SlideShare une entreprise Scribd logo
1  sur  9
Télécharger pour lire hors ligne
HALKYN CONSULTING LTD
Supplier Security
Assessment
Questionnaire
Security Self-Assessment and Reporting
This questionnaire is provided to assist organisations in conducting supplier security assessments. It
is designed to be provided to the supplier (with minimal editing to enter company & supplier names)
who completes it as a self-assessment questionnaire. The nature of this document means cannot be
used as a replacement for a formal, on-site, security assessment by a qualified professional but it can
be used to help allocate resources and prioritise site visits.
Halkyn Security Consulting www.halkynconsulting.co.uk
[Company Name] Supplier Security Assessment Questionnaire Page 1 of 8
Supplier Security Assessment Questionnaire
(SSAQ)
This SSAQ has been issued by [Company Name] to [Supplier Name] to serve as a preliminary
assessment of the security controls provided as part of the requested service. On completion
[Company Name] will make a decision as to the level of physical audit required. Any deliberately
false statements on this assessment will be treated as a breach of contract / disqualify [Supplier
Name] from tendering services under this agreement [delete as applicable].
Instructions: Please provide a detailed response to each question. For questions that are not
applicable to the services provided to [Company Name], please mark the question as “N/A” and
provide an explanation.
Part 1: Document Control
Supplier Name &
Address:
Assessment Completed
by:
Date of assessment:
Additional Documents
Provided
Relevant Network Diagram
Relevant Security Diagram
Relevant System Architecture
Technical Interface Design
Relevant 3rd
Party Security Assessment(s) (e.g. SAS 70, Pentests, etc.)
Part 2: Policy Compliance
Control Area Control Question Supplier response
Security
Policies
Does your organization have a
documented information security
policy?
What is the time interval at which
security policies are reviewed and
updated?
Who is responsible for security policy
development, maintenance, and
issuance?
Are all security policies and standards
readily available to all users (e.g.,
posted on company intranet)?
Halkyn Security Consulting www.halkynconsulting.co.uk
[Company Name] Supplier Security Assessment Questionnaire Page 2 of 8
Control Area Control Question Supplier response
Policy
Coverage
Select the security areas which are addressed within your information security
policies and standards:
Acceptable Use Data Privacy
Remote Access / Wireless Access Control
IT Security Incident Response Encryption Standards
Data/System Classification Anti-Virus
Third Party Connectivity Email / Instant Messaging
Physical Security Personnel Security
Network/Perimeter Security Clear Desk
Other
Details:
Policy
Provision
Is a complete set of your
organisation’s security policies
available for review?
Part 3: Detailed Security Control Assessment
Control Area Control Question Supplier response
Organizational
Security
Have security-related job
responsibilities, including oversight
and accountability, been clearly
defined and documented?
Have the security policies, standards,
and procedures been reviewed and
critiqued by a qualified third party?
Has the security perimeter
infrastructure been assessed and
reviewed by a qualified third party?
Do your third-party contracts contain
language describing responsibilities
regarding information protection
requirements?
Describe the process by which third-
parties are granted privileged access
to [Company Name] Data.
Asset
Classification
and Control
Do you maintain an inventory of all
important information assets with
asset owners clearly identified?
Describe your information
classification methods and labelling
practices.
Describe how user access is granted
to different information
classifications?
What are your procedures with
regards to the handling and storage
of information assets?
Halkyn Security Consulting www.halkynconsulting.co.uk
[Company Name] Supplier Security Assessment Questionnaire Page 3 of 8
Control Area Control Question Supplier response
Personnel
Security
Do terms and conditions of
employment clearly define
information security requirements,
including non-disclosure provisions
for separated employees and
contractors?
Describe the screening process for all
users (employees, contractors,
vendors, and other third-parties)?
Do you conduct formal information
security awareness training for all
users, including upper management?
Do you require additional training for
system administrators, developers,
and other users with privileged
usage?
Is there a formal procedure dictating
actions that must be taken when a
user has violated any information
security policies?
Are all users required to sign a
confidentiality agreement?
Physical and
Environmental
Security
Describe the physical security
mechanisms that prevent
unauthorized access to your office
space, user workstations, and server
rooms/data centres?
Are all critical information assets
located in a physically secure area?
How do you protect your systems
from environmental hazards such as
fire, smoke, water, vibration,
electrical supply interfaces, and dust?
What type of fire suppression
systems are installed in the data
centres (pre-action, mist, wet, clean
agent, etc)?
What physical access restrictions
have you put in place? Please
describe your badge access system.
How is contractor access granted to
secure locations?
What exterior security is provided
(i.e. gates, secure vehicle access,
security cameras, etc.)?
Halkyn Security Consulting www.halkynconsulting.co.uk
[Company Name] Supplier Security Assessment Questionnaire Page 4 of 8
Control Area Control Question Supplier response
Is there a natural disaster risk? What
means of business continuity and
disaster recovery are employed to
mitigate?
Describe your facilities system
maintenance process.
Are the systems configured to record
system faults?
Do you have a formal media
destruction policy?
Do you employ automatic locking
screen savers when users’
workstations remain idle after a set
period of time?
How is the removal of equipment
from the premises authorized and
controlled?
Are logs maintained that record all
changes to information systems?
Communications
and Operations
Management
Describe how you segregate duties to
ensure a secure environment.
Describe how changes are deployed
