@opexxx
Created September 6, 2022 22:07
Shared Assessments Standardized Information Gathering (SIG) questionnaire
Question Number | SIG Question Text | Domain
C.1 Are responsibilities for asset protection and for carrying out specific information security processes clearly identified and communicated to the relevant parties? Organizational Security
C.1.7 Do the processes include residual risk acceptance responsibilities? Organizational Security
C.2 Does the organization's executive leadership ensure information security policy is established and aligned with organizational strategy, and communicated to the entire organization? Organizational Security
C.2.1 Does the organization's executive leadership communicate the mandate of information security awareness, compliance and effectiveness to the entire organization? Organizational Security
C.2.2 Does the organization's board of directors or ownership ensure information security programs are funded sufficiently to meet the organization's objectives? Organizational Security
C.2.3 Does the organization's board of directors or ownership require management to regularly demonstrate that the information security program meets its intended objectives? Organizational Security
C.3 Has a qualified individual been designated as Chief Information Security Officer (CISO), responsible for overseeing and implementing the organization's cybersecurity program and enforcing its cybersecurity policy? Organizational Security
C.3.1 Does the CISO issue a report at least annually on the organization's cybersecurity program and material cybersecurity risks to the organization's board of directors, equivalent body, or senior officer in charge of cybersecurity risk? Organizational Security
C.4 Are information security personnel (internal or outsourced) responsible for information security processes? Organizational Security
C.4.1 Are information security personnel responsible for the design of information technology systems, processes, and architecture required to meet information security requirements? Organizational Security
C.4.2 Are information security personnel responsible for the creation and review of information security policies? Organizational Security
C.4.3 Do information security personnel review the effectiveness of information security policy implementation and manage instances of non-compliance with security policies across the entire organization? Organizational Security
C.4.5 Are information security personnel responsible for the monitoring of significant changes in the exposure of information assets? Organizational Security
C.4.6 Are information security personnel responsible for the review and/or monitoring of information security incidents or events? Organizational Security
C.5 Do information security personnel maintain contacts with information security special interest groups, specialist security forums or professional associations? Organizational Security
C.5.1 Do information security personnel participate in continuing education programs (e.g., online training, webinars, seminars, etc.)? Organizational Security
C.5.2 Do information security personnel maintain professional security certifications? Organizational Security
C.6 Do all projects involving Scoped Systems and Data go through some form of information security assessment? Organizational Security
E.1 Are Human Resource policies approved by management, communicated to Constituents, and assigned an owner to maintain and review them? Human Resource Security
E.1.1 Do Human Resource policies include Constituent background screening criteria? Human Resource Security
E.1.1.1 Does Constituent background screening criteria include Criminal screening? Human Resource Security
E.1.1.2 Does Constituent background screening criteria include Credit checks? Human Resource Security
E.1.1.4 Does Constituent background screening criteria include Reference verification? Human Resource Security
E.1.1.5 Does Constituent background screening criteria include Resume or curriculum vitae verification? Human Resource Security
E.2 Is electronic access to systems containing scoped data removed within 24 hours for terminated constituents? Human Resource Security
F.1 Is there a physical security program approved by management, communicated to constituents, and has an owner been assigned to maintain and review? Physical Security
F.1.1 Does the physical security program include a clean desk policy? Physical Security
F.1.2 Are there physical security controls for all secured facilities (e.g., data centers, office buildings)? Physical Security
F.1.2.1 Do the physical security controls include an electronic controlled-access system (key card, token, fob, biometric reader, etc.)? Physical Security
F.1.2.2 Do the physical security controls include cipher locks (electronic or mechanical) to control access within or to the Facility? Physical Security
F.1.2.3 Do the physical security controls include security guards that provide onsite security services? Physical Security
F.1.2.4 Do the physical security controls include a perimeter physical barrier (such as a fence or walls)? Physical Security
F.1.2.5 Do the physical security controls include entry and exit doors alarmed (forced entry, propped open) and/or monitored by security guards? Physical Security
F.1.2.6 Do the physical security controls include a mechanism to prevent Tailgating/Piggybacking? Physical Security
F.1.2.9 Do the physical security controls include exterior doors with external hinge pins? Physical Security
F.1.2.10 Do the physical security controls include contact or break alarms on all windows? Physical Security
F.1.2.11 Do the physical security controls include digital CCTV with video stored at least 90 days? Physical Security
F.1.2.14 Are there physical access controls that include restricted access and logs kept of all access? Physical Security
F.1.2.14.1 Do physical access controls include collection of access equipment (badges, keys, changing PIN numbers, etc.) upon termination or status change? Physical Security
F.1.2.14.2 Are physical access control procedures documented? Physical Security
F.1.2.14.3 Do physical access controls include segregation of duties for issuing and approving access? Physical Security
F.1.2.14.4 Do physical access controls include access reviews at least every six months? Physical Security
F.1.2.14.5 Do physical access controls require reporting of lost or stolen access cards/keys? Physical Security
F.1.3 Are there environmental controls (e.g., Fire detection and suppression) in secured facilities to protect computers and other physical assets? Physical Security
F.1.3.1 Is there a process to ensure equipment supporting critical computer systems is correctly maintained? Physical Security
F.1.3.2 Is there a process to ensure equipment supporting critical systems is not taken offline or off-site without prior authorization? Physical Security
F.1.3.3 Is signage required to identify environmental controls within the data center? Physical Security
F.1.3.4 Do environmental controls include fluid sensors? Physical Security
F.1.3.5 Do environmental controls include HVAC and humidity controls? Physical Security
F.1.3.6 Do environmental controls include heat detectors? Physical Security
F.1.3.7 Do environmental controls include smoke detectors? Physical Security
F.1.3.8 Do environmental controls include fire suppression? Physical Security
F.2 Are visitors permitted in the facility? Physical Security
F.2.1 Are visitors required to sign in and out? Physical Security
F.2.2 Are visitors required to provide a government issued ID? Physical Security
F.2.3 Are visitors required to be escorted through secure areas? Physical Security
F.2.4 Are visitors required to wear a badge distinguishing them from employees? Physical Security
F.2.5 Are visitor logs maintained for at least 90 days? Physical Security
F.3 Is there a loading dock at the facility? Physical Security
F.4 Is there a battery/UPS room in offices and/or facility? Physical Security
F.5 Is there a generator or generator area in offices and/or facility? Physical Security
F.7 Is there a media library to store Scoped Data? Physical Security
F.8 Is there a telecom equipment room? Physical Security
F.9 Are your devices located in a locked server cabinet within the data center? Physical Security
F.9.1 Do server cabinets include restricted access and are logs kept of all access? Physical Security
F.9.2 Do server cabinets include Digital CCTV and video stored at least 90 days? Physical Security
F.10 Do the Scoped Systems and Data reside in a data center? Physical Security
F.10.1 Do other tenants use the data center? Physical Security
F.10.2 Are locking screensavers on unattended system displays or locks on consoles required within the data center? Physical Security
F.10.3 Is there a procedure for equipment removal from the data center? Physical Security
F.10.4 Are maintenance contracts maintained for critical equipment? Physical Security
F.10.5 Are tests conducted for any building systems? Physical Security
F.10.5.1 Are UPS systems tested at least annually? Physical Security
F.10.5.2 Are all security alarm systems tested at least annually? Physical Security
F.10.5.3 Are all fire alarms tested at least annually? Physical Security
F.10.5.4 Are all fire suppression systems tested at least annually? Physical Security
F.10.5.5 Are all generators tested at least monthly? Physical Security
F.10.5.6 Are all generators full-load tested at least monthly? Physical Security
