Send and sign agreements in seconds, with Concord

Effortless contract management, from drafting to e-signing and beyond. Book a live demo to see Concord in action.

Download template Book a demo

Vendor Security Assessment Template

An important piece of compliance, especially Soc II compliance, is understanding the security implications of each vendor you have, and ensuring regular review and renewal of agreements. With the Vendor Security Assessment template from Aptible you can ensure that each new vendor requested by your internal team has all the right questions answered. Using Concord you can even automate approval workflows to ensure that the right internal parties sign off on every new vendor considered.

 

Vendor Security Assessment

This template is meant as a starting point to initiate a security review of any vendor who will have access to your company’s data and/or systems. You may want to add additional queries, but as a basis these are the fundamental questions you should ask.

  1. Overview
    1. Company name:
    2. Company address:
    3. Company website:
    4. Security point of contact name, title, and contact information:
    5. Please describe the service you provide:
    6. How long has your company been in business and providing this solution?
  2. Risk and Governance
    1. Do you have a formalized and approved information security policy?
    2. Do you update your security policies and procedures at least annually? Please describe this process.
    3. Do you complete a risk assessment at least on an annual basis? Please describe this process.
    4. Do you have disciplinary or sanctions program for employees who violate security policies and procedures?
  3. Workforce Security
    1. Do you complete background checks on employees who will have access to sensitive information?
    2. Do you enforce employment agreements that cover confidentiality of sensitive information?
    3. Do you have a security and awareness training program? Please describe.
  4. Device Security
    1. Do you have a formal mobile device management program?
    2. Are employees able to access our data or system from BYOD devices? If yes, please describe any compensating controls in place to address this.
    3. Are you able to remotely wipe and lock mobile devices that accesses our system and data?
    4. Are mobile device hard drives encrypted?
    5. Is anti-virus installed on end points?
  5. Identity and Access Management
    1. How do you limit the use of shared accounts and logins?
    2. Do you require multi-factor authentication (MFA) for access to potentially sensitive data? Please describe how this is enforced.
    3. Do you have a password policy and requirements for users selecting and storing passwords? Please describe how this is enforced.
    4. How do you review user access and authorizations on a periodic basis?
    5. Do you use a centralized identity management solution such as Single Sign On?
  6. Application and Data Security
    1. Please describe your software development lifecycle and how security is addressed as a part of development.
    2. What is your change management process?
    3. Do you complete static code analysis? Please describe the process.
    4. Do you complete dynamic code analysis? Please describe the process.
    5. Are developers trained on secure coding techniques at least annually?
    6. How is sensitive data encrypted at rest?
    7. How is sensitive data encrypted in transit?
    8. Is penetration testing performed at least annually by a 3rd party? Please summarize the testing and response process.
    9. Do you perform vulnerability scanning? Please describe process, frequency, and tools used.
    10. Does the application we are evaluating support SAML 2.0 Single Sign On (SSO) for authenticating our uses? Please outline any prerequisites for using SSO, such as a specific licensing level (ie SSO is only available for enterprise customers).
    11. Does the application we are evaluating support multi-factor authentication (MFA)? If yes, what forms of MFA are supported (ie. Google Authenticator, hardware token, SMS)?
  7. Incident Preparedness
    1. Do you have a formal incident management policy? Please describe.
    2. Do you test your incident management policy at least annually? Please describe.
    3. Do you have a formalized business continuity plan? Please describe.
    4. Do you test you business continuity plan at least annually? Please describe.
    5. Do you test your backup or redundancy mechanisms at least annually? Please describe.
    6. How do you work towards having all information security events reported in a timely manner?
    7. Is there a preferred channel of communication for workforce personnel and external business partners to report security incidents?
  8. Data Privacy
    1. Do you have a privacy management program? Please describe.
    2. Do you enter into GDPR Data Processing Agreements?
    3. Do you complete Data Protection Impact Assessments as a part of your privacy program?
    4. Will you delete our data if we ask you to? Please describe this process.
    5. Do you make available a subvendor directory of vendors that store and process our data on your behalf? If yes, please share.
  9. Vendor Management
    1. Do you have a vendor management policy and process?
    2. Do you rely on any contractors or third parties for development services? If so, where are they based and what functions do they complete?
    3. Do you complete security reviews of vendors at least annually? Please describe.

Insert signature box for approvers here:

 

Our templates are intended for reference use. Concord holds no responsibility for any reliance placed on these templates. These templates do not constitute legal counsel and should not be treated as such. By using any of these templates, you acknowledge and consent to these conditions.

Send and sign agreements in seconds, with Concord

Effortless contract management, from drafting to e-signing and beyond. Book a live demo to see Concord in action.

Download template Book a demo

Our templates are intended for reference use. Concord holds no responsibility for any reliance placed on these templates. These templates do not constitute legal counsel and should not be treated as such. By using any of these templates, you acknowledge and consent to these conditions.

Download

Our templates are intended for reference use. Concord holds no responsibility for any reliance placed on these templates. These templates do not constitute legal counsel and should not be treated as such. By using any of these templates, you acknowledge and consent to these conditions.

Start sending and signing today.

Concord unlocks the data trapped in your agreements, and transforms it into actionable insights that drive revenue growth.

  Intuitive Google-style interface

  Industry-leading AI-powered search

  Real-time sending and e-signing

  Instant access to actionable insights

  Unlimited storage for all agreements

  Transparent cost-efficient pricing