@rdkls
Created March 29, 2023 04:56
security assessment initial questions
Will the System be deployed on Software as a Service (SaaS), Infrastructure as a Service (IaaS) or Platform as a Service (PaaS)?
Will the Cloud Deployment Model be Private Cloud, Public Cloud, Community Cloud, or Hybrid Cloud? Please provide a brief description.
What third-party certifications or accreditations has the cloud provider obtained? (e.g. ISO 27001, PCI DSS, SSAE 16, IRAP)
Are all data centres in Australia? If not, can the system be configured to only use Data Centres located in Australia?
Does the vendor have an overarching Information Security Policy/Information Security Framework? Please provide a list of security documents in place currently.
Is regular security training conducted for all staff? How frequently is this conducted?
How are the tenant boundaries enforced within the environment?
How will Customer Information at rest and in transit be effectively segregated from other client information? Please provide details.
Are criminal history checks conducted on all employees and contractors?
What is the nature and details of the data to be stored in this cloud service?
Provide details of the data protection controls for data in transit (to end users, and between service components over shared networks) and for data at rest within the service.
What is the process and requirements for granting access to tenants? And for administrators?
What remote access security controls are in place?
Where will Customer information be stored, backed up, processed and hosted?
What are the data backup policies for the cloud service offering?
What are the data retention policies for the service provider upon contract termination?
What processes are used to sanitise storage media before it is made available to another customer?
Have any security assessments been performed against the proposed cloud capability (including risk assessments, vulnerability assessments and penetration tests)? Please provide the reports or summaries of findings.
What role-based access controls (RBAC) are in place within the Cloud Service Provider environment?
Are any Cloud Service Provider staff or systems located outside Australia given privileged access to any components of the Cloud Service Provider environment?
Are encryption keys shared between tenants, or does each tenant have its own keys?
How frequently does vulnerability testing occur and how are vulnerabilities managed?
How frequently does penetration testing occur? How are any findings managed?
What controls are in place to detect and support response to security events?
What is the process for communicating possible intrusions and breaches to subscribers?
What security event logs will be available to Customer?
For security event logs not available to Customer, how are these monitored by the Cloud Provider?
Describe how investigations into security breaches are conducted, including how recommended remediation strategies are implemented.
What data breaches has the service experienced? When did these occur, and how has the risk of a recurrence been mitigated?
Does a Business Continuity Plan (BCP) and/or Disaster Recovery Plan (DRP) exist? How frequently are they tested, and when were they last tested?
What is the recovery time objective (RTO)?
What is the Recovery Point Objective (RPO)?
Does the vendor meet applicable privacy requirements (e.g. GDPR)?