I.1 Are applications used to transmit, process or store Scoped Data? Application Security
I.1.1 Is there an individual or group responsible for Application Security? Application Security
I.1.2 Is there formal software security training for developers? Application Security
I.1.2.1 Do application security experts work with developers for every application? Application Security
I.1.2.2 Are outside development resources utilized? Application Security
I.1.2.2.1 Do all outside development resources comply with the SDLC (Software Development Life Cycle)? Application Security
I.1.2.2.2 Is there a process to require supervision and monitoring of the activity of outsourced system development? Application Security
I.1.3 Do changes to applications or application code go through a risk assessment? Application Security
I.1.3.1 Is a security architecture risk analysis performed when new applications are designed? Application Security
I.1.3.2 Do security architecture risk analyses of applications include a security feature review (i.e., authentication, access controls, use of cryptography, etc.)? Application Security
I.1.3.3 Do security architecture risk analyses of applications include a security architecture design review for high risk applications? Application Security
I.1.3.4 Do security architecture risk analyses of applications include threat modeling in the business requirements/design process of the SDLC? Application Security
I.1.3.5 Are security architecture risk analyses of applications reviewed when major changes are introduced into applications? Application Security
I.1.3.6 Do security architecture risk analyses assign applications risk ratings that reflect the types of data accessed (e.g., high, medium, low)? Application Security
I.1.4 Are the risks from internal and external sources clearly understood based on risk exposure? Application Security
I.1.10 Do audit log failures generate an alert? Application Security
I.1.11 Do applications provide granular and comprehensive logging? Application Security
I.1.12 Are application sessions set to time out within 15 minutes or less? Application Security
I.1.13 Are system, vendor, or service accounts disallowed for normal operations and monitored for usage? Application Security
I.1.14 Are web applications configured to follow best practices or security guidelines (e.g., OWASP)? Application Security
I.1.15 Is data input into applications validated? Application Security
I.1.16 Are development, test, and staging environments separated from the production environment? Application Security
I.1.16.1 Are development, test, and staging environments separated from the production environment logically? Application Security
I.1.16.2 Are development, test, and staging environments separated from the production environment physically? Application Security
I.1.17 Do applications have separate source code repositories for production and non-production environments? Application Security
I.1.18 Do IT support personnel have access to application source libraries? Application Security
I.1.19 Is all access to application source libraries logged? Application Security
I.1.19.1 Are audit logs maintained and reviewed for all application source library updates? Application Security
I.1.20 Are developers permitted to access production environments, including read only access? Application Security
I.1.20.1 Are developers permitted to access systems and applications based on established profiles that define responsibilities or job functions? Application Security
I.1.20.2 Are developers required to request or obtain access outside an established role (emergency access)? Application Security
I.1.21 Are Scoped Systems and Data used in the test, development, or QA environments? Application Security
I.1.21.1 Is authorization required when production data is copied to the test environment? Application Security
I.1.21.2 Is test data destroyed following the testing phase? Application Security
I.1.21.3 Is test data masked or obfuscated during the testing phase? Application Security
I.1.21.4 Is copying to the test environment logged? Application Security
I.1.21.5 Are access control procedures the same for both the test and production environment? Application Security
I.2.1 Is there a formal Software Development Life Cycle (SDLC) process? Application Security
I.2.1.1 Does the SDLC process include integration testing, and acceptance testing? Application Security
I.2.1.2 Does the SDLC process include peer code review? Application Security
I.2.2 Is there a secure software development lifecycle policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Application Security
I.2.3 Is there a documented change management/change control process for applications with Scoped Data? Application Security
I.2.3.1 Are applications released to production on a fixed schedule? Identify the schedule (e.g., Daily, Weekly, Monthly, Ad-hoc) in the Additional Information field. Application Security
I.2.3.2 Does the application change management/change control process include change control procedures required for all changes to the production environment? Application Security
I.2.3.3 Does the application change management/change control process include testing prior to deployment? Application Security
I.2.3.4 Does the application change management/change control process include management approval prior to deployment? Application Security
I.2.3.5 Does the application change management/change control process include establishment of restart points? Application Security
I.2.3.6 Does the application change management/change control process include management approval for changes? Application Security
I.2.3.7 Does the application change management/change control process include review of code changes by information security? Application Security
I.2.3.8 Does the application change management/change control process include stakeholder communication and/or approvals? Application Security
I.2.3.9 Does the application change management/change control process include a list of individuals authorized to approve changes? Application Security
I.2.3.10 Does the application change management/change control process include an impact assessment to review all affected systems and applications? Application Security
I.2.3.11 Does the application change management/change control process include documentation for all system changes? Application Security
I.2.3.12 Does the application change management/change control process include version control for all software? Application Security
I.2.3.13 Does the application change management/change control process include logging of all Change Requests? Application Security
I.2.3.14 Does the application change management/change control process require that changes only take place during specified and agreed-upon times (green zone)? Application Security
I.2.3.15 Does the application change management/change control process require that modifications and changes to software be strictly controlled? Application Security
I.2.4 Are applications evaluated from a security perspective prior to promotion to production? Application Security
I.2.4.1 Do pre-production application security reviews include testing procedures to determine whether security features are effective? Application Security
I.2.4.1.1 Are pre-production application security reviews derived by obtaining a list of security features from the architecture group? Application Security
I.2.4.2 Do pre-production application security reviews include abuse case test scripts? Application Security
I.2.5 Is code obtained from external sources reviewed for security flaws and backdoors prior to use in production? Application Security
I.2.5.1 Is code obtained from external sources identified in application documentation as external code? Application Security
I.2.5.2 Is code obtained from external sources reviewed for new versions at least every 6 months? Application Security
I.2.5.3 Is any code obtained from external sources open source? Application Security
I.2.5.3.1 Are open source software or libraries used to transmit, process or store Scoped Data? Application Security
I.2.5.3.1.1 Are information security reviews conducted and approved for the use or installation of open source software (e.g., Linux, Apache, etc.)? Application Security
I.2.5.3.1.2 Do you cover the legal liability for the use of open source software or libraries in providing the scoped services? Application Security
I.2.6 Is a Secure Code Review performed regularly? Application Security
I.2.6.1 Is there a full secure code review for each release? If no, please explain the secure code review schedule and scope in the 'Additional Information' field. Application Security
I.2.6.2 Are secure code reviews performed against the entire code base in the development phase? If not, please explain in the 'Additional Information' field. Application Security
I.2.6.3 Do secure code reviews include validation checks for the most critical web application security flaws including Cross Site Scripting, SQL injection (e.g., OWASP Top 10 vulnerabilities)? Application Security
I.2.6.4 Do secure code reviews include regular analysis of vulnerability to recent attacks? Application Security
I.2.6.5 Do secure code reviews include edge/boundary value condition testing? Application Security
I.2.6.6 Do secure code reviews include dynamic scanning against web based applications while in the Q/A phase? Application Security
I.2.6.7 Do secure code reviews include testing against common code vulnerabilities? Application Security
