Hello Carine,
Thank you so much for your response. Here are the questions that need to be fulfilled:
- Do you have any Information Security certificate (e.g. ISO 27001, PCI DSS, SOC) or IT security related accreditation?
- Do you have Information Security policies, to govern the Information Security function and protect your information assets?
- Do you have documented Information Security roles and responsibilities, and staff to perform these responsibilities?
- Do you have documented business continuity and disaster recovery policies, processes and plans?
- Do you have Information Security Risk Management processes that address assessment, mitigation and monitoring of information risk?
- Do you have documented policies and processes defined and implemented to ensure compliance with information security or privacy legal and regulatory requirements including regular reviews of compliance?
- Do you have Information Security Incident Management processes that include coordination with customer’s Information Security Incident Management processes?
- Do you have policies and processes defined and implemented for HR Information Security Management that clearly define the roles and responsibilities of staff to protect information assets?
- Do you perform background verification checks for all staff in accordance with legal and regulatory requirements?
- Do you have an Information Security training and awareness program in place for all employees (new, existing, permanent, or contractual staff)?
- Do you have a documented Access Control policy and processes for provisioning, revocation, revalidation, access reviews and remote access?
- Do you have documented policies and processes to monitor the actions of users with privileged access to systems?
- Do you have Secure Application / System Development policies and processes that address information security requirements for the development and implementation of application/systems?
- Do you follow any secure coding guidelines while developing applications/systems?
- Do you have documented policies and processes to ensure that application information security events are logged and the events are monitored?
- Do you have documented policies and processes to ensure that no actual customer data is used in testing or that such data is sanitized prior to use for testing purposes?
- Do you have Network Security policies and processes that address network segregation, network access control, network device administration, security configuration, and remote device management?
- Do you have a secure network architecture that addresses network segmentation and protection between the internal network and public networks and the segmentation of internal network to provide appropriate security zones?
- Do you have configuration standards for network devices that address secure configuration of these devices?
- Do you perform Vulnerability Assessment and/or Penetration Testing at periodic intervals and address issues identified in this testing in a timely manner?
- Are intrusion detection/prevention (IDS/IPS) tools deployed in your network and configured to detect and/or prevent malicious attempts to compromise networks, systems or information, and are these systems appropriately monitored and managed?
- Do you have processes to provide secure remote access to network devices for administrators that address business requirements, access controls, logging and review of access?
- Do you have Physical and Environmental Information Security policies and processes to physically protect information assets?
- Do you have policies, processes and tools to facilitate the following:
  - Log monitoring and review
  - Monitoring and regular testing of backups
  - Centralized Access Management
  - Incident and Change Management
  - Workstation Security Management
  - Data Loss Prevention tools to monitor for data leakage
- Will this vendor process personal or sensitive information? Please provide an approximation.
Hoping for your response.
Thank you so much!