HC3 Draft Cloud Security Assessment
Respondent Contact Information

First Name: Grant
Last Name: Elliott
Company: Ostendio
Company Address: Ostendio
Email: [email protected]
Date: 01/27/2015

Information about your solution

2.1) How do users access your solution?
    Website / Mobile Web / Mobile Application (iPhone/iPad/Android) / Text Messaging (SMS) / Interactive Voice Response (IVR) / Other
2.2) Does your solution support Single Sign On (SSO)?
    Yes / No
2.3) What type of Single Sign On (SSO) does your solution support?
    Microsoft (Active Directory) / Auth0 / Kerberos / Redhat / Other: SAMPLE TEXT
2.4) Does your application allow login from Google, Facebook, or any other social media site?
    Yes / No
2.5) Which third-party social media logins are supported?
    Facebook / Google / LinkedIn / Other: SAMPLE TEXT
2.6) Does your solution allow access using third-party APIs?
    Yes / No
2.7) Please provide information for all locations (including backup locations) that may store or have access to sensitive data.
Owned/operated data center (onsite operated data center)

A) Is the facility located within the US?
    Yes / No
B) Please list the country where the facility is located.
    SAMPLE TEXT
C) Does your facility undertake an annual SSAE 16 audit? If so, you may be asked to provide a copy of the most current SSAE 16 report.
    Yes / No
D) Which type?
    SSAE 16 Type I / SSAE 16 Type II
E) Are you willing to allow us to physically inspect this data center?
    Yes / No
F) Does this data center have electronic key access that can be restricted in real time?
    Yes / No
G) Are you able to review access logs to the data center?
    Yes / No
H) How long are logs retrievable for?
    < 30 days / < 90 days / < 180 days / < 1 year / > 1 year
I) Do you have emergency access procedures in place for vendors, staff, and consultants needing access to physical equipment?
    Yes / No
J) Do you have video cameras or CCTV throughout the data center?
    Yes / No
K) Does your data center have redundant power, such as an Uninterruptible Power Supply, in case of primary power failure?
    Yes / No
L) Does your data center have redundant cooling in case of AC malfunctions?
    Yes / No
M) Does your data center have multiple ingress/egress points to the internet?
    Yes / No
N) Are your servers located within locked cabinets inside the data center?
    Yes / No
O) Are the server face plate covers attached and locked on every server?
    Yes / No
P) Is the BIOS or lights-out management password protected?
    Yes / No
Q) Are peripheral devices such as USB, DVD and serial ports disabled?
    Yes / No
R) Is your data center alarmed for unauthorized access?
    Yes / No
Colocation provided by third-party data center provider

A) Who is your colocation data center provider?
    CenturyLink / Equinix / Latisys / LexisNexis / SunGard / Verizon Terremark / Other: SAMPLE TEXT
B) Does this facility undertake an annual SSAE 16 audit? If so, you may be asked to provide a copy of the most current SSAE 16 report.
    Yes / No
C) Which type?
    SSAE 16 Type I / SSAE 16 Type II
D) Are you willing to allow us to physically inspect this data center?
    Yes / No
E) Does your colocation provider have access to your physical equipment?
    Yes / No
F) Please select the best description of the nature of your provider's access.
    Full equipment access (includes partial access and access to the operating system)
G) Does your provider have access to sensitive data, i.e. personal information, credit data?
    Yes / No
H) Has your provider signed a Nondisclosure Agreement (NDA) with you?
    Yes / No
I) Has your provider signed a Business Associate Agreement (BAA) with you?
    Yes / No
J) Were you able to customize your Business Associate Agreement (BAA) with your provider?
    Yes / No
K) Is your equipment in a private cage or locked on an open floor?
    Private cage / Open floor, locked cabinet / Private cage with locked cabinets / No private cage or locked cabinets
L) Does this data center have electronic key access that can be restricted in real time?
    Yes / No
M) Are you able to review access logs to the data center?
    Yes / No
N) How long are logs retrievable for?
    < 30 days / < 90 days / < 180 days / < 1 year / > 1 year
O) Do you have emergency access procedures in place for vendors, staff, and consultants needing access to physical equipment?
    Yes / No
P) Does this data center have video cameras or CCTV throughout?
    Yes / No
Q) Does your data center have redundant power, such as an Uninterruptible Power Supply, in case of primary power failure?
    Yes / No
R) Does your data center have redundant cooling in case of AC malfunctions?
    Yes / No
S) Does your data center have multiple ingress/egress points to the internet?
    Yes / No
T) Are the server face plate covers attached and locked on the server?
    Yes / No
U) Is the BIOS or lights-out management password protected?
    Yes / No
V) Are peripheral devices such as USB, DVD and serial ports disabled?
    Yes / No
W) Is this data center alarmed for unauthorized access?
    Yes / No
Cloud service provided by third-party cloud provider

