Instructions

Please use this spreadsheet to bulk import Vendor Management questions and answers into Certification Automation. It's broken down into three tabs:
- Instruction tab: Outlines each field included in the import, what it's for, and the different scenarios that can be handled.
- Upload tab: Enter your question and answer information here to import it into Certification Automation.
- Reference Info tab: Lists your content and Certification Automation content that can be leveraged when filling in the Upload tab.

Field Descriptions

Question ID: Optional - A unique ID associated with a question. If it's blank, a unique ID is generated (ex: VQ-001).
Question: Required - The question you would like to ask the vendor.
Answer: Optional - A drop-down of possible answer options (the allowed values are listed on the Reference Info tab).
Answer Details: Optional - Text details giving further clarification of the answer.
All other columns: Will not impact the import, but will also not be imported into Certification Automation.

Entering Content

Add new question: Enter a unique question ID, or leave it blank, and provide the question text.
Update existing question: Enter an existing question ID and update the question text.
Answers and answer details: Fill out the Answer column and the Answer Details column.

Proprietary/Internal
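The field rules and the add/update scenarios above are easy to get wrong in a sheet that is filled in by hand, so it helps to check an exported Upload tab before importing it. The validator below is an added example, not Certification Automation's own code or import logic. It assumes the Upload tab was exported to CSV with the header names "Question ID", "Question", "Answer" and "Answer Details" (the sheet's own column labels), that generated IDs take the VQ-nnn shape shown in the instructions, and that answers are compared case-insensitively; the sample rows are constructed for the demonstration.

```python
import csv
import io

# Limits stated on the Upload tab; allowed answers from the Reference Info tab.
MAX_ID_LEN, MAX_QUESTION_LEN, MAX_DETAILS_LEN = 32, 1500, 7000
ALLOWED_ANSWERS = {"yes", "no", "na"}


def _next_generated_id(taken):
    """Smallest VQ-nnn (assumed shape, e.g. VQ-001) not already in `taken`."""
    n = 1
    while f"VQ-{n:03d}" in taken:
        n += 1
    return f"VQ-{n:03d}"


def validate_upload(csv_text, existing_ids=()):
    """Check an exported Upload tab against the sheet's rules.

    Returns (actions, errors). `actions` lists what a clean import would do,
    one dict per data row: action "add" or "update", the (possibly generated)
    id, and the normalised fields. `errors` lists row-level problems; a file
    with any error should be rejected rather than partially imported.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    needed = ["Question ID", "Question", "Answer", "Answer Details"]
    missing = [c for c in needed if c not in (reader.fieldnames or [])]
    if missing:
        return [], [f"missing column(s): {', '.join(missing)}"]

    taken = set(existing_ids)      # ids a generated id must not collide with
    seen_in_file = set()           # ids already used earlier in this file
    actions, errors = [], []
    for line_no, row in enumerate(reader, start=2):   # row 1 is the header
        # "All other columns" are ignored: only the four named fields are read.
        qid = (row["Question ID"] or "").strip()
        question = (row["Question"] or "").strip()
        answer = (row["Answer"] or "").strip().lower()   # assumption: case-insensitive
        details = (row["Answer Details"] or "").strip()

        if not question:
            errors.append(f"row {line_no}: Question is required")
        elif len(question) > MAX_QUESTION_LEN:
            errors.append(f"row {line_no}: Question exceeds {MAX_QUESTION_LEN} chars")
        if len(qid) > MAX_ID_LEN:
            errors.append(f"row {line_no}: Question ID exceeds {MAX_ID_LEN} chars")
        if answer and answer not in ALLOWED_ANSWERS:
            errors.append(f"row {line_no}: Answer must be one of yes/no/na, got {answer!r}")
        if len(details) > MAX_DETAILS_LEN:
            errors.append(f"row {line_no}: Answer Details exceeds {MAX_DETAILS_LEN} chars")
        if qid and qid in seen_in_file:
            errors.append(f"row {line_no}: Question ID {qid} appears twice in this file")

        # Scenario mapping from the Instruction tab: a known id updates the
        # existing question; a new or blank id adds one (blank gets generated).
        if qid in existing_ids:
            action = "update"
        else:
            action = "add"
            if not qid:
                qid = _next_generated_id(taken | seen_in_file)
        seen_in_file.add(qid)
        taken.add(qid)
        actions.append({"row": line_no, "action": action, "id": qid,
                        "question": question, "answer": answer, "details": details})
    return actions, errors


# Constructed sample: an update of an existing id, an add with a blank id
# (so an id is generated), and a row whose Answer is not in the drop-down.
SAMPLE_CSV = """\
Question ID,Question,Answer,Answer Details,Internal notes
VQ-001,Description of your product or service,,,reviewed last quarter
,Is sensitive data encrypted at rest? What encryption protocols are utilized?,yes,AES-256 at rest,
VQ-042,Do you have a passwords policy? Please provide a copy of the policy.,maybe,,ask legal
"""

if __name__ == "__main__":
    acts, errs = validate_upload(SAMPLE_CSV, existing_ids={"VQ-001", "VQ-002"})
    for a in acts:
        print(a["row"], a["action"], a["id"])
    for e in errs:
        print("ERROR:", e)
```

Run against the sample with VQ-001 and VQ-002 already present, the first row is an update, the blank-id row is an add that receives VQ-003 (the lowest free number), VQ-042 is an add, and the "maybe" answer is reported as an error so the file is not imported with a value the drop-down would reject.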
Upload tab

Basic Question Information

Question ID (optional field, max 32 char), one per row:
VQ-001, VQ-002, VQ-003, VQ-004, VQ-005, VQ-006, VQ-007, VQ-008, VQ-009, VQ-010,
VQ-011, VQ-012, VQ-013, VQ-014, VQ-015, VQ-016, VQ-017, VQ-018, VQ-019, VQ-020,
VQ-021, VQ-022, VQ-023, VQ-024, VQ-025, VQ-026, VQ-027, VQ-028, VQ-029, VQ-030,
VQ-031, VQ-032, VQ-033, VQ-034, VQ-035, VQ-036, VQ-037, VQ-038, VQ-039, VQ-040

Question (required field, max 1500 char), one per row:
- Description of your product or service
- Data protection role (controller, joint-controller, processor or sub-processor of sensitive data?)
- Does your organization have a security and privacy program and policies? Please provide a copy of these.
- Do you have a designated security/privacy lead who manages your security program? Provide contact information.
- Provide contact details for security and privacy related inquiries.
- Do you have publicly published privacy and security policies? Provide public links to your Privacy and Security policies.
- List any security or privacy certifications or frameworks that you have or can attest to.
- Please attach a copy of the below
  1. Most recent SOC 1 or SOC 2 attestation report
  2. ISO Certificate and Statement of Applicability
  3. Consensus Assessments Initiative Questionnaire (CAIQ)
  4. Penetration testing (redacted version)
  5. A copy of policies and procedures followed at your organization
  6. PCI DSS Compliant certificate
  7. Any other security or privacy certifications or frameworks compliance report, as applicable
- Do you have a security awareness training program for organization members?
- Do you have a data access control policy with monitoring? List the roles in the organization who have access to sensitive data.
- Do you have a 3rd party vendor assessment and data access policy? Please provide a copy of these.
- List the roles of any 3rd party to the organization who may have access to sensitive data and under what circumstances.
- Do you have a customer information policy? Please provide a copy of the policy.
- Do you have an information security/sensitivity policy? How do you determine what is sensitive data and how is each level of information handled? Please provide a copy of the policy.
- Is sensitive data encrypted in transit? Do you have an encryption protocol policy? Please provide a copy of the policy.
- Is sensitive data encrypted at rest? What encryption protocols are utilized?
- Is any vendor software required to be installed on customer systems?
- What are the update mechanisms for vendor software?
- Do you manage your own datacenter and servers? Identify the physical precautions used to protect the data center.
- Do you have a passwords policy? Please provide a copy of the policy.
- Do you have a system access control policy with monitoring? Please provide a copy of the policy.
- Do you have a server software update policy? Describe the update and patching mechanisms for operating systems and software to ensure that these are kept up to date. Please provide a copy of the policy.
- Do you have a vulnerability scanning policy? Describe the vulnerability assessments implemented and their frequency. Please provide a copy of the policy.
- Describe how your organization enables data subjects' rights of access, rectification, erasure, blocking and objection.
- Do you have a server security policy, and how is data integrity maintained? Please provide a copy of the policy.
- Describe the server logs that your organization keeps and the monitoring and auditing performed on an ongoing basis.
- Do you use an independent certification authority to monitor and/or audit logs in order to ensure that measures are implemented on an ongoing basis?
- Do you have a customer information possession policy? Describe your policy and the conditions for returning sensitive data and destroying the data once the service is terminated. Please provide a copy of the policy.
- Can you commit to keeping customer information for a strict minimum amount of time after the customer stops use?
- Do you have a procedure for returning personal data in a format allowing data portability?
- Do you retain customer information in backups after a customer has deleted (or requested deletion of) the data?
- Do you have an equipment disposal policy? Please provide a copy of the policy.
- How do you enforce organization policies in your security and privacy program?
- Do you have policies in place to ensure and assess compliance by your partners or 3rd party vendors?
- Can you provide evidence for your security and privacy program to demonstrate that policies and controls are appropriate?
- Can you provide evidence for implementation of your security and privacy controls?
- Do you have an incident response policy? How does your organization define a security incident and a personal information data breach? Please provide a copy of the policy.
- Describe how customers will be informed of personal data and data security breaches affecting a customer's data processed by you and your subcontractors, and within what timeframe.
- Do you have a business continuity plan?
- Can customer data be retrieved in the event of a disaster or if your organization closes?
- Do you have a standard SLA (service level agreement) policy? What are the SLA details? Please provide a copy of the policy.
- Do you have a process to restore your service in the event of catastrophic failure? Describe the process and expected recovery times.

Advanced Question Information

Answer (optional field; yes/no/na are the possible answers)
Answer Details (optional field, max 7000 char)

Reference Info tab

Reference Information

Answer: yes, no, na