Security Questionnaire
Welcome
0.0 General
1.0 Security Policy
2.0 Organization of Information Security
3.0 Asset Management
4.0 Human Resources Security
5.0 Physical and Environmental Security
6.0 Communications and Operations Management
7.0 Access Control
8.0 Information Systems Acquisition, Development and Maintenance
9.0 Information Security Incident Management
10.0 Business Continuity and Disaster Recovery
11.0 Privacy and Compliance
Summary
0.0 General
Vendor Name
Name of the individual completing this questionnaire
Title of the individual completing this questionnaire
Email of the individual completing this questionnaire
Phone of the individual completing this questionnaire
Name of the point of contact for future correspondence
Title of the point of contact for future correspondence
Email of the point of contact for future correspondence
Phone of the point of contact for future correspondence
Date of Submission
What is the production site physical address?
What is the backup site physical address?
Are there any additional location(s) of operations where target data is stored?
List Location
Briefly describe the applications and systems within the scope of this engagement
Will individual users from the Company log into the application?
If yes, approximately how many unique users from the Company will log into the application?
Does the vendor process sensitive member or employee data belonging to the Company (HIPAA ePHI, SSN/other tax ID, driver's license or other government ID)?
Describe
Does the vendor process other types of member or employee data?
Describe
Provide logical and physical diagrams that show the flow of the Company's private data from the Company to the vendor
Provide logical and physical diagrams that show the flow of the Company's private data from the vendor to the Company
Provide logical and physical diagrams that show the places where the Company's private data is stored in the vendor's systems
Provide logical and physical diagrams that show any hardware/software that the vendor requires to be installed within the Company's network or systems
1.0 Security Policy
Does the vendor have documented information security policies?
Does the vendor have a process to assign responsibility for creation, management, and approval of information security policies?
Describe
How often are information security policies reviewed?
2.0 Organization of Information Security
How many individuals within the organization are assigned full-time to information security?
To which executive office do the information security staff report?
List any third parties (e.g. hosting facilities, processing, printing, archival) used to process or store the Company information
Does the vendor perform risk assessments on its third parties?
Describe
If yes, how often are risk assessments performed or updated?
Describe the framework and methodology used to perform 3rd party risk assessments
3.0 Asset Management
Does the vendor maintain an inventory of hardware, software, application, and database assets?
Describe
Is the inventory updated as part of the system or application onboarding and offboarding process?
Describe
Does the vendor have a policy that establishes ownership for information assets?
Describe
How often do these owners review and approve access to their information assets?
Are rules documented for the acceptable use of information assets? Describe.
Does the vendor have a policy that describes information classification levels based on value, legal requirements, sensitivity, and/or criticality?
Describe
Do the classification guidelines include handling procedures for each information classification level?
Describe
4.0 Human Resources Security
Does the vendor perform criminal background checks on its employees and contractors?
Are background checks for contractors the same as for employees?
Does the vendor perform credit checks on its employees?
Does the vendor have a policy that describes acceptable use of computing and network resources, commonly referred to as an "Acceptable Use Policy"?
Describe
Does the vendor have policies and procedures for sanctioning employees who violate security policies?
Describe
How are security policies and procedures distributed to employees?
Do employees receive information security and privacy training at least annually?
Does the vendor have policies and procedures that describe how to terminate physical and logical access, as well as the return of vendor assets (laptop, cell phone, documentation, etc)?
Describe
5.0 Physical and Environmental Security
Is a badge system used to control and monitor access to the corporate office?
How are doors and windows secured at the corporate office?
Is there a documented process for granting and monitoring visitor access at the corporate office?
Describe
Does the data center fire suppression system meet or exceed NFPA 75 (Standard for the Fire Protection of Information Technology Equipment) and NFPA 76 (Standard for the Fire Protection of Telecommunications Facilities)?
Describe
How are doors and windows secured in the data center?
Is a badge system used to control and monitor access to the datacenter facilities?
