
Vendor Risk Assessment Template
A vendor risk assessment questionnaire (also known as a third-party
risk assessment questionnaire) is designed to help your organization
identify potential weaknesses among your third-party vendors and
partners that could result in a data breach, data leak or other type of
cyber attack.

Vendor security assessment questionnaires are one part of verifying that your service providers are following appropriate information security practices, and they can also feed into incident response planning and disaster recovery.

We have broken down the risk assessment questionnaire template into four sections of questions:

1. Information security and privacy questions
2. Physical and data center security questions
3. Web application security questions
4. Infrastructure security questions

www.upguard.com 1
Information Security and Privacy Questions

• Does your organization process personally identifiable information (PII) or protected health information (PHI)?
• Does your organization have a security program?
• If so, what standards and guidelines does it follow?
• Does your information security and privacy program cover all operations, services and systems that process sensitive data?
• Who is responsible for managing your information security and privacy program?
• What controls do you employ as part of your information security and privacy program?
• Please provide a link to your public information security and/or privacy policy.
• Are there any additional details you would like to provide about your information security and privacy program?
• What regulations and other requirements does your organization have to comply with?

Physical and Data Center Security Questions

• Are you in a shared office?
• Do you review physical and environmental risks?
• Do you have procedures in place for business continuity in the event that your office is inaccessible?
• Do you have a written policy for physical security requirements for your office?
• Is your network equipment physically secured?
• What data center providers do you use, if any?
• How many data centers store sensitive data?
• What countries are your data centers located in?
• Are there any additional details you would like to provide about your physical and data center security program?

Web Application Security Questions

• What is the name of your application, and what does it do?
• Do you have a bug bounty program or another way for outsiders to report vulnerabilities?
• Does your application serve all traffic over HTTPS with a valid TLS certificate, so that user sessions are protected from man-in-the-middle attacks?
• Does your application require login credentials?
• How do users get their initial password?
• Do you have minimum password security standards?
• How do you store passwords (for example, which hashing scheme do you use)?
• Do you offer single sign-on (SSO)?
• How can users recover their credentials?
• Does your application employ a defense in depth strategy? If so, what?
• How do you regularly scan your application and its dependencies for known vulnerabilities (CVEs)?
• How do you do quality assurance?
• Do you employ penetration testing?
• Who can we contact for more information related to your web application security?

Infrastructure Security Questions

• Do you have a written network security policy?
• Do you use a VPN?
• Do you employ server hardening?
• How do you keep your server operating systems patched?
• Do you log security events?
• What operating systems are used on your servers?
• Do you back up your data?
• How do you store backups?
• Do you test backups?
• Who manages your email infrastructure?
• How do they prevent email spoofing (e.g. SPF, DKIM, DMARC)?
• How do you protect employee devices from ransomware and other types of malware?
• What operating systems do employee devices use?
• Are employee devices encrypted?
• Do you employ a third party to test your infrastructure security?
• Who can we contact in relation to infrastructure security?
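A vendor's answer to the email spoofing question can be checked independently, because DMARC and SPF policies are published in public DNS TXT records. The script below is an added example written for this page; it is not UpGuard's code or part of the template. It parses the DMARC record (the `v=DMARC1; p=...; pct=...; rua=...` tag syntax from RFC 7489) and the `all` qualifier of the SPF record (RFC 7208), then grades how much protection the vendor actually gets. The three vendor domains and their records are constructed sample data; to check a live vendor, fetch the TXT records for `_dmarc.<domain>` and `<domain>` (for example with `dig TXT _dmarc.vendor.example`) and pass them to `evaluate()`.

```python
"""Grade a vendor's anti-spoofing posture from its SPF and DMARC TXT records.

Added example for the questionnaire above, not part of the original template.
All records below are constructed sample data for hypothetical vendors.
"""
from dataclasses import dataclass, field

# Constructed sample TXT records (hypothetical vendor domains).
SAMPLE_RECORDS = {
    "vendor-a.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example; pct=100",
    },
    "vendor-b.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@vendor-b.example",
    },
    "vendor-c.example": {
        "spf": "v=spf1 a mx +all",
        "dmarc": None,  # no _dmarc TXT record published at all
    },
}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, or None if not a DMARC record."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'), or None."""
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        qualifier = "+"  # SPF default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifier
    return None  # no 'all' term: receivers treat unmatched senders as neutral


@dataclass
class SpoofingAssessment:
    domain: str
    dmarc_policy: str      # "reject", "quarantine", "none" or "missing"
    dmarc_pct: int         # share of failing mail the policy applies to
    spf_all: str           # "-", "~", "?", "+" or "missing"
    has_reporting: bool    # rua/ruf tag present
    findings: list = field(default_factory=list)


def evaluate(domain, spf_record, dmarc_record):
    """Build an assessment with human-readable findings for the questionnaire."""
    findings = []
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        policy, pct, reporting = "missing", 0, False
        findings.append("no DMARC record: receivers enforce nothing for this domain")
    else:
        policy = dmarc.get("p", "none").lower()
        try:
            pct = int(dmarc.get("pct", "100"))
        except ValueError:
            pct = 100  # RFC 7489 default when the tag is malformed
        reporting = "rua" in dmarc or "ruf" in dmarc
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
        if not reporting:
            findings.append("no rua/ruf tag: vendor receives no DMARC reports")
    spf = spf_all_qualifier(spf_record)
    if spf is None:
        spf = "missing"
        findings.append("no SPF record or no 'all' mechanism: SPF gives no protection")
    elif spf == "+":
        findings.append("SPF +all: every sender passes, the record is useless")
    elif spf == "?":
        findings.append("SPF ?all: neutral result, no protection")
    return SpoofingAssessment(domain, policy, pct, spf, reporting, findings)


def grade(assessment):
    """Collapse an assessment into a rating to record against the vendor's answer."""
    if assessment.dmarc_policy in ("reject", "quarantine"):
        return "enforced" if assessment.dmarc_pct == 100 else "partial"
    if assessment.dmarc_policy == "none":
        return "monitoring"
    return "unprotected"


if __name__ == "__main__":
    for name, records in SAMPLE_RECORDS.items():
        result = evaluate(name, records["spf"], records["dmarc"])
        print(f"{name}: {grade(result)}")
        for finding in result.findings:
            print(f"  - {finding}")
```

A vendor that answers "we use DMARC" but publishes `p=none` is only collecting reports, not blocking spoofed mail, so the questionnaire answer should be recorded as "monitoring" rather than accepted as a control; the `pct` check catches the common partial rollout that is often forgotten.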

Questions? We have answers. We're here to help: shoot us an email at sales@upguard.com

Know your vendors. Secure yourself.

Looking for a better, smarter way to protect your data and prevent breaches?

UpGuard offers a full suite of products for security, risk and vendor management teams.

Trusted by hundreds of companies worldwide

www.upguard.com 650 Castro Street, Suite 120-387, Mountain View CA 94041 United States

+1 888-882-3223
©2022 UpGuard, Inc. All rights reserved. UpGuard and the UpGuard
logo are registered trademarks of UpGuard, Inc. All other products or
services mentioned herein are trademarks of their respective companies.
Information subject to change without notice.
