  • questions

  • Is there a risk assessment program that has been approved by management, communicated to constituents, and has an owner to maintain and review the program?
    approved risk management program
  • Is there a risk assessment program that has been approved by management? Does this program have an owner?
    approved risk management program
  • Prior to granting access to information processing systems, does your organization require all non-employees, Third Party Services Providers, and subcontractors to sign a confidentiality (non-disclosure) agreement?
    employee agreement
  • Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and has an owner to maintain and review the program?
    approved risk management program
  • Are Constituents required to sign employment agreements?
    employee agreement
  • Is there a documented information security risk assessment program that has been approved by management and communicated to appropriate constituents? Please provide a copy and elaborate.
    approved risk management program
  • Does your company require employees and contract workers to read and acknowledge applicable security and compliance policies and procedures on an annual basis?
    employee agreement
  • Formal termination/post-employment responsibilities (e.g., adhering to confidentiality agreements, security requirements, legal responsibilities) have been defined and are communicated to employees, contractors, and other third party resources.
    employee agreement
  • Does your company have a comprehensive risk management program, approved and overseen by management, which would examine and manage all risks to the confidentiality, integrity, availability and auditability of any data that is handled by your company?
    approved risk management program
  • Does your company require its employees to sign a Non-Disclosure Agreement?
    employee agreement
  • Do you require new employees to fill out agreements and review policies?
    employee agreement
  • Do you require that employment agreements are signed by newly hired or on-boarded workforce personnel prior to granting workforce personnel user access to corporate facilities, resources, and assets?
    employee agreement
  • Have policies, standards, and procedures for implementing the third party risk management program been reviewed and approved by senior management?
    approved risk management program, change authorization
  • Are IDS and/or IPS signatures updated automatically?
    intrusion detection
  • Are Network Intrusion Detection capabilities employed?
    intrusion detection
  • Do you have security tools, intrusion detection/prevention systems, and/or anomaly detection systems with alerting?
    intrusion detection
  • Are Intrusion Detection/Prevention Systems employed in all sensitive network zones and wherever firewalls are enabled?
    intrusion detection
  • Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?
    intrusion detection
  • Do you use an intrusion detection and prevention system (IDPS)?
    single sign on, intrusion detection
  • Do you provide network intrusion detection monitoring?
    intrusion detection
  • Does your network design include both an intrusion detection system and an intrusion prevention system, and the ability to mitigate advanced malware and advanced persistent threats?
    intrusion detection
  • What PHI will be stored within the Vendor's hosted site?
    protected health information
  • Can you describe the policies and procedures implemented to ensure that the use or disclosure of protected health information is limited to the minimum necessary?
    medical information, protected health information
  • Are there documented policies and procedures to detect and report unauthorized acquisition, use, or disclosure of PHI client scoped data?
    protected health information
  • Does the application contain patient information (ePHI)?
    protected health information
  • Is there a requirement for the use of texting of PHI/PII/PI or confidential information?
    protected health information
  • Does this system or application process, store, or transmit PHI (Protected Health Information)?
    protected health information, medical information
  • Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as Protected Health Information (PHI) or other higher healthcare classifications of privacy data under the U.S. Health Insurance Portability and Accountability Act (HIPAA)?
    protected health information, medical information
  • Does the application enforce timeouts of idle sessions?
    session timeout
  • Does your application automatically lock or log-out an account after a period of inactivity?
    session timeout
  • Does the application/system have a session lock after a period of inactivity that requires a user to reauthenticate?
    session timeout
  • Do you enforce automatic timeouts on idle privileged admin sessions?
    session timeout
  • Please provide the name of each subcontractor you use, and short description of the services they provide and how they process personal information.
    3rd party data processing, list of subcontractors
  • Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?
    production data leakage
  • Are scoped systems and data used in the test, development, or QA environments?
    production data leakage
  • Is production data used for development and/or testing?
    production data leakage
  • Prior to promoting applications to production, are test data (i.e. not personally identifiable), test accounts, usernames, and passwords, removed from production systems and validated?
    application name, production data leakage
  • Do you ensure that production data is not placed in lower/non-production environments?
    production data leakage
  • Does your company utilize a vulnerability scanning tool to identify vulnerabilities on external and/or internal hosts?
    internal vulnerability scanning, external vulnerability scanning
  • Does your organization ensure that internal and external vulnerability scans are performed at least quarterly?
    internal vulnerability scanning, external vulnerability scanning
  • Are internal vulnerability scans performed monthly and issues resolved in line with defined SLAs?
    internal vulnerability scanning, service level agreement
  • Are vulnerability scans performed against internal networks and systems?
    internal vulnerability scanning
  • How frequently do you perform vulnerability scans for internal and external facing networks? Which tool is used to perform these scans?
    internal vulnerability scanning, external vulnerability scanning
  • Are firewalls used to control access to all of your public facing information systems?
    dmz firewall rule
  • Is security approval required to connect a device on the company network to a non-company network (including the Internet) if it bypasses network security devices (e.g., firewall, IPS, content filter)?