I.2.6.8 Are secure code reviews performed by individuals qualified to identify and correct code security flaws? Application Security
I.2.6.9 Is source code reviewed manually for security? If yes, identify the frequency (e.g., Daily, Weekly, Monthly, Ad-Hoc) in the Additional Information field. Application Security
I.2.6.10 Is an automated secure source code review conducted? Application Security
I.2.6.10.1 Do automated secure source code tools include Static Application Security Testing (SAST)? Application Security
I.2.6.10.2 Do automated secure source code tools include Dynamic Application Security Testing (DAST)? Application Security
I.2.6.10.3 Do automated secure source code tools include Interactive Application Security Testing (IAST)? Application Security
I.2.6.10.4 Do automated secure source code tools include the ability to crawl and test Rich Internet Applications (RIA) (e.g., JavaScript, Ajax frameworks)? Application Security
I.2.6.11 Do secure code reviews include Fuzz testing (e.g., small numbers, large numbers, negative values, binary sequences, command line inputs, random values, etc.)? Application Security
I.2.7 Are identified security vulnerabilities remediated prior to promotion to production? Application Security
I.2.7.1 Does the SDLC process include Remediation of Penetration Test issues relevant to the application under review? Application Security
I.2.7.2 Does the SDLC process include communicating discovered vulnerabilities to developers? Application Security
I.2.7.3 Does the SDLC process include communicating known un-remediated vulnerabilities to the Security Monitoring and Response group for awareness and monitoring? Application Security
I.2.7.4 Does the SDLC process include tracking vulnerabilities identified in production through the same mechanisms used to track and remediate results from Penetration Tests? Application Security
I.2.7.5 Does the SDLC process include metrics on security flaws and release incidents? Application Security
I.3 Is a web site supported, hosted or maintained that has access to Scoped Systems and Data? Application Security
I.3.1 Do you have logical or physical segregation between web, application, and database components (i.e., Internet, DMZ, database)? Application Security
I.3.2 Are Web Servers used for transmitting, processing or storing Scoped Data? Application Security
I.3.2.1 Are security configuration standards documented for web server software? Application Security
I.3.2.2 Are web server software security configuration standards reviewed and/or updated at least annually to account for any changes in environment, available security features and/or leading practices? Application Security
I.3.2.3 Are reviews performed to validate compliance with documented web server software security standards? Application Security
I.3.2.4 Is HTTPS enabled for all web pages? Application Security
I.3.2.4.1 Is either TLS 1.2 or 1.3 used for encrypting all web pages? Application Security
I.3.2.4.2 Are web server certificates centrally managed and kept current? Application Security
I.3.2.5 Are all unnecessary/unused services in web server software uninstalled or disabled? Application Security
I.3.2.6 Do administrative and file sharing interfaces for web server software run on non-standard ports (e.g., not 21, 80, and 443)? Application Security
I.3.2.7 Are all remote administration and file sharing services on web server software configured to require authentication and encryption? Application Security
I.3.2.8 Is a dedicated virtual directory structure used for each website? Application Security
I.3.2.9 Are sample applications and scripts removed from web servers? Application Security
I.3.2.10 Are all web server software files maintained separately from the Operating System? Application Security
I.3.2.11 Are available high-risk web server software security patches applied and verified at least monthly? Application Security
I.3.2.12 Are all web server software patching exceptions documented and approved by information security or senior management? Application Security
I.3.2.12.1 Are web server software patches, service packs, and hot fixes tested prior to installation? Application Security
I.3.2.12.2 Are web server software vulnerabilities evaluated and prioritized? Application Security
I.3.2.12.3 Are web server software patch successes and failures logged? Application Security
I.3.2.12.4 Are third party alert services used to keep up to date with the latest web server software vulnerabilities? Application Security
I.3.2.12.5 Are web server software versions that no longer have security patches released prohibited? Application Security
I.3.2.13 Are web server software configuration options restricted to authorized users? Application Security
I.3.2.14 Is sufficient detail contained in Web Server and application logs to support incident investigation, including successful and failed login attempts and changes to sensitive configuration settings and files? Application Security
I.3.2.14.1 Are web server software events relevant to supporting incident investigation retained for a minimum of one year? Application Security
I.3.2.14.2 Are system notifications generated in the event the system fails to write a web server software event to an audit log? Application Security
I.3.2.14.3 Are events relevant to supporting incident investigation stored on alternate systems? Application Security
I.3.2.14.4 Are Web Server and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access? Application Security
I.3.3 Are compilers, editors or other development tools present in production web server environments? Application Security
I.3.4 Is Runtime Application Self Protection (RASP) enabled on web servers? Application Security
I.3.5 Is a Web Application Firewall (WAF) enabled on web servers? Application Security
I.3.6 Is an API available to clients? Application Security
I.3.6.1 Is there a formal security program established to include API security reviews? Application Security
I.3.6.1.1 Do application security reviews include a security review of API design? Application Security
I.3.6.1.2 Is manual code security testing on APIs performed by qualified personnel with expertise in both development and code security? Application Security
I.3.6.1.3 Do application security reviews include an API Permission model review? Application Security
I.3.6.2 Are APIs tested for security weaknesses? Application Security
I.3.6.2.1 Does API security testing include Data scoping? Application Security
I.3.6.2.2 Does API security testing include XSS? Application Security
I.3.6.2.3 Does API security testing include SQL injection? Application Security
I.3.6.2.4 Does API security testing include Session abuse? Application Security
I.3.6.2.5 Does API security testing include Replay attack? Application Security
I.3.6.2.6 Does API security testing include DoS? Application Security
I.3.6.2.7 Does API security testing include Data Leakage? Application Security
I.3.6.2.8 Does API security testing include OWASP top 10 or CWE Top 25 security issues? Application Security
I.3.6.3 Can a client manage access to the APIs? Application Security
I.3.6.4 Is there a self-service kill switch available to clients to disable an API in the event of a security incident (e.g., DoS)? Application Security
I.3.6.5 Is Scoped Data encrypted in transit within the API for both request and response? Application Security
I.3.6.6 Is there an option for the API request and response calls to be digitally signed? Application Security
I.4 Are mobile applications that access Scoped Systems and Data developed? Application Security
I.4.1 Are any actions performed by the mobile application to access, process, transmit or locally store scoped systems and data? Application Security
I.4.2 Is dynamic code analysis performed on mobile applications (including fuzzing)? Application Security
K.1 Is there an established business resiliency program that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the program? Business Resilience
K.1.1 Does the business resiliency program include an individual program owner? Business Resilience
K.1.2 Have appropriate actions been taken to ensure that person(s) working under the Business Resiliency program have or acquire the desired competencies? Business Resilience
K.1.3 Does the business resiliency program include a formal annual (or more frequent) executive management review of business continuity key performance indicators, accomplishments, and issues? Business Resilience
K.1.3.1 Does the Business resiliency program's annual review include adequacy of resources including people, technology, facilities, and funding? Business Resilience
K.1.3.2 Does the Business resiliency program's annual review include reporting of key program activity and value metrics? Business Resilience
K.1.3.3 Does the Business resiliency program's annual review include results of Business Continuity Program audits and reviews, including those of key suppliers and partners where appropriate? Business Resilience
K.1.3.4 Does the Business resiliency program's annual review include results of exercising and testing? Business Resilience
K.1.3.5 Does the Business resiliency program's annual review include lessons learned and actions arising from disruptive incidents? Business Resilience
K.1.4 Has formal documentation and reference information relevant to the Business Resiliency program and procedures been created? Business Resilience
