Acme Inc.

Vendor Risk Assessment Questionnaire

  1. Instructions

  2. Vendor Information

    1. *Company Name

    2. *Point of Contact

    3. Business Address

    4. Industry

    5. Description of Services Provided

  3. Privacy and Data Protection

    1. *What types of data do you collect from clients?

    2. *How do you ensure compliance with relevant data protection laws (GDPR, CCPA, etc.)?

    3. Where is client data stored (on-premises, cloud, hybrid)?

    4. *Do you use encryption for data at rest and in transit?

    5. *How long is client data retained?

    6. *Who has access to sensitive client data within your organization?

    7. *What authentication and authorization mechanisms are in place?

    8. *Do you share any client data with third parties?

    9. *How do you assess the security practices of third-party partners?

    10. *Do you have an incident response plan for data breaches?

    11. *How do you notify clients in the event of a breach?

    12. *Have you experienced any data breaches in the last 12 months?

  4. Physical Security

    1. *How is access to your facility controlled?

    2. *Do you use badge readers, biometric scanners, or other systems?

    3. *Are there surveillance systems in place (CCTV)?

    4. *How long is footage retained?

    5. *How is access to surveillance data restricted?

    6. Are there security personnel on site?

    7. *How are visitors to the facility tracked and monitored?

    8. *Are there restrictions on where visitors can go within the facility?

    9. Any additional details

  5. Web Security

    1. *Have you performed a recent vulnerability assessment (e.g., against the OWASP Top 10)?

    2. *Do you use firewalls and intrusion detection systems?

    3. *What types of user authentication are implemented (e.g., MFA)?

    4. Are all web communications encrypted (e.g., SSL/TLS)?

    5. How do you protect against man-in-the-middle attacks?

    6. *How frequently do you apply patches and updates to web applications and servers?

    7. *Do you have a system for automatically applying critical security updates?

    8. *How do you handle security incidents on your web properties?

    9. *What is your process for mitigating and reporting web security incidents?

    10. *Do you offer single sign-on (SSO)?

    11. *How do you store user passwords?

    12. *How do you handle forgotten passwords or account recovery?

  6. Infrastructure Security

    1. *What network security measures are in place (e.g., firewalls, VLANs)?

    2. *Do you perform regular penetration testing and vulnerability scanning?

    3. *Are you using any cloud services?

    4. *How do you secure data in the cloud (encryption, access control)?

    5. *What is your disaster recovery plan for infrastructure failure?

    6. *How frequently are backups performed, and where are they stored?

    7. *Do you back up your data?

    8. *How do you restrict access to infrastructure resources?

    9. *What tools are used for monitoring and logging access to critical infrastructure?

    10. *Do you use third-party hosting providers?

    11. *How do you ensure that you and your third-party providers meet your infrastructure security standards?

    12. *What operating system(s) do your employees use?

  7. Compliance and Certifications

    1. What regulatory frameworks does your organization comply with (e.g., HIPAA, PCI DSS)?

    2. Do you hold any industry-recognized security certifications (e.g., ISO 27001, SOC 2)?

    3. Can you provide recent audit reports or security assessments?

  8. Vendor Risk Management and Training

    1. *How do you train employees on security best practices?

    2. *Do you provide regular training on recognizing phishing or social engineering attacks?

    3. *How do you assess the security practices of your own vendors and subcontractors?

    4. *How often do you review and update your security policies and practices?

    5. *Do you perform ongoing risk assessments for evolving threats?


  1. Instructions

    This questionnaire helps us assess your business's security posture across key areas. Thank you for taking the time to complete it.



    What do you need to know?


    1. Provide all required information here using this form. Items marked * require a response.
    2. Click ✓ Ok to submit and check off each request.
    3. Drafts are saved automatically and your progress is restored, so you don't have to complete the checklist in one go.


    Need help?


    Click the message icon in the top-right corner to leave a message or comment for the question or section you're stuck in or need help with.


    Getting started


    Click the ✓ Ok button below to get started.


  2. Vendor Information

    *Company Name

    *Point of Contact

    Business Address

    Industry

    Description of Services Provided

  3. Privacy and Data Protection

    *What types of data do you collect from clients?

    *How do you ensure compliance with relevant data protection laws (GDPR, CCPA, etc.)?

    Where is client data stored (on-premises, cloud, hybrid)?

    *Do you use encryption for data at rest and in transit?

    *How long is client data retained?

    *Who has access to sensitive client data within your organization?

    *What authentication and authorization mechanisms are in place?

    *Do you share any client data with third parties?

    • Yes
    • No

    *How do you assess the security practices of third-party partners?

    *Do you have an incident response plan for data breaches?

    *How do you notify clients in the event of a breach?

    *Have you experienced any data breaches in the last 12 months?

  4. Physical Security

    *How is access to your facility controlled?

    *Do you use badge readers, biometric scanners, or other systems?

    *Are there surveillance systems in place (CCTV)?

    *How long is footage retained?

    *How is access to surveillance data restricted?

    Are there security personnel on site?

    What is their role in enforcing security protocols?

    *How are visitors to the facility tracked and monitored?

    *Are there restrictions on where visitors can go within the facility?

    Any additional details

  5. Web Security

    *Have you performed a recent vulnerability assessment (e.g., against the OWASP Top 10)?

    *Do you use firewalls and intrusion detection systems?

    *What types of user authentication are implemented (e.g., MFA)?

    Are all web communications encrypted (e.g., SSL/TLS)?

    How do you protect against man-in-the-middle attacks?

    *How frequently do you apply patches and updates to web applications and servers?

    *Do you have a system for automatically applying critical security updates?

    *How do you handle security incidents on your web properties?

    *What is your process for mitigating and reporting web security incidents?

    *Do you offer single sign-on (SSO)?

    *How do you store user passwords?

    *How do you handle forgotten passwords or account recovery?

  6. Infrastructure Security

    *What network security measures are in place (e.g., firewalls, VLANs)?

    *Do you perform regular penetration testing and vulnerability scanning?

    *Are you using any cloud services?

    *How do you secure data in the cloud (encryption, access control)?

    *What is your disaster recovery plan for infrastructure failure?

    *How frequently are backups performed, and where are they stored?

    *Do you back up your data?

    *How do you restrict access to infrastructure resources?

    *What tools are used for monitoring and logging access to critical infrastructure?

    *Do you use third-party hosting providers?

    • Yes
    • No

    *How do you ensure that you and your third-party providers meet your infrastructure security standards?

    Please describe this process.

    *What operating system(s) do your employees use?

  7. Compliance and Certifications

    What regulatory frameworks does your organization comply with (e.g., HIPAA, PCI DSS)?

    Do you hold any industry-recognized security certifications (e.g., ISO 27001, SOC 2)?

    Can you provide recent audit reports or security assessments?

    (Attach files)

  8. Vendor Risk Management and Training

    *How do you train employees on security best practices?

    • Yes
    • No

    *Do you provide regular training on recognizing phishing or social engineering attacks?

    • Yes
    • No

    *How do you assess the security practices of your own vendors and subcontractors?

    *How often do you review and update your security policies and practices?

    *Do you perform ongoing risk assessments for evolving threats?

    • Yes
    • No