When evaluating potential vendors or conducting the annual review of existing ones, the following are areas of security assessment to consider:
Information Security Policy
Is there an established information security policy reviewed at least on an annual basis?
Does it cover incident management?
Is there an exception process?
Are there clear security responsibilities, controls, and reporting?
Asset Management
Is there a formal asset management structure in place to ensure that information security, privacy controls, and data protection are appropriately designed and effective?
Is the program approved by senior management and communicated to appropriate employees?
Is everything that stores or processes data included in the asset management plan (hardware, data, applications, databases, etc.)?
Human Resources Security
Do new employees receive training on information security, confidentiality, and acceptable use before they have access to company resources?
Are privileges and access rights reviewed and adjusted on role changes and on termination of employment?
Physical and Environmental Security for Data Stored On-Site
Is physical access to the server room on an “as needed” basis?
Is there electronic access control with multi-factor authentication?
Is there continuous monitoring of electric power, HVAC, and other environmental factors?
If the service is hosted by an IaaS vendor such as AWS, do you know which vendor it is and how that vendor handles physical and environmental security?
Access Control
Is multi-factor authentication required for all access to company resources?
Does the vendor’s authentication capability align with your company policy (i.e. password complexity, single sign-on, password rotation interval)?
Incident Management and Communications
Does the vendor’s incident management program address unauthorized access, a network or system attack, loss of service availability, and data breach detection and response?
Does incident response include a plan for detection, investigation, containment, and remediation?
Does the incident management program include timely notifications to customers and appropriate coordination with law enforcement and regulatory agencies?
Business Resiliency
Does the vendor have business continuity plans and procedures to resume business operations in the event of service disruption or supply chain failures?
If your vendor hosts with a third-party IaaS vendor such as AWS, do they use that vendor’s availability features for high availability and failover to other regions?
Compliance
Does the vendor comply with regulatory mandates and industry-accepted best practices?
What certifications do they hold and maintain, and what are their plans for future audits and certifications (e.g. SOC 2, ISO 27001, etc.)?
In the case of an existing vendor, have they complied with contractual requirements?
End User Device Security
Is there an effective policy in place for all devices that access data (laptops, desktops, tablets, mobile phones), covering passcode requirements, encryption, mobile device tracking, and remote wipe capabilities?
Do users sign an agreement regarding obligations and rights to these devices as part of the onboarding process?
Are there consequences for non-compliance with policies?
Privacy
Does the vendor have a privacy program to protect the privacy of data during collection and/or creation, processing, transferring, storage, retention, and destruction?
Does the program identify where data is at any time, including where it is stored, accessed, or transferred? If the data may cross international borders, have the data security and privacy regulations of those countries been identified and addressed?
Threat Management
Is there ongoing vulnerability scanning and penetration testing that mimics the actions of an attacker and tests the overall strength of the defenses?
Are network and security events logged and analyzed on a routine basis?