K.1.4.1 Does Business Resiliency documentation include controls to ensure its availability when and where it is needed? Business Resilience
K.1.4.2 Is version and change control managed for Business Resiliency documentation? Business Resilience
K.1.5 Do the products and/or services specified in the scope of this assessment fall within the scope of the Business Resiliency program? Business Resilience
K.1.5.1 Are specific recovery objectives/requirements defined for those products and/or services specified in the scope of this assessment? Business Resilience
K.2 Has a Business Impact Analysis been conducted? Business Resilience
K.2.1 Does the Business Impact Analysis include validation and/or refresh at least annually? Business Resilience
K.2.2 Does the Business Impact Analysis include business activity or business process criticality (high, medium, low, or numerical rating) that distinguishes the relative importance of each activity or process? Business Resilience
K.2.3 Does the Business Impact Analysis include identification of applications, data, equipment, facilities, personnel, supplies and paper documents necessary for recovery? Business Resilience
K.2.4 Does the Business Impact Analysis include Maximum Acceptable Outage / Maximum Tolerable Period of Disruption for each business activity or business process? Business Resilience
K.2.5 Does the Business Impact Analysis include Recovery Time Objectives for all essential application systems, network services, and other resources? Business Resilience
K.2.6 Does the Business Impact Analysis include Recovery Point Objectives for all essential application systems? Business Resilience
K.2.7 Does the Business Impact Analysis include impact to clients/customers? Business Resilience
K.2.8 Does the Business Impact Analysis include capacity to address needs/expectations of all clients/customers? Business Resilience
K.2.9 Does the Business Impact Analysis include identification of the recovery requirements for information security and the continuity of information security management? Business Resilience
K.3 Is there a formal process focused on identifying and addressing risks of disruptive incidents to business operations? Business Resilience
K.3.1 Do Operational Risk Assessments include identifying risks associated with disruptions to systems, information, people, third parties, and facilities? Business Resilience
K.3.2 Do Operational Risk Assessments include analysis of risks identified and determination of those requiring treatments? Business Resilience
K.3.3 Do Operational Risk Assessments include taking action on approved treatments? Business Resilience
K.4 Are specific response and recovery strategies defined for the prioritized business activities? Business Resilience
K.4.1 Are specific response and recovery strategies defined for critical loss or unavailability of personnel (40% or more)? Business Resilience
K.4.2 Are specific response and recovery strategies defined for critical loss or unavailability of information and data? Business Resilience
K.4.3 Are specific response and recovery strategies defined for critical loss or unavailability of information and communication technology? Business Resilience
K.4.4 Are specific response and recovery strategies defined for critical loss or unavailability of work places/buildings? Business Resilience
K.4.5 Are specific response and recovery strategies defined for critical loss or unavailability of third party services (e.g., partners and suppliers)? Business Resilience
K.5 Are formal business continuity procedures developed and documented? Business Resilience
K.5.1 Do formal business continuity procedures include specific actions to be taken in response to a disruptive event? Business Resilience
K.5.2 Do formal business continuity procedures include the continuity of information security activities and processes (e.g., intrusion detection, vulnerability management, log collection)? Business Resilience
K.5.3 Do formal business continuity procedures include the continuity of IT operations activities and processes (e.g., network operations, data center operations, help desk)? Business Resilience
K.6 Has senior management assigned the responsibility for the overall management of critical response and recovery efforts? Business Resilience
K.6.1 Does the overall management of critical response and recovery include a virtual or physical command center where management can meet, organize, and manage emergency operations in a secure setting? Business Resilience
K.6.2 Does the overall management of critical response and recovery include conditions for activating the plan(s), and the associated roles and responsibilities? Business Resilience
K.6.3 Does the overall management of critical response and recovery include roles and responsibilities for those who invoke and execute the plan? Business Resilience
K.6.4 Does the overall management of critical response and recovery include alternate and diverse means of communications in the event standard communication channels are unavailable? Business Resilience
K.6.5 Does the overall management of critical response and recovery include notification and escalation to customers/clients? Business Resilience
K.7 Is there a periodic (at least annual) review of your Business Resiliency procedures? Business Resilience
K.7.1 Does periodic review of Business Resiliency procedures include updates to the procedures as necessary after the review? Business Resilience
K.7.2 Does periodic review of Business Resiliency procedures include changes in business activities, dependencies and related recovery objectives? Business Resilience
K.7.3 Does periodic review of Business Resiliency procedures include changes in organizational structure and personnel changes? Business Resilience
K.7.4 Does periodic review of Business Resiliency procedures include emerging threats and identified new risks? Business Resilience
K.7.5 Does periodic review of Business Resiliency procedures include warning and communication procedures and capabilities? Business Resilience
K.7.6 Does periodic review of Business Resiliency procedures include updates from the inventory of IT and telecom assets? Business Resilience
K.8 Are there any dependencies on critical third party service providers? Business Resilience
K.8.1 Has contact information for key service provider personnel been documented? Business Resilience
K.8.1.1 Is the contact information for key service provider personnel reviewed and updated at least annually? Business Resilience
K.8.2 Have the notification and escalation protocols for key service provider personnel been established? Business Resilience
K.8.3 Is communication in the event of a disruption that impacts the delivery of key service provider products and services required? Business Resilience
K.8.4 Have processes been implemented to notify key service provider personnel when their business resiliency procedures are modified? Business Resilience
K.9 Is there a formal, documented Information Technology Disaster Recovery exercise and testing program in place? Business Resilience
K.9.1 Does Information Technology Disaster Recovery testing include specific exercises and tests that address the unavailability of specific IT resources? Business Resilience
K.9.1.1 Does Information Technology Disaster Recovery testing include production data center(s)? Business Resilience
K.9.1.2 Does Information Technology Disaster Recovery testing include Data stores? Business Resilience
K.9.1.3 Does Information Technology Disaster Recovery testing include recovery supporting critical loss or unavailability of personnel (40% or more)? Business Resilience
K.9.1.4 Does Information Technology Disaster Recovery testing include recovery of critical network infrastructure? Business Resilience
K.9.2 Does Information Technology Disaster Recovery testing include specific business activity exercises and tests that address the unavailability of specific resources i.e., realistic scenarios? Business Resilience
K.9.2.1 Do Information Technology Disaster Recovery testing scenarios include loss of critical information and communication technology? Business Resilience
K.9.2.2 Do Information Technology Disaster Recovery testing scenarios include loss of service due to distributed denial of service (DDoS) / cyber attacks? Business Resilience
K.9.2.3 Do Information Technology Disaster Recovery testing scenarios include loss of critical work places/buildings? Business Resilience
K.9.2.4 Do Information Technology Disaster Recovery testing scenarios include loss of critical personnel? Business Resilience
K.9.2.5 Do Information Technology Disaster Recovery testing scenarios include loss of critical third party services (e.g., partners and suppliers)? Business Resilience
K.9.2.6 Do Information Technology Disaster Recovery testing scenarios include reconstructing material financial transactions sufficient to support normal operations and obligations? Business Resilience
K.9.3 Are measurable recovery objectives defined for each exercise and test? Business Resilience
K.9.3.1 Do measurable recovery objectives include Recovery Time Objectives for all essential application systems, network services and other resources? Business Resilience
K.9.3.2 Do measurable recovery objectives include Recovery Point Objectives for all essential application systems? Business Resilience
K.9.4 Are the recovery objective attainment results and the issues identified evaluated with improvement actions identified and acted upon? Business Resilience
