Checklist for third party assessment

  1. Management Controls
    • What detailed background checks are performed on prospective employees?
    • Is a similar screening process carried out for contractors and temporary staff?
    • Does the employment application ask if the prospective employee has ever been convicted of a crime?
    • Are prior employment verifications performed for initial employment?
    • Do employees sign a non-disclosure agreement stating they will keep information obtained as part of their employment confidential?
    • Is there a documented process to verify a requestor’s ID and need-to-know before client information is shared?
    • Does the 3rd Party have documented information security and physical security policies and procedures?
    • Are compliance checks with 3rd Party’s policies and procedures conducted regularly?
    • Does either an internal or external auditor independently audit 3rd Party’s operational controls on a periodic basis?
    • Is an independent review carried out in order to assess the effective implementation of security policies?
    • Can the 3rd Party provide evidence of having gone through a recent 3rd party audit of their organization’s operational policies, procedures, and operating effectiveness, such as a SAS70 Type 2?
    • When external facilities management is used, have appropriate security controls been agreed with the contractor and built into the contract?
    • Is security responsibility regarded as a business issue and, as such, accepted by and informed by all parts of the company’s management team?
    • Does the 3rd Party have a formal policy requiring compliance with software licenses and prohibiting the use of unauthorized software?
    • Does the 3rd Party have a process in place to notify IT security of breaches and/or problems so that proper notification and correction can be done?
  2. Access and Identification
    • Does the 3rd Party have controlled access at all entrances to their facility (e.g. card key entry, security guard, receptionist)?
    • Are access logs kept for at least 90 days and reviewed as needed?
    • Do associates wear or carry identification badges at all times when traveling through facilities?
    • Is there a published roster of authorized individuals?
    • Does the 3rd Party require all visitors to sign a security log and be accompanied by an escort while in production areas?
    • Are visitors required to sign in and wear temporary badges that identify them as visitors? Are visitors escorted through the facilities?
    • Does the 3rd Party perform package searches of all visitors and employees as they leave sensitive areas?
    • Are 3rd Party equipment and data required to be carried as a separate package when traveling off-premises?
    • Is responsibility for the protection of individual assets and the carrying out of security processes explicitly defined?
    • Is the 3rd Party’s facility regularly patrolled by public law enforcement or a private security service?
  3. Building Facilities - Location
    • Are the servers and facilities that house or access confidential information located in a secure facility?
    • Is the in-house telephone exchange housed in a secure area?
    • Is equipment located to minimize unnecessary access to work areas?
    • Is all confidential and restricted information marked as such and stored in a secure area (room, cabinet) with access restricted to authorized personnel only?
  4. Security: Physical Security Systems
    • Is security monitoring of the facilities done through one or more of the following?
      • Security personnel stationed at unlocked entrances
      • Security cameras at building exits and internal areas
      • Motion detectors
      • Card readers
    • Does the 3rd Party have a security system with electronic access control systems, card key entry systems, etc. to control access to the data center, environmental support systems, and data media storage areas?
    • Is the 3rd Party’s facility protected by an intrusion detection alarm system?
    • Are important organization records safeguarded from loss, destruction, or falsification within the requirements of the legislative or regulatory environment within which the organization operates?
    • Is the 3rd Party’s facility serviced by full time fire protection services?
    • Are facilities equipped with fire suppression and fire alarm systems?
    • Is there regular testing of fire suppression and preventive devices within the data center?
    • Are lightning protection filters fitted to external communication lines?
  5. Data Security - Policies
    • Does the 3rd Party maintain a documented process for immediate disabling or modification of access entitlements when an employee status changes (termination, transfer, etc.)?
    • Is system access and security based on the concept of least possible privilege and need-to-know?
    • Do you have an established authentication and access control process?
    • Are controls in place to monitor activity on all configurable systems and devices that store or process confidential or sensitive information?
    • Are processes in place to ensure that log file data is not lost through overwriting or by audit function cessation?
    • Are there defined actions to be taken if an employee disregards security requirements?
    • What controls or policies are there in place to ensure the integrity of your authentication system?
  6. Data Security - Access, Authentication, and Audit
    • Are users only able to gain access to the services that they are authorized to use?
    • Are all users of the 3rd Party’s systems uniquely identified at sign-on within the system security package?
    • Are all PCs that have or will have resident client data secured against removal by unauthorized persons?
    • Is the allocation of passwords securely controlled?
    • Is there an all-systems lockout that requires users to re-authenticate after 30 minutes of session inactivity?
    • Does the 3rd Party’s automated security package log user transactions, failed access attempts, and other violations at all times?
    • Are all workstations (PC or other) that access client systems themselves secured against unauthorized access by at least the following?
      • User ID and Password
      • “Boot protection” to limit system start-up from an alternative source
      • Inactivity time-out of no more than 30 minutes
    • Is access to all information assets on the 3rd Party’s system traceable to the User ID level?
    • Are audit trails created for all financial transactions, all transactions that change customer information or identification and authentication mechanisms, and all system operator, support personnel, and manager actions?
    • Is the user’s identity, or the process acting on behalf of the user, maintained for the duration of the session?
    • Are activity log files and associated control mechanisms protected from unauthorized access and modification, and are they resistant to attacks?
  7. Data Security - Administration
    • Does the 3rd Party have an Information Security Administrator (ISA) function?
    • Is the ISA function separate from Systems Administration?
    • Is the ISA prohibited from initiating programs or processing or authorizing business transactions?
    • Does the 3rd Party’s ISA review violation reports every business day and have a standard to resolve incidents quickly?
    • Does the Information Security Administrator log and archive all information security related communications?
    • Is there a trained security engineer on staff?
  8. Security Awareness and Training
    • Is a mandatory security awareness program in place for employees to make them aware of confidential information, the company’s security policies and standards, and good security practices?
    • Are contractors, consultants, and vendors given appropriate security awareness training and/or information?
    • Is refresher security awareness training provided as needed?
    • Are all users informed of formal procedures for reporting the different types of security incident?
  9. User IDs and Passwords
    • Are all users aware that they are accountable for all activity associated with their passwords?
    • Is there a password expiration requirement? If so, how often must passwords be changed?
    • Are password files encrypted wherever stored (including PCs)?
    • Are passwords prevented from being displayed on the screen during logon?
    • Is the password entry process terminated after 3 consecutive invalid sign on attempts occurring in a single session?
    • Are User IDs disabled after a defined number of consecutive unsuccessful logon attempts?
    • Are default accounts, such as the guest account, disabled, deleted, and/or renamed when operating systems or products are installed?
    • Are passwords disclosed to the owners of User IDs in a secure manner?
    • Where possible, are password composition rules in effect to enforce strong passwords and to prevent dictionary attacks?
    • Are passwords prevented from being the same as the User ID?
    • Is the sharing of passwords prohibited?
    • Are users instructed on how to create strong passwords?
    • Where possible and appropriate, is only one effective concurrent session allowed per user?
    • Are passwords not stored or scripted such that the user gains access without logging in?
    • Does the password change process force re-authentication (the current password is re-entered, followed by the forced creation of a new password, then new password re-entry verification)?
    • Does the process for resetting users’ forgotten passwords and/or for unlocking their accounts include verifying users through some type of shared secret?
    • Are passwords changed by an administrator or help desk associate valid for only one use (i.e. the user must change the password after initial login)?
    • Is a process in place to change or disable IDs and/or passwords, as appropriate, when individuals transfer, take a leave of absence, change responsibilities, or terminate employment?
    • Are disabled IDs deleted on a regular basis?
    • Do users log off when they leave for the day?
  10. Data Security - Hardcopy
    • Does the 3rd Party have controls and procedures for the generation, distribution and storage of hardcopy reports?
    • Does the 3rd Party require and enforce, via spot audits, a “clean desk” policy?
    • Does the 3rd Party have a documented procedure to destroy Restricted and Confidential information at the end of its life cycle?
    • Are sensitive data and licensed software completely erased from equipment prior to disposal?
    • Does the 3rd Party use a shredder to destroy hard-copy data?
  11. Network Security
    • Does the organization have a ‘default deny and implicit drop’ stance that forces systems to fail closed, dropping all traffic not expressly permitted?
    • Is there a network firewall in place?
    • Is there a policy concerning the use of networks and network services?
    • Are there controls to restrict the route between the user terminal and the computer services that the user is required to access?
    • Are digital certificates/signatures or Message Authentication Codes (MAC) used?
    • Is remote access to diagnostic ports securely controlled, by procedures or by more durable controls (such as passwords), so that, for example, they are only accessible by arrangement between the manager of the computer service and the support personnel requiring access?
    • What network traffic is allowed to pass to your network from the Internet?
    • Does the 3rd Party use any wireless LAN technology? If yes, what extra security measures are in place to protect it?
    • What transport protocols, services, and ports are enabled on the firewall and network routers?
    • Are direct (non-Internet) network connections to computers housing confidential data secured appropriately (connection definitions, IDs, passwords, etc.)?
    • When large networks extend beyond organizational and corporate boundaries, are they separated into logical domains protected by a defined perimeter (firewall), which restricts the connection capabilities of users, systems and network services?
    • Are connections to the Internet secured with industry-recognized firewalls that are configured and managed to adhere to industry best practices?
    • Are the following security conditions addressed?
      • The deployed firewall(s) effectively separate web servers from the internal network.
      • Web servers are located in a DMZ with a firewall or firewall interface between the Web Servers and the internal network.
      • The deployed firewall(s) effectively separate Internet email and DNS servers from the internal network.
      • The email/DNS servers are located in a DMZ with a firewall or firewall interface between the mail/DNS servers and the internal network.
    • Is technology such as Network Address Translation (NAT) used to keep the internal IP addresses of all servers from becoming known to the Internet?
    • Is administrative access to firewalls and other perimeter devices allowed only through a secured internal network or through direct serial port access?
    • Are firewalls configured to log exceptions and issue alerts? Are the logs kept for at least 2 months and reviewed as needed?
    • Is there ‘back door’ access to the internal network (back door access is that which would allow connection to the internal network without going through the firewall or secured remote access system)?
    • Are modems attached to network-connected workstations disabled for inward dial?
    • Are operating system patches that address security vulnerabilities applied promptly – in a timeframe commensurate with the risk?
    • Are new servers added to the infrastructure scanned for vulnerabilities and not deployed for intended use until scans are free of unacceptable vulnerabilities? Where possible, does a change management process support this?
    • Are ongoing vulnerability and penetration assessments performed on all servers on a regular basis and appropriate actions taken to remove vulnerabilities?
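The following nftables ruleset is an added illustration, not part of the original checklist, of what evidence for the firewall items in this section looks like in practice: a default-deny, implicit-drop policy on every chain (fail closed), web and mail/DNS servers in a DMZ separated from the internal network, administrative access to the firewall only from the internal network, and logging of every dropped packet so exceptions can be alerted on and retained. Interface names and addresses (wan0, dmz0, lan0, 192.0.2.0/24, 10.0.0.0/24) are assumed example values.

```nft
#!/usr/sbin/nft -f
# Assumed topology (constructed example values, not from the checklist):
#   wan0 = Internet uplink
#   dmz0 = DMZ segment 192.0.2.0/24 (192.0.2.10 web, 192.0.2.20 mail/DNS)
#   lan0 = internal network 10.0.0.0/24
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself: default deny (fail closed)
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Administrative access (SSH) only from the secured internal network,
        # never from the Internet or the DMZ
        iifname "lan0" ip saddr 10.0.0.0/24 tcp dport 22 accept
        # Anything not expressly permitted is logged, counted, then dropped
        log prefix "fw-input-drop: " counter drop
    }

    chain forward {
        # Traffic routed between segments: default deny (fail closed)
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Internet -> DMZ web server, HTTP/HTTPS only
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept
        # Internet -> DMZ mail/DNS server: SMTP and DNS only
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.20 tcp dport 25 accept
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.20 udp dport 53 accept
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.20 tcp dport 53 accept
        # Internal users -> Internet: outbound web and submission mail only
        iifname "lan0" oifname "wan0" tcp dport { 80, 443, 587 } accept
        # Internal users reach the DMZ web server like any other client
        iifname "lan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept
        # Deliberately no rule for dmz0 -> lan0: a compromised DMZ host
        # cannot initiate connections into the internal network.
        # Everything else is logged, counted, then dropped
        log prefix "fw-forward-drop: " counter drop
    }
}
```

The `log prefix` entries appear in the kernel log and can be shipped to a central log host, which is how the 2-month retention and review asked for above is usually evidenced; `nft list ruleset` and the per-rule `counter` values give the assessor the enabled protocols, ports and drop counts directly.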
  12. Encryption
    • Does the 3rd Party encrypt data that is transmitted (tape or electronic) from their site to other locations?
    • Where encryption is implemented, is dual access control of encryption keys required?
    • If remote access is allowed, does the 3rd Party utilize challenge response, dynamic passwords or cryptographic techniques?
    • Is there a process to monitor the passwords issued to temps and consultants?
    • Are user IDs assigned to outside personnel working on a contract basis set with expiration dates?
    • Can users select their own passwords?
    • If processing restricted or confidential data, is it encrypted?
    • Does the encryption system utilize certified products?
    • Does the encryption system used comply with import, export and all other applicable laws?
    • Is the encryption key management system in use certified?
    • Is all cryptographic hardware tamper-proof, or does it use a unique key per transaction?
  13. Client Proprietary Information
    • Is the 3rd Party’s employee access to client proprietary information restricted (or will it be restricted) to batch processing, i.e. is on-line edit capability prohibited?
    • Does the 3rd Party return all client tapes within the required retention time frame?
    • Does the 3rd Party return client data tapes in their original encrypted format?
    • Does the 3rd Party prohibit duplication of client data other than authorized back up copies?
    • Are exchanges of data and software with other organizations formally controlled?
    • Do you log and verify the receipt, shipment, and check-out of all data tapes?
    • Is there appropriate management structure and control to ensure compliance with personal data protection laws and regulations (employee or customer)?
  14. Disaster Recovery and Business Continuity Planning (Interact with middle management and technology staff to understand the 3rd Party’s disaster recovery policies) - Policies
    • What are the 3rd Party’s severity levels for their BCP and the types of responses?
    • Within the 3rd Party staff, are responsibilities and emergency arrangements identified and agreed?
    • Does segregation of duties exist between process/application owners, those responsible for disaster recovery/BCP, and those responsible for ongoing operations at the 3rd Party?
    • Does the 3rd Party have formal change control procedures governing the implementation of disaster recovery/BCP to ensure that security and control procedures are not compromised?
    • Does the 3rd Party have incident response procedures in place, and does it test them regularly?
    • Does the 3rd Party have documented roles and responsibilities for each team member?
    • Does the 3rd Party have a documented and established incident response program?
  15. Back-up (Recovery from System Failure)
    • What are the 3rd Party’s procedures for recovering the data lost due to a systems failure?
    • Have the 3rd Party’s operations and business management reviewed and approved the backup procedures, schedules, and retention periods at least annually?
    • Does the 3rd Party have a retention schedule for all backups?
    • Is the 3rd Party’s backup recovery tested at least annually?
    • How are servers backed up at the 3rd Party?
    • Does the 3rd Party back up data and applications on a daily basis, and are backup tapes stored securely offsite? Are the 3rd Party’s back-up procedures reviewed annually and updated when necessary?
    • What are the back-up options that enable the 3rd Party to run the facility without power? For how many days can they employ these options?
    • If the 3rd Party sends tapes off-site, are they stored in containers that are closed with uniquely numbered seals and verified upon return?
    • Can we see the location where the 3rd Party stores tapes? Are they stored in containers that are closed, with uniquely numbered seals, and verified upon return?
    • Can we look at the bonded carrier services that are used to transfer information to and from the 3rd Party offsite location?
  16. Power Failure
    • What type of back-up power supply equipment exists at the 3rd Party?
    • Does this 3rd Party system operate in load balancing mode?
    • How much diesel stock is maintained at each 3rd Party center?
    • How are outages or temporary loss of services communicated within the 3rd Party?
    • Does the 3rd Party have a secondary uninterruptible power supply (UPS) for all technology components (e.g. workstations, servers, networking equipment, emergency lighting)? To what extent are voltage and frequency stabilized?
    • Does the 3rd Party provide emergency lighting in case of main power failure?
    • Does the 3rd Party’s contingency plan cover the actions to be taken on failure of the UPS?
    • How long can the 3rd Party’s UPS hold the current voltage load, and when is the load handed off to the generator?
  17. Connectivity and Telecom Infrastructure
    • How much IPLC redundancy (Mbps of bandwidth) does the 3rd Party have at the POL level, link level, carrier level, and route level?
    • From how many telecom carriers has the 3rd Party procured links? Who are the 3rd Party’s carriers for international links, national links, and last mile links?
    • How much Internet bandwidth does the 3rd Party have available to remotely access client applications and databases?
    • What VPN solution is the 3rd Party using? What encryption technology is the 3rd Party using?
    • Does the 3rd Party have dedicated fiber from the provider with back-up through RF (microwave) and captive satellite earth stations?
    • How many of the 3rd Party’s centers are connected to each other on a redundant fiber?
    • How many critical network components have been configured in failover mode on the redundant private fiber links across the 3rd Party’s centers?
    • How many 3rd party centers have independent last mile links?
    • Does the 3rd Party have IPLCs present on both satellite and fiber media?
    • Does the 3rd Party have multiple telecom service providers for international segments?
    • Does each service center have its own E1 links to sustain operations in case of an E1 outage in another center?
    • Does the 3rd Party take steps to ensure that in-house telephone exchanges have duplicate or alternative processors, alternative groups of exchange lines and routes to more than one main external exchange?
    • Does the 3rd Party label telephone wires/cables and armored ducting for critical cables?
    • Does the 3rd Party’s telephone system have a control and monitoring facility capable of providing reports on usage, traffic and response statistics?
    • Does the 3rd Party have a 24x7x365 onsite technology helpdesk to coordinate outages?
    • Describe the 3rd Party’s procedures for call routing.
  18. Contingency Planning
    • Has the 3rd Party developed data processing and operations contingency plans?
    • Does the 3rd Party perform a hardware failure analysis routinely?
    • Are the 3rd Party’s business clients notified during failures to ensure that any critical and immediate business needs are met?
    • Does the 3rd Party have operating procedures for the recovery of full or partial network failures?
  19. Off-Site Storage
    • Does the 3rd Party store all data used for processing at their facility?
    • Has the offsite storage vendor’s security been certified, if applicable?
    • If the 3rd Party stores information at an off-site facility, do they utilize bonded carrier services to transfer information to and from the off-site location?
    • Does the 3rd Party’s off-site facility have a data center?
  20. Virus Protection
    • What type of anti-virus software does the 3rd Party have installed on desktops/servers, e-mail servers, and the e-mail gateway?
    • Are these software applications automatically updated? How often?
    • Are the 3rd Party’s PCs protected with McAfee Anti-virus, and is the anti-virus software updated at least monthly?
    • Does the 3rd Party update the appropriate anti-virus software regularly?
    • Does the 3rd Party isolate affected machines to initiate cleaning mechanisms?