into the production environment.
Who manages/maintains your data
centre? If you use a third-party
contractor to maintain your systems,
describe the vetting process by which
that contractor was selected.
How do you protect your systems
against newly-discovered
vulnerabilities and threats?
How do you prevent end users from
installing potentially malicious
software (e.g., list of approved
applications, locking down the
desktop)?
Do you scan traffic coming into your
network for viruses?
How do you protect the
confidentiality and integrity of data
between your company and
[Company Name]?
Halkyn Security Consulting www.halkynconsulting.co.uk
[Company Name] Supplier Security Assessment Questionnaire Page 5 of 8
Control Area Control Question Supplier response
How do you dispose of computer
media when they are no longer of
use?
Do you keep logs of media disposal
activity?
How is system documentation
(network diagrams, run books,
configuration guides, etc.) secured
from unauthorized access?
Are backup procedures documented
and monitored to ensure they are
properly followed?
Describe how you protect
information media (e.g., back-up
tapes) that is shipped offsite.
Describe the process by which
software malfunctions are reported
and handled.
Describe your hiring process and how
a new employee is granted access to
network resources.
Describe the process by which a non-
employee (e.g., contractor, vendor,
and customer) is granted access to
network resources.
How many users will have privileged
access to systems containing
[Company Name] Data?
What processes and standards do
you follow for incident management,
problem management, change
management, and configuration
management?
Please describe the technical
platform that supports the
monitoring, maintenance and
support processes (both hardware
and software platforms).
Access Control Please describe your Access Control
Policy.
Describe your account and password
restrictions for internally facing
applications.
Describe your account and password
restrictions for externally facing
applications.
Halkyn Security Consulting www.halkynconsulting.co.uk
[Company Name] Supplier Security Assessment Questionnaire Page 6 of 8
Control Area Control Question Supplier response
Describe your authentication
methods used to authenticate users
and or third parties via external
connections.
Do you conduct periodic checks on
users’ accesses to ensure their access
matches their responsibilities?
Describe how you segment your
network (i.e. security zones, DMZs,
etc).
Do you enable any remote
administration capabilities on your
servers and network devices? If so,
which protocol(s) do you use?
Describe any controls which are used
to monitor and record system and
application access.
Do workstations or production
servers currently utilize any type of
Host Intrusion Prevention or
Detection software?
To what extent are user’s system use
logged and monitored?
Are failed login attempts recorded
and reviewed on a regular basis?
Development &
Maintenance
What tools and technologies do you
utilize to effectively manage the
development lifecycle?
Do you use data sets containing
personal information from actual
people when testing an application?
If so, what measures do you take to
protect that information?
Are your test systems secured in the
same manner as your production
systems?
Describe how you protect your
application source libraries
Do security specialists conduct
technical reviews of application
designs?
Are security professionals involved in
the testing phase of an application?
Describe how you protect your
applications from covert channels
and Trojan code.
Halkyn Security Consulting www.halkynconsulting.co.uk
[Company Name] Supplier Security Assessment Questionnaire Page 7 of 8
Control Area Control Question Supplier response
During the course of a software
development project, when do you
typically start to discuss the security
design requirements?
Have your developers been trained in
secure coding techniques?
Describe your techniques to handle
input and output validation when
designing a software application.
Do you assess the risks around
messaging to determine if message
authentication is required?
Information
Security Incident
Management
Has a dedicated Information Security
Response Team been established?
Has the Incident Response Team
been trained in evidence gathering
and handling?
Are incident reports issued to
appropriate management?
After an incident, are policies and
procedures reviewed to determine if
modifications need to be
implemented?
Business
Continuity
Management
Has an organizational disaster
recovery plan coordinator been
named and a mission statement
identifying scope and responsibilities
been published?
Has a "worst-case" scenario to
recover normal operations within a
prescribed timeframe been
implemented and tested?
Has a listing of current emergency
telephone numbers for police, fire
department, medical aid and
company officials been strategically
located throughout all facilities and
at off-site locations?
Halkyn Security Consulting www.halkynconsulting.co.uk
[Company Name] Supplier Security Assessment Questionnaire Page 8 of 8
Control Area Control Question Supplier response
Is the backup site remote from
hazards that endanger the main data
centre?
Have contracts for outsourced
activities been amended to include
service providers' responsibilities for
Disaster Recovery Planning?
Have lead times for communication
lines and equipment, specialized
devices, power connectors,
construction, firewalls and computer
configurations have been factored
into the Disaster Recovery Plan?
Is at least one copy of the Disaster
Recovery Plan stored at the backup
site and updated regularly?
Are automatic restart and recovery
procedures are in place to restore
data files in the event of a processing
failure?
Are contingency arrangements in
place for hardware, software,
communications and staff?
Compliance Are the security policies and
procedures routinely tested?
Are exceptions to security policies
and procedures justified and
documented?
Are audit logs or other reporting
mechanisms in place on all
platforms?
When an employee is found to be in
non-compliance with the security
policies, has appropriate disciplinary
action been taken?
Are audits performed on a regular
basis?
Are unscheduled/surprise audits
performed?
Has someone been identified as
responsible for managing audit
results?