K.9.5 Is there an annual schedule of planned Disaster Recovery and other Business Resiliency exercises and tests? Business Resilience
K.9.5.1 Do Business Resiliency exercises include evacuation drills? Business Resilience
K.9.5.2 Do Disaster Recovery tests include notification procedure and mechanism tests? Business Resilience
K.9.5.3 Do Disaster Recovery tests include application recovery tests? Business Resilience
K.9.5.4 Do Disaster Recovery tests include remote access tests? Business Resilience
K.9.5.5 Do Disaster Recovery tests include full scale exercises / end-to-end? Business Resilience
K.9.5.6 Do Disaster Recovery tests include production transaction processing? Business Resilience
K.9.5.7 Do Disaster Recovery tests include typical business volumes / full capacity? Business Resilience
K.9.5.8 Do Business Continuity tests include business relocation testing? Business Resilience
K.9.5.9 Do Disaster Recovery tests include data center failover testing? Business Resilience
K.9.5.10 Are critical service providers included in Disaster Recovery testing? Business Resilience
K.9.5.11 Do Disaster Recovery tests include recovery and continuity of information security controls that may be impacted by a disaster event? Business Resilience
K.9.5.12 Do Business Continuity tests include recovery and continuity of information security operational processes and controls that may be impacted by a non-Disaster Recovery event (e.g., loss of physical work place, reduction in available IS personnel)? Business Resilience
K.9.5.13 Do Business Continuity exercises include recovery and continuity of IT operational processes and controls that may be impacted by a non-Disaster Recovery event (e.g., loss of physical work place, reduction in available IT operations personnel)? Business Resilience
K.9.6 Are the results of exercises conducted internally shared with customers? Business Resilience
K.9.7 Are joint exercises conducted in partnership with customers? Business Resilience
K.9.8 Is there an established Business Resiliency exercise scenario addressing cyber resilience? Business Resilience
K.9.8.1 Does cyber resilience testing include Malware scenarios? Business Resilience
K.9.8.2 Does cyber resilience testing include Insider Threat scenarios? Business Resilience
K.9.8.3 Does cyber resilience testing include data or system destruction and corruption scenarios? Business Resilience
K.9.8.4 Does cyber resilience testing include communications infrastructure disruption scenarios? Business Resilience
K.9.8.5 Does cyber resilience testing include simultaneous Attack scenarios? Business Resilience
K.10 Is there a Pandemic / Infectious Disease Outbreak / mass absenteeism Plan? Business Resilience
K.10.1 Are there trigger points for activating proactive and reactive elements of a pandemic or mass absenteeism plan? Business Resilience
K.10.2 Is there a defined exercise regime/schedule focused on key elements of the pandemic or mass absenteeism plan? Business Resilience
K.11 Are any critical subcontractors necessary to provide the scoped services to clients? Business Resilience
K.11.1 Is a critical vendor Dependency Chart or list made available to clients? Business Resilience
K.11.2 Are each of the vendors identified in the vendor dependency chart or list subjected to at least an annual disaster recovery test for service provided? Business Resilience
K.11.2.1 Does the business continuity plan include tabletop exercises? Business Resilience
K.11.2.2 Does the business continuity plan include simulated testing? Business Resilience
K.11.2.3 Does the business continuity plan include functional testing? Business Resilience
K.11.2.4 Does the business continuity plan include full scale failover testing? Business Resilience
K.11.3 Does more than one critical vendor support the live platform at any given time? Business Resilience
K.11.4 Are all suppliers of critical hardware, network services and facility services involved in annual continuity and recovery tests? Business Resilience
K.11.4.1 Do Business Resiliency test scenarios contain fail-over across critical vendors? Business Resilience
K.11.4.2 Are there requirements to review and update the BCP for each significant business change to the critical supporting vendors? Business Resilience
K.11.5 Do contracts with Critical Service Providers include a penalty or remediation clause for breach of availability and continuity SLAs? Business Resilience
K.11.6 Is priority access to resources from suppliers contractually ensured in the event of an adverse situation, affecting multiple customers of suppliers (e.g., fuel oil, recovery center space)? Business Resilience
K.12 Do formal business continuity procedures include the ability to reconstruct material financial transactions sufficient to support normal operations and obligations? Business Resilience
K.13 Could more than one data center contain Scoped Systems and Data at any one time? Business Resilience
K.13.1 Do the data centers backup one another? Business Resilience
K.13.1.1 Is the backup data centers' availability mode cold standby? Business Resilience
K.13.1.2 Is the backup data centers' availability mode warm standby? Business Resilience
K.13.1.3 Is the backup data centers' availability mode hot standby? Business Resilience
K.13.2 Are the failover sites for the underlying infrastructure running on different vendor physical systems? Business Resilience
K.13.3 Are site failover tests performed at least annually? Business Resilience
K.13.4 Are sites failed over regularly as part of normal change activities? Business Resilience
K.14 Are networks fully redundant, with at least two network paths to any node, and for every network device, at least one other redundant network device of the same type? Business Resilience
K.15 Is there sufficient redundancy capacity to ensure services are not impacted in multi-tenancy environments during peak usage and above? Business Resilience
K.16 Is there sufficient Volume or Disk partitioning to prevent inadvertent resource bottlenecks from guest operating systems? Business Resilience
K.17 Are backups of Scoped Systems and Data performed? Business Resilience
K.17.1 Is there a policy or process for the backup of production data? Business Resilience
K.17.1.1 Are backup media and restoration procedures tested at least annually? Business Resilience
K.17.1.2 Is backup media tracked and reviewed for compliance to data retention/destruction requirements at least annually? Business Resilience
K.17.2 Are backup and replication errors reviewed and resolved as required? Business Resilience
K.17.2.1 Are backup and replication errors reviewed and resolved at least weekly? Business Resilience
K.17.2.2 Are backup and replication errors reviewed and resolved on a daily basis? Business Resilience
K.17.3 Is backup media stored offsite? Business Resilience
K.17.3.1 Is secure transport used to move backup media offsite? Business Resilience
K.17.3.2 Is shipment tracking used when moving backup media offsite? Business Resilience
K.17.3.3 Is receipt verification used when moving backup media offsite? Business Resilience
K.17.3.4 Is there a verifiable Chain of Custody when moving backup media offsite? Business Resilience
K.17.4 Are backups containing Scoped Data stored in an environment where the security controls protecting them are equivalent to production environment security controls? Business Resilience
L.1 Are there policies and procedures to ensure compliance with applicable legislative, regulatory and contractual requirements? Compliance
L.1.1 Is there a documented process to identify and assess regulatory changes that could significantly affect the delivery of products and services? Compliance
L.1.1.1 Does the regulatory change management process include receiving, monitoring, tracking/logging, and where necessary, implementing changes required to comply with applicable new regulations and regulatory alerts? Compliance
L.1.2 Are business licenses, permits, or registrations maintained in all jurisdictions where required? Compliance
L.2 For employees with access to Scoped Data and/or Scoped Systems, is training on legislative and regulatory requirements provided and updated on a regular basis? Compliance
L.3 Is there an internal audit, risk management, or compliance department, or similar management oversight unit with responsibility for assessing, identifying and tracking resolution of outstanding regulatory issues? Compliance
L.3.1 Does the audit function have independence from the lines of business? Compliance
L.3.2 Is there non-audit staff dedicated to compliance and risk responsibilities? Compliance
L.3.3 Are audits performed to ensure compliance with applicable statutory, regulatory, contractual or industry requirements? Compliance
L.4 Is there a set of policies and procedures that address required records management and compliance reporting? Compliance
L.4.1 Are compliance issues logged, tracked, and reported to management? Compliance
L.4.2 Are internal management reporting and/or external reporting to government agencies maintained in accordance with applicable law? Compliance
L.4.3 Are regulatory alerts and updates on changes in applicable law or regulations reported routinely to management and if appropriate, to the Board of Directors? Compliance
L.7 Are there policies and procedures to address bribery, corruption, the prohibition of providing monetary offers or preventing improper actions that create advantage in practices with individuals and corporate representatives? Compliance