A) Which service provider do you use?
    Amazon Web Services (AWS) / Akamai / Apple / BMC Software / Citrix / Dimension Data / Dropbox / Google / HP / IBM / Microsoft / Netsuite / Oracle / Rackspace / Salesforce / SAP AG / Savvis / Terremark/Verizon / VMware / Other
B) Does this facility undertake an annual SSAE 16 (formerly SAS 70) audit? If so, you may be asked to provide a copy of the most current SSAE 16 report.
    Yes / No
C) Which type?
    SSAE 16 Type I / SSAE 16 Type II
D) What services are you using as part of your service offering (i.e. platform, compute, storage, etc.)?
    Infrastructure / Web Services / Storage / Database / Backup / Desktops / Other: SAMPLE TEXT
E) Will you be storing sensitive data in your cloud environment?
    Yes / No
F) Describe the nature and type of sensitive data stored (i.e. PHI, SSN, PCI, etc.).
    Protected Health Information / Social Security Numbers / Payment Card Information / Banking / Personally Identifiable Information / Other: SAMPLE TEXT
G) How will you track the sensitive data's location and access?
    Spreadsheet / Email notification / Using a ticketing system / 3rd-party application / Other: SAMPLE TEXT
H) Has your provider signed a Nondisclosure Agreement (NDA) with you?
    Yes / No
I) Has your provider signed a Business Associate Agreement (BAA) with you?
    Yes / No
J) Were you able to customize your Business Associate Agreement (BAA) with your provider?
    Yes / No
K) Do you use a third-party service to manage the configuration and security of this cloud service?
    Yes / No
L) Does your third-party service provider have access to sensitive data?
    Yes / No
M) Has this third party signed a Business Associate Agreement (BAA) with you and the provider?
    Yes with me, not with the cloud provider / Yes with me and the cloud provider / No with me, yes with the cloud provider / No to both me and the cloud provider
N) Does your cloud provider give you a single management console for administration of all services?
    Yes / No
O) How do you access the cloud-based services?
    Point-to-point VPN tunnel / Client access VPN tunnel / Remote Desktop / Secure Shell / Web authentication / Other: SAMPLE TEXT
P) Are you using multi-factor authentication methods to access your cloud services?
    Yes / No
    VPN access with UserID/Certificate / AWS MFA / RADIUS / Other: SAMPLE TEXT
Q) Is your cloud environment connected to your internal network or colocation environment?
    Yes / No
R) Are you using APIs to communicate with your cloud environment?
    For offsite backups / Authentication purposes / Retrieval of data / Upload of data / Not using APIs / Other: SAMPLE TEXT
S) Will your customer be required to use API calls to communicate with your service?
    Yes / No
T) Are you using any third-party APIs to deliver your service?
    Yes / No
U) What types of security measures have been put in place to secure API usage?
    Basic Authentication with TLS / OAuth 1.0 / OAuth 2 / Other: SAMPLE TEXT
V) Do you have access to the hypervisor logs?
    Yes, direct access / Yes, but via requests to the provider / No / Other: SAMPLE TEXT
W) What type of firewall are you using to secure the perimeter network?
    None / Cisco / Open source / Embedded Windows Server firewall / Embedded Linux server firewall / Access control list / Other: SAMPLE TEXT
X) Are your guests on private virtual resources or shared resources?
    Private / Shared
Y) If using cloud storage, do you do the following?
    Encrypt the virtual drives / Provide your own encryption keys / Take snapshots of the storage area / Replicate the storage area to another location / Log access to storage directories / Don't use cloud storage
Z) How do you access your storage area?
    HTTP / HTTPS / Third-party API / Internally provided API / Server-connected API / Don't use cloud storage / Other: SAMPLE TEXT
AA) How does your provider handle the deletion of virtual guests, storage, and/or web services?
    Delete data immediately and overwrite / Delete data immediately using FIPS/DOD methods / Other: SAMPLE TEXT
AB) How does your cloud environment notify you of updates and vulnerabilities within the hosted environment?
    Notify you via email / Create a service ticket / Broadcast a message on its website, blogs, support sites / Other: SAMPLE TEXT
AC) How does your cloud environment handle incidents, updates, and vulnerabilities within the hosted environment?
    Provide a minimum of 48 hours' notice before applying updates / Provide you with workarounds if necessary / Patch straight away if a critical vulnerability arises / Other: SAMPLE TEXT
AD) Does your cloud provider allow vulnerability scans on your servers?
    Yes / No
AE) Are any of your services being replicated to international locations?
    Yes / No
AF) Does the Service Level Agreement have clearly defined terms, definitions and performance parameters?
    Yes / No
AG) Are there penalties for missing predefined SLAs?
    Yes / No
AH) If using the cloud, how does their notification rule coincide with your notification rule?
    SAMPLE TEXT
Operating Systems

