Vendor Security Assessment Template

May 17, 2021

Vendor Security Assessment

This template is meant as a starting point for a security review of any vendor who will have access to your company's data and/or systems. You may want to add questions specific to the service under review, but these are the fundamental questions you should ask of every vendor.

  1. Overview

    1. Company name:

    2. Company address:

    3. Company website:

    4. Security point of contact name, title, and contact information:

    5. Please describe the service you provide:

    6. How long has your company been in business and providing this solution?

  2. Risk and Governance

    1. Do you have a formalized and approved information security policy?

    2. Do you update your security policies and procedures at least annually? Please describe this process.

    3. Do you complete a risk assessment at least on an annual basis? Please describe this process.

    4. Do you have a disciplinary or sanctions program for employees who violate security policies and procedures?

  3. Workforce Security

    1. Do you complete background checks on employees who will have access to sensitive information?

    2. Do you enforce employment agreements that cover confidentiality of sensitive information?

    3. Do you have a security and awareness training program? Please describe.

  4. Device Security

    1. Do you have a formal mobile device management program?

    2. Are employees able to access our data or systems from personally owned (BYOD) devices? If yes, please describe the compensating controls in place to address this.

    3. Are you able to remotely lock and wipe mobile devices that access our systems and data?

    4. Is the storage on mobile devices and laptops encrypted at rest (full-disk encryption)?

    5. Is anti-virus or other endpoint protection software installed on endpoints, and how is it kept up to date?

  5. Identity and Access Management

    1. How do you limit the use of shared accounts and logins?

    2. Do you require multi-factor authentication (MFA) for access to potentially sensitive data? Please describe how this is enforced.

    3. Do you have a password policy and requirements for users selecting and storing passwords? Please describe how this is enforced.

    4. How do you review user access and authorizations on a periodic basis?

    5. Do you use a centralized identity management solution such as Single Sign-On (SSO)?

  6. Application and Data Security

    1. Please describe your software development lifecycle and how security is addressed as a part of development.

    2. What is your change management process?

    3. Do you complete static code analysis? Please describe the process.

    4. Do you complete dynamic code analysis? Please describe the process.

    5. Are developers trained on secure coding techniques at least annually?

    6. How is sensitive data encrypted at rest? Please describe the algorithms used and how encryption keys are managed.

    7. How is sensitive data encrypted in transit? Please describe the protocols used, including the minimum TLS version accepted.

    8. Is penetration testing performed at least annually by a third party? Please summarize the scope of testing and the process for remediating findings.

    9. Do you perform vulnerability scanning? Please describe process, frequency, and tools used.

    10. Does the application we are evaluating support SAML 2.0 Single Sign-On (SSO) for authenticating our users? Please outline any prerequisites for using SSO, such as a specific licensing level (e.g. SSO is only available to enterprise customers).

    11. Does the application we are evaluating support multi-factor authentication (MFA)? If yes, what forms of MFA are supported (e.g. authenticator app, hardware token, SMS)?

  7. Incident Preparedness

    1. Do you have a formal incident management policy? Please describe.

    2. Do you test your incident management plan at least annually (e.g. tabletop exercises)? Please describe.

    3. Do you have a formalized business continuity plan? Please describe.

    4. Do you test your business continuity plan at least annually? Please describe.

    5. Do you test your backup or redundancy mechanisms at least annually? Please describe.

    6. How do you ensure that all information security events are reported internally in a timely manner, and what is your commitment for notifying customers of incidents affecting their data?

    7. Is there a preferred channel of communication for workforce personnel and external business partners to report security incidents?

  8. Data Privacy

    1. Do you have a privacy management program? Please describe.

    2. Do you enter into GDPR Data Processing Agreements?

    3. Do you complete Data Protection Impact Assessments as a part of your privacy program?

    4. Will you delete our data on request and at the end of the contract? Please describe the process, including how deletion is confirmed to us.

    5. Do you make available a directory of sub-processors (vendors that store or process our data on your behalf)? If yes, please share it.

  9. Vendor Management

    1. Do you have a vendor management policy and process?

    2. Do you rely on any contractors or third parties for development services? If so, where are they based and what functions do they complete?

    3. Do you complete security reviews of vendors at least annually? Please describe.

Insert signature box for approvers here: