Vendor Risk Assessment Questionnaire



Similar documents
Client Security Risk Assessment Questionnaire

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

74% 96 Action Items. Compliance

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Central Agency for Information Technology

INCIDENT RESPONSE CHECKLIST

Small Business IT Risk Assessment

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Security aspects of e-tailing. Chapter 7

Supplier Information Security Addendum for GE Restricted Data

Secondary DMZ: DMZ (2)

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Payment Card Industry Self-Assessment Questionnaire

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Print4 Solutions fully comply with all HIPAA regulations

Retention & Destruction

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

IT - General Controls Questionnaire

PCI Data Security Standards

ADM:49 DPS POLICY MANUAL Page 1 of 5

Autodesk PLM 360 Security Whitepaper

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

Payment Card Industry Data Security Standard

Remote Network Access Procedure

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Vendor Questionnaire

Critical Controls for Cyber Security.

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

PCI DSS Requirements - Security Controls and Processes

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

Best Practices for PCI DSS V3.0 Network Security Compliance

Network Security Guidelines. e-governance

8 Steps for Network Security Protection

8 Steps For Network Security Protection

University of Sunderland Business Assurance PCI Security Policy

Supplier Security Assessment Questionnaire

Security Policy for External Customers

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

FormFire Application and IT Security. White Paper

PII Compliance Guidelines

Information security controls. Briefing for clients on Experian information security controls

SUPPLIER SECURITY STANDARD

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Chapter 1 The Principles of Auditing 1

ABB s approach concerning IS Security for Automation Systems

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

GE Measurement & Control. Cyber Security for NEI 08-09

A Rackspace White Paper Spring 2010

Did you know your security solution can help with PCI compliance too?

How To Manage Security On A Networked Computer System

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Internet Banking Internal Control Questionnaire

Firewall Audit Techniques. K.S.Narayanan HCL Technologies Limited

SonicWALL PCI 1.1 Implementation Guide

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Best Practices For Department Server and Enterprise System Checklist

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

System Security Plan University of Texas Health Science Center School of Public Health

H.I.P.A.A. Compliance Made Easy Products and Services

Enterprise Security and Risk Management Office Risk Management Services. Risk Assessment Questionnaire. March 22, 2011 Revision 1.

KeyLock Solutions Security and Privacy Protection Practices

Secure, Scalable and Reliable Cloud Analytics from FusionOps

CONTENTS. Security Policy

Information Security Basic Concepts

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Collaborate on your projects in a secure environment. Physical security. World-class datacenters. Uptime over 99%

Data Security and Healthcare

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Certified Information Systems Auditor (CISA)

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Birst Security and Reliability

Security Controls for the Autodesk 360 Managed Services

Global Partner Management Notice

Achieving PCI-Compliance through Cyberoam

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

How To Secure Your Store Data With Fortinet

GFI White Paper PCI-DSS compliance and GFI Software products

PCI Requirements Coverage Summary Table

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Network Security Policy

Managing internet security

Network Security: A Practical Approach. Jan L. Harrington

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

CONTENTS. PCI DSS Compliance Guide

Policies and Procedures

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

FBLA Cyber Security aligned with Common Core FBLA: Cyber Security RST RST RST RST WHST WHST

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Technical breakout session

LogRhythm and PCI Compliance

Transcription:

Vendor Risk Assessment Questionnaire VENDOR INFORMATION: Vendor Name: Vendor Address: Vendor Contact Name: Vendor Contact Phone No: Vendor Contact Email: DATA SENSITIVITY What is the nature of data that vendor will have access to? (Mark all that apply) No Risk: No data exchanged, no security impact Low Risk: Only demographic information and projected financial information Medium Risk: Only names, addresses and phone numbers High Risk: Non public private information (NPI), for example SSN, medical, financial, proprietary, and private information about real individuals Questionnaire Instructions: Please complete the following questionnaire. Where details or descriptions are requested, please describe in Comments (or Additional Information and Comments section at end of questionnaire), or attach documentation with the requested details. Use N/A for Not Applicable where needed (enter under Comments). Risk Assessment Categories Yes No Comments Policies and Procedures Has a security policy document(s) been published and enforced in your organization? Do you have policies and procedures covering the following: HR practices? Authorized/acceptable use of networked services? Use of corporate email, intranet, and Internet Password management?

