Information Security - IT Security Assessment Questionnaire


IT Security Assessment Questionnaire

Please complete the entire form and do not leave any information blank. Incomplete information will delay the process of the assessment. Our SLA requires a minimum of 10 business days to review. If you have any questions regarding this form, you can email them to itsecurityoffice@utoledo.edu.

A. General Information

1. Is this a funded project?  [ ] Yes  [ ] No
2. Has this project been reviewed by the Governance Committee?  [ ] Yes  [ ] No
3. Has this project been reviewed by the purchasing department? If yes, by whom?  [ ] Yes  [ ] No
Date Form Completed:
4. Brief Description of the project, grant, or purchase:
5. Purpose of the project, grant, or purchase:
6. UT Customer Contact:
7. UT IT Project Manager:
8. UT IT Support Contact:

B. Vendor Information

9. Business or Legal Entity Name and Address:
10. Name and contact information of vendor representative completing questionnaire:
    Vendor Contact Name:
    Vendor Telephone Number:
    Vendor Email Address:
    Vendor Website (URL):

C. Project Information

11. What is the name of the product?
12. What is the version of the product?
13. Is this an upgrade, a new install, or has the software been purchased?
14. Have other UT locations deployed this application or system?  [ ] Yes  [ ] No
    If yes, list locations:
15. Is this product a regulated medical device?  [ ] Yes  [ ] No
    If yes, attach MDS2 form.
16. Optional Comments:

D. UT Resources

17. Describe the technical resources required for this project:
18. Describe remote access needed by the vendor for this project. UT currently supports VDI, client VPNs, and branch VPN.

Information Security Questionnaire - Page 1 of 5

19. The University of Toledo defines data as any data that the University has an obligation to provide for confidentiality, availability, or integrity, along with security terms or other cyber security legal, regulatory, or industry standard requirements defined in the project agreements or grant terms. Check all that apply below:
    [ ] General Data Protection Regulation (GDPR)
    [ ] DFARS 252.204-7012
    [ ] Federal Information Security Management Act of 2002 (FISMA)
    [ ] FTC "Red Flags" Rule
    [ ] Gramm-Leach-Bliley Act (GLBA)
    [ ] Health Insurance Portability and Accountability Act (HIPAA/HITECH)
    [ ] Ohio HB-104
    [ ] Service Organization Controls (SSAE-16, SOC-1, SOC-2, SOC-3, etc.)
    [ ] Payment Card Industry Data Security Standard (PCI-DSS)
    [ ] Industry Standards (NIST, ISO 27000, etc.)
    [ ] Right to Audit
    [ ] Student Data (FERPA)
    [ ] Personally Identifiable Information (Social Security Number, Driver's License Number, etc.)
    [ ] Intellectual Property
    [ ] Credit Card or Financial Account Data
    [ ] Other (Please Describe)
20. Will this project involve the creation, processing, storage, transmission, receipt, or disposal of sensitive data?  [ ] Yes  [ ] No
    If yes, please describe:
21. UT staff responsible for compliance:
    Title:
    Department:
22. Will sensitive data be exposed, transmitted, or shared to any outside organization? If yes, please provide information on how this will ... Please describe:
23. UT contact responsible for data access approvals:
24. Is wired or wireless access to the UT network required?  [ ] Yes  [ ] No
    Is wired or wireless access required to the internet?  [ ] Yes  [ ] No

E. Antivirus Compatibility

25. Does your application or system require any special configuration or file exclusions for antivirus? If yes, UT will need a comprehensive list of the exclusions and documentation demonstrating justification for the exclusions (i.e. real-time scanning, file, or folder exclusions).
26. Describe limitations, exclusions, or special configuration for anti-virus software used with the product:
27. Has this product been tested and confirmed to operate with Microsoft System Center Endpoint Protection (SCEP)?