L.7.1 For public companies, are there policies and procedures to address accounting provisions as outlined under FCPA? Compliance
L.7.2 Do employees receive training that covers Anti-Bribery and Anti-Corruption topics? Compliance
L.8 Is there a compliance program or set of policies and procedures that address Anti-Trust and Anti-Competitive Business Practices? Compliance
L.8.1 Is training on Anti-Trust and Anti-Competitive Business Practices provided for all relevant Constituents? Compliance
L.8.1.1 Is training on Anti-Trust and Anti-Competitive Business Practices conducted on an annual basis? Compliance
L.10 Is there a documented policy for Ethical Sourcing? Compliance
L.10.1 Is there a defined supplier code of conduct required of all suppliers? Compliance
L.10.2 Are there defined standards in the sourcing process to address sustainability? Compliance
L.11 Is there a documented internal compliance and ethics program to ensure professional ethics and business practices are implemented and maintained? Compliance
L.11.1 Has the organization established its standards of conduct concerning integrity and ethical values that are understood by all levels and by outsourced service providers? Compliance
L.11.2 Is there a whistleblowing policy and/or separate communication channel procedure to report compliance issues? Compliance
L.11.3 Do employees undergo annual training regarding company expectations related to non-disclosure of insider information, code of conduct, conflicts of interest, and compliance and ethics responsibilities? Compliance
L.13 Is there a defined policy or guidelines for social media conduct? Compliance
L.14 Will this engagement include any call center related services? Compliance
L.14.6 Is the call support team physically segregated from teams servicing other clients? Compliance
L.14.7 Do any call center personnel who would support this account work offshore (outside the client's country)? Compliance
L.14.8 Do CSR (Customer Service Representatives) have the ability to work remotely? Compliance
L.14.11 Is a documented methodology for caller authentication used (e.g. secret questions, etc.)? Compliance
L.16 Are marketing or selling activities conducted directly to Client's customers? Compliance
L.16.1 Is there a documented consumer protection compliance program? Compliance
L.16.2 Is training conducted for Constituents who have direct customer contact regarding consumer protection compliance responsibilities? Compliance
L.16.3 Are processes in place to periodically review call center scripts, call monitoring, and/or email marketing to identify compliance issues? Compliance
L.16.4 Is there an incentive or compensation program for Constituents who directly sell/market to Client customers? If yes, please describe in the 'Additional Information' field. Compliance
L.16.5 Are there documented policies and procedures to ensure compliance with applicable laws and regulations including Unfair, Deceptive, or Abusive Acts or Practices? Compliance
L.16.6 Are calls for telemarketing purposes recorded and retained? If yes, please provide the retention period in the 'Additional Information' field. Compliance
L.17 Are collections activities conducted directly to Client's customers? Compliance
L.17.1 Are calls for collections purposes recorded and retained? If yes, please provide the retention period in the 'Additional Information' field. Compliance
L.18 Is a web site(s) maintained or hosted for the purpose of advertising, offering, managing, or servicing accounts, products or services to clients' customers? Compliance
L.18.1 Are documented terms and conditions, software licensing agreements maintained and available online for enabling compliance with applicable legal, regulatory, and/or contractual obligations related to product or service specifications? Compliance
L.18.2 Are terms of sale, dispute and/or return of goods procedures available online? Compliance
L.19 Are there direct interactions with your client's customers? Compliance
L.19.1 Is there a documented process for receiving and responding to inquiries, complaints and requests directly from individuals or the client's customers? Compliance
L.19.2 Is there a documented process to provide periodic summary reports to management regarding types and resolution of complaints? Compliance
L.19.3 Is there a documented process to provide periodic summary reports to your applicable Clients regarding types and resolution of complaints? Compliance
L.19.4 Is there a documented process to receive and respond to complaints, inquiries and requests from business or trade associations (e.g. BBB, GMOs, chambers of commerce, PCI Council) and from government agencies, including state attorneys general? Compliance
L.19.5 Is there a documented escalation and resolution process to address specific complaints to management and the client? Compliance
L.20 Are documented policies and procedures maintained to enforce applicable legal, regulatory or contractual cybersecurity obligations? Compliance
L.20.1 Are all systems regularly reviewed for compliance with all cybersecurity legal, contractual, and policy requirements? Compliance
L.20.2 Is cryptography enabled in accordance with all legal and contractual requirements? Compliance
L.23 Are client audits and/or risk assessments permitted? Compliance
L.23.1 Are onsite audits or risk assessments by clients permitted? Compliance
L.23.4 Is evidence of internal controls available during a client assessment? Compliance
L.23.4.1 Are system and Network topology and architecture diagrams available during a client risk assessment or audit? Compliance
L.23.4.2 Are data flow/System Interface diagrams available during a client risk assessment or audit? Compliance
L.23.4.3 Is a list of ports that are open externally available during a client risk assessment or audit? Compliance
L.23.4.4 Are system configuration standards available during a client risk assessment or audit? Compliance
L.23.4.5 Are standard operating procedures available during a client risk assessment or audit? Compliance
L.23.5 Are controls validated by independent, third party auditors or information security professionals? Compliance
L.23.5.1 Has a proactive Shared Assessments SCA (Standardized Control Assessment) been performed within the last 12 months? Compliance
L.23.5.2 Has a SOC 1 audit been performed within the last 12 months? Compliance
L.23.5.3 Has a SOC 2 audit been performed within the last 12 months? Compliance
L.23.5.5 Has an ISO 27001 control assessment been performed within the last 12 months? Compliance
L.23.5.6 Has an ISO 27017 control assessment been performed within the last 12 months? Compliance
L.23.5.7 Has an ISO 27018 control assessment been performed within the last 12 months? Compliance
L.23.5.8 Has a NIST SP 800-53 control assessment been performed within the last 12 months? Compliance
L.23.5.9 Has a PCI DSS control assessment been performed within the last 12 months? Compliance
L.23.5.10 Has a HITRUST CSF control assessment been performed within the last 12 months? Compliance
L.23.5.11 Has a Multi-Tier Cloud Security Standard for Singapore (MTCS, SS 584) assessment been performed within the last 12 months? Compliance
L.23.5.12 Have any other audits, risk or control assessments been performed within the last 12 months by an independent firm with transparent standardized audit criteria? If yes, please list/describe in the 'Additional Information' field. Compliance
L.25 Is there a compliance program or set of policies and procedures that address internal and external Fraud Detection and Fraud Prevention? Compliance
L.25.3 Are there documented and defined monitoring and oversight functions for suspected fraud instances or fraud investigations? Compliance
L.25.4 Are customer account activities monitored for unusual or suspicious activity? Compliance
L.26 Is there a set of policies and procedures that address Anti-Money Laundering obligations? Compliance
L.26.1 Do employees receive training on Anti-Money Laundering if applicable to the services provided? Compliance
L.31 Is there a set of policies and procedures that address International Trade and Export Compliance? Compliance
L.31.1 Are there policies and procedures to maintain compliance with international requirements for import and/or export of goods or services? Compliance
L.31.2 Are there policies and procedures to maintain compliance with implemented trade partner restrictions based on international requirements? Compliance
L.31.3 Are there policies and procedures to ensure any international sourcing using third party customs brokers maintain International Trade and Export compliance? Compliance
L.32 Are accounts opened, financial transactions initiated or other account maintenance activity (e.g., applying payments, address changes, receiving payments, transferring funds, etc.) through either electronic, telephonic, written or in-person requests made on behalf of your clients' customers? Compliance
L.32.1 Are there policies and procedures to address payments compliance in the delivery of the product or services if required by regulation? Compliance
L.32.3 Are electronic commerce web sites or applications used to transmit, process or store Scoped Systems and Data? Compliance
L.32.3.2 Are all transaction details (i.e., payment card information and information about the parties conducting transactions) prohibited from being stored in the Internet-facing DMZ? Compliance
L.32.4 Do the services require receiving or processing credit or debit card data? If yes, indicate the PCI Level in the 'Additional Information' field (Level 1, 2, 3 or 4). Compliance
