
Title: Vendor Compliance Questionnaire
Revision: 1.3
Page: 1 of 4

Vendor Compliance Questionnaire

Vendor Name:
Legal Name (if different from vendor name):
Company Information
1. Mailing Address:
   Street 1:
   Street 2:
   City:
   State:
   Zip Code:
   Country:
2. Please provide contact information for general inquiries related to this engagement.
   ✔ Email:
   ✔ Phone:
   URL:

   Please provide contact information for financial inquiries related to this engagement.
   ✔ Finance Dept Email:
   ✔ Finance Dept Phone:
3. Describe your organization's background and the types of services that you will provide to DCL/ESILAB.

4. What is the size of your organization?
   0 – 50 employees
   50 – 100 employees
   100+ employees
Data Management
1. How is data being shared to/from DCL/ESILAB?
   Secure File Transfer Protocol
   Application Programming Interface (API)
   Data accessed via DCL/ESILAB Citrix
   N/A – there is no data being shared
2. Do you have a documented Privacy Policy in place?
   *Please submit a copy of your current Privacy Policy.
   Yes, the policy was reviewed within the last year.
   Yes, the policy was reviewed over a year ago.
   No, there is no policy in place.
3. Do you have a documented and tested Data Retention and Destruction Policy in place?
   *Please submit a copy of your current Data Retention and Destruction Policy.
   Yes, the policy was reviewed within the last year.
   Yes, the policy was reviewed over a year ago.
   No, there is no policy in place.
4. How long do you store client data if no specific requirement is provided?
   0 – 1 year
   2 – 3 years
   4 – 5 years
   7+ years
   Indefinitely
5. Do you have a documented and tested Access Control Policy in place for granting, revoking, handling and documenting access control?
   Yes, the policy was reviewed within the last year.
   Yes, the policy was reviewed over a year ago.
   No, there is no policy or plan in place.
6. Which of the following safeguards do you have to limit resource access to client data?
   Written policies
   Role-based access limitations
   Confidentiality agreements
   Periodic privacy and security training
   Removal of access upon contract termination
   Workstation/device security
   Password enforcement
   None
   Other:
Operations
1. Do you have a documented and tested Incident Response Plan in place?
   *Please submit a copy of your current Incident Response Plan.
   Yes, the plan was reviewed within the last year.
   Yes, the plan was reviewed over a year ago.
   No, there is no plan in place.
2. Have you ever experienced a cybersecurity incident or data breach? This includes network, systems, software, etc.
   If yes, please attach documentation of the breach and the remediation steps taken.
   Yes, over 1 year ago.
   Yes, less than 1 year ago.
   No.
3. Does your incident response plan include a timely notification process to the client if an incident has occurred?
   Yes, there is a process in place; incidents are shared within 24 hours.
   Yes, there is a process in place; incidents are shared within 48 hours.
   No, there is no notification process in place.
4. Do you have a documented process or plan in place for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures of your organization's information security?
   Yes, there is a process in place; annual testing is conducted.
   Yes, there is a process in place; annual testing is not conducted.
   No, there is no process or plan in place.
Business Continuity


1. Do you have a documented and tested Business Continuity and/or Disaster Recovery Plan in place?
   *Please submit a copy of your current Business Continuity and/or Disaster Recovery Plan.
   Yes, the plan was reviewed within the last year; attached is a copy.
   Yes, the plan was reviewed over a year ago; attached is a copy.
   No, there is no plan in place.
2. Do you have documented roles, responsibilities and authorities that have been communicated to all relevant parties within your organization in case of a disruptive incident? Examples may include a key decision maker chart or operating model.
   Process is captured in the Business Continuity Plan
   Process Description:
3. Do you have a designated Information Security Officer within your organization who is properly involved in, and notified in a timely manner of, all issues which relate to the protection of data? If Yes, please provide the name and contact information.
   Yes
     Name:
     Email:
     Phone:
   No
4. Please describe the process of notifying the DCL/ESILAB team and documenting any facts relating to a work outage, its effects and the remedial actions that are to be taken.
   Process is captured in the Business Continuity Plan
   Process Description:
Quality
1. What safeguards do you have in place to ensure the quality of your deliverables?
   Centralized Quality Control Team
   Automated Quality Control
   Clearly Documented Best Practices and Procedures
   None
   Other:
Financial
1. How do you track your deliverables and ensure the accuracy of your invoices?
   Unit Tracking System
   Manual Procedures
   Rely on DCL/ESILAB Reporting
   None
   Other:
2. Who reviews your invoices before they are submitted?
   Name:
   Email:
   Phone:


Signature:
Date:
Name:
Title:
Email:

If you have any questions or concerns regarding this questionnaire, please email

☐ Privacy Policy
☐ Data Retention and Destruction Policy
☐ Business Continuity Policy
☐ Disaster Recovery Policy
☐ Incident Response Plan

Proprietary
All printed copies are uncontrolled