F. Workstation Components

28. Will the product be installed on UT workstations?  [ ] Yes  [ ] No
29. Are any third party applications or software components required to use the product? If yes, please explain (for example: Oracle, Java, Microsoft .NET runtime components, Adobe Flash, Adobe Reader).
30. Is this product or solution tested with other third party software for compatibility?  [ ] Yes  [ ] No
    If yes, how are update compatibility notices communicated to the university:
    Provide the minimum and recommended workstation specifications:
31. Does your product require the use of a web browser?  [ ] Yes  [ ] No
    If yes, list supported browsers and versions:
    What OS platforms are supported?  [ ] Mac  [ ] iOS  [ ] Windows  [ ] Linux  [ ] Other
32. How often are patches applied, and who is responsible to apply the patches, UT or the vendor?
    Hardware Platform (cloud based, hybrid, on-premises). If cloud or hybrid, please explain in full detail:

G. Server Components

33. What server platforms are used?
    Hardware Platform:  [ ] Cloud Based  [ ] Hybrid  [ ] On-premises
    [ ] Windows (version)  [ ] Linux/Unix (version)  [ ] Other (or versions)
    How often are patches applied, and who is responsible to apply the patches, UT or the vendor?

H. Network Services

34. List the network services required to support this application (i.e. SMTP, FTP, HTTP, file sharing, SNMP, etc.). Please include data flow diagrams. List all TCP, UDP, and ICMP ports needed and explain their purpose.
35. If unsecure services are used (HTTP, FTP, Telnet, SNMP v1&2, etc.), can the secure alternatives be used instead (HTTPS, SFTP, SSH, SNMP v3, etc.)?  [ ] Yes  [ ] No
    If no, please explain:
36. Does the product require LDAP or other directory service integration? List all that apply:  [ ] Yes  [ ] No
37. Does your application require internet access for server components of the proposed system?  [ ] Yes  [ ] No
38. Does your product include a web server, or are web services required?  [ ] Yes  [ ] No
39. Will your application require any ports open in our outside firewall? List all ports and their purpose.  [ ] Yes  [ ] No
40. Does this application utilize a mobile device component?  [ ] Yes  [ ] No

I. Authentication and Access Control

41. Does the application or system use hard coded passwords?
    [ ] Yes, we have passwords or passcodes that are hard-coded.
    [ ] No, all passwords and passcodes may be changed.
    If yes, are the passwords encrypted when transmitted?  [ ] Yes  [ ] No
42. Will there be any problems with changing any default or factory set passwords or pass codes?  [ ] Yes  [ ] No
43. How will user authentication take place for this system?
    [ ] UT Active Directory to manage user authentication and authorization (ADFS, LDAP, SAML, etc.)
    [ ] This system has its own authentication and authorization mechanism
    Does your application support single sign on?  [ ] Yes  [ ] No
44. If this system utilizes its own user authentication process, describe that process and how it works:
45. If the system utilizes its own user authentication process, do controls exist to enforce secure password policies? Check all that apply:
    [ ] Minimum Length  [ ] Expiration  [ ] Password Complexity  [ ] Password History  [ ] Unique User ID
46. Which methods are used to authenticate users to this application? Check all that apply:
    [ ] Password  [ ] Hardware Token  [ ] Software Token  [ ] Challenge Questions  [ ] MFA  [ ] Other
47. Who will be responsible for creating and managing user accounts?  [ ] UT  [ ] Vendor
48. If this system utilizes its own user authentication process, describe the process of how an account can be suspended or revoked if needed:

49. For the authorization aspect of this system, list the various account types native to this system and what their capabilities are (i.e. admin, user, super user, etc.):
50. Does this application allow role based access? If yes, provide documentation on each role and their rights. Include in email submission.  [ ] Yes  [ ] No

