HALKYN CONSULTING LTD
Supplier Security Assessment Questionnaire
Security Self-Assessment and Reporting
This questionnaire is provided to assist organisations in conducting supplier security assessments. It is designed to be provided to the supplier (with minimal editing to enter company and supplier names), who completes it as a self-assessment questionnaire. Because it is a self-assessment, it cannot be used as a replacement for a formal, on-site security assessment by a qualified professional, but it can be used to help allocate resources and prioritise site visits.
Halkyn Security Consulting www.halkynconsulting.co.uk
[Company Name] Supplier Security Assessment Questionnaire Page 1 of 8
Supplier Security Assessment Questionnaire (SSAQ)
This SSAQ has been issued by [Company Name] to [Supplier Name] to serve as a preliminary assessment of the security controls provided as part of the requested service. On completion, [Company Name] will make a decision as to the level of physical audit required. Any deliberately false statements on this assessment will be treated as a breach of contract / will disqualify [Supplier Name] from tendering services under this agreement [delete as applicable].

Instructions: Please provide a detailed response to each question. For questions that are not applicable to the services provided to [Company Name], please mark the question as "N/A" and provide an explanation.
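The questionnaire exists to feed one decision: how much on-site audit a supplier needs. The following Python script is an added example, not part of the Halkyn questionnaire or its template. It takes a reviewer's scoring of a completed SSAQ (constructed sample responses, with question text taken from the sections below), enforces the instruction above that every N/A must carry an explanation, ranks control areas by weighted gap so site-visit time goes where the gaps are, and recommends an audit depth. The 0 to 2 scoring scale, the area weights and the depth thresholds are assumptions.

```python
"""Triage a completed Supplier Security Assessment Questionnaire (SSAQ).
Added example: scoring scale, area weights, thresholds and the sample
responses are assumptions, not part of the Halkyn questionnaire."""
from dataclasses import dataclass, field
from typing import Optional

MAX_SCORE = 2  # reviewer scale (assumption): 0 absent/unanswered, 1 partial, 2 in place and evidenced

# Relative weight of each control area for this engagement (assumption).
AREA_WEIGHT = {
    "Access Control": 3,
    "Information Security Incident Management": 3,
    "Personnel Security": 2,
    "Physical and Environmental Security": 1,
}

@dataclass
class Response:
    area: str
    question: str
    answer: str              # supplier's free-text response
    score: Optional[int]     # reviewer score 0..MAX_SCORE, or None for N/A
    na_reason: str = ""      # the instructions require this whenever N/A is used

@dataclass
class AreaResult:
    area: str
    scored: int = 0
    max_score: int = 0
    issues: list = field(default_factory=list)

    def coverage(self) -> Optional[float]:
        """Fraction of available score achieved; None if every question was N/A."""
        return self.scored / self.max_score if self.max_score else None

def validate(resp: Response) -> list:
    """Apply the questionnaire's completion rules to one response."""
    problems = []
    if resp.score is None:
        if not resp.na_reason.strip():
            problems.append(f"N/A without explanation: {resp.question}")
    elif not 0 <= resp.score <= MAX_SCORE:
        problems.append(f"score {resp.score} outside 0..{MAX_SCORE}: {resp.question}")
    elif resp.score > 0 and not resp.answer.strip():
        problems.append(f"scored but no response given: {resp.question}")
    return problems

def triage(responses) -> dict:
    """Aggregate validated responses per control area."""
    results = {}
    for r in responses:
        area = results.setdefault(r.area, AreaResult(r.area))
        area.issues.extend(validate(r))
        if r.score is not None:
            area.scored += r.score
            area.max_score += MAX_SCORE
    return results

def weighted_gap(area: AreaResult) -> float:
    """Area weight times the uncovered fraction; 0 for areas that were entirely N/A."""
    cov = area.coverage()
    return 0.0 if cov is None else AREA_WEIGHT.get(area.area, 1) * (1 - cov)

def prioritise(results: dict) -> list:
    """Control areas ranked for site-visit attention, largest weighted gap first."""
    ranked = sorted(results.values(), key=weighted_gap, reverse=True)
    return [(a.area, round(weighted_gap(a), 2)) for a in ranked]

def audit_depth(results: dict) -> str:
    """Recommend the level of physical audit (thresholds are assumptions)."""
    if any(a.issues for a in results.values()):
        return "full on-site audit"  # an incomplete self-assessment cannot be relied on
    scored = [a for a in results.values() if a.coverage() is not None]
    if not scored:
        return "full on-site audit"  # nothing was actually answered
    total_w = sum(AREA_WEIGHT.get(a.area, 1) for a in scored)
    overall = sum(AREA_WEIGHT.get(a.area, 1) * a.coverage() for a in scored) / total_w
    if overall < 0.5:
        return "full on-site audit"
    if overall < 0.8:
        return "targeted site visit"
    return "desk review only"

# Constructed sample responses (assumption); question text is from the SSAQ.
SAMPLE = [
    Response("Access Control", "Describe your account and password restrictions for externally facing applications.",
             "MFA enforced; 14-character minimum; lockout after 10 failures.", 2),
    Response("Access Control", "Are failed login attempts recorded and reviewed on a regular basis?",
             "Forwarded to central log platform; reviewed weekly.", 2),
    Response("Access Control", "Do you conduct periodic checks on users' accesses to ensure their access matches their responsibilities?",
             "No formal review; access removed on leaver notification only.", 0),
    Response("Information Security Incident Management", "Has a dedicated Information Security Response Team been established?",
             "Yes, four named staff with an on-call rota.", 2),
    Response("Information Security Incident Management", "Has the Incident Response Team been trained in evidence gathering and handling?",
             "One member has forensics training; no documented handling procedure.", 1),
    Response("Personnel Security", "Are all users required to sign a confidentiality agreement?",
             "N/A", None),  # N/A with no explanation: must be flagged
    Response("Physical and Environmental Security", "What type of fire suppression systems are installed in the data centres?",
             "N/A", None, na_reason="Service is hosted in a third-party cloud; no supplier data centre."),
]
```

Run `triage(SAMPLE)` and pass the result to `prioritise()` and `audit_depth()`. With the sample as given the recommendation is a full on-site audit: the unexplained N/A makes the self-assessment unreliable regardless of the scores elsewhere, which is why the N/A rule is checked before any arithmetic. Supply the missing explanation and the same responses produce a targeted site visit, with Access Control ranked first because its weighted gap (weight 3, one of three questions scored zero) is the largest.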
Part 1: Document Control

Supplier Name & Address:
Assessment Completed by:
Date of assessment:
Additional Documents Provided:
- Relevant Network Diagram
- Relevant Security Diagram
- Relevant System Architecture
- Technical Interface Design
- Relevant 3rd Party Security Assessment(s) (e.g. SAS 70, Pentests, etc.)
Part 2: Policy Compliance

Control Area | Control Question | Supplier response

Security Policies
- Does your organization have a documented information security policy?
- What is the time interval at which security policies are reviewed and updated?
- Who is responsible for security policy development, maintenance, and issuance?
- Are all security policies and standards readily available to all users (e.g., posted on company intranet)?
Policy Coverage
- Select the security areas which are addressed within your information security policies and standards:
  - Acceptable Use
  - Data Privacy
  - Remote Access / Wireless
  - Access Control
  - IT Security Incident Response
  - Encryption Standards
  - Data/System Classification
  - Anti-Virus
  - Third Party Connectivity
  - Email / Instant Messaging
  - Physical Security
  - Personnel Security
  - Network/Perimeter Security
  - Clear Desk
  - Other (Details:)

Policy Provision
- Is a complete set of your organisation's security policies available for review?
Part 3: Detailed Security Control Assessment

Control Area | Control Question | Supplier response

Organizational Security
- Have security-related job responsibilities, including oversight and accountability, been clearly defined and documented?
- Have the security policies, standards, and procedures been reviewed and critiqued by a qualified third party?
- Has the security perimeter infrastructure been assessed and reviewed by a qualified third party?
- Do your third-party contracts contain language describing responsibilities regarding information protection requirements?
- Describe the process by which third parties are granted privileged access to [Company Name] Data.

Asset Classification and Control
- Do you maintain an inventory of all important information assets with asset owners clearly identified?
- Describe your information classification methods and labelling practices.
- Describe how user access is granted to different information classifications.
- What are your procedures with regards to the handling and storage of information assets?
Personnel Security
- Do terms and conditions of employment clearly define information security requirements, including non-disclosure provisions for separated employees and contractors?
- Describe the screening process for all users (employees, contractors, vendors, and other third parties).
- Do you conduct formal information security awareness training for all users, including upper management?
- Do you require additional training for system administrators, developers, and other users with privileged usage?
- Is there a formal procedure dictating actions that must be taken when a user has violated any information security policies?
- Are all users required to sign a confidentiality agreement?

Physical and Environmental Security
- Describe the physical security mechanisms that prevent unauthorized access to your office space, user workstations, and server rooms/data centres.
- Are all critical information assets located in a physically secure area?
- How do you protect your systems from environmental hazards such as fire, smoke, water, vibration, electrical supply interference, and dust?
- What type of fire suppression systems are installed in the data centres (pre-action, mist, wet, clean agent, etc)?
- What physical access restrictions have you put in place? Please describe your badge access system.
- How is contractor access granted to secure locations?
- What exterior security is provided (e.g. gates, secure vehicle access, security cameras, etc.)?
- Is there a natural disaster risk? What means of business continuity and disaster recovery are employed to mitigate it?
- Describe your facilities system maintenance process.
- Are the systems configured to record system faults?
- Do you have a formal media destruction policy?
- Do you employ automatic locking screen savers when users' workstations remain idle after a set period of time?
- How is the removal of equipment from the premises authorized and controlled?
- Are logs maintained that record all changes to information systems?
Communications and Operations Management
- Describe how you segregate duties to ensure a secure environment.
- Describe how changes are deployed into the production environment.
- Who manages/maintains your data centre? If you use a third-party contractor to maintain your systems, describe the vetting process by which that contractor was selected.
- How do you protect your systems against newly-discovered vulnerabilities and threats?
- How do you prevent end users from installing potentially malicious software (e.g., list of approved applications, locking down the desktop)?
- Do you scan traffic coming into your network for viruses?
- How do you protect the confidentiality and integrity of data between your company and [Company Name]?
- How do you dispose of computer media when they are no longer of use?
- Do you keep logs of media disposal activity?
- How is system documentation (network diagrams, run books, configuration guides, etc.) secured from unauthorized access?
- Are backup procedures documented and monitored to ensure they are properly followed?
- Describe how you protect information media (e.g., back-up tapes) that is shipped offsite.
- Describe the process by which software malfunctions are reported and handled.
- Describe your hiring process and how a new employee is granted access to network resources.
- Describe the process by which a non-employee (e.g., contractor, vendor, or customer) is granted access to network resources.
- How many users will have privileged access to systems containing [Company Name] Data?
- What processes and standards do you follow for incident management, problem management, change management, and configuration management?
- Please describe the technical platform that supports the monitoring, maintenance and support processes (both hardware and software platforms).
Access Control
- Please describe your Access Control Policy.
- Describe your account and password restrictions for internally facing applications.
- Describe your account and password restrictions for externally facing applications.
- Describe the authentication methods used to authenticate users and/or third parties via external connections.
- Do you conduct periodic checks on users' accesses to ensure their access matches their responsibilities?
- Describe how you segment your network (e.g. security zones, DMZs, etc).
- Do you enable any remote administration capabilities on your servers and network devices? If so, which protocol(s) do you use?
- Describe any controls which are used to monitor and record system and application access.
- Do workstations or production servers currently utilize any type of Host Intrusion Prevention or Detection software?
- To what extent is users' system use logged and monitored?
- Are failed login attempts recorded and reviewed on a regular basis?
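"Recorded and reviewed" is easy to answer "yes" to and hard to evidence. The following Python script is an added example, not part of the questionnaire, showing the kind of review a supplier could demonstrate in response to the last question above. It parses constructed OpenSSH sshd authentication lines in syslog format (the year is assumed, since syslog timestamps omit it), flags any source address exceeding a failure threshold within a sliding window, and separately flags a successful login from a source that failed shortly before, which is the case a plain lockout counter misses. The threshold and window length are assumptions.

```python
"""Review sshd failed-login records (added example, not from the questionnaire).
Log lines are constructed in OpenSSH/syslog format; YEAR, the threshold and the
window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

YEAR = 2024  # syslog timestamps carry no year (assumption)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse(line):
    """Return (timestamp, result, user, ip) for an sshd auth result line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def _prune(q, now, window_s):
    """Drop failure timestamps that fall outside the sliding window."""
    while q and (now - q[0]).total_seconds() > window_s:
        q.popleft()

def review(lines, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside the window, and any
    successful login from a source that failed within the window just before
    (guessing that worked). Returns a list of (finding, source_ip, detail)."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    reported = set()              # sources already flagged for a burst
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue              # not an authentication result line
        ts, result, user, ip = ev
        q = recent[ip]
        _prune(q, ts, window_s)
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in reported:
                findings.append(("burst", ip, f"{len(q)} failures within {window_s}s"))
                reported.add(ip)
        else:
            if q:
                findings.append(("success-after-failures", ip,
                                 f"{user} accepted after {len(q)} failure(s) within {window_s}s"))
            q.clear()
    return findings

def failures_by_source(lines):
    """Per-source failure count and the sorted set of usernames tried."""
    out = {}
    for line in lines:
        ev = parse(line)
        if ev and ev[1] == "Failed":
            entry = out.setdefault(ev[3], [0, set()])
            entry[0] += 1
            entry[1].add(ev[2])
    return {ip: (count, sorted(users)) for ip, (count, users) in out.items()}

# Constructed sample log (assumption): documentation-range addresses only.
SAMPLE_LOG = """\
Mar 14 09:12:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 14 09:12:03 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 14 09:12:05 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 14 09:12:08 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 14 09:12:10 bastion sshd[2209]: Failed password for deploy from 203.0.113.7 port 51242 ssh2
Mar 14 09:12:12 bastion sshd[2211]: Failed password for deploy from 203.0.113.7 port 51244 ssh2
Mar 14 09:30:44 bastion sshd[2300]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Mar 14 09:30:51 bastion sshd[2302]: Accepted password for alice from 198.51.100.23 port 40024 ssh2
Mar 14 10:02:17 bastion sshd[2410]: Accepted publickey for bob from 192.0.2.44 port 33010 ssh2
Mar 14 10:05:00 bastion sshd[2415]: pam_unix(sshd:session): session opened for user bob
"""
```

Running `review(SAMPLE_LOG.splitlines())` yields one burst finding for 203.0.113.7 (five failures in nine seconds, across three usernames) and one success-after-failures finding for alice from 198.51.100.23; bob's key-based login raises nothing because that source has no recent failures. A reviewer asking for evidence against this question would expect to see output of this shape, on a schedule, with a record of what was done about each finding.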
Development & Maintenance
- What tools and technologies do you utilize to effectively manage the development lifecycle?
- Do you use data sets containing personal information from actual people when testing an application? If so, what measures do you take to protect that information?
- Are your test systems secured in the same manner as your production systems?
- Describe how you protect your application source libraries.
- Do security specialists conduct technical reviews of application designs?
- Are security professionals involved in the testing phase of an application?
- Describe how you protect your applications from covert channels and Trojan code.
- During the course of a software development project, when do you typically start to discuss the security design requirements?
- Have your developers been trained in secure coding techniques?
- Describe your techniques to handle input and output validation when designing a software application.
- Do you assess the risks around messaging to determine if message authentication is required?
Information Security Incident Management
- Has a dedicated Information Security Response Team been established?
- Has the Incident Response Team been trained in evidence gathering and handling?
- Are incident reports issued to appropriate management?
- After an incident, are policies and procedures reviewed to determine if modifications need to be implemented?
Business Continuity Management
- Has an organizational disaster recovery plan coordinator been named and a mission statement identifying scope and responsibilities been published?
- Has a "worst-case" scenario to recover normal operations within a prescribed timeframe been implemented and tested?
- Has a listing of current emergency telephone numbers for police, fire department, medical aid and company officials been strategically located throughout all facilities and at off-site locations?
- Is the backup site remote from hazards that endanger the main data centre?
- Have contracts for outsourced activities been amended to include service providers' responsibilities for Disaster Recovery Planning?
- Have lead times for communication lines and equipment, specialized devices, power connectors, construction, firewalls and computer configurations been factored into the Disaster Recovery Plan?
- Is at least one copy of the Disaster Recovery Plan stored at the backup site and updated regularly?
- Are automatic restart and recovery procedures in place to restore data files in the event of a processing failure?
- Are contingency arrangements in place for hardware, software, communications and staff?
Compliance
- Are the security policies and procedures routinely tested?
- Are exceptions to security policies and procedures justified and documented?
- Are audit logs or other reporting mechanisms in place on all platforms?
- When an employee is found to be in non-compliance with the security policies, has appropriate disciplinary action been taken?
- Are audits performed on a regular basis?
- Are unscheduled/surprise audits performed?
- Has someone been identified as responsible for managing audit results?

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

Supplier Security Assessment Questionnaire (full text)

HALKYN CONSULTING LTD
Supplier Security Assessment Questionnaire
Security Self-Assessment and Reporting

This questionnaire is provided to assist organisations in conducting supplier security assessments. It is designed to be provided to the supplier (with minimal editing to enter company and supplier names), who completes it as a self-assessment questionnaire. The nature of this document means it cannot be used as a replacement for a formal, on-site security assessment by a qualified professional, but it can be used to help allocate resources and prioritise site visits.

Halkyn Security Consulting www.halkynconsulting.co.uk
[Company Name] Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire (SSAQ)

This SSAQ has been issued by [Company Name] to [Supplier Name] to serve as a preliminary assessment of the security controls provided as part of the requested service. On completion [Company Name] will make a decision as to the level of physical audit required. Any deliberately false statements on this assessment will be treated as a breach of contract / disqualify [Supplier Name] from tendering services under this agreement [delete as applicable].

Instructions: Please provide a detailed response to each question. For questions that are not applicable to the services provided to [Company Name], please mark the question as "N/A" and provide an explanation.

Part 1: Document Control

Supplier Name & Address:
Assessment Completed by:
Date of assessment:
Additional Documents Provided:
  Relevant Network Diagram
  Relevant Security Diagram
  Relevant System Architecture
  Technical Interface Design
  Relevant 3rd Party Security Assessment(s) (e.g. SAS 70, Pentests, etc.)

Part 2: Policy Compliance

Table columns: Control Area | Control Question | Supplier response (the response column is left blank for the supplier to complete).

Security Policies
  Does your organization have a documented information security policy?
  What is the time interval at which security policies are reviewed and updated?
  Who is responsible for security policy development, maintenance, and issuance?
  Are all security policies and standards readily available to all users (e.g., posted on company intranet)?

Policy Coverage
  Select the security areas which are addressed within your information security policies and standards:
    Acceptable Use
    Data Privacy
    Remote Access / Wireless
    Access Control
    IT Security Incident Response
    Encryption Standards
    Data/System Classification
    Anti-Virus
    Third Party Connectivity
    Email / Instant Messaging
    Physical Security
    Personnel Security
    Network/Perimeter Security
    Clear Desk
    Other (details):

Policy Provision
  Is a complete set of your organisation's security policies available for review?

Part 3: Detailed Security Control Assessment

Table columns: Control Area | Control Question | Supplier response.

Organizational Security
  Have security-related job responsibilities, including oversight and accountability, been clearly defined and documented?
  Have the security policies, standards, and procedures been reviewed and critiqued by a qualified third party?
  Has the security perimeter infrastructure been assessed and reviewed by a qualified third party?
  Do your third-party contracts contain language describing responsibilities regarding information protection requirements?
  Describe the process by which third parties are granted privileged access to [Company Name] Data.

Asset Classification and Control
  Do you maintain an inventory of all important information assets with asset owners clearly identified?
  Describe your information classification methods and labelling practices.
  Describe how user access is granted to different information classifications.
  What are your procedures with regards to the handling and storage of information assets?

Personnel Security
  Do terms and conditions of employment clearly define information security requirements, including non-disclosure provisions for separated employees and contractors?
  Describe the screening process for all users (employees, contractors, vendors, and other third parties).
  Do you conduct formal information security awareness training for all users, including upper management?
  Do you require additional training for system administrators, developers, and other users with privileged usage?
  Is there a formal procedure dictating actions that must be taken when a user has violated any information security policies?
  Are all users required to sign a confidentiality agreement?

Physical and Environmental Security
  Describe the physical security mechanisms that prevent unauthorized access to your office space, user workstations, and server rooms/data centres.
  Are all critical information assets located in a physically secure area?
  How do you protect your systems from environmental hazards such as fire, smoke, water, vibration, electrical supply interference, and dust?
  What type of fire suppression systems are installed in the data centres (pre-action, mist, wet, clean agent, etc.)?
  What physical access restrictions have you put in place? Please describe your badge access system.
  How is contractor access granted to secure locations?
  What exterior security is provided (i.e. gates, secure vehicle access, security cameras, etc.)?
  Is there a natural disaster risk? What means of business continuity and disaster recovery are employed to mitigate it?
  Describe your facilities system maintenance process.
  Are the systems configured to record system faults?
  Do you have a formal media destruction policy?
  Do you employ automatic locking screen savers when users' workstations remain idle after a set period of time?
  How is the removal of equipment from the premises authorized and controlled?
  Are logs maintained that record all changes to information systems?

Communications and Operations Management
  Describe how you segregate duties to ensure a secure environment.
  Describe how changes are deployed into the production environment.
  Who manages/maintains your data centre?
  If you use a third-party contractor to maintain your systems, describe the vetting process by which that contractor was selected.
  How do you protect your systems against newly-discovered vulnerabilities and threats?
  How do you prevent end users from installing potentially malicious software (e.g., list of approved applications, locking down the desktop)?
  Do you scan traffic coming into your network for viruses?
  How do you protect the confidentiality and integrity of data between your company and [Company Name]?
  How do you dispose of computer media when they are no longer of use? Do you keep logs of media disposal activity?
  How is system documentation (network diagrams, run books, configuration guides, etc.) secured from unauthorized access?
  Are backup procedures documented and monitored to ensure they are properly followed?
  Describe how you protect information media (e.g., back-up tapes) that is shipped offsite.
  Describe the process by which software malfunctions are reported and handled.
  Describe your hiring process and how a new employee is granted access to network resources.
  Describe the process by which a non-employee (e.g., contractor, vendor, or customer) is granted access to network resources.
  How many users will have privileged access to systems containing [Company Name] Data?
  What processes and standards do you follow for incident management, problem management, change management, and configuration management?
  Please describe the technical platform that supports the monitoring, maintenance and support processes (both hardware and software platforms).

Access Control
  Please describe your Access Control Policy.
  Describe your account and password restrictions for internally facing applications.
  Describe your account and password restrictions for externally facing applications.
  Describe the authentication methods used to authenticate users and/or third parties via external connections.
  Do you conduct periodic checks on users' accesses to ensure their access matches their responsibilities?
  Describe how you segment your network (i.e. security zones, DMZs, etc.).
  Do you enable any remote administration capabilities on your servers and network devices? If so, which protocol(s) do you use?
  Describe any controls which are used to monitor and record system and application access.
  Do workstations or production servers currently utilize any type of Host Intrusion Prevention or Detection software?
  To what extent is users' system use logged and monitored?
  Are failed login attempts recorded and reviewed on a regular basis?

Development & Maintenance
  What tools and technologies do you utilize to effectively manage the development lifecycle?
  Do you use data sets containing personal information from actual people when testing an application? If so, what measures do you take to protect that information?
  Are your test systems secured in the same manner as your production systems?
  Describe how you protect your application source libraries.
  Do security specialists conduct technical reviews of application designs?
  Are security professionals involved in the testing phase of an application?
  Describe how you protect your applications from covert channels and Trojan code.
  During the course of a software development project, when do you typically start to discuss the security design requirements?
  Have your developers been trained in secure coding techniques?
  Describe your techniques to handle input and output validation when designing a software application.
  Do you assess the risks around messaging to determine if message authentication is required?

Information Security Incident Management
  Has a dedicated Information Security Response Team been established?
  Has the Incident Response Team been trained in evidence gathering and handling?
  Are incident reports issued to appropriate management?
  After an incident, are policies and procedures reviewed to determine if modifications need to be implemented?

Business Continuity Management
  Has an organizational disaster recovery plan coordinator been named and a mission statement identifying scope and responsibilities been published?
  Has a "worst-case" scenario to recover normal operations within a prescribed timeframe been implemented and tested?
  Has a listing of current emergency telephone numbers for police, fire department, medical aid and company officials been strategically located throughout all facilities and at off-site locations?
  Is the backup site remote from hazards that endanger the main data centre?
  Have contracts for outsourced activities been amended to include service providers' responsibilities for Disaster Recovery Planning?
  Have lead times for communication lines and equipment, specialized devices, power connectors, construction, firewalls and computer configurations been factored into the Disaster Recovery Plan?
  Is at least one copy of the Disaster Recovery Plan stored at the backup site and updated regularly?
  Are automatic restart and recovery procedures in place to restore data files in the event of a processing failure?
  Are contingency arrangements in place for hardware, software, communications and staff?

Compliance
  Are the security policies and procedures routinely tested?
  Are exceptions to security policies and procedures justified and documented?
  Are audit logs or other reporting mechanisms in place on all platforms?
  When an employee is found to be in non-compliance with the security policies, has appropriate disciplinary action been taken?
  Are audits performed on a regular basis?
  Are unscheduled/surprise audits performed?
  Has someone been identified as responsible for managing audit results?