A partner wants a copy of our written IT security policy and I’m not sure what to do [closed]

They don’t need a copy of your entire internal IT policy, but I think they may be after something similar to this – someone definitely needs to get you enough information about the contract to determine how much detail you need to provide, and about what. Though I agree with Joseph – if they need the information for legal/compliance reasons, there needs to be legal input.

Background Information

1) Are any of your employees located outside of the US?

2) Does your company have formalized and documented information security policies in place?

3) Is the handling and classification of information and data covered by your information security policies?

4) Are there any outstanding regulatory issues that you are currently addressing in the state(s) you operate in?
If yes, please explain.

General Security

1) Do you have an information security awareness training program for employees and contractors?

2) Which of the following methods for authenticating and authorizing access to your systems and applications do you currently use:

  • Performed by operating system
  • Performed by commercial product
  • Single sign-on
  • Client-side digital certificates
  • Other two-factor authentication
  • Home grown
  • No authentication mechanism in place

3) Who authorizes access for employees, contractors, temps, vendors, and business partners?

4) Do you allow your employees (including contractors, temps, vendors, etc.) to have remote access to your networks?

5) Do you have an information security incident response plan?
If no, how are information security incidents handled?

6) Do you have a policy that addresses the handling of internal or confidential information in e-mail messages to outside your company?

7) Do you review your information security policies and standards at least annually?

8) What methods and physical controls are in place to prevent unauthorized access to your company’s secure areas?

  • Network servers in locked rooms
  • Physical access to servers limited by security identification (access cards, biometrics, etc.)
  • Video monitoring
  • Sign-in logs and procedures
  • Security badges or ID cards visible at all times in secure areas
  • Security guards
  • None
  • Other (please provide additional details)

9) Please describe your password policy for all environments (i.e., length, strength and aging).

10) Do you have a disaster recovery (DR) plan?
If yes, how often do you test it?

11) Do you have a Business Continuity (BC) plan?
If yes, how often do you test it?

12) Will you provide us a copy of your test results (BC and DR) if requested?

Architecture and system review

1) Will [The Company]’s data and/or applications be stored and/or processed on a dedicated or shared server?

2) If on a shared server, how will [The Company]’s data be segmented from other companies’ data?

3) What type(s) of company-to-company connectivity will be provided?

  • Internet
  • Private/Leased line (e.g., T1)
  • Dial-up
  • VPN (Virtual Private Network)
  • Terminal Service
  • None
  • Other (please provide additional details)

4) Will this network connectivity be encrypted?
If yes, what method(s) of encryption will be used?

5) Is there any client-side code (including ActiveX or Java code) required in order to utilize the solution?
If yes, please describe.

6) Do you have a firewall(s) to control external network access to your web server(s)?
If no, where is this server(s) located?

7) Does your network include a DMZ for Internet access to applications?
If no, where are these applications located?

8) Does your organization take steps to ensure against Denial-of-Service outages?
Please describe these steps.

9) Do you perform any of the following information security reviews/tests?

  • Internal system/network scans
  • Internally managed self assessments and/or due diligence reviews
  • Internal code reviews/peer reviews
  • External 3rd party penetration tests/studies
  • Other (please provide details)

How frequently are these tests performed?

10) Which of the following information security practices are being actively used within your organization?

  • Access control lists
  • Digital certificates – Server Side
  • Digital certificates – Client Side
  • Digital signatures
  • Network based intrusion detection/prevention
  • Host Based intrusion detection/prevention
  • Scheduled updates to intrusion detection/prevention signature files
  • Intrusion monitoring 24×7
  • Continuous virus scanning
  • Scheduled updates to virus signature files
  • Penetration studies and/or tests
  • None

11) Do you have standards for hardening or securing your operating systems?

12) Do you have a schedule for applying updates and hot fixes to your operating systems?
If no, please tell us how you determine what and when to apply patches and critical updates.

13) To provide protection from a power or network failure, do you maintain fully redundant systems for your key transactional systems?

Web Server (if applicable)

1) What is the URL that will be used to access the application/data?

2) What operating system(s) do the web server(s) run? (Please provide OS name, version and service pack or patch level.)

3) What is the web server software?

Application Server (if applicable)

1) What operating system(s) do the application server(s) run? (Please provide OS name, version and service pack or patch level.)

2) What is the application server software?

3) Are you using role based access control?
If yes, how are the access levels assigned to roles?

4) How do you ensure that appropriate authorization and segregation of duties are in place?

5) Does your application employ multi-level user access / security?
If yes, please provide details.

6) Are activities in your application monitored by a third party system or service?
If yes, please provide us with the company and service name and what information is being monitored.

Database Server (if applicable)

1) What operating system(s) do the database server(s) run? (Please provide OS name, version and service pack or patch level.)

2) Which database server software is being utilized?

3) Is the DB replicated?

4) Is the DB server part of a cluster?

5) What is done (if anything) to isolate [The Company]’s data from other companies?

6) Will [The Company]’s data, when stored on disk, be encrypted?
If yes, please describe the encryption method.

7) How is source data captured?

8) How are data integrity errors handled?

Auditing and Logging

1) Do you log customer access on:

  • The web server?
  • The application server?
  • The database server?

2) Are the logs reviewed?
If yes, please explain the process and how often they are reviewed.

3) Do you provide systems and resources to maintain and monitor audit logs and transaction logs?
If yes, what logs do you retain and how long do you store them?

4) Will you allow [The Company] to review your system logs as they pertain to our company?

Privacy

1) What are the processes and procedures used to declassify/delete/discard [The Company]’s data when no longer needed?

2) Have you at any time erroneously or accidentally disclosed customer information?
If yes, what corrective measures have you implemented since?

3) Do contractors (non-employees) have access to sensitive or confidential information?
If yes, have they signed a non-disclosure agreement?

4) Do you have vendors that are authorized to access and maintain your networks, systems, or applications?
If yes, are these vendors under written contracts providing for confidentiality, background checks, and insurance/indemnification against loss?

5) How is your data classified and secured?

Operations

1) What is the frequency and level of your back-ups?

2) What is the onsite retention period of back-ups?

3) What format are your backups stored in?

4) Do you store backups at an off-site location?
If yes, what is the retention period?

5) Do you encrypt your data backups?

6) How do you ensure that only valid production programs are executed?
