GDPR Screening
- Do you know how personal data is stored, processed, shared and used within your organization?
- Have you performed a data processing audit, identifying all the elements requiring modification within your current data processing activities?
- Do you keep a registry of all operations performed on personal data related to the following processes: collection, storage, use, sharing and destruction?
- Do you have an impact assessment process in place (one that will be applied and documented for each process that presents a risk)?
- Are you able to guarantee that the amount of personal data collected will be strictly limited to that which is necessary for the optimal use of any new product, service or application?
- Do you perform third-party security audits / due diligence checks on the companies you collaborate with?
Certifications
- Are you compliant with FISMA standards?
- Have you received the Cloud Security Alliance STAR certification?
- Have you completed the Cloud Security Alliance (CSA) self-assessment or CAIQ?
- Have you undergone an SSAE 18 audit?
- What are the certifications of the datacenter hosting the DESelect application?
- Do you have a SOC 2 certification?
Service Scope
- Have you ever had a data breach?
- Describe how long your organization has conducted business in this product area.
- Describe your organization’s business background and ownership structure, including all parent and subsidiary relationships.
- Will data regulated by PCI DSS (Payment Card Industry Data Security Standard) reside in DESelect?
- Does DESelect process protected health information (PHI) or any data covered by the Health Insurance Portability and Accountability Act?
- Name of the application, service or IT hardware being provided
Supporting Documentation
- If requested, can you make any other documents supporting your responses in this questionnaire available?
- If requested, can you make the Information Security Policies and Procedures that are applicable for the service/project available?
- If requested, can you make the most recent Application Code Review or Penetration Testing Reports (carried out by independent third party) available?
A5. Information Security Policies
A6. Organisation of Information Security
- Are you covered by any cybersecurity insurance?
- Do you have appointed person(s) responsible for Information Security, with defined roles and responsibilities?
- Is there a formal change management process in place?
- Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
- Do you have a Bring Your Own Device Policy (BYOD) which is implemented?
A7. Human Resources Security
A8. Asset Management
A9. Access Control
- Do you have a written policy for user changes (joiners, movers, leavers) to be handled?
- Do you disable access rights immediately after the end of employment?
- Do you have a written password management policy?
- Do you allow remote access?
- Do you use generic accounts to access the servers and applications for administrator purposes?
- Do you allow multiple employees to use the same login?
A10. Cryptography
- Do you have a means to remotely wipe data on a lost or stolen phone, laptop or similar device?
- Do you use at-rest database encryption for data?
- Do you use encryption protocols when transferring data? If yes, which ones?
- Do you encrypt devices holding personal data or confidential information (e.g. laptops, hard drives, USB drives, …)?
A11. Physical & Environmental Security
- How will you protect data from physical and environmental threats or from unauthorized access?
- Are there enhanced security measures such as additional locks in areas where content is stored (e.g. server room, machine room)?
- Is physical access to your premises restricted by the use of access control technologies, such as keypads, smart cards or key code access?
- Do you have a physical security policy in place?
A12. Operations Security
- What operating system(s) is/are leveraged by the system(s)/application(s)?
- Do you have a data/services recovery and restoration process in place, according to the criticality of the applications?
- Are backups securely stored?
- Do you perform backups and restore exercises?
- Do you monitor logs?
- Do you have policies and controls in place to manage IT infrastructure?
A13. Communications Security
A14. System Acquisition, Development, and Maintenance (Application Security)
- Are upgrades or system changes installed during off-peak hours or in a manner that does not impact the customer?
- Do you support role-based access control (RBAC) for end-users / administrators?
- What does the Salesforce Security Review entail?
- Describe the release management process you use.
- Is sensitive data encrypted (e.g. user access tokens)?
- How does DESelect keep client specific data and infrastructure apart from other clients? Is DESelect single-tenant/multi-tenant?
A15. Supplier Relationships
- Which subcontractors do you work with?
- Is any third-party / open source software used within your solution?
- Is personal data and confidential information that is stored in the cloud encrypted on database level?
- Do your terms and conditions contain a framework and/or process for dispute resolution, for example in the event of loss or damage to digital content?
A16. Information Security Incident Management
- Please describe the service level agreements (SLA) for disaster recovery (RTO/RPO) and what system performance you guarantee after recovery?
- What is your policy on breach notification?
- Do you have agreements with subprocessors about data breach notifications?
- Will you agree to coordinate with us on any external communications relating to a cyber incident that involves our data?
- Will you agree to provide all reasonable assistance with any investigation into a cybersecurity incident affecting our data?
- Will you share the results of a cybersecurity audit if you conduct any?