Due Diligence Checklist - Vendor On-boarding
Sr. No.DomainAreasCheck / ObservationDescriptionResponseRemarks
1Physical SecurityPhysical Access to processing facilitiesIs the access to your facility restricted to employees and authorized personnel only?The access to the Vendor's facility should be made available to employees and authorized support personnel only.
2Physical SecurityPhysical Access to processing facilitiesIs the access to the employees / vendors restricted by means of strong physical access control mechanisms?Strong physical access controls (like Access IDs, Smart Cards) need to be deployed to ensure that the access is restricted to employees. Access cards mechanisms are prone to impersonation and might necessitate other controls like biometric access to ensure traceability and accountability.
3Physical SecurityPhysical Access to processing facilitiesIs there a mechanism that informs the security personnel of the lost access cards (if available) or termination of access rights to personnel?If access cards are used by personnel and visitors to gain access into the premises, there should be a mechanism to report lost access cards and a procedure to disable the access rights from the cards that were reported.
4Physical SecurityPhysical Access to processing facilitiesIs the access to the Vendor's facility to employees / authorized personnel / visitors regulated by guards / receptionist?Even if there is a deployment of an access card mechanism to gain access into the facility, there must be a security guard / receptionist to guide the visitors to the intended place. Third Party Personnel who may not be familiar to the location have to be provided guidance by them.
5Physical SecurityPhysical Access to processing facilitiesIs an updated log maintained to track / monitor the movement of employees and authorized personnel?There should be an updated log that captures the movement of authorized personnel into the Vendor site. The log may be physical or electronic, but must be present to ensure tracking. The movement of personnel visiting the Vendor's facility may also be monitored with the help of CCTV setup.
6Physical SecurityPhysical Access to processing facilitiesIs a separate log maintained to track / monitor the visit of other personnel?In addition to monitoring of employees and support personnel, a separate log is to be maintained to monitor the visit of other personnel to the site.
7Physical SecurityPhysical Access to processing facilitiesIs the movement of assets tracked / monitored and reconciled?Assets here refer to the replacement assets. For example, desktop PCs and Laptops that are being replaced / serviced at the Vendor's premises. Information like Laptop details, Personal Contact numbers, Persons to contact etc. have to be logged for references. Laptop Sr.no of visitors have to be reconciled on exit.
8Physical SecurityPhysical Access to processing facilitiesAre the access logs being reviewed for any suspicious activities? Logging and tracking are essential and these logs have to be analyzed by the SPOCs for any suspicious activities / deviations.
9Physical SecurityPhysical Access to processing facilitiesDoes all employees, contractors and third party users and all visitors wear some form of visible identification?Visitor entry pass/ ID Card, Employee ID card, separate Entry pass/id cards for Vendor, contractors must be available and clearly distinguished
10Physical SecurityPhysical Access to processing facilitiesCan personnel carry and use personal storage media devices into the facility?Personal storage media devices like USB devices, Removable Hard-Disks etc. should be restricted within information processing facilities. They can be mis-handled to transfer www.infosec-career.com specific information from the Vendor site.
11Physical SecurityPhysical Access to processing facilitiesIs delivery and loading areas controlled and isolated from information processing facilities to avoid unauthorized access?Delivery and loading area must be separate and with appropriate access control mechanism in place
12Physical SecuritySecurity at the vendor SiteHas enough precautions been taken and controls implemented to protect the premise and information assets from external and environmental threats like fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster?
Essential physical security controls for detecting and controlling a fire-outbreak. In addition to installation of the controls, it is essential they are tested regularly.
13Physical SecuritySecurity at the vendor SiteIs the fire fighting system tested periodically?Implemented Fire fighting system must be tested at least half yearly
14Physical SecuritySecurity at the vendor SiteIs lightning protection applied to all buildings and lightning protection filters fitted to all incoming power and communications lines?Lighting protection is required for safe grounding of current which prevents the damage of electric equipment
15Physical SecuritySecurity at the vendor SiteIs there an UPS mechanism / Power Generator in place at the Vendor site?Essential requirement for ensuring continuity in case of a power outage.
16Physical SecurityVendor Site AssessmentIs your information processing facility in a location that is externally obvious?The vendor's information processing facility should not be in a externally obvious location with indications of www.infosec-career.com related operations explicitly displayed at their premises.
17Physical SecurityVendor Site AssessmentWhether www.infosec-career.com information processing facilities are in close proximity to potentially harmful installations?Information Processing facilities near places where explosive materials are operated (e.g.; Kitchen) are subjected to associated risks.
18Physical SecuritySecurity at the vendor SiteAre there guidelines for movement of equipment within the Vendor's facility?In case of a shared facility, there should be procedures for movement of user machines and server equipment that contained www.infosec-career.com related information. www.infosec-career.com specific data has to be removed from the storage repositories in case of movement.'
19System SecurityControls against Malicious SoftwareIs there a formal policy requiring compliance with software licenses and prohibiting the use of unauthorized or unsupported software, including freeware or shareware? If yes, what are the controls related to preventing their use?There should be a guidance document on the usage of licensed software and the installation and usage of unauthorized software.
20System SecurityControls against Malicious SoftwareIs the appropriate anti-virus software employed and regularly updated?An AV solution should be installed and regularly updated as control against malicious codes/software.
21System SecurityData SecurityDo you have controls to prevent individuals from storing any confidential information or data on their desktop? If yes, please describe.confidential data / information should not be allowed to store on local drives to maintain its availability, confidentiality and integrity. Data should be stored on central file server where security controls, like data backup, access controls are implemented.
22System SecurityServer SecurityIs there a configuration management document for servers and network? Does this document capture the all the secure settings and application specific settings?Secure configuration document for servers and network element should be available, maintained and updated.
23System SecurityServer SecurityAre the audit and logging settings appropriately configured?
Do suspicious activities like Failed logins, Start and stop of services, Modification of user privileges and Denial of Service attempts logged?
Logs on servers and critical equipment should be enabled and periodically monitored to record and identify security incidents.
24System SecurityDesktop Configuration / SecurityDo you prohibit end-users from having administrator access on their desktops? If yes, please describe the controls you use for this purpose.Desktops should be hardened as per the secure configuration / hardening document. Unauthorized admin access can lead to data breach.
25System SecurityDesktop Configuration / SecurityAre all read/writeable devices controlled at the desktop (e.g. devices, CD burners, DVDs, zip drives, USB drives)? If yes, please describe.Desktops should be hardened as per the secure configuration / hardening document. Only authorized personnel should have access to USB / CD / DVD drives
26System SecurityDesktop Configuration / SecurityDo you have controls to prevent users from altering security system configurations (e.g. screen saver settings, anti-virus settings)?Secure configuration / hardening document should be available and implemented on all desktops
27System SecurityDesktop Configuration / SecurityDo you require users' approval before the help desk can take remote control of their desktops?Without knowledge of end user, help desk or technical support staff should not allowed to take control of users machine.
28System SecurityDesktop Configuration / SecurityDo you use standard security configurations on operating systems, applications, laptops, desktops, and virtual machines? If yes, please provide details of your standard.Secure configuration document for servers and network element should be available, maintained and updated.
29System SecurityDesktop Configuration / SecurityDo you have set and documented security baselines for all operating systems that are in line with industry practices or minimum security baselines?Secure configuration document for servers and network element should be available, maintained and updated.
30System SecurityDesktop Configuration / SecurityAre share folders available with insecure permissions?Access should be restricted to shared folders by specifying granular permissions to the specific users/groups.
31System SecurityDesktop Configuration / SecurityIs time zone setting correctly configured on the machine?Correlation of logs and identification of the correct time frame for a malicious activity cannot be done if time zone setting is incorrect.
32System SecurityDesktop Configuration / SecurityIs security assessment( VA/PT/ Appsec) of application and systems used for accessing\processing of www.infosec-career.com data done?An intruder can use a vulnerability for gaining unauthorized access to the www.infosec-career.com Data.
33System SecurityDesktop Configuration / SecurityIs the screen saver with Password protect option enabled and configured correctly?An intruder can use an unattended console for gaining unauthorized access to the network / server segments.
34System SecurityDesktop Configuration / SecurityAre guest accounts disabled in the User machines?Since Guest account is a default account, it is a common target for attackers to get unauthorized access to the user machines.
35System SecurityDeclining technologyDo you have a program that monitors technology products and versions that require third party support to ensure that the products continue to be supported? If yes, please provide documentation or describe.Monitoring of software's / technology products for end of support by OEM or vendor
36Asset inventory and configuration managementAsset InventoryDo you prevent removal of client related assets (storage media, hardware) from the premises? Please provide details.Assets which are in use to provide services to client should be removed after getting proper approval from client.
37Asset inventory and configuration managementAsset InventoryDo you have an application or process for inventory tracking? If yes, how often is the physical inventory validation performed?Asset inventory should be tracked and maintained
38Asset inventory and configuration managementAsset SecurityDo you have controls to safeguard the information during transport? Please describe if the process of loading and unloading is conducted in a controlled environment. Describe the container used for transportSecurity controls like, shock proof and fire proof media case should be used to transport sensitive assets, loading unloading areas should be properly protected and guarded.
39Asset inventory and configuration managementAsset SecurityDo you have documented procedures regarding the movement of assets (both inside and out of your organization)?Guidelines for movement of assets should be documented
40Asset inventory and configuration managementAsset SecurityDo you have a documented process to pass the custody of the assets between locations?Guidelines for movement of assets should be documented
41Asset inventory and configuration managementAsset SecurityDo the procedures for the disposal, reuse, or repair of electronic media (e.g. end-user devices, tapes, disk drives, multifunction devices, copiers) require degaussing and/or data erasure and/or destruction to ensure that the data cannot be recovered? If so, what standard (beyond simple deletion or formatting) do you use for data destruction?Low level formatting or data degaussing or destruction should be performed, prior to dispose / reuse / repair of any equipment containing client data
42Asset inventory and configuration managementAsset SecurityDo you have a documented process for removing physical property, such as hardware, backup tapes, from the premises?documented process for removing physical property, such as hardware, backup tapes, from the premises
43Business ContinuityContinuity of Business OperationsDoes a BCP plan guide the continuity of business operations at the time of a disaster?Continuity of vendor business operations at agreed service levels should be defined by a well-documented BCP / DR policy. The Vendor should have a sound BCP strategy to ensure continued operations.
44Business ContinuityContinuity of Business OperationsDoes vendor identify the events that cause interruptions to various departments supporting various business activitiesHave vendor performed risk assessment to analyze associated threats and vulnerability with the concerned business process.
45Business ContinuityContinuity of Business OperationsHave the training plan of Business continuity plan for various department is identified.BCM training is required to ensure that effective continuity strategy is in place
46Business ContinuityContinuity of Business OperationsDo the business continuity plans describe in detail about roles and responsibilities describing who is responsible for executing all aspects of the plan. The BCP should clearly state the roles and responsibilities of individuals at the time of a disaster.
47Business ContinuityContinuity of Business OperationsAre the plans reviewed on periodic basis and on every significant change to environmentChanges in Assets, Business Operations should trigger the changes in the Business Continuity Plan of the Vendor.
48Business ContinuityContinuity of Business OperationsDoes the Vendor have alternate facilities equipped to resume business operations in case of a disaster?The Vendor must have alternate processing facilities to resume critical activities in case of a disaster. The vendor could resort to having a hot site, warm site or a cold site arrangement.
49Business ContinuityContinuity of Business OperationsAre the Business continuity arrangements are tested and updated regularly?
Does vendor regularly test and update business continuity plans t to ensure their effectiveness
Testing business continuity plan is required to analyze effective recovery strategy is in place
50Business ContinuityContinuity of Business OperationsAre the provisions made for the periodic transfer of backup media to a secure offsite storage facility?Necessary backup media and restoration procedures should be ensured to ensure resumption of operations at the vendor facility.
51Business ContinuityContinuity of Business OperationsAre services provided to www.infosec-career.com covered under scope of BCPServices provided to www.infosec-career.com should covered the scope of BCP.
52Business ContinuityContinuity of Business OperationsIssues faced during testing and the action taken for the same are documented?Issues faced during the BCP testing and the action taken should be documented.
53Business ContinuityContinuity of Business OperationsEvacuation drills conducted - Observations & action taken Report are maintained?Evacuation drills conducted - Observations & action taken should be placed.
54Change ManagementChange Management ProcessDo you have a documented change control policy or program that has been approved by management? If yes, please describe it.The vendor must follow a well documented, management approved change management process. The change management process should include necessary approvals.
55Change ManagementChange NotificationHas the vendor documented detailed procedure for identifying of changes to be notified to www.infosec-career.com, sending an approval request & communication processVendor should maintain necessary documents for communication of changes and obtaining the approvals from www.infosec-career.com
56Change ManagementChange Management ProcessIs there an established SPOC for notifying these changes and ensuring documentation?The Vendor SPOC should be responsible for communicating the changes and maintaining an updated list of changes.
57Change ManagementChange Management ProcessDo you follow your standard change control policies and procedures for changes required throughout the Software Development Lifecycle (SDLC) process? If not, please explain how you control changes in the different SDLC phases.Vendor must plan and test all the changes prior moving to production to ensure effective change management procedure.
Development and production environment must be separate to ensure confidentiality of production data, continuity of application as development may lead to downtime and unauthorized access to production data may lead to compromise with integrity
58Change ManagementChange Management ProcessDo you perform a security review for any changes as part of the overall change approval process?After applying every change, security review should be carried out to analyze whether any new vulnerabilities are arise due to the applied change
59Change ManagementChange Management ProcessAre logs maintained , capturing all relevant details, whenever a change is effected.Logs are required to analyze what all steps performed for any change moved to production
60Change ManagementChange Management ProcessDoes the vendor organization maintain Audit Trail of all the change requests?Audit trails are required to analyze what all steps performed for any change moved to production
61Change ManagementChange Management ProcessIs the change management process reviewed on periodic basis and on every significant change to environmentThe change management process should be reviewed on a periodic basis. Inclusion of Assets, Changes in Location, modification in system configurations trigger the initiation of the Change management routine.
62Change ManagementEmergency ChangesHas provider documented a process for handling emergency changes to ensure that these types of changes are carried out in controlled & timely mannerIn addition to conventional changes, the vendor has to have procedures for emergency changes.
63Change ManagementEmergency ChangesDoes the process mandate the implementer to document a post implementation report detailing reason for change, steps involved and implementation resultsUnlike conventional change processes, Emergency changes are not preceded by approvals and communication process prior to implementation but has to be documented.
64Change ManagementEmergency ChangesDoes the process mandate change management committee to review the implementation report & ask implementer to roll-back the change if it doesn't meet the desired objectiveThere must be a procedure to monitor the implications of the change and a roll back strategy.
65Change ManagementChange Management ProcessDoes your formal change control process ensure that systems are tested in an environment with production quality & security controls?Changes should be tested in production equivalent environment to ensure that change will work properly in actual production environment, without any issue
66Change ManagementChange Management ProcessAre your third parties required to notify you of any changes that might affect services rendered? If yes, please describe.Any changes to third-party systems, which serves to www.infosec-career.com, should be notify to www.infosec-career.com to take necessary action at www.infosec-career.com
67Change ManagementChange Management ProcessDo you have a change process that ensures your production and back up environments (technology) remain in sync? If yes, please describe.Production and Backup environment should be in sync with minimum gap, keeping in mind the RPO and RTO of SLA with clients and company requirement.
68Compliance and Legal AgreementsInformation systems should be regularly reviewed for compliance with the organization's information security policies and standardsMonitoring of compliance
69Compliance and Legal Internal AuditDo you have an internal department (i.e. Audit, Compliance, etc.) who is responsible for testing/auditing against legal and regulatory requirements related to your business?Team / personnel should be identified to perform various legal / contractual / regulatory related assessment
70Compliance and Legal Internal AuditIf yes, how does your internal audit function determine the scope and frequency of your internal audits?Describe the function of internal audit team.
71Compliance and Legal Internal AuditIf yes, to which most senior level or role in your organization are audit reports issued?Internal audit / assessment should be carried out as per legal / regulatory / contractual requirements and reports should be communicated to concerned parties
72Compliance and Legal Compliance FrameworkWhat framework / standard for internal control (e.g. COSO, ISO 27001) have you adopted? Do you have a process for independent validation of the design and operating effectiveness of your internal controls specifically related to the proposed services?Standard / Framework should be adopted to implement effective internal control and processes.
73Compliance and Legal Compliance FrameworkHave you had any external audits in the last 18 months (e.g. ISO 27001)? If yes, please provide results.External Audit against standards like ISO 27001
74Data GovernanceBackup ManagementAre back-up copies of essential business information and software taken regularly?Backup operations are necessary during the restoration operations in case of a system outage.
75Data GovernanceBackup ManagementIs there a backup and recovery document?Backup and recovery document should be maintained
76Data GovernanceHandling Backup MediaHow is access to backup media controlled?Access to backup media should be controlled to prevent leakage of information stored in them.
77Data GovernanceHandling Backup MediaIs backup media stored in fireproof environment? Backup media should be protected with requisite controls to prevent environmental damage.
78Data GovernanceHandling Backup MediaIs there a procedure for media rotation?Reusability criteria for media should be well established and must be within the limits for media type.
79Data GovernanceHandling Backup MediaWhat are the precautions taken for media (aged/unused) disposal?Careless disposal / re-use of media could result in leakage of bank’s sensitive information. Storage devices containing bank’s information should be physically destroyed or securely overwritten, prior to disposal.
80Data GovernanceHandling Backup MediaIs back-up of confidential data protected by means of encryption?Encryption ensures confidentiality of backup data .
81Data GovernanceHandling Backup MediaAre the back-ups stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site?Appropriate backup management Procedure are in place and followed.
82Data GovernanceHandling Backup MediaIs the back-up information( at off-site) given an appropriate level of physical and environmental protection consistent with the standards applied at the main site?Appropriate backup management Procedure are in place and followed.
83Data GovernanceRetention and RestorationDoes the backup policy identify the period for backup data retention?The data retention period for backup data must be communicated to the vendor and must be followed.
84Data GovernanceRetention and RestorationWhat are the steps followed in restoring backup? Are the steps documented and available to the authorized personnel?Procedures for restoration testing should be documented and followed adequately.
85Data GovernanceRetention and RestorationIs the media and back up restoration tested periodically? In addition to the backup of data and system files, adequate testing for restoration must be performed to ensure that the backup data is usable.
86Data GovernanceData classificationDoes your organization have a clearly-defined and documented information/data classification scheme?Approved Data classification scheme should be communicated and available to all
87Data GovernanceData classificationAre your data labeling and handling procedures aligned with your information/data classification scheme?data labeling should be done as per the approved data classification scheme
88Data GovernanceData classificationDo you have a documented records retention policy or program that has been approved by management? If yes, please attach or describe it.Describe the record retention policy
89Data GovernanceData classificationDo you separate www.infosec-career.com data logically or physically from other client data? If yes, please describe your processwww.infosec-career.com data should be protected for unauthorized access
90Data GovernanceData ownership, stewardship, and data transferDo you have data loss prevention (DLP) / data rights management (DRM) controls for managing client data? If yes, please describe. If no, www.infosec-career.com may implement DLP / DRM solution for at your processing facilities, where www.infosec-career.com data is being processed and you need to provide necessary support.Client data should be protected against unauthorized access/modification/disclosure by means of DLP or DRM controls
91Disposal, eradication, and destruction managementData GovernanceDo you have a process to remove data prior to decommissioning equipment that housed, stored, processed, controlled or accessed confidential information?

Describe your procedures for the decommissioning process. Describe if the same procedure is utilized for non-repairable equipment.
Low level formatting or data degaussing should be performed, prior to decommissioning of any equipment containing client data
92Email SecurityInformation exchange policies and proceduresHave vendor defined Email security policy or Email policy?Email security policy is required to define safe acceptable email usage by employees.
93Email SecurityInformation exchange policies and proceduresAre the users aware of their responsibilities with regards to information protection that is exchanged using all types of communication facilitiesUser responsibilities are generally highlighted in Acceptable usage policy to define what is expected from users/employees which is in line with Organization policies and procedures
94Email SecurityProvision of e-mail access to usersAre user e-mail accounts at the Vendor facility created after necessary management / HR approvals?E-mail accounts for communication with www.infosec-career.com should be created after necessary approvals and must be commissioned on a need only basis.
95Email SecurityProvision of e-mail access to usersAre there well-documented procedures for disabling or removing e-mail accounts after the employee leaves?There must be a defined procedure for disabling/removal of user e-mail accounts on employee termination / transfer.
96Email SecurityProvision of e-mail access to usersAre the e-mail accounts shared between users?Sharing of e-mail ids between users obviates accountability for the communication.
97Email SecuritySecure Configuration of the E-mail infrastructureIs the e-mail systems are configured for sending mails to non-www.infosec-career.com ids?
Access rules have to be configured on the e-mail system to ensure that the same is used for communication with www.infosec-career.com only.
98Email SecuritySecure Configuration of the E-mail infrastructureAre the mail backups encrypted at the time of storage?The PST backup of the e-mails should be encrypted during storage.
99Email SecuritySecure Configuration of the E-mail infrastructureIs the retention period defined for backed up mails? Is email data purged after the retention period is complete?The retention and purging procedures should be followed as per defined policy.
100Email SecuritySecure Configuration of the E-mail infrastructureAre the mail attachments scanned for Virus and other malicious content?Virus and malicious content may affect the systems at the Vendor premises and e-mails received/sent have to be scanned for suspicious content.
101Email SecuritySecure Configuration of the E-mail infrastructureDo you encrypt emails that contains www.infosec-career.com information before it leaves the organization? If you encrypt information, describe the encryption mechanisms you use.Mail attachments should be encrypted before sending as the traffic could be sniffed in transit, leading to unauthorized disclosure and modification of information.
102Email SecuritySecure Configuration of the E-mail infrastructureDoes e-mail communication from the vendor include a standard disclaimer as a part of the contents?Standard disclaimers should be a part of all e-mail communication with www.infosec-career.com.
103Email SecuritySecure Configuration of the E-mail infrastructureDoes the Vendor have an e-mail administrator with defined responsibilities for secure configuration and maintenance?The e-mail administrator should have the responsibility of configuration and maintenance of e-mail related activities of the Vendors. This responsibility may be shared by a system administrator.
104 | Encryption management | Encryption requirements | Do you have a documented encryption policy or program that has been approved by management? If yes, please provide or describe. | An encryption policy detailing the encryption methods allowed, in line with regulatory, legal and contractual requirements, should be documented and approved by management.
105 | Encryption management | Encryption requirements | Does your encryption policy dictate when and how encryption should be employed? | The encryption policy should clearly state what must be encrypted, when, and how (approved algorithms, key lengths and key management).
106 | Encryption management | Encryption requirements | Are laptops, mobile devices, or removable media encrypted with a strong industry-standard algorithm? | Information assets and endpoints should be encrypted with an approved strong encryption mechanism (e.g. full-disk encryption), so that a lost or stolen device does not expose www.infosec-career.com data.
107 | Encryption management | Device Inventory | In instances where a hardware token or smartcard is used to access an application or system, are the token devices inventoried in a secure system that manages the lifecycle of the token or smartcard? | The inventory of tokens and smartcards should be reviewed periodically to prevent misuse; lost, returned or expired devices should be revoked.
108 | Encryption management | Encryption requirements | Is www.infosec-career.com data/information encrypted while at rest (i.e. stored in databases, applications, disk storage, or backup media)? If yes, please name the encryption algorithm you use to protect the data in storage and backup files. | www.infosec-career.com data should be stored securely and protected against unauthorized access, modification or disclosure. Data at rest, including backups, should be encrypted with an approved algorithm, with keys managed separately from the data they protect.
109 | Encryption management | Encryption requirements | Do you encrypt data transmission on external networks? If yes, which network segments are involved and where is encryption terminated? | All communication over external networks should be encrypted. The termination point matters, because data travels in clear text beyond it; it should be documented and located inside a trusted zone.
110 | Encryption management | Encryption requirements | Do you encrypt data transmission on internal networks? If yes, on which network segments? Where is encryption terminated on the internal segments? | Communication carrying www.infosec-career.com data should be encrypted on internal networks as well, since an internal segment can be sniffed by a compromised host; termination points on internal segments should be documented.
111 | HR | Pre-employment | Do you perform background checks on employees? Please describe what your screening program / procedure includes. | Extensive background checks on employees and contractors hired by the vendor serve as a good preventive control. Any history of suspicious incidents for a candidate has to be analyzed, verified and must influence the selection process. Typical employee background checks include criminal, academic, credit and reference verification.
112 | HR | Pre-employment | Are any employees or officers of your company exempt from background screening? | If screening is not required for all employees, please describe the circumstances under which screening is required.
113 | HR | Pre-employment | Does the aforementioned screening process apply in its entirety to non-employees (e.g. contractors, temp labor, and subcontractors)? If not, please describe the variance. | The same background checks should apply to contractors, temporary staff and subcontractors who handle www.infosec-career.com data; any variance should be documented and justified.
114 | HR | Pre-employment | What criteria does your company use to fail or reject a candidate and/or employee based upon the results of a background check? | Describe the criteria and circumstances under which a candidate is rejected on the basis of the background check results.
115 | HR | During Employment | Are your employees required to sign a Non-Disclosure (NDA)/Confidentiality Agreement? | The vendor should apprise its employees of the criticality of the data handled at the premises and have them sign an NDA at the time of employment.
116 | HR | During Employment | Are security roles and responsibilities of employees, contractors and third party users defined and documented in accordance with the organization's information security policy? | Vendor management shall ensure that its employees and contractors are properly briefed on their information security roles and responsibilities prior to being granted access to confidential information or information systems of www.infosec-career.com.
117 | HR | During Employment | Do you have a well-defined process for assigning "need-to-do" access to employees? | Access to Client data should be granted to employees on a "need-to-know" and "need-to-do" basis only.
118 | HR | During Employment | Do you have a documented, acceptable-use policy that has been approved by management, published, executed, and communicated? If so, please attach or describe it. | An acceptable-use policy document highlighting the recommended information handling guidelines should be circulated to all employees.
119 | HR | During Employment | Do you have a well-defined formal disciplinary process for employees who have committed a security breach? | The formal disciplinary process should ensure correct and fair treatment of employees who are suspected of committing breaches of information security.
120 | HR | Termination of Employment | Describe the disciplinary action for violations of company policies and procedures. | Violations should be handled through the formal disciplinary process. An effective employee termination process should also be in place with the Vendor to avoid the loss of www.infosec-career.com related information and to ensure the removal of access rights of users who handled www.infosec-career.com data.
121 | HR | Termination of Employment | Do you have procedures to manage access by employees and contractors who have been terminated, transferred, or whose status has changed? If yes, please describe. | There should be an effective communication mechanism to inform system administrators of terminations and transfers, so that access rights are removed or adjusted at the time of the change and the user access profile list is updated.
122 | HR | Termination of Employment | Do termination procedures include the return of all corporate assets and media? | The Vendor shall establish a procedure for user termination and the return of assets on termination of employment.
123 | HR | Employee Awareness and Training | Do you have an Information Security training curriculum? If yes, please describe. | An information security awareness program should aim to make employees and, where relevant, contractors aware of their responsibilities for information security and the means by which those responsibilities are discharged, starting with induction training.
124 | HR | Employee Awareness and Training | How often is the curriculum updated? Please describe. | The curriculum should be reviewed and updated whenever policies, threats or the services provided to www.infosec-career.com change, so that the awareness program stays current.
125 | HR | Employee Awareness and Training | Do you organize periodic trainings and awareness programs to convey the criticality of data being handled at the premises? | The criticality of www.infosec-career.com specific information should be emphasized in the training sessions. The sessions should be conducted periodically by the vendor and, in addition to technical competencies, should cover the security aspects of the www.infosec-career.com information being handled.
126 | HR | Employee Awareness and Training | Do you have appropriate metrics for measuring and monitoring the effectiveness of the www.infosec-career.com related trainings imparted to staff? | Appropriate metrics should be available with the Vendor for monitoring the effectiveness of the awareness and training programs undertaken. Typical evidence would be periodic tests conducted through quizzes and the resulting employee scores.
127 | HR | Employee Awareness and Training | Do you have controls to ensure that employees complete required training? If yes, please describe. | An appropriate tracking mechanism should be implemented to identify employees who have not attended and completed the training / awareness program.
128 | HR | Employee Awareness and Training | Is action taken on non-performers in the www.infosec-career.com related training sessions? | The performance of employees in the awareness sessions should be monitored and followed by appropriate action for non-performers. Failure to do so might send the wrong signal across the organization and might reflect in the work environment too.
129 | HR | Malicious insider risk | Does your company have documented policies or procedures relating to segregation of duties, the use of dual controls, and employee tracking and observation protocols, including logging and supervision? If yes, please provide or describe. | Conflicting roles and duties should be identified and segregated accordingly; high-risk operations should require dual control and should be logged and supervised.
130 | Incident Management | Incident Notification | Do you have a documented information security incident management policy or program that has been approved by management? If yes, please attach or describe it. | The incident management policy should be well documented, approved, circulated to all concerned and reviewed at least yearly.
131 | Incident Management | Incident Management | Do you have a process to notify clients of instances of non-compliance impacting them (including, but not limited to, privacy breaches and legal and regulatory-related incidents)? If yes, please describe. | www.infosec-career.com should be informed of all security incidents at the Vendor premises that affect its data or services, within the contractually agreed notification timeframe.
132 | Incident Management | Incident Management | Are all users informed of formal procedures for reporting the different types of security incident? Is an escalation matrix readily available to users? | The vendor should communicate the formal security incident reporting procedure and the corresponding escalation matrix to all users.
133 | Incident Management | Learning from Incidents | Do you document and test your information security incident management and response procedures at least annually? | Incident response procedures should be documented and exercised at least annually (e.g. through a tabletop exercise), with the findings fed back into the procedures.
134 | Incident Management | Learning from Incidents | Do you have an information security incident management process that tracks, analyzes, and determines details, including root cause and corrective actions for all reported incidents? | Every reported incident should be tracked to closure, with its root cause and corrective actions recorded.
135 | Incident Management | Learning from Incidents | Do you conduct a postmortem review after an information security incident to identify the root cause and decrease the likelihood of a similar incident in the future? | A post-incident review should be held for significant incidents, and the resulting corrective actions should be tracked to completion.
136 | Information Security Management Systems | ISMS Documentation | Do you have a documented information security policy or program that has been approved by management? If yes, please attach or describe it. | An approved information security policy should be in place.
137 | Information Security Management Systems | ISMS Documentation | Do you publish and communicate your information security policy or programs to employees and contractors? If yes, please describe how you communicate them. | The information security policy should be available to all concerned stakeholders, and any changes or revisions should be communicated to them.
138 | Information Security Management Systems | ISMS Documentation | Do you publish and communicate information security policies and standards to your Third Parties? If yes, please describe how you communicate them. | The relevant information security policies and standards should be made available to third parties, and any changes or revisions should be communicated to them.
139 | Information Security Management Systems | ISMS Documentation | Do you review your information security policies and standards annually and update them as needed? If yes, please describe the process. | The information security policy should be reviewed, updated and approved at least annually.
140 | Information Security Management Systems | ISMS Documentation | Have you appointed an owner to manage and maintain your information security policies, standards, and initiatives, as well as related activities? If yes, please provide the name and position/title of the owner. | An individual or team should be identified to manage the information security program.
141 | Information Security Management Systems | ISMS Documentation | Do you have a documented process to approve exceptions to the established security policies? If yes, please describe the process. | An exception management process should be documented and implemented; exceptions should be approved, time-bound and periodically reviewed.
142 | Information Security Management Systems | SOD | Do you have a mechanism to segregate the duties of information security roles from operational roles? | Conflicting roles and duties should be identified and segregated accordingly.
143 | Information Security Management Systems | Compliance | Are processes in place to ensure compliance with local, state, and national information security regulations? | Compliance requirements arising from regulations, laws and contractual obligations should be identified, and all processes should be in line with these requirements.
144 | Information Security Management Systems | Compliance | Do you have documented information security risk assessment, remediation, and acceptance policy(ies) or program(s) approved by management? If yes, please attach or describe it. | An information security risk assessment program should be approved and implemented, covering remediation and formal risk acceptance.
145 | Information Security Management Systems | Compliance | Do you monitor the results of your information security risk assessment programs and address gaps, threats and vulnerabilities in a timely manner? | Gaps identified during the various assessments should be tracked and their remediation monitored.
146 | Logging and Monitoring | Logging Requirements | Do you have a documented logging and monitoring policy or program that has been approved by management? If yes, please provide or describe. | The provider should ensure that there are adequate requirements for the logging of events on the service. These requirements should be defined and documented.
147 | Logging and Monitoring | Logging Requirements | Have you enabled logging for applications, OS platforms, and network devices in accordance with security best practices to track user activity? | Logging should be enabled on all applications, operating systems and network devices; at a minimum, authentication events, privileged actions and configuration changes should be captured.
148 | Logging and Monitoring | Logging Requirements | Do you periodically review the event logs (e.g. unsuccessful logons, access violations, privileged access)? If yes, please describe. | A process for regular review of security logs must be established to identify relevant information contained within them, raise alarms for preventive and corrective actions, and detect significant security incidents.
149 | Logging and Monitoring | Protection of Logs | Are information systems audit tools (e.g. software, data or log files used for security, audit, compliance) protected and separated from development and operational systems and not held in tape libraries or user areas? | Information systems audit tools should be protected by appropriate access and security controls.
150 | Logging and Monitoring | Protection of Logs | Are security audit logs copied to a separate and secure environment? | The audit logging procedure should be documented, and logs should be forwarded to a separate, write-protected log store so that administrators cannot access, alter or delete the records of their own activity.
151 | Logging and Monitoring | Logging Requirements | How long do you retain system event and audit logs, both in on-line and off-line storage? | Audit logs should be retained as per contractual, legal and regulatory requirements.
152 | Logging and Monitoring | Monitoring of Logs | Are you correlating log information from divergent devices, such as firewalls, IDS, and system logs? If yes, how are you aggregating and correlating the information? | Logs from firewalls, IDS and systems should be aggregated centrally and correlated. Unsuccessful attempts to gain access to systems and applications should also be logged and analyzed for irregularities; patterns across devices (for example the same source failing against several hosts) can be used to detect and block unauthorized attempts.
153 | Logging and Monitoring | Logging Requirements | Do systems and network devices utilize a common time synchronization service? | Clocks on systems and network elements should be synchronized (e.g. via NTP) so that logs from different devices can be correlated during incident management.
154 | Logging and Monitoring | Monitoring of Logs | Do you have a control or process to review or detect unauthorized changes to files/logs/systems/web pages on production systems (e.g. file integrity monitoring software)? If yes, please describe. | Critical files on production systems (configuration, binaries, web content, logs) should be baselined and monitored for unauthorized changes, and critically identified commands and events should be monitored on the various systems.
155 | Logging and Monitoring | Monitoring of Logs | Do you set thresholds for normal activity on systems, networks, databases, and applications to better monitor and detect suspicious or abnormal activity and behaviors? | Threshold limits should be set for at least the critically identified commands, events and activities, so that deviations from normal behaviour raise an alert.
156 | Logging and Monitoring | Monitoring of Logs | Do you monitor for security incidents on a 24/7 basis? | A team should be available round the clock to monitor and respond to alerts and incidents.
157 | Logical Access Control | User Account Management | Do you have a documented access control policy or program that has been approved by management? If yes, please provide or describe. | The access control policy should be approved by top management, and all access should be regulated as per the approved policy.
158 | Logical Access Control | User Account Management | Is access to systems and data on a "need-to-do" basis? | Access to applications and systems should be provided on a "need-to-do" basis to avoid unauthorized or unrestricted access to www.infosec-career.com data.
159 | Logical Access Control | User Account Management | Is there a well-defined process for creation of new user accounts? | New user accounts in the operating system and the application should be created at the direction of HR, and the SPOC should be informed. Administrators should obtain the necessary approvals before creating user accounts and allocating privileges.
160 | Logical Access Control | User Account Management | Does the formal user registration process use unique user IDs, so that users can be linked to and made responsible for their actions, and permit group IDs only where they are suitable for the work carried out? | All user IDs must be unique to establish accountability, and every group ID must be assigned to a named user as its owner.
161 | Logical Access Control | User Account Management | Do all accounts (e.g. user, service, privileged, test) have a designated owner? | Ownership of all logical accounts should be defined and documented.
162 | Logical Access Control | User Account Management | Do you identify all system users by a unique User ID? | Sharing of user IDs between users removes accountability for the actions taken.
163 | Logical Access Control | User Account Management | Are there procedures to verify the identity of a user prior to providing a new, replacement or temporary password? | There should be a procedure to verify the identity of the user before handing over a temporary password, in particular when the user requests a password change or reset over the phone.
164 | Logical Access Control | User Account Management | Are users required to authenticate prior to changing their password? | Users should authenticate (or be identity-verified by the help desk) before a password is changed or reset.
165 | Logical Access Control | User Account Management | How are temporary passwords communicated to users? Is a secure password distribution mechanism in place? | There should be a defined process for communicating temporary passwords to the requesting user over a secure channel.
166 | Logical Access Control | User Account Management | Does the system force a password change after the first login? | Changing the password on first logon ensures that the confidentiality of the password is maintained.
167 | Logical Access Control | User Account Management | Is there a well-defined process for removing the user account and access rights at the time of an employee leaving the vendor facility? | There should be an established process to handle employee termination and the deletion of user accounts and access profiles. User accounts remaining in the systems after the termination of the employee could be misused.
168 | Logical Access Control | User Account Management | Is there a periodic audit of the user access profile by the system administrator? | The user access profiles at the vendor should be periodically reviewed and updated.
169 | Logical Access Control | User Account Management | Is there an automatic lockout after a predefined number of unsuccessful attempts? | Systems and applications without a lockout are prone to brute-force attacks aimed at gaining unauthorized access to applications and data.
170 | Logical Access Control | User Account Management | After how many consecutive failed log-in attempts are user IDs disabled? | A lockout threshold should be defined to limit online brute-force and dictionary attacks against user accounts. Note that a lockout does not protect against offline attacks (e.g. rainbow-table or dictionary cracking of stolen password hashes); those require strong password hashing.
171 | Logical Access Control | User Account Management | Are different accounts and passwords used for applications and OS level access? | The www.infosec-career.com specific applications should be accessed with user IDs and passwords separate from those used for operating system access.
172 | Logical Access Control | User Account Management | Do you have established password requirements? If yes, please attach or describe. | The password policy should mandate strong passwords (length, complexity, history) for gaining system access.
173 | Logical Access Control | User Account Management | Does the system prompt the change of user passwords at predefined intervals? | User passwords should be changed at periodic intervals; the expiry should be enforced by the system and managed by system administrators rather than left to the users.
174 | Logical Access Control | User Account Management | Do you enforce a password management policy for access to all platforms, applications, and databases? | A password policy common to all platforms should be defined, approved and implemented.
175 | Logical Access Control | User Account Management | Do you have a policy regarding the storing and/or sharing of access credentials? If yes, please describe. | Access credentials, if stored insecurely or shared, can be misused, and accountability cannot be established in case of a security breach.
176 | Logical Access Control | User Account Management | Do you prevent passwords from being displayed in clear text during user authentication or in electronic/printed reports? | Passwords should be masked during entry and never written into reports, logs or on-screen displays, as visible credentials give other personnel an easy way to gain access.
177 | Logical Access Control | User Account Management | Please indicate how long the initial/temporary password will last before it expires if not used. | Temporary passwords should be communicated securely, should have a defined lifetime after which they cannot be used, and should be usable only once.
178 | Logical Access Control | User Account Management | Do you have processes and controls for privileged access? | Privileged access should be granted only after due authorization and should be monitored and tracked.
179 | Logical Access Control | User Account Management | Do users have unrestricted access to auxiliary devices like printers and scanners? | Access to auxiliary devices like printers, copiers and scanners should be controlled, for example with password or badge release.
180 | Logical Access Control | User Account Management | Do you conduct a periodic access-level review that includes entitlements? If yes, please describe. | User access reviews, including entitlements, should be performed periodically.
181 | Logical Access Control | User Account Management | Do you have a segregated administration function to manage privileged accounts? If yes, please describe. | The administration function managing privileged accounts should be segregated, with access limited to a few identified individuals.
182 | Logical Access Control | User Account Management | Are there any instances in which employees would use a shared account? If yes, please explain. | Accountability cannot be established when shared user accounts are used.
183 | Logical Access Control | Logging Requirements | Are unsuccessful attempts to gain access to workstations logged and periodically analyzed by the system administrator? | Unsuccessful attempts to gain access to systems and applications should also be logged and analyzed for irregularities. Patterns in the logs can be used to detect and block unauthorized attempts.
184 | Logical Access Control | Logging Requirements | Are the system administrator activities on firewalls and other network elements logged and monitored? | Logging should be defined for administrator activities on firewalls and other critical network elements such as routers. Every change should be traceable to a business requirement or change request.
185 | Logical Access Control | Logging Requirements | Are the clocks of network devices synchronized so that the logs are useful? | There should be time synchronization between network elements for logs to be usable in incident management.
186 | Logical Access Control | User Account Management | What is the process for dormant ID deactivation? Are inactive accounts disabled and/or deleted on all systems (including, but not limited to, servers, routers, databases, switches, firewalls)? If yes, please describe. | User IDs should be reviewed and monitored periodically. A dormant ID deactivation procedure should be defined; dormant IDs should be disabled, then deleted from the system after a defined period, and the action documented.
187 | Logical Access Control | Logging Requirements | Do employees/contractors ever use their own PCs not managed by your company to store confidential data or connect to your network? Does the company allow BYOD? | If BYOD is allowed, the program should:
  1. Specify what devices are permitted.
  2. Establish a stringent security policy for all devices.
  3. Define a clear service policy for devices under BYOD criteria.
  4. Make it clear who owns what apps and data.
  5. Decide what apps will be allowed or banned.
  6. Integrate the BYOD plan with the acceptable use policy.
  7. Set up an employee exit strategy.
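The correlation and lockout checks of rows 152, 155, 169/170 and 183, as an added example that is not part of the original checklist or of any vendor's tooling. Two constructed log formats are parsed, a Linux sshd line and a hypothetical VPN gateway line, normalised into one event shape and checked against an assumed policy: a threshold of failures from one source inside a time window (across all hosts, which a per-host view would miss), a logon that succeeds right after such a run, and accounts that crossed the consecutive-failure lockout threshold. Host names, IP addresses, the VPN log format and the policy values are all made up for the example.

```python
"""Added example (not from the original checklist): correlate logon
failures from two log sources and apply threshold and lockout checks.
Sample lines, hosts, IPs and policy values are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

YEAR = 2024  # syslog timestamps carry no year; assumed for the sample lines

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)")
VPN_RE = re.compile(  # hypothetical gateway format, constructed for this example
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) vpn: "
    r"AUTH (?P<outcome>FAIL|OK) user=(?P<user>\S+) src=(?P<ip>[\d.]+)")


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    user: str
    src_ip: str
    success: bool


def parse_line(line: str) -> Optional[AuthEvent]:
    """Normalise a line from either source; None for lines that are not logon events."""
    for regex, ok in ((SSHD_RE, "Accepted"), (VPN_RE, "OK")):
        m = regex.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            return AuthEvent(ts, m["host"], m["user"], m["ip"], m["outcome"] == ok)
    return None


def detect(lines: List[str], threshold: int = 5, window_minutes: int = 10) -> Dict[str, object]:
    """Apply three checks over the merged, time-ordered event stream."""
    window = timedelta(minutes=window_minutes)
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # src_ip -> failure times
    streak: Dict[str, int] = defaultdict(int)                  # user -> consecutive failures
    brute_force: Dict[str, int] = {}
    success_after: List[str] = []
    over_lockout = set()

    for e in events:
        q = failures[e.src_ip]
        while q and e.ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if e.success:
            if len(q) >= threshold:         # success right after a guessing run
                success_after.append(f"{e.user}@{e.host} from {e.src_ip} at {e.ts:%H:%M:%S}")
            streak[e.user] = 0
            continue
        q.append(e.ts)
        if len(q) >= threshold:             # one source, many failures, any host
            brute_force[e.src_ip] = max(brute_force.get(e.src_ip, 0), len(q))
        streak[e.user] += 1
        if streak[e.user] >= threshold:     # policy says this account should be locked
            over_lockout.add(e.user)

    return {"brute_force_sources": brute_force,
            "success_after_failures": success_after,
            "accounts_over_lockout_threshold": sorted(over_lockout)}


# Constructed sample: one source hammers two hosts and the VPN, then gets in.
SAMPLE_LOGS = [
    "Mar 12 10:00:01 web01 sshd[2211]: Failed password for admin from 203.0.113.5 port 51234 ssh2",
    "Mar 12 10:00:02 web01 sshd[2211]: Connection closed by 203.0.113.5 port 51234",
    "Mar 12 10:00:03 web01 sshd[2213]: Failed password for admin from 203.0.113.5 port 51236 ssh2",
    "Mar 12 10:00:05 vpn01 vpn: AUTH FAIL user=admin src=203.0.113.5",
    "Mar 12 10:00:07 db01 sshd[901]: Failed password for invalid user root from 203.0.113.5 port 51240 ssh2",
    "Mar 12 10:00:09 vpn01 vpn: AUTH FAIL user=admin src=203.0.113.5",
    "Mar 12 10:00:10 db01 sshd[902]: Failed password for admin from 203.0.113.5 port 51241 ssh2",
    "Mar 12 10:00:11 vpn01 vpn: AUTH OK user=admin src=203.0.113.5",
    "Mar 12 10:05:00 web01 sshd[2300]: Failed password for jsmith from 198.51.100.7 port 40000 ssh2",
    "Mar 12 10:05:30 web01 sshd[2301]: Accepted password for jsmith from 198.51.100.7 port 40001 ssh2",
    "Mar 12 11:30:00 web01 sshd[2400]: Failed password for jsmith from 198.51.100.7 port 40002 ssh2",
]

if __name__ == "__main__":
    for name, finding in detect(SAMPLE_LOGS).items():
        print(f"{name}: {finding}")
```

Two points the sample is built to show. No single host sees five failures from 203.0.113.5, so only the merged view crosses the threshold; and the VPN success at 10:00:11 arrives after five consecutive failures for `admin`, which under the assumed policy should already have been locked, so the successful logon itself is the finding to escalate. The window pruning also keeps jsmith's isolated mistyped password an hour apart from flagging. The merge only works if the clocks agree, which is why rows 153 and 185 sit next to these checks.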
188 | Media Handling | Management of Removable Computer Media | Do you have a documented policy or program for use and management of removable media? If yes, please describe it. | Clear guidelines for media handling should be documented in the form of a policy and made available to all concerned.
189 | Media Handling | Management of Removable Computer Media | Is authorization required for all media to be removed from the organization? | Appropriate authorization should be obtained for all media removed from the organization.
190 | Media Handling | Management of Removable Computer Media | Do you have documented requirements for securely storing removable media? If yes, please describe it. | Storage requirements for removable media (locked storage, access restricted to authorized staff) should be documented as part of the media handling policy and made available to all concerned.
191 | Media Handling | Management of Removable Computer Media | Do you have controls to safeguard and retrieve physical www.infosec-career.com documents during storage? Please describe the controls. | www.infosec-career.com documents should not be retrieved from storage without prior approval from the appropriate authority.
192 | Media Handling | Management of Removable Computer Media | Do you retain a Third Party to deliver media to an off-site facility? If yes, please describe what kind of security controls are identified and implemented. | Security controls such as encryption of the data, shock-proof and fire-proof media cases, and a chain-of-custody record should be used.
193 | Media Handling | Management of Removable Computer Media | Do you have documented procedures for the disposal, destruction, and/or re-use of physical media, removable media, and paper documents? If yes, please describe. | Disposal, destruction and re-use procedures (secure wiping or physical destruction before media is re-used or discarded) should be documented in the media handling policy and made available to all concerned.
194 | Media Handling | Management of Removable Computer Media | Is a record of all authorized removals maintained? | Authorization records should be maintained for all media removed from the organization.
195 | Media Handling | Management of Removable Computer Media | Does the vendor classify information according to www.infosec-career.com's classification scheme? | Information classification must be in line with the www.infosec-career.com information classification policy.
196 | Media Handling | Management of Removable Computer Media | Are backup media tapes moved to an offsite location? | Offsite movement of backup tapes ensures availability of data in adverse situations.
197 | Media Handling | Management of Removable Computer Media | Are formal procedures established for media tape movement to the offsite location? | An adequate procedure for media tape movement should be in place.
198 | Media Handling | Management of Removable Computer Media | Is the disposal of sensitive items logged to maintain an audit trail? | Appropriate media disposal procedures should be followed and each disposal recorded.
199 | Media Handling | Management of Removable Computer Media | Is www.infosec-career.com data sent or received via physical media, and how is physical media tracked? | A media handling officer should monitor and track media while it is in transit. A physical media handling policy should be defined and documented.
200 | Media Handling | Management of Removable Computer Media | Is the movement of removable storage media / physical documents secured as agreed with www.infosec-career.com? | Policies and procedures should be defined and documented to restrict the connection of portable removable media within internal networks to end users who have a legitimate business requirement.
201 | Media Handling | Management of Removable Computer Media | Are the servers processing www.infosec-career.com data hardened as per policy? | All servers processing www.infosec-career.com data should be hardened and secured as per the www.infosec-career.com policy.
202 | Network Security | Internet Access | Is internet access for users controlled by a central gateway and routed through a proxy server? | Access should be routed through a proxy server so that the machines in the www.infosec-career.com user segment are not directly exposed and their IP addresses are not visible to external parties.
203 | Network Security | Internet Access | Is internet access secured through a firewall? | Any access to or from the vendor network should be restricted through a firewall. The firewall should be adequately configured to prevent unauthorized access to the network.
204 | Network Security | Internet Access | Are your network devices configured to prevent communications from unapproved networks (e.g. the network devices deny all access by default, and only allow the minimum communication needed to support business and security objectives)? | The firewall should deny all traffic by default and permit only the minimum communication required for business and security purposes.
205 | Network Security | Internet Access | Do you have a dedicated group or individual(s) to administer the firewall rules? If yes, please identify the individuals, and describe how you grant permissions to access the firewall. | There must be a firewall administrator responsible for the secure configuration of the firewall and for managing the changes made to it.
206 | Network Security | Network Segregation | Do you use firewalls to define a logical network perimeter, security zones, and enclaves? | Network zones should be segregated using firewalls to protect against unauthorized access.
207 | Network Security | Network Segregation | Do you have a process to certify and authorize firewall rules on a periodic basis? If yes, please describe your process. | Firewall rules should be implemented only after the defined approval process, and the rule base should be reviewed periodically to remove rules that are no longer needed.
208 | Network Security | Remote Access | Are remote access (via Internet, Intranet, Extranet, etc.) connections to the network allowed? If yes, please describe the controls you use to secure network connectivity (e.g. firewall terminations, VPNs). | Remote access should be granted only to authorized and identified personnel after due approval.
209 | Network Security | Remote Access | Do you allow Third Parties to connect remotely to your environment? If yes, please describe your solution for Third Party remote access. | Vendors and third parties should be granted remote access only on a need-to-know and need-to-have basis, after the due approval process.
210 | Network Security | Remote Access | Does the remote access client prohibit split tunneling, thus preventing the device from accessing two separate networks simultaneously? | Split tunneling should not be allowed: a device connected to the corporate network and an untrusted network at the same time can act as a bridge for malware or data leakage.
211 | Network Security | Remote Access | Is multi-factor authentication required for remote network access? | Passwords can be shared by remote users and can be stolen or phished; to limit the impact, two-factor authentication should be required for remote access.
212 | Network Security | Remote Access | Are all your remote access sessions recorded in an audit log? If yes, please describe. | To establish an audit trail, all remote sessions should be logged.
213 | Network Security | Remote Access | Have you defined and configured remote access time limits and inactivity time limits? If yes, please describe. | Idle remote connections should be terminated after a predefined inactivity time limit.
214 | Network Security | Remote Access | Do you require your remote or non-console administrative access to systems (e.g. servers, network and wireless devices) to go through an encrypted session? | Remote administrative access should be permitted only through encrypted channels (e.g. SSH or TLS) to maintain the confidentiality and integrity of the session.
215 | Network Security | Network Segregation | Do you have a current network diagram depicting the environment of services provided? Please indicate if your network diagram includes firewalls, routers, network servers, applications, critical databases, and workstations. Please provide a copy of your current network diagram. | High-level and low-level network diagrams should be readily available with the concerned team; they are needed for troubleshooting and for verifying that segregation is implemented as designed.
216 | Network Security | Network Segregation | Do you have a data flow diagram that defines and documents all data interfaces (including remote and third parties) for secure data transmissions? Please provide a copy of your current data flow diagram. | High-level and low-level data flow diagrams should be readily available with the concerned team, showing every interface over which www.infosec-career.com data is transmitted and how each is secured.
217 | Network Security | Network Segregation | Are system components that store or process data (such as database and application servers) in an internal network zone, segregated from the DMZ and other untrusted networks? | Access to the internal network should be restricted using network segregation to avoid unauthorized access or intrusion from outside into critical internal components, servers, databases and applications.
218 | Network Security | Wireless Security | Do you have a documented wireless communications and wireless networks policy or program that has been approved by management? If yes, please provide or describe. | The wireless policy should be well documented, approved and available to those responsible for its implementation.
219 | Network Security | Wireless Security | Are your wireless network segments segregated from the network using VLANs or other appropriate technologies? | Wireless network segments should be segregated to protect sensitive LAN zones (e.g. Production/UAT/Development).
220 | Network Security | Wireless Security | Which wireless protocols do you use at your organization, and how are they configured? | Secure wireless protocols should be used (current WPA2/WPA3 with strong authentication; WEP and open networks are not acceptable) to protect wireless devices from compromise.
221 | Network Security | Wireless Security | Do you ensure that only authorized users are allowed to access wireless devices? If yes, please describe how the users are monitored and tracked. | A list of authorized users should be maintained by the wireless administrator, and only these users should be able to access the wireless network.
222 | Network Security | Network Segregation | Is the network used for providing service to www.infosec-career.com logically and physically segregated? | The www.infosec-career.com environment at the service provider's premises must be compartmentalized, separated from the rest of the provider's environment, so that no penetration is possible from other client environments or from the provider's wider network.
223 | Network Security | Secure Configuration and Patch Management | Is FTP / SFTP access granted to users on a need-only basis and restricted? | The FTP facility should be provided based on business requirement and not made available to all users.
224 | Network Security | Secure Configuration and Patch Management | Are the FTP sessions for communication with www.infosec-career.com encrypted? | File transfer sessions with www.infosec-career.com should be encrypted (SFTP or FTPS); plain FTP sends credentials and data in clear text and can be sniffed.
225 | Network Security | Secure Configuration and Patch Management | Is there a process for implementing security patches? | All network elements and systems should be updated with the latest security patches, and a patch management process (testing, approval and deployment timelines) should be established.
226Network SecurityAuthorized devicesDoes your company have a policy or documented controls over devices that connect to the network, so that only authorized devices are allowed to connect to the network or to devices that connect to the network?security controls like, port mapping, should be used to allow white listed / authorized devices to connect network
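Items 211 and 213 above ask the vendor whether remote access enforces multi-factor authentication and an inactivity limit; an assessor usually wants evidence rather than a yes/no. The following Python script is an added example, not part of the checklist, that reads an OpenSSH `sshd_config` and a login profile and reports both items. The two sample configurations are constructed, `MAX_IDLE_SECONDS` is an assumed review threshold rather than a value from the checklist, and using a shell `TMOUT` for the user-idle limit is one common arrangement, not the only one. Note the caveat in `dead_client_limit`: sshd's `ClientAlive*` settings only drop clients that stop answering keepalives, so they do not by themselves satisfy item 213 for a user who is merely idle.

```python
"""Audit an OpenSSH sshd_config (plus a login profile) against checklist
items 211 (multi-factor authentication for remote access) and 213 (remote
inactivity limits).  Added example, not part of the checklist; the sample
configs are constructed and MAX_IDLE_SECONDS is an assumed review threshold."""
import re

MAX_IDLE_SECONDS = 900  # assumed reviewer threshold, not a checklist value

# Constructed samples: a default-like config that fails review and a hardened one.
WEAK_SSHD = """\
Port 22
PasswordAuthentication yes
#ClientAliveInterval 0
"""

HARDENED_SSHD = """\
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
ClientAliveInterval 300
ClientAliveCountMax 2
Match User backup
    AuthenticationMethods publickey
"""

HARDENED_PROFILE = "readonly TMOUT=600\nexport TMOUT\n"


def parse_sshd_config(text):
    """Return {keyword (lower-case): value} for the global section of an
    sshd_config.  sshd uses the FIRST value it meets for each keyword, so
    that is what is kept.  Parsing stops at the first 'Match' line because
    everything below it is conditional and needs a separate review."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)$", line)  # 'Key val' or 'Key=val'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def mfa_enforced(cfg):
    """Item 211: True only if every AuthenticationMethods alternative demands
    at least two distinct methods, e.g. 'publickey,keyboard-interactive'.
    The default ('any') lets a single method, such as a password, succeed."""
    methods = cfg.get("authenticationmethods", "any")
    if methods == "any":
        return False
    return all(len(set(alt.split(","))) >= 2 for alt in methods.split())


def dead_client_limit(cfg):
    """Item 213, part 1: seconds after which sshd drops a client that stops
    answering keepalives, or None if that is disabled (interval 0, or count 0
    in current OpenSSH).  Caveat: a user who is idle but whose client still
    answers keepalives is NOT disconnected by these two settings."""
    interval = int(cfg.get("clientaliveinterval", "0"))
    count = int(cfg.get("clientalivecountmax", "3"))
    if interval <= 0 or count <= 0:
        return None
    return interval * count


def shell_idle_limit(profile_text):
    """Item 213, part 2: the TMOUT value (seconds) that makes an interactive
    shell exit after real user inactivity, or None if unset or 0."""
    m = re.search(r"^\s*(?:readonly\s+|export\s+)?TMOUT=(\d+)", profile_text, re.M)
    if not m or int(m.group(1)) == 0:
        return None
    return int(m.group(1))


def audit(sshd_text, profile_text=""):
    """Map each check to (passed, detail) so a reviewer can record the result."""
    cfg = parse_sshd_config(sshd_text)
    dead = dead_client_limit(cfg)
    idle = shell_idle_limit(profile_text)
    return {
        "211 mfa": (mfa_enforced(cfg),
                    "AuthenticationMethods=" + cfg.get("authenticationmethods", "any")),
        "213 dead client": (dead is not None and dead <= MAX_IDLE_SECONDS,
                            f"ClientAliveInterval*CountMax={dead}"),
        "213 shell idle": (idle is not None and idle <= MAX_IDLE_SECONDS,
                           f"TMOUT={idle}"),
    }


if __name__ == "__main__":
    for label, text, profile in (("weak", WEAK_SSHD, ""),
                                 ("hardened", HARDENED_SSHD, HARDENED_PROFILE)):
        print(f"--- {label} ---")
        for check, (passed, detail) in audit(text, profile).items():
            print(f"{'PASS' if passed else 'FAIL'}  {check:18} {detail}")
```

Run against a vendor-supplied `sshd_config` and `/etc/profile.d` file, the three PASS/FAIL lines give the evidence to paste into the Response column for items 211 and 213. The `Match` block in the hardened sample is there deliberately: settings below it override the global ones for specific users, so a reviewer has to read those blocks separately rather than trust the global section alone.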