Contenu connexe

Tendances

Administering Organization Filing Centres (Registries)
Administering Organization Filing Centres (Registries)Administering Organization Filing Centres (Registries)
Administering Organization Filing Centres (Registries)SOLOMON M KAMINDA
 
Note on ‘Mapping’ CAAT Audit technique with 3 practical examples
Note on ‘Mapping’  CAAT Audit technique with  3 practical examplesNote on ‘Mapping’  CAAT Audit technique with  3 practical examples
Note on ‘Mapping’ CAAT Audit technique with 3 practical examplesAnmolDhale2
 
Management information system
Management information systemManagement information system
Management information systemKalpana B
 
Financial Information Systems
Financial Information SystemsFinancial Information Systems
Financial Information Systemscatch_ashutosh
 
Accounting information system presentation
Accounting information system presentationAccounting information system presentation
Accounting information system presentationS M Maruf Siddiqe
 
Transaction processing system
Transaction processing systemTransaction processing system
Transaction processing systemVidhu Arora
 
MIS enterprise system for collaboration
MIS enterprise system for collaborationMIS enterprise system for collaboration
MIS enterprise system for collaborationSabana Maharjan
 
Applications of MIS in HRM
Applications of MIS in HRMApplications of MIS in HRM
Applications of MIS in HRMAnujith KR
 
Sole proprietorship
Sole proprietorshipSole proprietorship
Sole proprietorshipmhdrafi01
 
