Vendor Audit Questionnaire

Academic year: 2021

The following questionnaire should be completed as thoroughly as possible. When information cannot be provided it should be noted why it cannot be provided. Information may be sanitized to protect the security and privacy of the audited organization, but it must be noted as such.

Completing this questionnaire in an honest, accurate manner is more important than any single control, precaution, or procedure being in place. Not all controls are required; what is required is knowledge of what is in place.

Security Management Practices

Security Policies

- Please provide copies of your Corporate Security Policy and any other policies relating to information security: Acceptable Use Policy, Encryption Policy, Data Retention Policy, Data Classification Policy, Certificate Policy, Audit Policy, Remote Access Policy, etc.

Security Organization

- Please provide a general outline of your security organization: number of dedicated full-time security professionals, number of shared resources, and reporting structure.

Procedures

- Please provide a list of any documented procedures such as Certification Practice Statement, Standard Operating Procedures, Build Procedures, Incident Response Plan, Disaster Recovery Plan, etc.

Business Continuity Management

Availability

- Please describe your power capacity, planning, and design.

- Please describe the technology used to provide high availability in your environment, and how and when it is used. Include the use of hot standby, cold spare, clustering, RAID, etc.

Disaster Recovery

- Please provide an explanation of your DR plan, including, where applicable, hot-site and cold-site information, capacity, and timeframes.

- How frequently do you run DR tests?

Data Retention


Access Control List

- Which devices do you employ ACLs on?

- Please provide the ACLs for these devices.

- Do you restrict physical access? How?

- Do you restrict local / console access? How?

Firewall Technology and Rules

- What firewalls are used?

- Where are these located within your network?

- What rule sets are you using? Please provide your rule base.

Authentication Mechanisms

- What authentication mechanisms do you use? Please provide a list of the types of authentication you use and when you use each type.

- How do you handle account management? How is this enforced?

Encryption: VPN, SSL, S/MIME

- On what communications do you employ encryption?

- What algorithms do you employ, and at what key length?

- What vendors do you use?

Physical and Environmental Security

- How is physical security controlled at your facility? Is this done by a third party? If so, which one?

- Please list environmental controls, including: air handlers, fire suppression and detection systems, and environmental alerting systems.

Asset Classification and Control

Data Classification and Handling

- Do you have a defined data classification policy? Please describe.

- Do you label and mark data with a sensitivity level? Please describe.

- Do you have different handling procedures for more sensitive data? Please describe.

Data Storage and Co-location

- How is your data storage managed?

- Do you have separate storage for sensitive systems?

- Do multiple customers/clients share physical hardware? Logical devices? Virtual devices?

Privacy-Related Data Management

- Do you classify, identify, and mark privacy-related information?

- Do you have a specific handling procedure for privacy-related material?


Asset Tracking

- Do you track physical assets? How do you identify these assets?

- How do you maintain hardware inventory controls?

Incident Response and Management

Incident Response Plan

- Do you have a developed incident response plan? Please describe.

- How often do you test this plan?

- Do you report incidents to any third parties (CERT, FBI, Secret Service, etc.)?

- Do you maintain forensic investigators or forensic tools for in-house investigation of incidents?

Intrusion Detection – Alerts, Monitoring, Configuration, Location

- Do you have in-house Network Intrusion Detection or Host Intrusion Detection? If so, please describe.

- Do you subscribe to any services for bug or vulnerability notification?

- Do you have a documented incident response plan? Please attach.

- Do you monitor logs? How often are logs checked?

- Are audit logs maintained? For how long? In what form/format?

- Do you have an alerting system? Please describe.

- How are alerts transmitted?

- Do you use SNMP?

Service Level Agreements

- What service levels do you maintain for outages, maintenance, and security-related incidents? Please include times for notification, first-contact response, and final resolution.

Antivirus

Procedures

- What are your procedures for antivirus detection, response, and inoculation?

Locations

- On what devices do you employ antivirus?

- Which vendor(s) do you use for these?

- How do you manage definition files?

General Technology

Database

- Do you have a standardized database solution?

- What is your database platform?

- What is your RDBMS?


Server OS

- Do you have a standardized server OS?

- What is that OS?

- How many systems do you maintain that are not standardized?

- Do you have a standardized build and configuration baseline?

Server Hardware

- Do you use a standardized hardware platform?

- How many devices do you maintain that are not standardized?

- Do multiple customers / clients share physical, logical, or virtual hardware?

Network Hardware

- Do you have a standardized network hardware platform?

- How many devices do you maintain that are not standardized?

- Do you monitor network uptime and health? What systems do you use for this?

- Do you have a centralized management system? What system do you use?

Web

- What web server software do you use?

- What application server software do you use?

- Do you employ a multi-tier architecture? If so, please provide a diagram.

- Do you employ a reverse proxy?

- Do you use SSL?

- Do you provide authenticated access? By what method?

- What is your standard development environment, and what tools do you use with it?

- Do you have a standard web server build and configuration baseline?

Compliance, Law, and Investigation

- Do you maintain compliance with any of the following? How do you maintain compliance with each standard? Please provide the results of the last audit for each standard.

  - ISO Compliance
  - CFR 21 Part 11
  - GLB
  - HIPAA
  - Sarbanes-Oxley
  - SB1316

Audit and Assessment

- Please provide any policies or methodologies used in the following audits.

- Please provide the interval at which you audit the following areas.

- Please provide the results of your last audits of these types.

- Do you use an independent third-party auditor? If so, who?

  - Privacy
  - Physical Security
  - BCDR Audit
  - Software Compliance

Third Party Agreements

References