L.32.4.1 Does your credit and debit card process comply with PCI Standards? Compliance
L.33 Is there a records retention policy covering paper & electronic records, including email in support of applicable regulations, standards and contractual requirements? Compliance
L.33.2 Are there procedures for managing conflicting regulatory record retention and deletion requirements as part of eDiscovery obligations (e.g., managing legal holds or preservation requests pending vs. deletion schedules)? Compliance
L.34 Are policies and procedures in place to restrict activities or transactions for sanctioned countries (e.g. country blocking)? Compliance
L.34.7 Is a sanctions risk assessment performed on all relevant entities within the organization on a periodic basis, with results shared with management? Compliance
L.34.10 Are compliance and sanctions checks (e.g., against the Office of Foreign Assets Control (OFAC) lists) performed against customers, suppliers and third parties? Compliance
L.34.10.1 Are there policies and procedures to address ongoing due diligence of business partners including guidelines for periodic screening? Compliance
L.34.11 Is there a sanctions compliance program or set of policies and procedures that address obligations for Office of Foreign Assets Control (OFAC) requirements? Compliance
P.1 Is there collection of, access to, processing of, or retention of any client scoped Data that includes any classification of non-public personal information or personal data of individuals? Privacy
P.1.1 Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified as personally identifiable financial information under the Gramm-Leach-Bliley Act? Privacy
P.1.1.1 Does the client scoped data include the disclosure of account numbers or identifiers to the consumer's account? Privacy
P.1.1.2 Does the contract limit the usage of the account number information? Privacy
P.1.1.3 Is client scoped data collected, accessed, processed, or retained that can be classified as consumer report information or derived from a consumer report under the Fair and Accurate Credit Transactions Act (FACTA)? Privacy
P.1.1.3.1 Are policies and procedures for secure disposal of consumer information maintained to prevent the unauthorized access to or use of information in a consumer report or information derived from a consumer report? Privacy
P.1.1.4 Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified as protected health information (PHI) or other higher healthcare classifications of privacy data under the U.S. Health Insurance Portability and Accountability Act (HIPAA)? Privacy
P.1.1.4.1 Are there documented policies and procedures to detect and report unauthorized acquisition, use, or disclosure of PHI client scoped data? Privacy
P.1.1.4.2 Are there documented procedures to enable the ability to reasonably amend PHI maintained by the service provider upon request? Privacy
P.1.1.4.3 Are training records maintained for employees (including management) with access to or potential access to client PHI to meet the privacy and security obligations required by HIPAA? If yes, please describe in 'Additional Information' field. Privacy
P.1.1.4.4 Is there a business associate contract in place to address obligations for the privacy and security requirements for the services provided to the covered entity? Privacy
P.1.1.5 Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under U.S. State Privacy Regulations? (e.g., CA, MA, NY, NV, WA, CO) Privacy
P.1.1.5.1 If client scoped data includes data of California residents, does the contract prohibit the vendor from retaining, using or disclosing the personal information for any other commercial purpose other than the specific purpose of performing the services? Privacy
P.1.1.6 Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified as European Union covered Personal Data, or Sensitive Personal Data (e.g., genetic data, biometric data, health data)? Privacy
P.1.1.6.1 Are there documented policies and procedures for cross border data flows or transfers of client Scoped Data to the US from other countries; or from EU to other countries? Privacy
P.1.1.6.2 Has your organization filed for external certification to address European Union data protection obligations for onward transfer to locations outside the EU? If yes, provide the link or information regarding registration and certification agency. If not, please identify your authorization mechanism in place to meet EU data transfer obligations in the 'Additional Information' field. Privacy
P.1.1.6.3 If necessary, is your organization registered with the appropriate Data Protection Authorities? If yes, please list which authorities and member countries are in scope for the services in the 'Additional Information' Field. Privacy
P.1.1.6.4 If required, is there a designated Data Protection Officer? If yes, please identify in the 'Additional Information' field. Privacy
P.1.1.6.5 Is there a process maintained to remove Personal Data based on the Right to be Forgotten if applicable to the services provided? Privacy
P.1.1.7 Is Client scoped data collected, transmitted, processed or retained that can be classified as Personal Information as defined by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) or Canadian Provincial Privacy Regulations? Privacy
P.1.1.7.1 Are there contractual obligations and procedures defined to address breach notification to the client including maintenance of record-keeping obligations of all breaches? Privacy
P.1.1.8 Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under any other international privacy jurisdictions? If yes, list in the 'Additional Information' field. Privacy
P.1.1.8.1 Has the organization filed for Cross Border Privacy Rules (CBPR) Certification under the Asia-Pacific Economic Cooperation (APEC) Framework? If yes, provide a link to the external certification. Privacy
P.1.1.9 Is client scoped data collected, accessed, transmitted, processed or retained that can be classified as Cardholder Data (CHD) within a Cardholder Data Environment (CDE) for credit card processing? Privacy
P.1.1.9.1 Is a Report on Compliance (ROC), or Self-Assessment Questionnaire (SAQ) and Attestation of Compliance for Service Providers (AOC), available? If yes, please provide it and note the type of third-party assurance documentation in the additional comments. Privacy
P.1.1.10 Is client-scoped data of minors collected, transmitted, processed or stored that can be classified under the Children's Online Privacy Protection Act? Privacy
P.1.1.10.1 Does the organization maintain an external safe harbor certification for children's privacy? If yes, please indicate the certifying organization and a link to the current status. Privacy
P.1.2 Is there a designated organizational structure or function responsible for data privacy or data protection as it relates to client-scoped privacy data? Privacy
P.1.3 Is documentation of data flows and/or data inventories maintained for client scoped privacy data based on data or asset classification? Privacy
P.1.3.2 Does the data inventory and data flow documentation include locations regarding data collected, accessed, transmitted, processed or retained by affiliates, subcontractors, or vendors? Privacy
P.1.3.3 Does the data inventory and/or data flow documentation include identification of any access, transfer, processing, or retention that crosses national borders? Privacy
P.1.4 Is there a documented Privacy Policy or procedures for the protection of personal information collected, accessed, transmitted, processed, or retained on behalf of the client? Privacy
P.1.4.2 Are there privacy policies and procedures with identified privacy controls that are reviewed and revised at least annually? Privacy
P.1.4.3 Is there a management procedure maintained to monitor changes in applicable privacy statutory, regulatory or contractual regulations or contractual obligations? Privacy
P.1.4.4 Is there a documented privacy policy and are procedures maintained for the protection of information collected, transmitted, processed, or maintained on behalf of the client? Privacy
P.1.5 Are regular privacy impact risk assessments conducted? If yes, please provide frequency and scope in 'Additional Information' field. Privacy
P.1.5.1 Are privacy risks identified and associated mitigation plans documented in a formal data protection or privacy program plan that is reviewed by management? Privacy
P.1.5.3 Are procedures to assess privacy impact maintained that embed privacy requirements into new systems, applications or devices throughout the system lifecycle (e.g., Privacy by Design)? Privacy
P.1.6 Is a Training and Awareness Program maintained that addresses data privacy and data protection obligations based on role? Privacy
P.1.6.1 Is privacy awareness training conducted for new employees at the time of onboarding? Privacy
P.1.6.2 Is privacy awareness training for employees conducted on an annual basis including acceptance of responsibilities for privacy requirements? Privacy
P.1.6.3 Are privacy awareness training obligations extended to the organization's fourth parties (e.g., subcontractors or vendors)? Privacy
P.1.7 Are documented policies and procedures maintained to detect and report unauthorized acquisition, use, or disclosure of client scoped Data? If yes, please describe in 'Additional Information' field. Privacy
P.1.7.1 Is a process maintained to identify and record any detected or reported unauthorized disclosures of personal information? Privacy
