WIXLIB

HALKYN CONSULTING LTDSupplier SecurityAssessmentQuestionnaireSecurity Self-Assessment and ReportingThis questionnaire is provided to assist organisations in conducting supplier security assessments. Itis designed to be provided to the supplier (with minimal editing to enter company & supplier names)who completes it as a self-assessment questionnaire. The nature of this document means cannot beused as a replacement for a formal, on-site, security assessment by a qualified professional but it canbe used to help allocate resources and prioritise site visits.

Halkyn Security Consultingwww.halkynconsulting.co.ukSupplier Security Assessment Questionnaire(SSAQ)This SSAQ has been issued by [Company Name] to [Supplier Name] to serve as a preliminaryassessment of the security controls provided as part of the requested service. On completion[Company Name] will make a decision as to the level of physical audit required. Any deliberatelyfalse statements on this assessment will be treated as a breach of contract / disqualify [SupplierName] from tendering services under this agreement [delete as applicable].Instructions: Please provide a detailed response to each question. For questions that are notapplicable to the services provided to [Company Name], please mark the question as “N/A” andprovide an explanation.Part 1: Document ControlSupplier Name &Address:Assessment Completedby:Date of assessment:Additional DocumentsProvidedRelevant Network DiagramRelevant Security DiagramRelevant System ArchitectureTechnical Interface DesignRelevant 3rd Party Security Assessment(s) (e.g. SAS 70, Pentests, etc.)Part 2: Policy ComplianceControl AreaControl QuestionSecurityPoliciesDoes your organization have adocumented information securitypolicy?Supplier responseWhat is the time interval at whichsecurity policies are reviewed andupdated?Who is responsible for security policydevelopment, maintenance, andissuance?Are all security policies and standardsreadily available to all users (e.g.,posted on company intranet)?[Company Name] Supplier Security Assessment QuestionnairePage 1 of 8

Halkyn Security Consultingwww.halkynconsulting.co.ukControl AreaControl QuestionSupplier responsePolicyCoverageSelect the security areas which are addressed within your information securitypolicies and standards:Acceptable UseRemote Access / WirelessIT Security Incident ResponseData/System ClassificationThird Party ConnectivityPhysical SecurityNetwork/Perimeter SecurityOtherDetails:PolicyProvisionData PrivacyAccess ControlEncryption StandardsAnti-VirusEmail / Instant MessagingPersonnel SecurityClear DeskIs a complete set of yourorganisation’s security policiesavailable for review?Part 3: Detailed Security Control AssessmentControl AreaControl QuestionOrganizationalSecurityHave security-related jobresponsibilities, including oversightand accountability, been clearlydefined and documented?Have the security policies, standards,and procedures been reviewed andcritiqued by a qualified third party?Has the security perimeterinfrastructure been assessed andreviewed by a qualified third party?AssetClassificationand ControlSupplier responseDo your third-party contracts containlanguage describing responsibilitiesregarding information protectionrequirements?Describe the process by which thirdparties are granted privileged accessto [Company Name] Data.Do you maintain an inventory of allimportant information assets withasset owners clearly identified?Describe your informationclassification methods and labellingpractices.Describe how user access is grantedto different informationclassifications?What are your procedures withregards to the handling and storageof information assets?[Company Name] Supplier Security Assessment QuestionnairePage 2 of 8

Halkyn Security ConsultingControl AreaControl QuestionPersonnelSecurityDo terms and conditions ofemployment clearly defineinformation security requirements,including non-disclosure provisionsfor separated employees andcontractors?Describe the screening process for allusers (employees, contractors,vendors, and other third-parties)?Do you conduct formal informationsecurity awareness training for allusers, including upper management?Do you require additional training forsystem administrators, developers,and other users with privilegedusage?Is there a formal procedure dictatingactions that must be taken when auser has violated any informationsecurity policies?Are all users required to sign aconfidentiality agreement?Physical andEnvironmentalSecurityDescribe the physical securitymechanisms that preventunauthorized access to your officespace, user workstations, and serverrooms/data centres?Are all critical information assetslocated in a physically secure area?www.halkynconsulting.co.ukSupplier responseHow do you protect your systemsfrom environmental hazards such asfire, smoke, water, vibration,electrical supply interfaces, and dust?What type of fire suppressionsystems are installed in the datacentres (pre-action, mist, wet, cleanagent, etc)?What physical access restrictionshave you put in place? Pleasedescribe your badge access system.How is contractor access granted tosecure locations?What exterior security is provided(i.e. gates, secure vehicle access,security cameras, etc.)?[Company Name] Supplier Security Assessment QuestionnairePage 3 of 8