Is there a documented process for granting and monitoring visitor access to datacenter facilities?
How often are physical access logs reviewed?
How are video cameras deployed at the data center?
How are cameras monitored at the data center?
For how long is video surveillance retained?
Do security guards patrol the exterior perimeter at least once per hour?
Describe how power is distributed to individual racks within the data center.
Which backup power systems are implemented?
In the event of a power outage, how long will the backup power provide power to all of the systems necessary to maintain the Company services in the data center?
In the event of an extended power outage that exceeds the UPS capacity, how long will the generator provide power to all of the systems necessary to maintain the Company services in the data center without the need for refueling?
How often is the UPS system tested under load?
How often are the generators tested under load?
Are alerts sent to facility staff when the temperature reaches a preset threshold?
Does the data center have a dedicated HVAC system that is separate from the system used for the rest of the building?
How often is the HVAC system serviced?
6.0 Communications and Operations Management
Are system administration and network management procedures documented?
How often are the procedures reviewed and updated?
How are system documentation and sensitive system procedures secured?
Are administrator duties separated so that no single person can both initiate and authorize an event (e.g., change request, access request, account creation)?
Does the vendor have policies and procedures for training new administrators prior to granting them access to production systems?
Describe
Does the vendor use documented standards, including security configuration specifications, to build and deploy new systems?
Describe
How often are these standards updated to reflect policy updates or changes in security concerns?
Does the vendor use a vulnerability management tool to periodically scan systems for vulnerabilities?
Does the vendor have a documented process for remediating identified vulnerabilities in a timely manner?
Describe
How frequently are systems scanned for vulnerabilities?
Does the vendor use a configuration monitoring tool to periodically scan systems for compliance with its documented standards?
Does the vendor have a documented process for resolving identified configuration compliance deviations in a timely manner?
How frequently are systems scanned for compliance with documented standards?
Has the vendor deployed firewalls and intrusion detection or prevention systems at all intersections of trusted and untrusted networks?
Does the vendor employ separate environments for development, testing, staging, production, etc?
Does the vendor implement separation of duties to ensure that development staff cannot deploy software directly to production systems?
Are formal acceptance criteria, including security requirements, established for new, modified, or upgraded systems?
What controls does the vendor employ to separate each of its customers' information and services from the vendor's other customers?
Does the vendor implement controls to prevent the installation and propagation of malicious software?
Is endpoint protection software installed on all servers and workstations on the vendor's networks?
How frequently are full endpoint protection scans run?
Are users prevented from modifying endpoint protection controls?
Describe
How are users prevented from accessing malicious websites?
Describe the permitted uses of instant messaging
Is file transfer permitted over instant messaging?
Does the vendor use automated applications to monitor the health and capacity of systems and networks?
Describe the backup mechanisms used to ensure that data could be recovered in the event of a disaster or loss of integrity
How often are online backups (snapshots, etc) captured?
How long are online backups retained?
How long are offline backups retained?
How often are recovery exercises performed using backup media to verify that backups are working as designed?
Does the vendor have policies and procedures that categorize electronic data according to its retention requirements?
Describe how offline backups are secured against natural disasters and theft
Does the vendor have policies and procedures that govern the security of wireless networks?
Does the vendor control access to wireless networks that transmit the Company data?
Describe how the vendor detects and remediates rogue wireless access points
How is administrative traffic encrypted for network devices?
Does the vendor have a policy and procedures for the management of removable media?
Does the Company have policies and procedures for the secure disposal of media (i.e. hard drives, tapes, USB drives, etc.) containing sensitive information, including printers, copiers, and fax machines that may have nonvolatile storage?
Does the vendor use a data loss prevention (DLP) product to detect and prevent attempts to move the Company data in unauthorized ways?
How is email containing sensitive information secured?
How does the vendor authenticate to the Company to perform online transactions or exchange the Company private information over the Internet?
Are data integrity protections used to ensure that the Company data is not modified, either in transit or while in storage?
