GDPR Screening
- Do you know how personal data is stored, processed, shared and used within your organization?
- Have you performed a data processing audit, identifying all the elements requiring modification within your current data processing activities?
- Do you keep a registry of all operations performed on personal data related to the following processes: collection, storage, use, sharing and destruction?
- Do you have an impact assessment process in place (one that will be applied and documented for each process that presents a risk)?
- Are you able to guarantee that the amount of personal data collected will be strictly limited to that which is necessary for the optimal use of any new product, service or application?
- Do you perform third-party security audits / due diligence checks on the companies you collaborate with?
Certifications
- Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?
- Are you compliant with FISMA standards?
- Have you received the Cloud Security Alliance STAR certification?
- Have you completed the Cloud Security Alliance (CSA) self assessment or CAIQ?
- Have you undergone a SSAE 18 audit?
- What are the certifications of the datacenter hosting the DESelect application?
Service Scope
- Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions?
- Have you ever had a data breach?
- Describe how long your organization has conducted business in this product area.
- Describe your organization’s business background and ownership structure, including all parent and subsidiary relationships
- Will data regulated by PCI DSS (Payment Card Industry Security Standards Council) reside in DESelect?
- Does DESelect process protected health information (PHI) or any data covered by the Health Insurance Portability and Accountability Act?
Supporting Documentation
- Do you notify your tenants when you make material changes to your information security and/or privacy policies?
- If requested, can you make any other documents supporting your responses in this questionnaire available?
- If requested, can you make the Information Security Policies and Procedures that are applicable for the service/project available?
- If requested, can you make the most recent Application Code Review or Penetration Testing Reports (carried out by independent third party) available?
A5. Information Security Policies
A6. Organisation of Informational Security
- Are you covered by any cybersecurity insurance?
- Do you have appointed person(s) responsible for Information Security, with defined roles and responsibilities?
- Is there a formal change management process in place?
- Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
- Do you have a Bring Your Own Device Policy (BYOD) which is implemented?
A7. Human Resources Security
- Upon termination of contract or business relationship, are employees and business partners adequately informed of their obligations for returning organizationally-owned assets?
- Does your company conduct background checks on employees?
- Do you have a security awareness program in place?
- Do you have a documented offboarding policy?
- Are all personnel required to sign an Acceptable Use Policy for the use of professional information and systems?
A8. Asset Management
- Do you maintain a complete inventory of all of your critical assets located at all sites/ or geographical locations and their assigned ownership?
- Is there a formal documented asset management program in place?
- Do you allow the use of personal removable data storage devices?
- Do you have a system for information classification?
A9. Access Control
- Is physical and logical user access to audit logs restricted to authorized personnel?
- Do you require a periodical authorization and validation (e.g. at least annually) of the entitlements for all system users and administrators (exclusive of users maintained by your tenants), based on the rule of least privilege?
- Are controls in place to prevent unauthorized access to tenant application, program, or object source code, and assure it is restricted to authorized personnel only?
- Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?
- Do you have a written policy for user changes (joiners, movers, leavers) to be handled?
- Are you disabling access rights immediately after the end of employment?
A10. Cryptography
- Do you have a mean to remotely wipe data on a lost or stolen phone, laptop or similar device?
- Do you use at-rest database encryption for data?
- Do you use encryption protocols when transferring data? If yes, which ones?
- Do you encrypt devices holding personal data or confidential information (e.g. laptops, hard drives, usb,…)?
A11. Physical & Environmental Security
- Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic?
- How will you protect data from physical and environmental threats or from unauthorized access?
- Are there enhanced security measures such as additional locks in areas where content is stored (e.g. server room, machine room)?
- Is physical access to your premises restricted by the use of access control technologies- such as keypads, smart cards or key code access?
- Do you have a physical security policy in place ?
A12. Operations Security
- What operating system(s) is/are leveraged by the system(s)/application(s)?
- Do you have a data/services recovery and restauration according to the criticality of the applications?
- Are backups securely stored?
- Do you perform backups and restore exercises?
- Do you monitor logs?
- Do you have policies and controls in place to manage IT infrastructure?
A13. Communications Security
A14. Application Security
- Do you publish a list of all APIs available in the service and indicate which are standard and which are customized?
- Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?
- Do you conduct application penetration tests of your cloud infrastructure regularly?
- Do you conduct network penetration tests of your cloud service infrastructure at least annually?
- Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
- Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
A15. Supplier Relationships
- Do third-party agreements include provision for the security and protection of information and assets?
- Which subcontractors do you work with?
- Is any 3rd party / open source software used within your solution?
- Is personal data and confidential information that is stored in the cloud encrypted on database level?
- Do your terms and conditions contain a framework and/or process for dispute resolution, for example in the event of loss or damage to digital content?
A16. Information Security Incident Management
- Do you have the capability to recover data for a specific customer in the case of a failure or data loss?
- Have you tested your security incident response plans in the last year?
- Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?
- Please describe the service level agreements (SLA) for disaster recovery (RTO/RPO) and what system performance you guarantee after recovery?
- What is your policy on breach notification?
- Do you have agreements with subprocessors about data breach notifications?