Halkyn Security ConsultingControl AreaControl Questionwww.halkynconsulting.co.ukSupplier responseIs there a natural disaster risk? Whatmeans of business continuity anddisaster recovery are employed tomitigate?Describe your facilities systemmaintenance process.Are the systems configured to recordsystem faults?Do you have a formal mediadestruction policy?Do you employ automatic lockingscreen savers when users’workstations remain idle after a setperiod of time?How is the removal of equipmentfrom the premises authorized andcontrolled?Are logs maintained that record allchanges to information systems?Communications Describe how you segregate duties toand Operationsensure a secure environment.ManagementDescribe how changes are deployedinto the production environment.Who manages/maintains your datacentre? If you use a third-partycontractor to maintain your systems,describe the vetting process by whichthat contractor was selected.How do you protect your systemsagainst newly-discoveredvulnerabilities and threats?How do you prevent end users frominstalling potentially malicioussoftware (e.g., list of approvedapplications, locking down thedesktop)?Do you scan traffic coming into yournetwork for viruses?How do you protect theconfidentiality and integrity of databetween your company and[Company Name]?[Company Name] Supplier Security Assessment QuestionnairePage 4 of 8

Halkyn Security ConsultingControl AreaControl Questionwww.halkynconsulting.co.ukSupplier responseHow do you dispose of computermedia when they are no longer ofuse?Do you keep logs of media disposalactivity?How is system documentation(network diagrams, run books,configuration guides, etc.) securedfrom unauthorized access?Are backup procedures documentedand monitored to ensure they areproperly followed?Describe how you protectinformation media (e.g., back-uptapes) that is shipped offsite.Describe the process by whichsoftware malfunctions are reportedand handled.Describe your hiring process and howa new employee is granted access tonetwork resources.Describe the process by which a nonemployee (e.g., contractor, vendor,and customer) is granted access tonetwork resources.How many users will have privilegedaccess to systems containing[Company Name] Data?What processes and standards doyou follow for incident management,problem management, changemanagement, and configurationmanagement?Please describe the technicalplatform that supports themonitoring, maintenance andsupport processes (both hardwareand software platforms).Access ControlPlease describe your Access ControlPolicy.Describe your account and passwordrestrictions for internally facingapplications.Describe your account and passwordrestrictions for externally facingapplications.[Company Name] Supplier Security Assessment QuestionnairePage 5 of 8

Halkyn Security ConsultingControl AreaControl Questionwww.halkynconsulting.co.ukSupplier responseDescribe your authenticationmethods used to authenticate usersand or third parties via externalconnections.Do you conduct periodic checks onusers’ accesses to ensure their accessmatches their responsibilities?Describe how you segment yournetwork (i.e. security zones, DMZs,etc).Do you enable any remoteadministration capabilities on yourservers and network devices? If so,which protocol(s) do you use?Describe any controls which are usedto monitor and record system andapplication access.Do workstations or productionservers currently utilize any type ofHost Intrusion Prevention orDetection software?To what extent are user’s system uselogged and monitored?Are failed login attempts recordedand reviewed on a regular basis?Development &MaintenanceWhat tools and technologies do youutilize to effectively manage thedevelopment lifecycle?Do you use data sets containingpersonal information from actualpeople when testing an application?If so, what measures do you take toprotect that information?Are your test systems secured in thesame manner as your productionsystems?Describe how you protect yourapplication source librariesDo security specialists conducttechnical reviews of applicationdesigns?Are security professionals involved inthe testing phase of an application?Describe how you protect yourapplications from covert channelsand Trojan code.[Company Name] Supplier Security Assessment QuestionnairePage 6 of 8

Halkyn Security ConsultingControl AreaControl Questionwww.halkynconsulting.co.ukSupplier responseDuring the course of a softwaredevelopment project, when do youtypically start to discuss the securitydesign requirements?Have your developers been trained insecure coding techniques?Describe your techniques to handleinput and output validation whendesigning a software application.Do you assess the risks aroundmessaging to determine if messageauthentication is required?InformationHas a dedicated Information SecuritySecurity Incident Response Team been established?ManagementHas the Incident Response Teambeen trained in evidence gatheringand handling?Are incident reports issued toappropriate management?After an incident, are policies andprocedures reviewed to determine ifmodifications need to beimplemented?BusinessContinuityManagementHas an organizational disasterrecovery plan coordinator beennamed and a mission statementidentifying scope and responsibilitiesbeen published?Has a "worst-case" scenario torecover normal operations within aprescribed timeframe beenimplemented and tested?Has a listing of current emergencytelephone numbers for police, firedepartment, medical aid andcompany officials been strategicallylocated throughout all facilities andat off-site locations?[Company Name] Supplier Security Assessment QuestionnairePage 7 of 8