Are all servers, storage, applications, databases, network, and security devices configured to capture an audit log?
Do audit logs for operating systems, applications, databases, and network devices record all of the following events: successful authentication, failed authentication, configuration modification, audit log modification or deletion, service stop/start, user or role creation/deletion/modification, and software update?
Are all audit logs sent to a central security information and event management (SIEM) tool that creates timely human alerts when certain events are detected?
Does the vendor have a documented process for triaging and resolving security incidents identified by the SIEM?
How often are audit logs reviewed manually outside of any SIEM solution?
Are audit logs protected against unauthorized access or tampering?
Do all systems and devices attached to the network use clock synchronization?
7.0 Access Control
Does the vendor have policies and procedures that describe how it controls access to sensitive data? Describe or provide the policy.
Does the vendor have policies and procedures governing the provisioning and de-provisioning of user access? Describe or provide the policy.
Is each provisioned user assigned a unique identifier for system access?
Are shared or group accounts used to access any systems? If so, describe how accountability is maintained for these accounts.
Does the vendor employ role-based access control to assign privileges and rights to roles, which are then assigned to users?
Describe
Does the vendor have a policy for system passwords that includes length, complexity, failed login attempts, history/re-use, and security?
Attach File
How are passwords for non-identifiable accounts stored, managed, protected, and changed? Examples include service accounts and any other group or shared credentials.
Are passwords for non-identifiable accounts changed after each use?
Does the vendor send credentials over any protocols that would cause them to be transmitted in the clear, such as FTP, HTTP, or Telnet? Describe any such uses.
Are the password requirements for administrator level accounts different than for general user accounts? If so, describe how they are different.
Are non-identifiable account passwords changed when an administrator is terminated?
How often are user access privileges reviewed?
What period of inactivity causes user computer screens to lock, requiring at least a password to unlock?
Describe the ways that remote users can connect to the Company's networks
How are remote users authenticated?
Does the vendor have documented procedures for employees to request remote access?
Describe
Do users have remote access to the Company data from devices that the vendor does not own and manage?
Do remote user devices undergo a posture check (updated patches, anti-virus, etc.) prior to being granted access to internal networks?
Do 3rd-party vendors have remote access to vendor networks, such as for remote diagnosis and troubleshooting? Describe the types of permitted remote connections
If 3rd-party vendors have user accounts, describe the rights and privileges assigned to those accounts
Are vendor networks segmented according to types of services, data classification, users, or customer environments?
Are industry standard products, algorithms, and key lengths used for data in transit between the Company and the vendor?
Describe
For vendor internal transmissions?
Between vendor facilities?
For data stored at rest?
For backup media?
Does the vendor employ mechanisms to protect the Company private data from unauthorized modification while in transit?
Describe
While in storage?
Are industry standard authentication mechanisms used to access the Company information while in storage at the vendor?
Describe
Does the vendor have a policy that describes the minimum security controls required to secure data stored on or accessed by mobile devices, including laptop computers?
Does the vendor support Federated Single Sign-On using SAML, WS-Federation, or other methods?
Is whole disk encryption deployed for all laptops and other mobile devices that might store, transmit, or process the Company data?
Is encryption forced on all removable media devices (USB drives, etc) that might store the Company data?
8.0 Information Systems Acquisition, Development and Maintenance
Are security controls routinely included in the business requirements for new systems?
Is input data validated (checked for out-of-range values, invalid characters, incomplete data, etc.)?
Describe
Is output data validated?
Describe
Does the vendor have a cryptography policy specifying when cryptography should be used, algorithms, key lengths, and key management?
Attach File
Does the vendor have documented processes for rollback in the event that a software update fails?
Describe
Is production data de-identified prior to use in non-production environments? If production data is not used in non-production environments, select 'yes'
Is access to source code restricted based on need to know?
Briefly describe change control processes and procedures
Describe any tools used for configuration and source code management
Describe how the vendor uses outsourced application developers
Does the vendor have documented processes for patching systems and applications?
