Contact Information
Company Name: _____________________________________________________________________
Respondent Name: _________________________________ Phone: _________________________
Respondent Business Email Address: ______________________________________________________
Respondent Title: ______________________________________________________________________
Incident Response Contact Name: _________________________________________________________
Incident Response Contact Title: ___________________________________________________________
Incident Response Contact Phone: _________________________________________________________
Incident Response Contact Email Address: ___________________________________________________
Basics & Email Security
- Does your organization have a written privacy policy or privacy notice reviewed by an attorney and updated at least annually?
Yes No
- Does your organization have any documented information security policies and procedures in place that are updated annually (if so, please include them with your response to this questionnaire)?
Yes No
- Does your business have a written business continuity plan that is available in the event of a complete system outage?
Yes No
- How frequently is this plan tested?
a. Weekly b. Monthly c. Every two months d. Quarterly e. Annually
- Does your organization employ Intrusion Detection and/or Prevention (IDS/IPS) solutions, or Endpoint Detection and Response (EDR) solutions (for example, antivirus software or an EDR product such as SentinelOne)?
Yes No
- Do you publish SPF records for your email-sending domains?
Yes No
- Do you sign outbound email with DKIM?
Yes No
- Do you publish a DMARC policy for your domains?
Yes No
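The three questions above capture only a yes/no claim. The following is an added example, not part of the questionnaire, showing how an assessor can check what a respondent's DNS actually publishes: it parses SPF, DMARC and DKIM TXT records and flags settings that leave a domain spoofable (a missing or permissive `all` term, more than the 10 DNS lookups allowed by RFC 7208, `p=none`, a partial `pct`, no aggregate-report address, a revoked DKIM key). The domain names and TXT records below are constructed for illustration; a real check would fetch them with `dig TXT` or a DNS library instead of reading them from the embedded dictionary.

```python
# Constructed sample DNS TXT records for two hypothetical domains. These are
# not real records; replace this dictionary with live lookups in practice.
SAMPLE_TXT = {
    "vendor.example": ["v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all"],
    "_dmarc.vendor.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example"],
    "selector1._domainkey.vendor.example": ["v=DKIM1; k=rsa; p=Zm9vYmFy"],  # fake key
    "weak.example": ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "selector1._domainkey.weak.example": ["v=DKIM1; p="],  # empty p= means revoked
}

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 limit: 10).
SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record: str) -> dict:
    """Return the qualifier of the 'all' term and the number of lookup-costing terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result = {"all": None, "lookups": 0}
    for term in terms[1:]:
        qualifier, body = "+", term
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        # Mechanism name precedes any ':' argument, '=' modifier value or '/' CIDR.
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            result["all"] = qualifier
        elif name in SPF_LOOKUP_MECHS:
            result["lookups"] += 1
    return result


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record (DMARC and DKIM share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, txt: dict, dkim_selectors=("selector1",)) -> list:
    """Return a list of findings; an empty list means SPF, DMARC and DKIM look sound."""
    findings = []

    spf_recs = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf_recs) != 1:
        findings.append(f"SPF: expected exactly one record, found {len(spf_recs)}")
    else:
        spf = parse_spf(spf_recs[0])
        if spf["all"] is None:
            findings.append("SPF: no 'all' term; unlisted senders are implicitly neutral")
        elif spf["all"] == "+":
            findings.append("SPF: '+all' authorizes every sender on the internet")
        elif spf["all"] == "?":
            findings.append("SPF: '?all' is neutral; it does not protect the domain")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} DNS lookups exceed the RFC 7208 limit of 10")

    dmarc_recs = txt.get("_dmarc." + domain, [])
    if not dmarc_recs:
        findings.append("DMARC: no record published")
    else:
        tags = parse_tags(dmarc_recs[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: unrecognised or missing policy '{policy}'")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address; aggregate reports are not collected")
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of mail")

    for selector in dkim_selectors:
        recs = txt.get(f"{selector}._domainkey.{domain}", [])
        if not any(parse_tags(r).get("p") for r in recs):
            findings.append(f"DKIM: selector '{selector}' has no public key (missing or revoked)")

    return findings


if __name__ == "__main__":
    for name in ("vendor.example", "weak.example"):
        print(name, assess_domain(name, SAMPLE_TXT) or ["no findings"])
```

The DKIM check only covers the selectors you name; a respondent should tell you which selectors their mail platform signs with, since selectors cannot be enumerated from DNS. Treat an empty findings list as a starting point for the conversation, not proof: SPF and DKIM only matter if DMARC is set to `quarantine` or `reject` and is actually enforced by the receiving side.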
- How do you encrypt customer data (in transit, at rest, etc.)? Please upload any relevant documentation regarding this question. ___________________________________________________________________________________________________________________________________________________________________________________
- How are employees, contractors, and customers required to authenticate, if at all (describe the use of 2FA/MFA, password complexity requirements, password hashing, single sign-on, etc.)? ______________________________________________________________________________________________________________________________________________________________________________________________________________________
- Is 2FA or MFA required for employees/contractors to log into all production systems?
Yes No N/A
Security Frameworks and Supply Chains
- Which, if any, security frameworks are you using (e.g. NIST Cybersecurity Framework 1.1 or 2.0, PCI DSS, SOC 2, etc.)? ______________________________________________________________________________________________________________________________________________________________________________________________________________________
- If using a security framework, does your organization engage independent third-party auditors to assess whether you are in compliance with that framework?
Yes No
- How frequently do you evaluate your adherence to your organization’s security frameworks or documented policies and procedures? ________________________________________________
- If you’re not using any security frameworks, how does your organization evaluate the security of your environment, products, services, etc.? ___________________________________________________________________________________________________________
- Have you evaluated the security of your supply chain vendors (those who provide products and/or services to you)?
Yes No
- Do you actively monitor threat intelligence feeds, cybersecurity resources, and/or vulnerability reports that pertain to you or your supply chain vendors’ systems, products, and/or services?
Yes No
Service Scope
- Name of application or service being provided: _______________________________________
- What technology languages/platforms/stacks/components are utilized in the scope of the application or service provided (e.g. JavaScript, Python, AWS, Azure, Go, etc.)? ______________________________________________________________________________________________________________________________________________________________________________________________________________________
- Is your service run from:
a.) your own data center
b.) the public cloud
c.) hybrid (on-prem and cloud)
d.) on-prem only?
- Which cloud providers do you rely on, if any? __________________________________________
- What forms of Non-Public Personal Information (NPPI) do you collect from <COMPANY NAME>, its employees, and/or customers (e.g. Social Security Numbers, addresses, phone numbers)?
________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
Data Backups and NPPI
- Do you restrict access to NPPI (Non-Public Personal Information) or any other sensitive data using Identity and Access controls? If so, please describe here. ______________________________________________________________________________________________________________________________________________________________________________________________________________________
- Do you inform consumers before collecting NPPI as to what information will be collected and the purposes that this information will be used for?
Yes No
- Do you have a means to provide a copy of the collected NPPI free of charge to any consumer requesting it within 45 calendar days of receiving the request? If so, please describe this mechanism.
Yes No
________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
- Do you have a means to delete all the collected NPPI free of charge to any consumer requesting it? If so, please describe this mechanism.
Yes No
________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
- Do you sell or disclose for business purposes any NPPI collected from <COMPANY NAME>, its employees, or any of its customers?
Yes No
- Which groups of employees (or how many employees) have access to NPPI or any other sensitive data? ___________________________________________________________________________________________________________
- In the event of an information security breach involving NPPI, do you agree to disclose this event immediately (unless delayed for criminal investigation)?
Yes No
- Are backups made of any data collected from <COMPANY NAME>, its employees, or customers?
Yes No
- If backups are made, do they contain any NPPI?
Yes No N/A
- If backups are made, how are they stored and encrypted?
________________________________________________________________________________________________________________________________________________________________________________________________________________
Authentication & Infosec Details
- Does your organization operate a SIEM or SOC, or engage a third-party vendor to provide these services?
Yes No
- Please describe the structure, composition, and reporting line of any dedicated information security team (if one exists). ______________________________________________________________________________________________________________________________________________________________________________________________________________________
- Please describe your process for evaluating risk, or the risk management procedures used at your organization, including which frameworks these policies align with (e.g. NIST CSF, ISO/IEC 27001, etc.).
________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
- Are disciplinary policies established for employees who have violated security policies and procedures?
Yes No N/A
- Are employees required to sign confidentiality agreements, acceptable use policies, or other information security policies to acknowledge their understanding of these requirements?
Yes No N/A
- Are employees trained on how to handle NPPI, phishing emails, malicious or suspected malicious events on a regular basis? If so, please describe the method and frequency of training.
Yes No
____________________________________________________________________________________________________________________
- Are background checks performed on any employees who might handle NPPI?
Yes No
- Does your organization have an active cybersecurity insurance policy?
Yes No