What is e-commerce- Traditional Commerce Vs. E-Commerce
What is e-commerce- Traditional Commerce Vs. E-CommerceWhat is e-commerce- Traditional Commerce Vs. E-Commerce
What is e-commerce- Traditional Commerce Vs. E-CommerceJustine Therese Zamora
 
Management information system with relevance to Nepal
Management information system with relevance to NepalManagement information system with relevance to Nepal
Management information system with relevance to NepalDarshan Bhattarai
 
Types of Information Systems
Types of Information SystemsTypes of Information Systems
Types of Information Systemsjencai302
 
Transaction processing system
Transaction processing systemTransaction processing system
Transaction processing systemJayson Jueco
 
نظام اودو من دياموند فيجن
نظام اودو من دياموند فيجننظام اودو من دياموند فيجن
نظام اودو من دياموند فيجنDiamondVision
 
13099838 management-information-system-unit1-part2
13099838 management-information-system-unit1-part213099838 management-information-system-unit1-part2
13099838 management-information-system-unit1-part2Ngaire Taylor
 
Aa basic accounting
Aa basic accountingAa basic accounting
Aa basic accountingmrsamba8855
 

Tendances (20)

Administering Organization Filing Centres (Registries)
Administering Organization Filing Centres (Registries)Administering Organization Filing Centres (Registries)
Administering Organization Filing Centres (Registries)
 
Note on ‘Mapping’ CAAT Audit technique with 3 practical examples
Note on ‘Mapping’  CAAT Audit technique with  3 practical examplesNote on ‘Mapping’  CAAT Audit technique with  3 practical examples
Note on ‘Mapping’ CAAT Audit technique with 3 practical examples
 
Management information system
Management information systemManagement information system
Management information system
 
Transaction Processing System
Transaction Processing SystemTransaction Processing System
Transaction Processing System
 
Computerized accounting.
Computerized accounting.Computerized accounting.
Computerized accounting.
 
Financial Information Systems
Financial Information SystemsFinancial Information Systems
Financial Information Systems
 
Accounting information system presentation
Accounting information system presentationAccounting information system presentation
Accounting information system presentation
 
Transaction processing system
Transaction processing systemTransaction processing system
Transaction processing system
 
MIS enterprise system for collaboration
MIS enterprise system for collaborationMIS enterprise system for collaboration
MIS enterprise system for collaboration
 
Applications of MIS in HRM
Applications of MIS in HRMApplications of MIS in HRM
Applications of MIS in HRM
 
revenue models
revenue modelsrevenue models
revenue models
 
Sole proprietorship
Sole proprietorshipSole proprietorship
Sole proprietorship
 
What is e-commerce- Traditional Commerce Vs. E-Commerce
What is e-commerce- Traditional Commerce Vs. E-CommerceWhat is e-commerce- Traditional Commerce Vs. E-Commerce
What is e-commerce- Traditional Commerce Vs. E-Commerce
 
Management information system with relevance to Nepal
Management information system with relevance to NepalManagement information system with relevance to Nepal
Management information system with relevance to Nepal
 
Types of Information Systems
Types of Information SystemsTypes of Information Systems
Types of Information Systems
 
Transaction processing system
Transaction processing systemTransaction processing system
Transaction processing system
 
نظام اودو من دياموند فيجن
نظام اودو من دياموند فيجننظام اودو من دياموند فيجن
نظام اودو من دياموند فيجن
 
13099838 management-information-system-unit1-part2
13099838 management-information-system-unit1-part213099838 management-information-system-unit1-part2
13099838 management-information-system-unit1-part2
 
Aa basic accounting
Aa basic accountingAa basic accounting
Aa basic accounting
 
Portal
PortalPortal
Portal
 

Similaire à Supplier security assessment questionnaire

17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...abhichowdary16
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentationAlan Holyoke
 
QI Security Framework_v2007_7
QI Security Framework_v2007_7QI Security Framework_v2007_7
QI Security Framework_v2007_7Hong Sin Kwek
 