Does the vendor have documented processes for testing and validating patches prior to deployment?
How often are patches applied to application, web, and database servers?
Does the vendor have a process for identifying and replacing systems that become obsolete or out of support?
Does a documented process exist by which commercial off-the-shelf (COTS) software vulnerabilities are periodically reviewed, prioritized, and acted upon?
Do technical controls prevent users from installing non-approved software onto vendor systems?
Describe how the vendor utilizes penetration testing to confirm the effectiveness of security controls
9.0 Information Security Incident Management
Does the vendor instruct employees in procedures for spotting and/or responding to security incidents or technical malfunctions?
How often are these procedures reviewed and/or updated?
Does the vendor have procedures for cooperating with investigations?
Does the vendor have collection of evidence policies and procedures?
Does the vendor have policies and procedures for tracking security incidents?
Does the vendor have a process to determine whether or not a security incident constitutes a reportable breach?
In the event that a security incident is determined to be a breach, does the vendor have a notification and remediation process?
10.0 Business Continuity and Disaster Recovery
Has the vendor performed a business impact analysis to determine the role and criticality of each system to business objectives and processes?
Do the services provided to the Company include a service level agreement (SLA) that includes recovery time objectives (RTO), recovery point objectives (RPO), uptime commitments, performance commitments, service response time, incident response time, and how the Company will be compensated for failure to reach SLA targets?
Describe
Does the vendor have a comprehensive business continuity plan (BCP) for business process continuity, recovery and restoration?
Attach File
Does the vendor have an internal or 3rd party site prepared in the event that the primary site is impacted by a disaster? Describe, including the names of any 3rd party vendors.
Does the vendor have a comprehensive disaster recovery plan for information technology continuity, recovery and restoration?
Attach File
Has the vendor identified recovery teams, procedures, records, documentation and resources required to restore key technology functions and processes?
Describe
How often are backup and restoration procedures reviewed for completeness and adequacy?
Have detailed emergency response procedures been documented?
How often are exercises conducted that fully test disaster recovery and business continuity processes and procedures?
Are any of the Company services being outsourced in full or in part?
Describe
Are any of the Company services being outsourced in full or in part to staff outside the United States?
Describe
11.0 Privacy and Compliance
Has the vendor designated a security official whose job description includes oversight of the information security program? If yes, please provide that individual's name and contact information
Does the vendor have a documented privacy policy (or policies)?
Describe
Has the vendor designated a privacy official whose job description includes oversight of the privacy program?
Is the privacy policy (or policies) reviewed and updated at least annually?
Does the vendor have a documented process to notify the Company in the event that there is a privacy incident or breach?
Are employees and contractors provided with formal privacy awareness training at least annually?
Is any of the Company's data collected, stored, processed, transmitted, and/or destroyed outside of the United States?
Describe
Does the vendor have a documented and regularly reviewed plan for responding to privacy incidents?
Is there a document retention program that isolates protected subsets of sensitive or confidential information for special handling?
Are there standard processes in place to ensure the proper disposal of sensitive data belonging to the Company?
Does the vendor have contractual controls to ensure that personal information shared with other third parties is appropriately protected by the third party?
Is there a remediation plan to address other third-party misuse and/or breach of personal information?
Does the vendor information security function regularly communicate and collaborate with the privacy function (if the two functions are separate)?
Is there a process for ensuring the accuracy and currency of personal information at the direction of the client?
Does the vendor carry insurance coverage for privacy breaches?
Is there a process to ensure that the personal information provided by an individual is limited for the purposes described in the organization's privacy notice?
Is there a process to limit or prevent the sharing of the Company's data with vendor affiliates unless authorized by the Company?
Does the vendor regularly monitor employees, contractors, and partners for privacy compliance?
Are appropriate sanctions applied to employees, contractors, and partners who violate privacy policies?
Is there a process for employees, contractors, and partners to notify privacy compliance personnel of an actual or suspected privacy breach?