Director of Information Security - UNM IT (it.unm.edu/.../security-questionnaire-vendor.docx)


Uploaded by lethuy, posted 30-Jan-2018


The mission of the University of New Mexico is to serve as New Mexico's flagship institution of higher learning through demonstrated and growing excellence in teaching, research, patient care, and community service. Information security ensures business continuity, minimizes business risks, and maximizes return on investments and business opportunities. We ensure the protection of data through various controls, including, but not limited to:

- Security policy and awareness training
- Documentation
- Process improvement
- Vulnerability and access management
- Security architecture
- Risk and privacy management

In order to maintain the high standards of excellence our customers have come to expect, all vendors must meet or exceed the levels of data protection we have established.

A process and system must be defined and in place to ensure changes are not implemented without proper testing and approval. User access and responsibilities, authorization levels and environments must be segregated to help prevent fraud and other unauthorized activity. This includes isolating systems and environments for acceptance testing, security and functionality prior to deployment.

Tools must be in place to inhibit the spread of malicious code. Some of these may include: proxy services, firewalls, anti-spam, and anti-virus tools. Our expectation is that there will be enterprise monitoring and vulnerability management for IT operations. Users must be properly identified and pass through required firewalls prior to access being granted. Encryption policies must be in place for all employees to adhere to. It is critical that all system documentation, procedures, confidential and sensitive information remain secure. Media disposal policies and procedures must be in place and adhered to in order to guarantee the proper destruction of all data.

Security, both physical and informational, is critical for data protection. Access logs should include, but not be limited to, application changes, invalid password attempts, data access requests, and physical pass-card activity.

The University of New Mexico (UNM) is committed to the security and privacy of our Students, Faculty and Staff. UNM maintains security throughout the data lifecycle. We look forward to engaging in the first steps towards a potential relationship.

University of New Mexico Third-Party Questionnaire v2_0 Page 1 of 23


ISO 27002 Third Party Security Questionnaire

Company Name:

Completed By:

Contact Name/Phone:

Date Submitted:

What type of information will be stored in this system?

Is this a cloud solution, SAAS or ASP solution?

Will this vendor have access to UNM network and systems?

Summary of solution or services provided:


A.5 SECURITY POLICY
A.5.1 Security Policy
(Columns of the original form: Standard Name, Control Name, Control Definition, Yes, No, Comment. The Yes / No / Comment cells are left for the vendor to complete.)

Standard Name: Review of Security Policy by Internal Audit
Control Name: Review and Evaluation
Control Definition: Does the information security policy have an owner who is responsible for its maintenance and review according to a defined review process?

Standard Name: Review of Security Policy by Internal Audit
Control Name: Review and Evaluation
Control Definition: Does the process provide controls that ensure a review takes place in response to changes in the original risk assessment?

Standard Name: Review of Security Policy by Internal Audit
Control Name: Review and Evaluation
Control Definition: Are there scheduled, periodic reviews of the following:
  a. The policy's effectiveness, demonstrated by the nature, number and impact of recorded security incidents?
  b. Cost and impact of controls on business efficiency?
  c. Effects of changes to technology?

A.6 ORGANIZATION OF INFORMATION SECURITY
A.6.1 Internal Organization

Standard Name: Information Security Committee
Control Name: Management Information Security Forum
Control Definition:
  1. Is there a management forum to ensure that there is clear direction and visible management support for security initiatives in place?
  2. Does the management forum promote security through appropriate commitment and adequate resources?
  3. Does the management forum undertake the following:
     a. Reviewing and approving information security policy and overall responsibilities?
     b. Monitoring significant changes in the exposure of information assets to major threats?
     c. Reviewing and monitoring information security incidents?
     d. Approving major initiatives to enhance information security?

Standard Name: Authority and Responsibility for the Firm's Information Security Program
Control Name: Allocation of information security responsibilities
Control Definition: Are responsibilities for the protection of individual assets and for carrying out specific security processes clearly defined?

Standard Name: Approval for Information Processing Facilities
Control Name: Authorization process for information processing facilities
Control Definition: Has management authorization for new information processing facilities been clearly defined?


Standard Name: Investigation of Security Incidents
Control Name: Specialist information security advice
Control Definition: Is specialist advice on information security sought from either internal or external advisors and coordinated throughout the organization?

Standard Name: Information Security's Relationship with Industry Groups
Control Name: Cooperation between organizations
Control Definition: Are appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators maintained?

Standard Name: Communications and reporting of events
Control Name: Organizational Security
Control Definition: Is there a point of contact established for the reporting of information security events, known throughout the organization, for providing adequate and timely response?

A.6.2 External Parties

Standard Name: Requesting Access for Third Parties
Control Name: Identification of risks from third party access (on premise and remote access)
Control Definition: In regards to third party access, are the following in place to assess the risks to organizational information processing facilities:
  1. Third party has had the appropriate security due diligence accomplished to ascertain their security posture?
  2. Appropriate security controls are implemented?
  3. Do third parties use VPNs for business to business communication?

Standard Name: Third Party Agreements
Control Name: Security requirements in third party contracts
Control Definition: Are formal contracts in place that contain all necessary security requirements?

Standard Name: Requirements for Outsourced Agreements
Control Name: Security requirements in outsourcing contracts
Control Definition: Are the security requirements of an organization outsourcing the management control of all or one of its information systems, network and/or desktop environments addressed in a contract agreed to between the parties?


A.7 ASSET MANAGEMENT
A.7.1 Responsibility for Assets

Standard Name: Inventory of Information Resources
Control Name: Inventory of Assets
Control Definition: Is an inventory of all important assets associated with each information system current and maintained?

A.7.2 Information Classification

Standard Name: Security Classifications
Control Name: Classification Guidelines
Control Definition: Are controls in place for the following:
  1. Classification and proactive controls for sharing or restricting information?
  2. Controls that take into account the business needs and impacts?

Standard Name: Labeling Sensitive Electronic Information
Control Name: Information labeling and handling
Control Definition: Are procedures in place for the following:
  1. Labeling in accordance with the classification scheme?
  2. Handling in accordance with the classification scheme?

Standard Name: Record Retention Schedule Must Support Regulatory Requirements
Control Name: Data Destruction
Control Definition: Are data destruction techniques in compliance with your published data destruction policy?


A.8 HUMAN RESOURCES SECURITY
A.8.1 Prior to Employment

Standard Name: Security Responsibilities in Job Descriptions
Control Name: Including security in job responsibilities
Control Definition: Are security roles and responsibilities, as set forth in the organization's information security policy, documented in job definitions?

Standard Name: Pre-Employment Background Checks
Control Name: Personnel screening and policy
Control Definition: Are background checks executed on the following personnel prior to hiring:
  1. Permanent staff?
  2. Temporary staff?
  3. Contractors?

Standard Name: Non-Disclosure Agreements (NDAs)
Control Name: Confidentiality agreements
Control Definition: Do the employees sign a confidentiality agreement as part of their initial terms and conditions of employment?

Standard Name: Including Security Responsibilities in the Terms and Conditions of Employment
Control Name: Terms and conditions of employment
Control Definition: Do the terms and conditions of employment state the employee's responsibility for information security?

Standard Name: Pre-Employment Credit Checks
Control Name: Background checks
Control Definition: Do employee background checks include all or part of the following:
  1. Criminal history?
  2. Credit check?
  3. Reference check?
  4. Education check?
  5. Work history check?

Standard Name: Including Security Responsibilities in the Terms and Conditions of Employment
Control Name: Personnel Security
Control Definition: Are employees and contractors required to sign an agreement verifying they have read and understood the security policies and procedures?

A.8.2 During Employment

Standard Name: Information Security Training
Control Name: Information security education and training
Control Definition: Do employees receive the following:
  1. Security awareness and education training?
  2. Recurring training on organizational policies and procedures?


A.9 PHYSICAL AND ENVIRONMENTAL SECURITY
A.9.1 Secure Areas

Standard Name: Computer Processing Facilities Must be Protected by Physical Controls
Control Name: Physical security perimeter
Control Definition: Do security perimeters protect areas that contain information processing facilities?

Standard Name: Working in Secured Areas
Control Name: Physical entry controls
Control Definition: Are secured areas protected by appropriate entry controls to ensure that only authorized personnel are allowed access?

Standard Name: Securing Sensitive Office Areas
Control Name: Securing offices, rooms and working facilities
Control Definition: Are secured areas created in order to protect offices, rooms, and facilities with special security requirements?

Standard Name: Isolating Delivery and Loading Areas
Control Name: Isolated delivery and loading areas
Control Definition: Are delivery areas protected as follows:
  1. Controlled access from information processing facilities?
  2. Isolated from information processing facilities to avoid unauthorized access?

Standard Name: Protecting Secure Areas
Control Name: Secure Areas
Control Definition: Which of the following physical entry controls are applied:
  1. Visitors supervised/escorted?
  2. Photo identity badges issued and worn at all times?
  3. Access rights revoked on leaving?
  4. Restricted sensitive area access?
  5. Visitor log kept, including but not limited to date, entry/exit time and ID verification details?
  6. Audit trail of all access maintained securely and reviewed regularly?

A.9.2 Equipment Security

Standard Name: Environmental Conditions Must Be Monitored in Computing Environments
Control Name: Equipment siting and protection
Control Definition: Is equipment protected in such a way that:
  1. The risk is reduced from environmental threats and hazards?
  2. The risk is reduced from opportunities for unauthorized access?

Standard Name: Protecting Computing Facilities from Electrical Problems
Control Name: Power supplies
Control Definition: Is equipment protected from power failures and other electrical anomalies by using:
  1. Uninterruptible power supplies?
  2. Line conditioners?
  3. Surge suppressors?


Standard Name: Securing Cable and Line Facilities
Control Name: Cabling security
Control Definition: Power and telecommunications cabling must be protected from interception and damage. Is the cabling:
  1. Run in an orderly manner that allows segregation and maintenance?
  2. Labeled appropriately to ensure segregation from power and maintenance cabling?

Standard Name: Regular Maintenance of Information Systems
Control Name: Equipment maintenance
Control Definition: Equipment must be correctly maintained to enable its continued availability and integrity.
  1. Are service records kept?
  2. Are records available for review?

Standard Name: Authorization Requirements Prior to Taking Equipment Offsite
Control Name: Security of equipment off-premises
Control Definition: Is any use of equipment for information processing outside an organization's premises authorized by the proper management authority?

Standard Name: Disposing of Information in Electronic Form
Control Name: Secure disposal or re-use of equipment
Control Definition: Is information removed from equipment prior to disposal or reuse by the following:
  1. Hard drives are wiped with an approved process and product?
  2. Hard drives are destroyed by degaussing when no longer usable?
  3. Floppy disks are destroyed by dismantling the cover and cutting up the disk?
  4. Tapes destroyed by degaussing or burning?
  5. Compact disks and digital video disks are destroyed by scratching the surfaces and breaking into pieces?

Standard Name: Distributing Information in Electronic Form
Control Name: Security of portable devices off premise
Control Definition: Is non-public customer data or employee data ever stored on portable devices (e.g. laptops, smart phones, tablets, jump drives, etc.) and transported outside your facility?

Standard Name: Unapproved Removal of Resources to be Considered Theft
Control Name: Removal of property
Control Definition: Are there policies and procedures in place to ensure equipment, information, or software belonging to the organization is not removed without authorization from management?

Standard Name: Automatic Fire Suppression
Control Name: Environmental controls
Control Definition: Are fire suppression mechanisms built into the data center?


A.10 COMMUNICATIONS AND OPERATIONS MANAGEMENT
A.10.1 Operational Procedures and Responsibilities

Standard Name: Information to be Included in Operational Manuals
Control Name: Documented operating procedures
Control Definition: Are the build guidelines and operating procedures identified in the security policy:
  1. Documented and maintained?
  2. Available for review?

Standard Name: Changes to Production Assets Must Follow Formal Change Controls
Control Name: Operational change controls
Control Definition: Are the following available for operational change control:
  1. Test documentation?
  2. Change control procedures?
  3. Change control logs?
  4. Management approvals?

Standard Name: List of Duties to be Separated
Control Name: Segregation of duties
Control Definition: Is there a segregation of duties in operational personnel to include the following:
  1. Firewall administrators?
  2. System security administrators?
  3. System administrators?
  4. Super users?
  5. Developers are segregated from those users who have access to the production environment?
  6. Backup administrators?
  7. Tape librarians?

Standard Name: Separation of Development, Testing and Production Environments
Control Name: Separation of development and operational facilities
Control Definition: Does the following apply to development and operational facilities:
  1. Development and operational facilities are logically separate?
  2. Development and operational facilities are physically separate?
  3. There are policies and procedures in place governing the migration from development to operational?

Standard Name: Review of a Service Provider's Security Controls
Control Name: External facilities management
Control Definition: Has a risk assessment been performed on external facilities and their management services to include:
  1. Risks identified?
  2. Risks mitigated by the business?
  3. Or have the risks been accepted by the business?

Standard Name: Information to be Included in Operational
Control Name: Build Guidelines
Control Definition: Are build guidelines for various operating systems published and followed when building servers?

Standard Name: Segregation of Special Privileges
Control Name: System Administrator
Control Definition: Do system administrators have individually assigned IDs?


A.10.3 System Planning and Acceptance

Standard Name: Information Resource Capacity Management
Control Name: Capacity Management
Control Definition: Has capacity planning been accomplished to project for:
  1. Future capacity requirements?
  2. Adequate processing power and storage to be made available?
  3. Monitoring of the performance for corrective action?
  4. Contingency planning for recovery?

Standard Name: Formal System Acceptance Criteria
Control Name: System acceptance
Control Definition: Have acceptance criteria been established to account for the following:
  1. New information systems?
  2. Upgrades and new versions?
  3. Suitable testing of the system before accepting?

Standard Name: Inventory of Information Resources
Control Name: Patch Monitoring and Management
Control Definition: Is there a process or system in place to manage operating system and application vulnerabilities and their associated patches?

Standard Name: Data Processing Controls
Control Name: Detect and correct
Control Definition: Are databases configured to dynamically detect and correct errors?

A.10.4 Protection Against Malicious Software

Standard Name: Responsibilities for Malicious Code Program
Control Name: Controls against malicious software
Control Definition: Are policies and procedures in place to establish controls to detect and prevent malicious software, to include:
  1. Installation of a current antiviral product?
  2. Change control for antiviral signature updates?
  3. Appropriate user awareness procedures?

A.10.5 Back-Up

Standard Name: Periodic Inspection of Off-Site Storage
Control Name: Information back-up
Control Definition: Is essential business information and software backed up to include the following requirements:
  1. Regular testing of backups?
  2. Storage off site?
  3. Manuals?
  4. Diagrams?
  5. Procedures?

Standard Name: Backup Schedules
Control Name: Backup process
Control Definition: Is there a backup system in place?


A.10.6 Network Management

Standard Name: Access to Network Services
Control Name: Firewall Configuration
Control Definition: Are firewalls configured to deny all except that which is explicitly allowed?

Standard Name: Network address protection
Control Name: Network Management
Control Definition: Is the firewall configured to translate (hide) internal IP addresses using network address translation (NAT)?

Standard Name: Network scanning
Control Name: Network Management
Control Definition: Is a vulnerability scan or penetration test performed on all Internet-facing applications and systems before they go into production?

Standard Name: Network and systems protection
Control Name: Network Management
Control Definition: Are computing systems protected by an intrusion detection system?

Standard Name: Network and systems protection
Control Name: Network Management
Control Definition: Is the intrusion detection system network based?

Standard Name: Network and systems protection
Control Name: Network Management
Control Definition: Is the intrusion detection system host based?

A.10.7 Media Handling

Standard Name: Acceptable Use Policy (AUP)
Control Name: Management of removable computer media
Control Definition: Are there policies and procedures in place and approved by management to control:
  1. Tapes?
  2. Disks?
  3. USB devices?
  4. Printed reports?
  5. Compact disks?
  6. Digital video disks?
  7. Mobile devices?
  8. Portable media storage (MMC, SD, etc.)?

Standard Name: Handling Information in Hard Copy Form
Control Name: Information handling procedures
Control Definition: Are processes and procedures for the handling and storage of information established to protect from unauthorized disclosure or misuse?

Standard Name: Access to Network Documentation Must Be Restricted
Control Name: Security of system documentation
Control Definition: Is system documentation protected from unauthorized access?

Standard Name: Storing Backup Data Offsite
Control Name: Off site storage
Control Definition: Is backup media stored offsite?


A.10.8 Exchange of Information

Standard Name: Transporting Information in Electronic Form
Control Name: Physical media in transit
Control Definition: Are there policies and procedures in place for the transportation of media that include protection from:
  1. Unauthorized access?
  2. Misuse?
  3. Corruption?

Standard Name: Security Requirements for Electronic Data Interchange (EDI) Connections
Control Name: Electronic Commerce Security
Control Definition: Are there policies and procedures in place to protect electronic commerce against:
  1. Fraudulent activity?
  2. Contract dispute and disclosure?
  3. Modification of information?

Standard Name: Security Standards for Email Systems
Control Name: Security of electronic mail
Control Definition: Have policies and procedures been developed and implemented that require controls be put in place to reduce security risks created by electronic mail?

Standard Name: Web Content Authors
Control Name: Publicly available systems
Control Definition: Is there a formal authorization process in place to protect the integrity of publicly available information, to include:
  1. Formal approval release process?
  2. Policies and procedures to prevent the unauthorized modification of the information?

Standard Name: Securing Telephone Conversations
Control Name: Other forms of information exchange
Control Definition: Are there policies and procedures in place to protect the exchange of information through the use of:
  1. Telephone systems?
  2. Facsimile systems?
  3. Video communication systems?
  4. Instant messaging?
  5. Voice over IP systems?

Standard Name: Securing sensitive information
Control Name: Exchanges of information and software
Control Definition: Is sensitive (cardholder) information stored in a database located on the internal network (not the DMZ) and protected by a firewall?

Standard Name: Acceptable Use of Modems
Control Name: Modems
Control Definition: Are modems deployed on any workstation that is connected to the network?

A.10.10 Monitoring

Standard Name: Audit Trail Logs
Control Name: Operator logs
Control Definition: Is there logging of operational staff activities to include:
  1. A log of their daily activities?
  2. Regular review of their logs?
  3. Independent third-party checking of their logs?

Standard Name: Fault Logging
Control Name: Fault logging
Control Definition: Are there policies and procedures in place for reporting and corrective action for fault logging?

Standard Name: Monitoring Network/System Activity
Control Name: Monitoring of system use
Control Definition: Are there policies and procedures in place for monitoring to include:
  1. Monitoring the use of information facilities?
  2. Regular review of the results of monitoring activities?

Standard Name: Monitoring Network Logs
Control Name: Monitoring system access and use
Control Definition: Are audit logs kept for an agreed period (3 months online and 1 year offline) to assist in access control monitoring or future investigations?

Standard Name: System Clocks
Control Name: Clock synchronization
Control Definition: Is there a domain time server on the network to synchronize network and computer time for accurate recording?

Standard Name: Event Log Contents
Control Name: Log Review
Control Definition: Are there audit log policies and procedures in place to attest and validate the following:
  1. Exceptions and other security related events?
  2. Retention period to assist in future investigations?
  3. Access control monitoring?
  4. The policies and procedures are enforced?

Standard Name: Systems Monitoring
Control Name: Monitoring system access and use
Control Definition: Which of the following are considered while protecting log information and logging facilities against tampering and unauthorized access?
  1. Alterations to the message types that are recorded?
  2. Log files being edited or deleted?
  3. Storage capacity of the log file media?
  4. None of the above?

Standard Name: Systems Monitoring
Control Name: Monitoring system access and use
Control Definition: Which of the following are included in audit logs?
  1. User IDs?
  2. Dates, times and details of key events?
  3. System identity and location?
  4. Successful and unsuccessful access attempts?
  5. Changes to system configuration?
  6. Files accessed and kind of access?
  7. Alarms raised by the access control system?
  8. Use of privileges?
  9. Network addresses and protocols?
  10. Activation and de-activation of protection systems such as anti-virus, firewalls, etc.?


A.11 ACCESS CONTROL
A.11.1 Business Requirement for Access Control

Standard Name: Users Must be Granted the Minimum Level of Access Required
Control Name: Access control policy
Control Definition: Are there policies and procedures in place to control user access that include the following:
  1. Valid business requirements for access?
  2. User roles defined and documented?

A.11.2 User Access Management

Standard Name: Collusion avoidance
Control Name: User access management
Control Definition: Are activities segregated which require collusion in order to defraud?

Standard Name: Collusion avoidance
Control Name: User access management
Control Definition: Is care taken that no single person can perpetrate fraud in areas of single responsibility without being detected?

Standard Name: Collusion avoidance
Control Name: User access management
Control Definition: If there is a danger of collusion, are controls devised so that two or more people need to be involved?

Standard Name: Modifying User Access Privileges
Control Name: User registration
Control Definition: Are there policies and procedures in place for authorization and formal user registration and deregistration of access to all multi-user information systems and services?

Standard Name: Initial Passwords
Control Name: User password management
Control Definition: Are there policies and procedures in place for the formal issue/reset of passwords?

Standard Name: Periodic Review of General Access Accounts
Control Name: Review of user access rights
Control Definition: Are there policies and procedures in place to create a formal process for:
  1. Annual revalidation against the business requirements?
  2. Monitoring systems to ensure user privileges are not excessive?

Standard Name: Periodic Review of Privileged Access Accounts
Control Name: Generic Accounts
Control Definition: Have generic accounts with administrative access privileges been disabled or deleted?

Standard Name: Periodic Review of Access Accounts
Control Name: User Access Management
Control Definition: Are accounts that are not used for a lengthy amount of time (inactive accounts) automatically disabled in the system after a pre-defined period?


A.11.3 User Responsibilities

Standard Name: Password Management Systems
Control Name: Password Use
Control Definition: Are the following security controls in place regarding passwords:
  1. Length of time between when a password is set and when the password expires is 90 days or less?
  2. The minimum number of passwords stored in history is at least 6?
  3. Passwords contain 8 or more alphanumeric characters?
  4. Passwords are stored in one-way encrypted format?
  5. Passwords do not contain a common dictionary word, user ID or first/last name?
  6. Initial passwords expire upon first logon?
  7. Passwords and IDs are restricted from being sent in the same email communication?
  8. User accounts are locked after 5 or more invalid login attempts?
  9. UNIX systems use a shadow file to mask the user's encrypted password?
  10. Passwords for users in an Administrator role expire in 30 calendar days or less?
  11. Administrator passwords for an application or system are changed immediately when an Administrator leaves the company or changes job roles within the company?
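The password controls in this item are concrete enough to express as code. What follows is an added example, not part of the UNM questionnaire: a small Python account model that enforces the 8-character rule, the six-password history (checked against one-way salted hashes rather than stored plaintext), the 90-day and 30-day expiry, first-logon expiry and the five-attempt lockout. The word list, account names and the reading of "alphanumeric" as "letters and digits" are assumptions made for the example.

```python
"""Checker for the A.11.3 "Password Use" controls (added example).

Thresholds restate the questionnaire (8+ characters, history of 6,
90/30-day expiry, lockout after 5 failures); everything else is assumed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed stand-in for a dictionary word list (item 5).
COMMON_WORDS = {"password", "welcome", "lobos", "summer", "qwerty"}

MAX_AGE = {"user": timedelta(days=90), "admin": timedelta(days=30)}  # items 1, 10
HISTORY_DEPTH = 6        # item 2
MIN_LENGTH = 8           # item 3
LOCKOUT_THRESHOLD = 5    # item 8
PBKDF2_ROUNDS = 100_000  # assumed work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Item 4: salted, one-way PBKDF2-HMAC-SHA256; nothing reversible is stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    user_id: str
    first_name: str
    last_name: str
    role: str = "user"                      # "user" or "admin"
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    password_set_at: Optional[datetime] = None
    must_change: bool = False               # item 6: initial password expires on first logon
    failed_attempts: int = 0
    locked: bool = False


def composition_errors(account: Account, password: str) -> List[str]:
    """Items 3 and 5: length, character mix and forbidden content."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    # Assumed reading of "alphanumeric": at least one letter and one digit.
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        errors.append("needs both letters and digits")
    lowered = password.lower()
    for forbidden in (account.user_id, account.first_name, account.last_name, *COMMON_WORDS):
        if forbidden and forbidden.lower() in lowered:
            errors.append("contains forbidden value '%s'" % forbidden)
    return errors


def set_password(account: Account, password: str, now: datetime, initial: bool = False) -> List[str]:
    """Apply items 2-6; returns the list of violations (empty means accepted)."""
    errors = composition_errors(account, password)
    # Item 2: reject reuse of any of the last HISTORY_DEPTH passwords.
    for salt, digest in account.history[:HISTORY_DEPTH]:
        if verify_password(password, salt, digest):
            errors.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
            break
    if errors:
        return errors
    account.history.insert(0, hash_password(password))
    del account.history[HISTORY_DEPTH:]
    account.password_set_at = now
    account.must_change = initial
    return []


def password_expired(account: Account, now: datetime) -> bool:
    """Items 1, 6 and 10: 90-day expiry for users, 30-day for administrators."""
    if account.password_set_at is None or account.must_change:
        return True
    return now - account.password_set_at > MAX_AGE[account.role]


def login(account: Account, password: str, now: datetime) -> str:
    """Item 8: lock after 5 invalid attempts. Returns an outcome label."""
    if account.locked:
        return "locked"
    if not account.history:
        return "invalid"
    salt, digest = account.history[0]
    if not verify_password(password, salt, digest):
        account.failed_attempts += 1
        if account.failed_attempts >= LOCKOUT_THRESHOLD:
            account.locked = True
            return "locked"
        return "invalid"
    account.failed_attempts = 0
    return "change-required" if password_expired(account, now) else "ok"
```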

Use of Screen Savers

Unattended User Equipment

Are users required to protect unattended equipment by:

1. Using screen locks that automatically time-out after a pre-determined amount of time?

2. Locking the screen/application when not in use?

3. Receiving regular education regarding the hazards of not securing equipment?

Protection of Information in Facilities

General Controls

Which of the following apply to office areas which contain IT facilities and Secure Processing?

1. Clear-Desk Policy?

2. Mail-Points Protected?

3. Printers and Fax Machines cleared of sensitive data?

4. Sensitive Data/Information locked securely?

A.11.4 Network Access Control

Standard Name | Control Name | Control Definition | Yes | No | Comments

Controlling Network Roaming

Enforced path

Are users controlled by logon script and network mapping to ensure they only access a direct path to the resources required by the business need?

External Connections Require Two-Factor Authentication

User authentication for external connections

When remote connections to the network are required, are there policies and procedures in place to ensure proper authentication of the user?

     

Use of Remote Maintenance Ports

Remote diagnostic port protection

Are diagnostic ports disabled when not in use?

Isolating Servers Accessed from External Networks

Segregation in networks

Are network controls in place to segregate the following:

1. Information services?

2. Users?

3. Information systems?

4. Client and customer systems?

Use of Routing Controls

Network routing control

Are there policies and procedures in place to ensure routing controls do not channel information that allows a breach of access to the business application?

Unnecessary services

Network access control

Are all production systems (servers, network components, workstations, laptops, etc.) hardened by removing all unnecessary services and protocols installed by the default configuration?

Rules authorization

Network access control

Do changes to the firewall need authorization, and are the changes logged?

Application controls

Network access control

When authenticating over the Internet, is the application designed to prevent malicious users from trying to determine existing user accounts?

Configuration guidelines

Network access control

Are all router, switch, wireless access point, and firewall configurations secured, and do they conform to documented security standards?

Configuration guidelines

Network access control

Are egress and ingress filters installed on all border routers to prevent impersonation with a spoofed IP address?

A.11.5 Operating System Access Control

Standard Name | Control Name | Control Definition | Yes | No | Comments

Automatic Terminal Identification

Automatic Terminal Identification

Are procedures in place for automatic terminal identification to authenticate connections to specific locations and portable equipment?

Use of User IDs

User identification and authentication

Are users accessing information sources validated by the following so that their activities can be traced for responsibility:

1. A unique identifier?

2. A unique password?

Use of Advanced System Utilities Must be Monitored

Use of system utilities

Are there policies and procedures in place to ensure system utility programs are restricted and tightly controlled?

Use of Duress Alarms

Duress alarm to safeguard users

Are there duress alarms available to users in high threat areas where they might be the target of coercion?

Session Timeouts

Terminal timeout

Are there policies and procedures in place to ensure inactive sessions time out?

Use of Login/Warning Banners

Log on banners

Are login banners displayed to ensure users are aware of resource ownership and policies?

A.11.6 Application and Information Access Control

Standard Name | Control Name | Control Definition | Yes | No | Comments

Application Controls

Information access restriction

Is access to information and application system functions restricted in accordance with the access control policy and procedures?

Sensitive System Isolation

Sensitive system isolation

Do sensitive systems have a dedicated (isolated) network and computing environment?

     

Use of Group and Shared IDs

Group IDs

Do applications use group IDs or passwords?

A.11.7 Mobile Computing and Teleworking

Standard Name | Control Name | Control Definition | Yes | No | Comments

Monitoring mobile computing

Mobile computing and teleworking

Does each mobile computer with direct connectivity to the Internet have a personal firewall and anti-virus software installed?

A.12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.12.2 Correct Processing in Applications

Standard Name | Control Name | Control Definition | Yes | No | Comments

Use of Validation Controls

Input data validation

Is there a method in place to ensure data input to application systems can be validated to ensure that it is correct and appropriate?

Use of Message Authentication Controls

Message authentication

For applications that require the integrity of the message content to be secure, are there message authentication procedures in place?

     

Use of Output Controls

Output data validation

Is there a method in place to ensure data output from application systems can be validated to ensure that it is correct and appropriate?

A.12.3 Cryptographic Controls

Standard Name | Control Name | Control Definition | Yes | No | Comments

Use of Digital Signatures

Digital signatures

Are digital signatures applied to protect the authenticity and integrity of electronic information?

Use of Non-Repudiation Services

Non-repudiation services

Are there non-repudiation services in place to resolve disputes about the occurrence or non-occurrence of an action or event?

     

Managing Encryption Keys

Key management

Is there a key management system in place to support the following:

1. An agreed set of standards?

2. Procedures and methods?

3. An approved set of cryptographic techniques?

4. Standards are enforced?

A.12.4 Security of System Files

Standard Name | Control Name | Control Definition | Yes | No | Comments

Security Must be Considered for all Software Upgrades

Control of operational software

Are procedures in place to control the implementation of software on operational systems, including:

1. A formal change control process?

2. Restricted access to only those who have a current business need?

3. An audit trail of management approvals?

4. Active content is in use?

Use of Production Data for Testing Purposes

Protection of system test data

Are there policies and procedures in place to ensure test data:

1. Is obfuscated if drawn from a production environment?

2. Is in an environment separate from production?

Access to Program Source Libraries

Access control to program source library

Are there controls in place to ensure program source libraries are strictly controlled?

     


A.12.5 Security in Development and Support Processes

Standard Name | Control Name | Control Definition | Yes | No | Comments

Testing System Changes

Change control procedures

Are there change control procedures in place to preclude introduction of software on operational systems, to include:

1. Testing prior to deployment?

2. Management approval prior to deployment?

3. Establishment of restart points?

4. Management approval for sign off on changes?

5. Kept up to date and backed up by a copy retained at an off-site location?

Testing Controls Change control procedures

Are the following points in place for change control procedures:

1. Record of agreed authorization levels?

2. Changes only by authorized users?

3. Controls reviewed after change?

4. Affected software & hardware identified?

5. Formal approval before work starts?

6. User acceptance before implementation?

7. System documentation updated after change?

8. Version control for software updates?

9. Audit log of change requests?

10. Implementing changes at appropriate time?

11. Integrated operations and application change control procedures?

Test data protection

Change control procedures

Identify which of the following controls on test data (especially live data) are used within the testing environment:

1. Same access controls as live?

2. Separate authorization?

3. Live data scrubbed to delete sensitive (cardholder) information?

4. Audit log of live data copying?

Protecting Source Code

Access to production code

Do developers have access to production code?

A.12.6 Technical Vulnerability Management

Standard Name | Control Name | Control Definition | Yes | No | Comments

Introduction of Malicious Code

Covert channels and Trojan code

Is the integrity of software checked for malicious logic and Trojans prior to being introduced into the environment?

A.13 INFORMATION SECURITY INCIDENT MANAGEMENT

A.13.1 Reporting Information Security Events and Weaknesses

Standard Name | Control Name | Control Definition | Yes | No | Comments

Incident Reporting Policy

Reporting security incidents

Are there incident management procedures in place to address the following:

1. Establishment of responsibilities and procedures to ensure a quick, effective and orderly response to security incidents?

2. Collection of incident-related data such as audit trails?

A.13.2 Management of Information Security Incidents and Improvements

Standard Name | Control Name | Control Definition | Yes | No | Comments

Security incident response

Incident response procedures

Is a security incident response plan formally documented and disseminated to the appropriate responsible parties?

     

Analysis of Security Incidents and Technical Malfunctions

Learning from incidents

Are there mechanisms in place to quantifiably monitor the following:

1. Types of incidents and malfunctions?

2. Volumes of incidents and malfunctions?

3. Costs of incidents and malfunctions?

Formal Disciplinary Process for Security Violations

Disciplinary process

Is there a formal disciplinary process for violation of organizational security policies and procedures by employees, temporary employees, and contractors?

A.14 BUSINESS CONTINUITY MANAGEMENT

A.14.1 Information Security Aspects of Business Continuity Management

Standard Name | Control Name | Control Definition | Yes | No | Comments

Inclusion of Principal Tasks in Business Continuity Plans

Business continuity plans

Are business continuity plans in place that include a schedule of principal tasks to be completed, responsibilities for each task and a list of services to be recovered, in priority order?

Requirement for Business Continuity Plans

Requirements for plans

Are the business continuity plans:

1. Documented for all critical parts of the enterprise?

2. Based on the results of thorough risk analyses?

3. Developed in conjunction with user representatives?

4. Subject to formal change control procedures?

5. Distributed to all individuals who would require them in case of an emergency?

6. Kept up to date and backed up by a copy retained at an off-site location?

Business Continuity Plans Must be Developed for Critical Systems

Testing of plans

Have the business continuity plans been periodically tested and documented?

A.15 COMPLIANCE

A.15.1 Compliance with Legal Requirements

Standard Name | Control Name | Control Definition | Yes | No | Comments

Adhering to Copyright Laws and License Agreements

Intellectual property rights (IPR)

Are there policies and procedures implemented to ensure compliance with legal restrictions on the use of material in respect of intellectual property rights, and on the use of proprietary software products?

     

Approval Required Prior to Destroying Records

Safeguarding of organizational records

Are important records protected from loss, destruction, and falsification?

     

Mission and Purpose of Information Security

Data protection and privacy of personal information

Are policies and procedures in place to ensure controls are applied to protect personal information in accordance with relevant legislation?

     

Use of Encryption Products Outside of the U.S.

Regulation of cryptographic controls

Are there controls in place to enable compliance with national agreements, laws, regulations or other instruments to control the access to or use of cryptographic controls?

     

Internal Audit

Regulatory Agencies

Are there any agencies that regulate the operating environment? If yes, please explain.

     

A.15.2 Compliance with Security Policies and Standards, and Technical Compliance

Standard Name | Control Name | Control Definition | Yes | No | Comments

Responsibilities of the Information Security Function

Responsibilities of the Information Security Function

Are managers taking action to ensure that all security procedures within their area of responsibility are carried out correctly and all areas within the organization are subjected to regular review to ensure compliance with security policies and standards?

     

Independent Testing of Information Resources and Practices

Technical compliance checking

Are information systems periodically and regularly checked for compliance with security implementation standards?

     

A.15.3 Information Systems Audit Considerations

Standard Name | Control Name | Control Definition | Yes | No | Comments

Restricted Use of System Audit Tools

Protection of system audit tools

Is access to system audit tools protected to prevent any possible misuse or compromise?

     


A.16 - PCI

A.16.1. PCI Questions

Standard Name | Control Name | Control Definition | Yes | No | Comments

Data Processing Controls

Systems planning and acceptance

Are controls implemented on the server side to prevent SQL injection, cross-site scripting and other bypassing of client-side input controls?

Media Storage

Media handling and security

Are all media that store sensitive data (cardholder information) properly inventoried and securely stored?

     

Protection of card validation code

Media handling and security

Is it prohibited to store the card-validation code (3 digit value printed on the signature panel of a card) in the database, log files or point-of-sale products?

     

Card contents storage

Media handling and security

Is it prohibited to store the card-validation code (3 digit value printed on the signature panel of a card) in the database, log files or point-of-sale products?

     

Information protection

Monitoring system access and use

Are account numbers sanitized before being logged in the audit log?
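As an added example (not from the questionnaire), this Python sanitizes card account numbers in an event before it reaches the audit log, answering the control above; it uses a Luhn check so that order or reference numbers that merely look like card numbers are left intact. The log lines used to exercise it are constructed.

```python
"""Mask card account numbers before a line is written to the audit log.
Added example; the regular expression and the keep-last-4 rule are this
example's choices, not requirements stated by the questionnaire."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check-digit test; a PAN passes, most incidental digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # not a card number: leave the text untouched
    # keep only the last four digits; everything else becomes '*'
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize(line):
    """Return the log line with every Luhn-valid card number masked."""
    return _PAN_CANDIDATE.sub(_mask, line)


if __name__ == "__main__":
    # constructed sample events; 4111111111111111 is a well-known test PAN
    for event in ("2024-01-15 12:30:45 user=jdoe pan=4111111111111111 amount=19.99",
                  "2024-01-15 12:31:02 user=jdoe order=1234567890123456 ok"):
        print(sanitize(event))
```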

     

Use of Validation Controls

Security in application system

Are you protecting information involved in online transactions from incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay?

     

Transmission Protection

Cryptographic controls

Which of the following methods are in place for transmissions of sensitive cardholder information:

1. TLS with 128-bit encryption?

2. Secure file transfers (e.g. Secure FTP)?

3. Encrypted email?

Securing sensitive information

Exchanges of information and software

Is sensitive (cardholder) information stored in a database located on the internal network (not the DMZ) and protected by a firewall?

     