Determine Maintenance strateg.docx
Determine Maintenance strateg.docxDetermine Maintenance strateg.docx
Determine Maintenance strateg.docxDarkKnight367793
 
To meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STo meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STakishaPeck109
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditingPiyush Jain
 
Applying Security Control to Implement EFG FCU Standards
Applying Security Control to Implement EFG FCU Standards Applying Security Control to Implement EFG FCU Standards
Applying Security Control to Implement EFG FCU Standards Lillian Ekwosi-Egbulem
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity AuditEC-Council
 
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docxoswald1horne84988
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docxLynellBull52
 
Audit Practice at CipherTechs
Audit Practice at CipherTechsAudit Practice at CipherTechs
Audit Practice at CipherTechsMordecai Kraushar
 
Access Control System Essay
Access Control System EssayAccess Control System Essay
Access Control System EssayCarla Bennington
 
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?centralohioissa
 

Similaire à Supplier security assessment questionnaire (20)

17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
SDET UNIT 5.pptx
SDET UNIT 5.pptxSDET UNIT 5.pptx
SDET UNIT 5.pptx
 
Ch06 Policy
Ch06 PolicyCh06 Policy
Ch06 Policy
 
QI Security Framework_v2007_7
QI Security Framework_v2007_7QI Security Framework_v2007_7
QI Security Framework_v2007_7
 
Information Security
Information SecurityInformation Security
Information Security
 
Determine Maintenance strateg.docx
Determine Maintenance strateg.docxDetermine Maintenance strateg.docx
Determine Maintenance strateg.docx
 
To meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STo meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, S
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSA
 
Backtrack manual Part1
Backtrack manual Part1Backtrack manual Part1
Backtrack manual Part1
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 
InsiderAttack_p3.ppt
InsiderAttack_p3.pptInsiderAttack_p3.ppt
InsiderAttack_p3.ppt
 
Applying Security Control to Implement EFG FCU Standards
Applying Security Control to Implement EFG FCU Standards Applying Security Control to Implement EFG FCU Standards
Applying Security Control to Implement EFG FCU Standards
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity Audit
 
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
 
Audit Practice at CipherTechs
Audit Practice at CipherTechsAudit Practice at CipherTechs
Audit Practice at CipherTechs
 
Access Control System Essay
Access Control System EssayAccess Control System Essay
Access Control System Essay
 
Eng Solutions - Capability Statement-Latest
Eng Solutions - Capability Statement-LatestEng Solutions - Capability Statement-Latest
Eng Solutions - Capability Statement-Latest
 
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
 

Plus de Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

Plus de Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Dernier

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 

Dernier (20)