3.1) Are you using open source applications to support your solution?
    Yes / No
3.2) Which open source applications are currently deployed in your environment?
    Linux / Apache Tomcat / MySQL / PostgreSQL / ActiveMQ / OpenVPN / PHP / Java / pfSense / Vyatta / Other: SAMPLE TEXT
3.3) Are you using virtualization to provide your solution? If so, which?
    VMware / XenServer / Microsoft / Not using virtualization / Other: SAMPLE TEXT
3.4) Which desktop operating systems are being used in your environment?
    Microsoft Windows 7 or 8 / MacOS / Linux / Other: SAMPLE TEXT
3.5) Do you have the ability to monitor portable devices?
    Yes / No
3.6) Which antivirus/antimalware software are you using to protect your servers?
    Symantec / McAfee / ForeFront / None / Other: SAMPLE TEXT
3.7) Which antivirus/antimalware software are you using to protect your workstations?
    Symantec / McAfee / ForeFront / None / Other: SAMPLE TEXT
3.8) Are you able to remotely scan the software in use inside your environment (including workstations)?
    Yes / No
3.9) Which applications are you using to manage your code revisions?
    Git / Subversion / TeamViewer / None / Other: SAMPLE TEXT
3.10) Are you using any of these cloud-based code revision providers?
    GitHub / Bitbucket / Atlassian / None / Other: SAMPLE TEXT
3.11) Which are you using to manage patches across your environment?
    Centralized patch management / Individual patch management / Combination of both / Other: SAMPLE TEXT
Encryption

4.1) Are you using encryption for data at rest and in transit within your environment?
    Yes / No
4.2) Which items do you encrypt?
    Portable devices, thumb drives, CDs and DVDs / File shares / Databases / Websites / Email / File transfers / PCs and tablets / Connections to internal resources / None / Other: SAMPLE TEXT
4.3) Does your cloud provider have access to your encryption keys?
    Yes / No
4.4) Please provide details.
    SAMPLE TEXT
Backup & Recovery

5.1) What type of backup solutions have you deployed?
    Tape backups / Disk to disk / Snapshots / Real-time replication / Other: SAMPLE TEXT
5.2) Do you back up to an offsite location?
    Yes / No
5.3) Is your offsite backup to the cloud?
    Yes / No
5.4) How often do you test the restore capabilities of your backup?
    Other: SAMPLE TEXT
5.5) Do you have a failover site in case of a loss of services from your primary data center?
    Yes / No
5.6) What type of location is your failover site?
    Fully real-time replicated environment
5.7) Do you run test failover scenarios of the production environment?
    Yes / No
Information Security

