1. Instructions

    1. Instructions

  2. Privacy and security of information

    1. *Does your organization process personally identifiable information (PII) or protected health information (PHI)?

    2. *Does your organization have a security program?

    3. If so, what standards and guidelines does it follow?

    4. *Does your information security and privacy program cover all operations, services and systems that process sensitive data?

    5. *Who is responsible for managing your information security and privacy program?

    6. *What controls do you employ as part of your information security and privacy program?

    7. *Please provide a link to your public information security and/or privacy policy

    8. *Are there any additional details you would like to provide about your information security and privacy program?

  3. Physical and data centre security

    1. *Are you in a shared office?

    2. *Do you review physical and environmental risks?

    3. *Do you have procedures in place for business continuity in the event that your office is inaccessible?

    4. *Do you have a written policy for physical security requirements for your office?

    5. *Is your network equipment physically secured?

    6. What data centre providers do you use if any?

    7. *How many data centres store sensitive data?

    8. *What countries are data centres located in?

    9. * Please let us know of all that apply.

  4. Web application security

    1. *What is the name of your application? And what does it do?

    2. *Do you have a bug bounty program or other way to report vulnerabilities?

    3. *Does your application serve all traffic over HTTPS with a valid TLS certificate, to prevent man-in-the-middle attacks?

    4. *Does your application require login credentials?

    5. *How do users get their initial password?

    6. *Do you have minimum password security standards?

    7. *How do you store passwords?

    8. *Do you offer single sign-on (SSO)?

    9. *How can users recover their credentials?

    10. Does your application employ a defense-in-depth strategy? If so, describe it.

    11. *How do you regularly scan your application and its dependencies for known vulnerabilities (CVEs)?

    12. *How do you do quality assurance?

    13. *Do you employ pentesting?

    14. *Who can we contact for more information related to your web application security?

  5. Infrastructure security

    1. *Do you have a written network security policy?

    2. *Do you use a VPN?

    3. *Do you employ server hardening?

    4. *How do you keep your server operating systems patched?

    5. *Do you log security events?

    6. *What operating systems are used on your servers?

    7. *Do you back up your data?

    8. *How do you store backups?

    9. *Do you test backups?

    10. *Who manages your email infrastructure?

    11. *How do they prevent email spoofing?

    12. *How do you protect employee devices from ransomware and other types of malware?

    13. *What operating systems do employee devices use?

    14. *Are employee devices encrypted?

    15. *Do you employ a third party to test your infrastructure security?

    16. *Who can we contact in relation to infrastructure security?

Vendor Risk Assessment Questionnaire



Instructions

Thank you for taking the time to fill out this assessment questionnaire.


What do you need to know?


  1. Provide all required information here using this form.
  2. Click ✓ Ok to submit and check off each request.
  3. Drafts are saved automatically and your progress is restored, so you don't have to complete the checklist in one go.


Need help?


Click the message icon in the top left corner to leave a message or comment for the question or section you're stuck in or need help with.


Getting started


Click the ✓ Ok button below to get started.


*Does your organization process personally identifiable information (PII) or protected health information (PHI)?

*Does your organization have a security program?

If so, what standards and guidelines does it follow?

*Does your information security and privacy program cover all operations, services and systems that process sensitive data?

*Who is responsible for managing your information security and privacy program?

Please provide the name of the individual and their title within the business.

*What controls do you employ as part of your information security and privacy program?

Please let us know of all that apply.

*Please provide a link to your public information security and/or privacy policy

*Are there any additional details you would like to provide about your information security and privacy program?

Use this space to let us know of anything else you'd like to add on this front.

*Are you in a shared office?

*Do you review physical and environmental risks?

*Do you have procedures in place for business continuity in the event that your office is inaccessible?

*Do you have a written policy for physical security requirements for your office?

*Is your network equipment physically secured?

What data centre providers do you use if any?

Please let us know of all that apply.

*How many data centres store sensitive data?

*What countries are data centres located in?

Please let us know of all that apply.

* Please let us know of all that apply.

Use this space to let us know of anything else you'd like to add on this front.

*What is the name of your application? And what does it do?

*Do you have a bug bounty program or other way to report vulnerabilities?

*Does your application serve all traffic over HTTPS with a valid TLS certificate, to prevent man-in-the-middle attacks?

*Does your application require login credentials?

*How do users get their initial password?

Do they receive it via email? Do they set it themselves? Do they require a one-time code?

*Do you have minimum password security standards?

*How do you store passwords?

Please describe this process, including the hashing algorithm used and whether passwords are salted.

*Do you offer single sign-on (SSO)?

*How can users recover their credentials?

Please describe this process.


Does your application employ a defense-in-depth strategy? If so, describe it.

Please describe this strategy if applicable.

*How do you regularly scan your application and its dependencies for known vulnerabilities (CVEs)?

*How do you do quality assurance?

Please describe this process.

*Do you employ pentesting?

*Who can we contact for more information related to your web application security?

Please provide the name of the individual, their title within the business and their contact details.

*Do you have a written network security policy?

*Do you use a VPN?

*Do you employ server hardening?

*How do you keep your server operating systems patched?

Please describe this process.

*Do you log security events?

*What operating systems are used on your servers?

Please let us know of all that apply.

*Do you back up your data?

*How do you store backups?

Please describe this process.

*Do you test backups?

*Who manages your email infrastructure?

Please provide the name of the individual and their title within the business.

*How do they prevent email spoofing?

Please describe this process, for example whether SPF, DKIM and DMARC are configured for your sending domains.

*How do you protect employee devices from ransomware and other types of malware?

*What operating systems do employee devices use?

Please let us know of all that apply.

*Are employee devices encrypted?

*Do you employ a third party to test your infrastructure security?

*Who can we contact in relation to infrastructure security?

Please provide the name of the individual, their title within the business and their contact details.