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 

Supplier security assessment questionnaire

  • 1. HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments. It is designed to be provided to the supplier (with minimal editing to enter company & supplier names) who completes it as a self-assessment questionnaire. The nature of this document means cannot be used as a replacement for a formal, on-site, security assessment by a qualified professional but it can be used to help allocate resources and prioritise site visits.
  • 2. Halkyn Security Consulting www.halkynconsulting.co.uk [Company Name] Supplier Security Assessment Questionnaire Page 1 of 8 Supplier Security Assessment Questionnaire (SSAQ) This SSAQ has been issued by [Company Name] to [Supplier Name] to serve as a preliminary assessment of the security controls provided as part of the requested service. On completion [Company Name] will make a decision as to the level of physical audit required. Any deliberately false statements on this assessment will be treated as a breach of contract / disqualify [Supplier Name] from tendering services under this agreement [delete as applicable]. Instructions: Please provide a detailed response to each question. For questions that are not applicable to the services provided to [Company Name], please mark the question as “N/A” and provide an explanation. Part 1: Document Control Supplier Name & Address: Assessment Completed by: Date of assessment: Additional Documents Provided Relevant Network Diagram Relevant Security Diagram Relevant System Architecture Technical Interface Design Relevant 3rd Party Security Assessment(s) (e.g. SAS 70, Pentests, etc.) Part 2: Policy Compliance Control Area Control Question Supplier response Security Policies Does your organization have a documented information security policy? What is the time interval at which security policies are reviewed and updated? Who is responsible for security policy development, maintenance, and issuance? Are all security policies and standards readily available to all users (e.g., posted on company intranet)?
  • 3. Halkyn Security Consulting www.halkynconsulting.co.uk [Company Name] Supplier Security Assessment Questionnaire Page 2 of 8 Control Area Control Question Supplier response Policy Coverage Select the security areas which are addressed within your information security policies and standards: Acceptable Use Data Privacy Remote Access / Wireless Access Control IT Security Incident Response Encryption Standards Data/System Classification Anti-Virus Third Party Connectivity Email / Instant Messaging Physical Security Personnel Security Network/Perimeter Security Clear Desk Other Details: Policy Provision Is a complete set of your organisation’s security policies available for review? Part 3: Detailed Security Control Assessment Control Area Control Question Supplier response Organizational Security Have security-related job responsibilities, including oversight and accountability, been clearly defined and documented? Have the security policies, standards, and procedures been reviewed and critiqued by a qualified third party? Has the security perimeter infrastructure been assessed and reviewed by a qualified third party? Do your third-party contracts contain language describing responsibilities regarding information protection requirements? Describe the process by which third- parties are granted privileged access to [Company Name] Data. Asset Classification and Control Do you maintain an inventory of all important information assets with asset owners clearly identified? Describe your information classification methods and labelling practices. Describe how user access is granted to different information classifications? What are your procedures with regards to the handling and storage of information assets?
  • 4. Halkyn Security Consulting www.halkynconsulting.co.uk [Company Name] Supplier Security Assessment Questionnaire Page 3 of 8 Control Area Control Question Supplier response Personnel Security Do terms and conditions of employment clearly define information security requirements, including non-disclosure provisions for separated employees and contractors? Describe the screening process for all users (employees, contractors, vendors, and other third-parties)? Do you conduct formal information security awareness training for all users, including upper management? Do you require additional training for system administrators, developers, and other users with privileged usage? Is there a formal procedure dictating actions that must be taken when a user has violated any information security policies? Are all users required to sign a confidentiality agreement? Physical and Environmental Security Describe the physical security mechanisms that prevent unauthorized access to your office space, user workstations, and server rooms/data centres? Are all critical information assets located in a physically secure area? How do you protect your systems from environmental hazards such as fire, smoke, water, vibration, electrical supply interfaces, and dust? What type of fire suppression systems are installed in the data centres (pre-action, mist, wet, clean agent, etc)? What physical access restrictions have you put in place? Please describe your badge access system. How is contractor access granted to secure locations? What exterior security is provided (i.e. gates, secure vehicle access, security cameras, etc.)?
  • 5. Halkyn Security Consulting www.halkynconsulting.co.uk [Company Name] Supplier Security Assessment Questionnaire Page 4 of 8 Control Area Control Question Supplier response Is there a natural disaster risk? What means of business continuity and disaster recovery are employed to mitigate? Describe your facilities system maintenance process. Are the systems configured to record system faults? Do you have a formal media destruction policy? Do you employ automatic locking screen savers when users’ workstations remain idle after a set period of time? How is the removal of equipment from the premises authorized and controlled? Are logs maintained that record all changes to information systems? Communications and Operations Management Describe how you segregate duties to ensure a secure environment. Describe how changes are deployed into the production environment. Who manages/maintains your data centre? If you use a third-party contractor to maintain your systems, describe the vetting process by which that contractor was selected. How do you protect your systems against newly-discovered vulnerabilities and threats? How do you prevent end users from installing potentially malicious software (e.g., list of approved applications, locking down the desktop)? Do you scan traffic coming into your network for viruses? How do you protect the confidentiality and integrity of data between your company and [Company Name]?