Governance

6.1) Does your company have an active Information Security program in place?
    Yes / No
6.2) Does your company have a single person responsible for Information Security?
    Yes / No
6.3) Does your company have a single person responsible for Data Privacy?
    Yes / No
6.4) Does your company conduct any type of formal risk analysis on a regular basis?
    Yes / No
6.5) How often are these risk assessments performed?
    Other: SAMPLE TEXT
6.6) Provide the date of the last risk analysis/assessment conducted.
    27 Jan, 2015
6.7) Does your company perform regular Information Security audits?
    Yes / No
6.8) How are these audits performed?
    External industry-accredited/certified audit / Internal industry-accredited/certified audit / Informal internal audit / Other: SAMPLE TEXT
6.9) What standards are used for these audits?
    ISO/IEC 27001:2005 / Standard of Good Practice / NIST SP 800-53 / ISO 15408 / RFC 2196 / ISA/IEC 62443 (formerly ISA99) / ISA Security Compliance Institute / IASME / HIPAA/HITECH OCR Audit Protocols / COBIT 4.1 / GAPP / Other: SAMPLE TEXT
6.10) How often are these audits performed?
    Other: SAMPLE TEXT
6.11) Provide the date of the last external Information Security audit conducted.
    27 Jan, 2015
6.12) Do you perform vulnerability scans regularly?
    Yes / No
6.13) How often do you perform a vulnerability assessment?
    Other: SAMPLE TEXT
6.14) Are any of these assessments conducted by third-party providers?
    Yes / No
6.15) Will offshore consultants have access to your cloud environment?
    Yes / No
6.16) Will your offshore consultants have access to sensitive data?
    Yes / No
6.17) Please list the countries where these staff are located.
    SAMPLE TEXT
6.18) Do you have a Key Management Policy and Procedure in place for your encryption keys?
    Yes / No
6.19) Do you have a Data Classification policy where data is classified by sensitivity?
    Yes / No
6.20) Do you have an encryption policy and procedure that details how you encrypt sensitive data?
    Yes / No
6.21) Do you have a Policy and Procedure outlining backup and disaster recovery procedures?
    Yes / No
6.22) Do you practice recovery procedures as part of business continuity planning?
    Yes / No
6.23) Have you identified critical assets in your environment?
    Yes / No
6.24) Have you completed a business impact assessment on critical systems?
    Yes / No
6.25) Do you know where all sensitive data, such as PHI, resides in your environment?
    Yes / No
6.26) Do you conduct regular access audits to ensure you know who is accessing sensitive data and how they are using it?
    Yes / No
6.27) Does your organization have a data retention policy?
    Yes / No
6.28) Does your organization have a secure data disposal and destruction policy?
    Yes / No
6.29) Do you perform DR gaming or Business Continuity tabletop exercises for your critical systems?
    Yes / No
6.30) How often do you conduct tabletop exercises?
    Other: SAMPLE TEXT
6.31) Have you established a Critical Incident Response Team (CIRT)?
    Yes / No
6.32) How often does your CIRT meet?
    Weekly / Bi-weekly / Monthly / Bi-monthly / Quarterly / Other: SAMPLE TEXT
6.33) Do you have a formal remediation process when issues are discovered during testing?
    Yes / No
6.34) Do you have a formal policy and procedure for the procurement/use of software within your organization?
    Yes / No
6.35) Do you have in place a policy and procedure for the deployment of software patches?
    Yes / No
6.36) Are you using a centralized tool to facilitate patch management?
    Yes / No
    What tool are you using? SAMPLE TEXT
6.37) Do you have a policy or procedure for defining and reporting incidents?
    Yes / No
6.38) Have you had any critical incidents reported in the last 3 years?
    Yes / No
6.39) Did any of these incidents result in a breach of sensitive data?
    Yes / No
    How was the incident handled and what remediation steps were taken to fix it? SAMPLE TEXT
6.40) Do you have a policy or procedure for reporting unauthorized access to sensitive data?
    Yes / No