P.1.7.2 Is there a process in place to identify and report privacy incidents including notification to external authorities as required by applicable privacy or cyber security law? Privacy
P.2 Does the organization have or maintain internet-facing website(s), mobile applications, or other digital services or applications that collect, use, or retain client-scoped private data and are used directly by individuals? Privacy
P.2.1 Do clear and conspicuous privacy notices identify the purposes for which personal information is collected, used, processed, retained, maintained, and disclosed? Privacy
P.2.2 Do privacy notices include the categories of information collected, use of outside data sources, including any categories of affiliates or non-affiliated third parties with whom the personal data is shared? Privacy
P.2.3 Is there an ongoing process to regularly review and update privacy policies and notices on a periodic basis? Privacy
P.2.4 Is notice provided at or before point of collection regarding the selling of personal data or sharing of data with third parties for marketing purposes? If yes, please describe the notice in the 'Additional Information' field. Privacy
P.2.6 Do Privacy notices identify the Web technology used (e.g. pixels, cookies, web beacons) including description(s) of how technologies are used, and include opt-out mechanisms? Privacy
P.3 Is personal data collected directly from an individual on behalf of the client? Privacy
P.3.1 Are there documented privacy policies and procedures that address choice and consent based on the statutory, regulatory, or contractual obligations to provide privacy protection for client-scoped privacy data? Privacy
P.3.2 Are the choices offered regarding the collection, use, processing, retention, disclosure and disposal of client-scoped personal data communicated? Privacy
P.4 For client-scoped Data, is personal data provided to the organization directly by the client? Privacy
P.4.1 Are there documented policies and operating procedures regarding limiting the personal data collected and its use to the minimum necessary? Privacy
P.4.3 Is there a process in place to review and assess any new uses of personal data, confirm authorization or re-gain consent? Privacy
P.5 Are there controls in place to ensure that the collection and usage of client scoped data or personal information used or processed by the organization is limited and in compliance with applicable law? Privacy
P.5.1 Is there a documented records retention policy and process with defined schedules that ensure that Personal Information is retained for no longer than necessary? Privacy
P.5.2 Is there a policy and process to limit any secondary use of client-scoped data unless authorized? Privacy
P.5.3 Are there control mechanisms in place to de-identify, mask, anonymize, or pseudonymize personal data to prevent loss, theft, misuse or unauthorized access? Privacy
P.5.4 Is there a policy and/or process to limit or prevent the sharing of client-scoped Data with affiliates unless authorized? Privacy
P.6 Are Individuals informed about their rights to access, review, update, and correct their personal information which is maintained by the organization? Privacy
P.6.1 Is there a documented process to reasonably authenticate or verify an individual's request prior to fulfilling their request for access to their personal information? Privacy
P.6.1.1 Is there a process to inform individuals in writing of the reason a request for access to their personal information was denied and the dispute mechanisms if any to challenge as specifically permitted or required by law or regulation? Privacy
P.6.1.2 Does the mechanism to inform individuals about their rights of access to their personal information include specified timeframes, formats, costs of response, or exceptions/limitations? Privacy
P.6.2 If required, are there processes established to require the service provider to enable the fulfillment of data subject access rights and requests? If yes, please describe in 'Additional Information' field. If no, please explain reason. Privacy
P.6.2.1 Does the process to respond to an individual's access request include the categories and specific pieces of personal information if collected by the organization? Privacy
P.6.2.2 Does the process to respond to an individual's access request include the personal information that has been shared with fourth parties (vendors, subcontractors, service providers)? Privacy
P.6.2.3 Does the process to respond to an individual's access request include providing the sources of information collected? Privacy
P.6.2.4 Does the process to respond to an individual's access request include providing the business or commercial purpose for collecting or selling personal information? Privacy
P.7 Are policies and procedures in place to address third party privacy obligations including limitations on disclosure and use of client scoped data? Privacy
P.7.1 Do agreements with third parties who have access to or potential access to client-scoped data address confidentiality, audit, security, and privacy, including but not limited to incident response, ongoing monitoring, return of data, and secure disposal of private data? Privacy
P.7.2 Do agreements with third parties who have access to or potential access to client-scoped data address limitations on personal data use and sharing, retention of personal data and restrictions on selling of personal data? Privacy
P.7.4 If required, are there contractual controls established to require the service provider to enable the fulfillment of data subject access rights and requests? If yes, please describe in 'Additional Information' field. If no, please explain reason. Privacy
P.7.5 Are policies and procedures documented that demonstrate the understanding by the organization of its privacy obligations and implementation of limitations on disclosure, use, sharing, and retention of client scoped data? Privacy
P.7.6 Do fourth parties (e.g., subcontractors, sub-processors, sub-service organizations) have access to or process client scoped data? Privacy
P.7.6.1 Has client consent been obtained for any usage of fourth-parties, subcontractors, sub-processors or sub-service organizations? Privacy
P.7.6.2 Is a contract maintained with such fourth parties to require each fourth-party, subcontractor, sub-processor, or sub-service organization to adhere to the same legal and contractual requirements that are required by the service organization? Privacy
P.7.7 Are there documented policies, procedures or mechanisms to provide notice and, if required, obtain consent for any new or changed usage of fourth parties, subcontractors, sub-processors, or sub-service organizations? Privacy
P.7.8 Is there a documented process to obtain and periodically assess compliance with confidentiality and privacy commitments and requirements between client and service provider? Privacy
P.8 Is there a documented data protection program with administrative, technical, and physical and environmental safeguards for the protection of client-scoped Data? Privacy
P.8.1 Are tests conducted of the effectiveness of the key administrative, technical, physical and environmental safeguards for protecting personal information at least annually? Privacy
P.8.2 Are mechanisms established so that access to personal information is limited to authorized personnel based upon their assigned roles and responsibilities? Privacy
P.8.3 Is there a mechanism that informs individuals of the administrative, technical, and physical safeguards taken to protect their personal data? Privacy
P.8.4 Is there a vendor risk management program (including ongoing monitoring) maintained to address the security of client-scoped data that may be accessed, processed, communicated to, or managed by external parties? Privacy
P.8.5 Is there a control to protect personal information stored on portable media or devices from unauthorized access? Privacy
P.8.6 Is there a process or mechanism to minimize the use of personal data in testing, training and research? Privacy
P.9 Is there a documented policy or process to maintain accurate, complete and relevant records of client scoped data? Privacy
P.9.1 Are procedures documented that outline the relevancy of the personal data collected, used, or processed to the defined purpose in the contract or privacy notice? Privacy
P.10 Is there a data privacy or data protection function that maintains enforcement and monitoring procedures to address compliance for its privacy obligations for client-scoped privacy data? Privacy
P.10.1 Are there enforcement mechanisms in place to address privacy inquiries, complaints, disputes and recourse for violations of privacy compliance? Privacy
P.10.2 Are there policies and processes in place to address privacy inquiries, complaints and disputes? Privacy
P.10.3 Is an independent dispute mechanism maintained for resolution of privacy disputes? If so, identify the provider in 'Additional Information' field. Privacy
P.10.5 Is compliance with privacy policies, commitments, SLAs, contractual obligations, and applicable laws/regulations reviewed and documented, with results reported to management? Privacy
P.10.6 Are there processes in place to address instances of non-compliance with privacy obligations for client scoped data, including corrective measures and disciplinary measures? Privacy
P.10.7 Are there any open or unresolved privacy findings or citations from regulatory authorities applicable to the services? Privacy