  • 6. Halkyn Security Consulting www.halkynconsulting.co.uk [Company Name] Supplier Security Assessment Questionnaire Page 5 of 8 Control Area Control Question Supplier response How do you dispose of computer media when they are no longer of use? Do you keep logs of media disposal activity? How is system documentation (network diagrams, run books, configuration guides, etc.) secured from unauthorized access? Are backup procedures documented and monitored to ensure they are properly followed? Describe how you protect information media (e.g., back-up tapes) that is shipped offsite. Describe the process by which software malfunctions are reported and handled. Describe your hiring process and how a new employee is granted access to network resources. Describe the process by which a non- employee (e.g., contractor, vendor, and customer) is granted access to network resources. How many users will have privileged access to systems containing [Company Name] Data? What processes and standards do you follow for incident management, problem management, change management, and configuration management? Please describe the technical platform that supports the monitoring, maintenance and support processes (both hardware and software platforms). Access Control Please describe your Access Control Policy. Describe your account and password restrictions for internally facing applications. Describe your account and password restrictions for externally facing applications.
  • 7. Halkyn Security Consulting www.halkynconsulting.co.uk [Company Name] Supplier Security Assessment Questionnaire Page 6 of 8 Control Area Control Question Supplier response Describe your authentication methods used to authenticate users and or third parties via external connections. Do you conduct periodic checks on users’ accesses to ensure their access matches their responsibilities? Describe how you segment your network (i.e. security zones, DMZs, etc). Do you enable any remote administration capabilities on your servers and network devices? If so, which protocol(s) do you use? Describe any controls which are used to monitor and record system and application access. Do workstations or production servers currently utilize any type of Host Intrusion Prevention or Detection software? To what extent are user’s system use logged and monitored? Are failed login attempts recorded and reviewed on a regular basis? Development & Maintenance What tools and technologies do you utilize to effectively manage the development lifecycle? Do you use data sets containing personal information from actual people when testing an application? If so, what measures do you take to protect that information? Are your test systems secured in the same manner as your production systems? Describe how you protect your application source libraries Do security specialists conduct technical reviews of application designs? Are security professionals involved in the testing phase of an application? Describe how you protect your applications from covert channels and Trojan code.
  • 8. Halkyn Security Consulting www.halkynconsulting.co.uk [Company Name] Supplier Security Assessment Questionnaire Page 7 of 8 Control Area Control Question Supplier response During the course of a software development project, when do you typically start to discuss the security design requirements? Have your developers been trained in secure coding techniques? Describe your techniques to handle input and output validation when designing a software application. Do you assess the risks around messaging to determine if message authentication is required? Information Security Incident Management Has a dedicated Information Security Response Team been established? Has the Incident Response Team been trained in evidence gathering and handling? Are incident reports issued to appropriate management? After an incident, are policies and procedures reviewed to determine if modifications need to be implemented? Business Continuity Management Has an organizational disaster recovery plan coordinator been named and a mission statement identifying scope and responsibilities been published? Has a "worst-case" scenario to recover normal operations within a prescribed timeframe been implemented and tested? Has a listing of current emergency telephone numbers for police, fire department, medical aid and company officials been strategically located throughout all facilities and at off-site locations?
  • 9. Halkyn Security Consulting www.halkynconsulting.co.uk [Company Name] Supplier Security Assessment Questionnaire Page 8 of 8 Control Area Control Question Supplier response Is the backup site remote from hazards that endanger the main data centre? Have contracts for outsourced activities been amended to include service providers' responsibilities for Disaster Recovery Planning? Have lead times for communication lines and equipment, specialized devices, power connectors, construction, firewalls and computer configurations have been factored into the Disaster Recovery Plan? Is at least one copy of the Disaster Recovery Plan stored at the backup site and updated regularly? Are automatic restart and recovery procedures are in place to restore data files in the event of a processing failure? Are contingency arrangements in place for hardware, software, communications and staff? Compliance Are the security policies and procedures routinely tested? Are exceptions to security policies and procedures justified and documented? Are audit logs or other reporting mechanisms in place on all platforms? When an employee is found to be in non-compliance with the security policies, has appropriate disciplinary action been taken? Are audits performed on a regular basis? Are unscheduled/surprise audits performed? Has someone been identified as responsible for managing audit results?