J. Data Security and Encryption

51. Are there any known issues with the workstations using encryption on them? The University of Toledo currently uses McAfee, WinMagic, BitLocker, and FileVault.  [ ] Yes  [ ] No
52. Is transmission of data between endpoints encrypted?  [ ] Yes  [ ] No
    If yes, describe the algorithms and key strengths your solution is capable of supporting:
53. If data transmission is not encrypted, can a third-party encryption solution be used to provide this layer of security?  [ ] Yes  [ ] No
54. Does your solution provide any validation techniques to ensure integrity when processing or storing data into the system? Please describe if applicable.  [ ] Yes  [ ] No
55. Do any mechanisms exist to ensure the integrity of historically stored data? Please describe if applicable.  [ ] Yes  [ ] No
56. Is disk or file/folder encryption natively used within your system for stored data? If yes, please describe which algorithms and key strengths the system is capable of.  [ ] Yes  [ ] No
57. If sensitive data is stored within this application or system, has the application been audited for compliance with federal or industry regulations and standards (HIPAA, PCI, etc.)? If yes, include PCI addendum.  [ ] Yes  [ ] No

K. System Logging

58. What activity can be audited through the system logs? Check all that apply:
    [ ] Date and time of login
    [ ] User account that logged on
    [ ] Date and time of logout
    [ ] Specific activities performed by users (reading, modifying, and deleting)
    [ ] Other, please describe:
59. Which data types are stored in the system logs?
    [ ] Credit Card (CHD), Merchant ID (MID), CVV2 or CVC2 data
    [ ] Patient Data
    [ ] Personal Identifiable/Employee Data
    [ ] Confidential business (planning, financial, etc.) data
    [ ] IP Addresses
60. Is sensitive data stored in the log files (for example: passwords, Social Security Numbers, etc.)?  [ ] Yes  [ ] No
61. Does the application or system have the capability of utilizing a centralized logging mechanism?  [ ] Yes  [ ] No
62. Are the log files archived for protection and future needs?  [ ] Yes  [ ] No
63. Is encryption used to protect the confidentiality and integrity of the stored logs? If yes, what are the algorithms and key strengths?  [ ] Yes  [ ] No

64. Can UT access the user activity/audit logs without vendor intervention? If yes, explain the process.  [ ] Yes  [ ] No

L. Web Security (skip if product has no web service functionality)

65. Does your system utilize web based access for users or administrators, as opposed to installing specialized client software for access?
    [ ] Yes
    [ ] No, client software must be installed. Web pages are not used in this system.
    If no, skip the remaining questions in this section.
66. If a web server is part of this system setup, which web server(s) are used:  [ ] Apache  [ ] IIS  [ ] Other
67. Will the latest version of this web server be used?  [ ] Yes  [ ] No, the version we use is:
68. Which web protocol will be used with this system?  [ ] HTTP  [ ] HTTPS  [ ] Both, depending on what part of the site is accessed.
69. Can the HTTP settings be set to redirect all traffic from port 80 to port 443 and use HTTPS exclusively?  [ ] Yes  [ ] No
70. What version(s) of SSL/TLS does this web server/application support? Select all that apply:
    [ ] SSL v1  [ ] SSL v2  [ ] SSL v3  [ ] TLS v1  [ ] TLS v1.1 & Above
71. Can earlier versions of SSL that have been identified as vulnerable be disabled?  [ ] Yes  [ ] No  [ ] None
72. Will the webpage for this system be available through the internet for users, employees, and patients, or is this an internal use only system?
    [ ] Internal Only
    [ ] The system will have an internet facing presence

M. Compliance and Privacy

73. Do you use de-identified data from our users? If yes, describe.  [ ] Yes  [ ] No
74. Provide the end of life date for this product:
75. When the product or service is no longer required, how will UT data be returned?

N. Payment Card Industry (PCI)

76. Does this application/system take credit-card payments?  [ ] Yes  [ ] No
77. Have you read and understood policy 3364-40-24 regarding the use of credit cards at the University of Toledo?  [ ] Yes  [ ] No
78. Have you worked with the Treasurer's office to have this credit card account set up?  [ ] Yes  [ ] No
79. Please attach any documents pertaining to the vendor's PCI DSS compliance, including the appropriate Attestation of Compliance (AOC).

MANDATORY ASSESSMENT DOCUMENTATION

Forward any flow diagrams, documentation, and certifications to itsecurityoffice@utoledo.edu.

11/12/2019