    dmz firewall rule
  • Is your company’s network design a 3-tier architecture with firewall-separated tiers, including a presentation tier within a DMZ utilizing both internal and external hardware firewalls?
    dmz firewall rule
  • Is every connection to an external network terminated at a firewall (e.g., the Internet, partner networks)?
    dmz firewall rule
  • Is there a firewall at each Internet connection and between any demilitarized zone (DMZ) and internal network zone?
    dmz firewall rule
  • Are backups stored in a secure location?
    backup media security
  • Are backups containing scoped data stored in an environment where the security controls protecting them are equivalent to production environment security controls?
    backup media security
  • Is the backup data, along with the procedure to restore the backup, stored securely and offsite in a location that would be considered safe in the event of natural disaster?
    backup media security
  • Do you have a backup retention policy that ensures backup is restored securely to an official backup location?
    backup media security
  • Is backup media stored in a trusted, secured location?
    backup media security
  • Are backup image snapshots containing scoped data stored in an environment where the security controls protecting them are commensurate with the production environment?
    backup media security
  • Do you have anti-virus/malware programs installed on all systems which support your cloud service offerings?
    malware policy
  • Do you have a policy that requires BYOD users to use anti-malware software?
    malware policy
  • Does your anti-malware policy or program include defined operating systems that require antivirus?
    malware policy
  • Do you have anti-malware programs that support your cloud service offerings?
    malware policy
  • Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your IT infrastructure network and systems components?
    malware policy
  • Is there an anti-malware policy or program that has been approved by management, communicated to appropriate constituents, and has an owner to maintain and review the policy?
    malware policy
  • Do you maintain a complete inventory of all of your critical assets which includes ownership of the asset?
    asset inventory
  • Do you maintain a complete inventory of all of your critical assets located at all sites or geographical locations, and their assigned ownership?
    asset inventory
  • Do you have a centralized inventory of hardware, software, information, and physical assets documented, maintained, and approved by management?
    asset inventory
  • Does the risk assessment process identify and monitor qualitative risk?
    monitoring internal risk
  • Do you have an enterprise risk management (ERM) program in place to actively monitor and report on risks?
    monitoring internal risk
  • Do you maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information?
    asset inventory
  • Do you provide multi-failure disaster recovery capability?
    disaster recovery
  • Do asset inventory and management processes include all physical objects with network connectivity (IoT Devices)?
    asset inventory
  • Is an automated asset inventory discovery tool used to inventory devices on the network?
    asset inventory
  • Do you provide a disaster recovery capability?
    disaster recovery
  • Is the asset inventory updated on a periodic basis as new system assets are connected to the network?
    asset inventory
  • Does the organization have a defined computer security incident response process in place that has been successfully tested within the past 12 months?
    recent incident disclosures
  • Has there been a security incident in the past 24 months?
    recent incident disclosures
  • Have any of your third party vendors suffered a data loss or security breach within the last 3 years?
    recent incident disclosures
  • Has your company suffered a data loss or security breach within the last 3 years?
    recent incident disclosures
  • Is there a process to monitor all identified risks on a continual basis?
    monitoring internal risk
  • Please describe a typical disaster recovery plan and business continuity plan.
    disaster recovery, business continuity
  • Do you have a Disaster Recovery Plan?
    disaster recovery
  • Is there a formal, documented information technology disaster recovery exercise and testing program in place?
    disaster recovery
  • Describe or provide a reference to how your disaster recovery plan is tested (i.e. scope of DR tests, end-to-end testing, etc.).
    disaster recovery
  • Do Disaster Recovery tests include production transaction processing?
    disaster recovery
  • Do disaster recovery plans include documented tests and results?
    disaster recovery
  • Do you have an asset tracking management process and system?
    asset inventory
  • Do Disaster Recovery tests include data center failover testing?
    disaster recovery
  • Does your organization have an inventory of all hardware and software assets?
    asset inventory
  • Is access to production source code libraries appropriately logged and restricted?
    source code access
  • Does your risk management program include measures for defining, monitoring, and reporting risk metrics?
    monitoring internal risk
  • In which country or countries is data stored and/or processed?
    data storage locations
  • Do you have a well-defined and documented procedure for assessing information security risks and opportunities for improvement?
    monitoring internal risk
  • Do you currently have a policy which defines levels of severity/risk for various types of vulnerabilities and required remediation time frames?
    monitoring internal risk
  • Does the time stamp for audit log entries synchronize with other applications and systems using NTP/SNTP?
    time sync
  • Do you have a physical security program?
    physical security controls
  • Do you allow tenants to define acceptable geographical locations for data storage, routing or resource instantiation?
    data storage locations
  • Does your organization have physical security controls and policies in place?
    physical security controls
  • Does your equipment resist NTP attacks?
    time sync
  • Do you have policies and procedures for physical and environmental security?
    physical security controls
  • Are network and server platform clocks synchronized daily to an authorized network time protocol (NTP) server?
    time sync
  • Do you have physical security and environmental controls in the data center and office buildings?
    physical security controls
  • Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed and stored and transmitted?
    data storage locations
  • Are the time stamps for log entries coming from a system clock that synchronizes with an approved NTP / SNTP source?
    time sync
