? 10 Is antivirus software installed on data processing servers? 11 Is antivirus software installed on workstations? Organizational Information Security General Security 1 of 5

Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 12 Are system and security patches applied to workstations on a routine bases? 13 Are system and security patches applied to servers on a routine bases? 13.1 Are system and security patches tested prior to implementation in the production environment? 14 Do employees have a unique log-in ID when accessing data? 15 Does the organization have security measures in place for data protection? 15.1 If yes, please describe in the comments section Is access restricted to systems that contain sensitive data? 16 (credit card numbers, social security numbers, HIPAA, & FERPA data sensitive) 16.1 If yes, what controls or are currently in place to restrict access? 17 Is physical access to data processing equipment (servers and network equipment) restricted? 17.1 If yes, what controls are currently in place? 18 Is there a process for secure disposal of both IT equipment and media? 18.1 If yes, please describe in the comments section 19 Are network boundaries protected by firewalls? 20 Is regular network vulnerability scanning performed? Organizational Information Security Network Security 2 of 5

Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 21 Are Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) used by your Organizational organization? Information Security 21.1 If yes, please describe in the comments section 22 Are employees required to use a VPN when accessing the organization's systems from all remote locations? 23 Is wireless access allowed in your organization? 23.1 If yes, please describe how it is protected in the comments section 24 Are computer systems (servers) backed up according to a regular schedule? 24.1 Has the back-up and recovery process been verified? 24.2 Does the organization store backups offsite? 24.3 Does the organization encrypt its backups? 25 Does the organization replicate data to locations outside of the United States? 26 Does the organization outsource its data storage? 26.1 If yes, to whom is the data outsourced? 27 Is there formal control of access to System Administrator privileges? 28 Are servers configured to capture who accessed a system and what changes were made? Systems Security 3 of 5

Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 28.1 If no, in case of a security breach, how do you determine who accessed the system and Organizational what changes Information were Security made? 29 Does the organization have disaster recovery plans for data processing facilities? 29.1 What about Business Continuity Plans? 30 Are computer rooms protected against fire and flood? 31 Does the organization have a "Hot" recovery site? 32 If an information security beach involving senstive data occurred, what is the defined protocal? 32.1 If yes, how soon would the Institute be notified? 33 Does the organization have a formal Incident plan? 34 Has the organization experienced an information security breach in the past three to five years? 34.1 If so, please document what information was lost in the comments section? 34.2 If so, please document how the clients were notified and how quickly in the comments section? 35 Does the organization receive an SSAE-16 SOC Report? Business Continuity / Disaster Recovery Incident Auditing / Client Reporting 4 of 5

Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 2 3 If so, please document which type of SOC report is being obtained in the comments section. Organizational Please provide a Information copy of Security 35.1 the latest SOC report. 35.2 If not, does the organization allow clients the right to audit their systems and controls? Additional Security Questions Specific to the Service Offering(s) Provided by the Vendor 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information