Software/hardware acquisition Change Management? Encryption policy and standards? Security related incident response/handling? Data handling policy (to include data use, storage and destruction of sensitive data)? Third party access and remote access? Do you outsource any security management functionality? Are policies and procedures updated frequently? Is a senior corporate official directly responsible for the implementation of your organizational security policy? Are procedures employed to ensure compliance with privacy laws/regulation requirements related to maintaining security, confidentiality, and protection of customer data? Do you have information security staff dedicated to the following? Security awareness? Policy enforcement? Risk evaluation? Risk mitigation? Regulatory compliance? Are the consequences of non compliance to the policies clearly documented? Patch Management Yes No Comments Do you apply security patches on a regular basis? Do you have an automated patch management solution deployed? Do you have vendor agreements in place for timely availability and application of software updates? Physical Security Yes No Comments What kind of perimeter control(s) are applied to data center location(s)? Access tokens/cards? Key pad controls? Man trap? Biometric controls? Guards? Do you monitor/log all access to data center(s)? Do you have redundant public utility connections? Do you employ UPS (Uninterrupted Power Supply), battery banks, generators, etc.?

Do you employ fire/flood detection and suppression systems? Do you monitor and escort visitors through critical parts of your company? Do you maintain visitor logs for more than 30 days? Information Security Administration Yes No Comments Can you provide a recent SAS70/SSAE 16 report or other industry recognized audit report? Do you limit administrator level access on network and systems infrastructure? Is your information security staff professionally certified (i.e ISC2, SANS)? What is the average tenure of your information 1 3 years security staff? 3 5 years 5+ years Is access to security logs strictly controlled (firewall logs, IDS logs, etc.) Do you employ version management, build & deploy processes? Network Infrastructure Yes No Comments Do you maintain up to date network infrastructure and administration procedures? Do you have perimeter scanning/monitoring agreements with managed network services providers? Are all your routers configured with access control lists to allow only specific traffic to pass through? Do you allow access to your routers via console port only? Are all networking devices at the latest patch level? Do you have a procedure to keep track of announcement of vulnerability patches for your networking devices? Do you ensure default passwords are changed on networking devices? Do you control the change frequency and distribution of administrative access to network infrastructure? Do you use 802.1x or similar security controls for your wireless network? Do you employ the following intrusion detection/protection system(s): HIDS? NIDS? Honey Pots? Rogue device and services detection?

Remote Access and VPN Yes No Comments Are there any remote access/remote control methods available to access your network, as follows: Call backs? PKI? RADIUS/TACACS? User ID/Password? Token based access control? Other? If yes, please describe. Do you allow supervisory/administrative functions to be performed over unencrypted external links? Do you collect/review audit log data on remote access? Firewall and Intrusion Detection/Prevention Yes No Comments Do you have a security team that keeps track of all known vulnerabilities? Do you have an Intrusion Detection System (IDS) implemented? Do you have an incident response team? Do you employ firewalls to protect your network? Are your firewall operating systems/software at the latest patch level? Have you scanned and verified all allowable services provided by your firewall? Do you use firewall reporting tools to analyze your firewall log(s)? Do you have your security policy on your firewall documented and verified? Do you protect your internal IP address range(s) (e.g., use NAT/RFC1918)? Do you restrict both inbound and outbound traffic to only that which is necessary? Malware Controls Yes No Comments Do you scan all emails for viruses? Is there an explicit policy requiring anti virus software on networked computers? Do you have centralized administration of virus controls, such as distribution of signature updates, reporting, and policy enforcement? Are rules established for scanning outside software and media? Does your anti virus software run in the background with established frequency of scanning? Are end users prevented from disabling anti virus software on personal computers?

Do you allow installation of personal and noncorporate approved software on network computers? Disaster Recovery and Business Continuity Yes No Comments Are backup/recovery procedures regularly tested? Are backup/restore procedures documented? Can you meet recovery time objective(s) (RTO) and recovery point objective(s) (RPO) for all products and services contracted for? Is there a business continuity plan (BCP)? Monitoring Yes No Comments Do you monitor the security/policy violations and application/networked services availability? Do you log successes and failures to access? Account Management and Access Control Yes No Comments How will our data be secured at your site? Will our data be accessible from the Internet? Who will have access to our data? How do you prevent other clients from accessing our data? How and where are user IDs and Passwords stored? How are they secured? Will access credentials be encrypted when passing through public networks? Do you employ any mechanisms that facilitate secure data exchange? E Commerce (applicable if vendor conducts business Yes No Comments online) Are the following maintained in e commerce systems: Confidentiality? Authorization? Non Repudiation? Transaction Integrity? Access code encryption in storage and transmission? ADDITIONAL INFORMATION AND COMMENTS:

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information