| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Owner | 2.11 Question ID | 2.11 Question | Vendor Action | OPTIONS | ||||||||||||||||||||||
2 | GNRL-01 | Vendor Name | |||||||||||||||||||||||||
3 | GNRL-02 | Product Name | |||||||||||||||||||||||||
4 | GNRL-03 | Product Description | |||||||||||||||||||||||||
5 | GNRL-04 | Web Link to Product Privacy Notice | |||||||||||||||||||||||||
6 | GNRL-05 | Vendor Contact Name | |||||||||||||||||||||||||
7 | GNRL-06 | Vendor Contact Title | |||||||||||||||||||||||||
8 | GNRL-07 | Vendor Contact Email | |||||||||||||||||||||||||
9 | GNRL-08 | Vendor Contact Phone Number | |||||||||||||||||||||||||
10 | GNRL-09 | Vendor Data Zone | |||||||||||||||||||||||||
11 | GNRL-10 | Institution Data Zone | |||||||||||||||||||||||||
12 | GNRL-11 | Institution's Security Analyst/Engineer | |||||||||||||||||||||||||
13 | GNRL-12 | Assessment Contact | |||||||||||||||||||||||||
14 | Charlie | QUAL-01 | Does your product process protected health information (PHI) or any data covered by the Health Insurance Portability and Accountability Act? | Update any existing response | |||||||||||||||||||||||
15 | Charlie | QUAL-02 | Does the vended product host/support a mobile application? (e.g. app) | Removed; No longer relevant | |||||||||||||||||||||||
16 | Charlie | QUAL-03 | Will institution data be shared with or hosted by any third parties? (e.g. any entity not wholly-owned by your company is considered a third-party) | Update any existing response; migrated to QUAL-02 | |||||||||||||||||||||||
17 | Charlie | QUAL-04 | Do you have a Business Continuity Plan (BCP)? | Update any existing response; migrated to QUAL-03 | |||||||||||||||||||||||
18 | Charlie | QUAL-05 | Do you have a Disaster Recovery Plan (DRP)? | Update any existing response; migrated to QUAL-04 | |||||||||||||||||||||||
19 | Charlie | QUAL-06 | Will data regulated by PCI DSS reside in the vended product? | Update any existing response; migrated to QUAL-05 | |||||||||||||||||||||||
20 | Charlie | QUAL-07 | Is your company a consulting firm providing only consultation to the Institution? | Update any existing response; migrated to QUAL-06 | |||||||||||||||||||||||
21 | Charlie | DOCU-01 | Have you undergone a SSAE 18 audit? | Update any existing response | |||||||||||||||||||||||
22 | Charlie | DOCU-02 | Have you completed the Cloud Security Alliance (CSA) self assessment or CAIQ? | Update any existing response | |||||||||||||||||||||||
23 | Charlie | DOCU-03 | Have you received the Cloud Security Alliance STAR certification? | Update any existing response | |||||||||||||||||||||||
24 | Charlie | DOCU-04 | Do you conform with a specific industry standard security framework? (e.g. NIST Cybersecurity Framework, ISO 27001, etc.) | Update any existing response | |||||||||||||||||||||||
25 | Charlie | DOCU-05 | Are you compliant with FISMA standards? | New answer required | |||||||||||||||||||||||
26 | Charlie | DOCU-06 | Does your organization have a data privacy policy? | Update any existing response; migrated to DOCU-07 | |||||||||||||||||||||||
27 | Charlie | COMP-01 | Describe your organization’s business background and ownership structure, including all parent and subsidiary relationships. | Update any existing response | |||||||||||||||||||||||
28 | Charlie | COMP-02 | Describe how long your organization has conducted business in this product area. | Removed; No longer relevant | |||||||||||||||||||||||
29 | Charlie | COMP-03 | Do you have existing higher education customers? | Removed; No longer relevant | |||||||||||||||||||||||
30 | Charlie | COMP-04 | Have you had a significant breach in the last 5 years? | Update any existing response; reworded and migrated to COMP-02 | |||||||||||||||||||||||
31 | Charlie | COMP-05 | Do you have a dedicated Information Security staff or office? | Update any existing response; migrated to COMP-03 | |||||||||||||||||||||||
32 | Charlie | COMP-06 | Do you have a dedicated Software and System Development team(s)? (e.g. Customer Support, Implementation, Product Management, etc.) | Update any existing response; migrated to COMP-04 | |||||||||||||||||||||||
33 | Charlie | COMP-07 | Use this area to share information about your environment that will assist those who are assessing your company data security program. | Update any existing response; migrated to COMP-05 | |||||||||||||||||||||||
34 | Charlie | THRD-01 | Describe how you perform security assessments of third party companies with which you share data (i.e. hosting providers, cloud services, PaaS, IaaS, SaaS, etc.). Provide a summary of your practices that assures that the third party will be subject to the appropriate standards regarding security, service recoverability, and confidentiality. | Update any existing response; question reworded | |||||||||||||||||||||||
35 | Charlie | THRD-02 | Provide a brief description for why each of these third parties will have access to institution data. | Update any existing response | |||||||||||||||||||||||
36 | Charlie | THRD-03 | What legal agreements (i.e. contracts) do you have in place with these third parties that address liability in the event of a data breach? | Update any existing response | |||||||||||||||||||||||
37 | Charlie | THRD-04 | Describe or provide references to your third party management strategy or provide additional information that may help analysts better understand your environment and how it relates to third-party solutions. | Update any existing response; question reworded | |||||||||||||||||||||||
38 | Charlie | CONS-01 | Will the consulting take place on-premises? | Update any existing response | |||||||||||||||||||||||
39 | Charlie | CONS-02 | Will the consultant require access to Institution's network resources? | Update any existing response | |||||||||||||||||||||||
40 | Charlie | CONS-03 | Will the consultant require access to hardware in the Institution's data centers? | Update any existing response | |||||||||||||||||||||||
41 | Charlie | CONS-04 | Will the consultant require an account within the Institution's domain (@*.edu)? | Update any existing response | |||||||||||||||||||||||
42 | Charlie | CONS-05 | Has the consultant received training on [sensitive, HIPAA, PCI, etc.] data handling? | Update any existing response | |||||||||||||||||||||||
43 | Charlie | CONS-06 | Will any data be transferred to the consultant's possession? | Update any existing response | |||||||||||||||||||||||
44 | Charlie | CONS-07 | Is it encrypted (at rest) while in the consultant's possession? | Update any existing response | |||||||||||||||||||||||
45 | Charlie | CONS-08 | Will the consultant need remote access to the Institution's network or systems? | Update any existing response | |||||||||||||||||||||||
46 | Charlie | CONS-09 | Can we restrict that access based on source IP address? | Update any existing response | |||||||||||||||||||||||
47 | Charlie | APPL-01 | Do you support role-based access control (RBAC) for end-users? | New answer required; question context and wording changed | |||||||||||||||||||||||
48 | Charlie | APPL-02 | Do you support role-based access control (RBAC) for system administrators? | New answer required; question context and wording changed | |||||||||||||||||||||||
49 | Charlie | APPL-03 | Can employees access customer data remotely? | New answer required; part of DATA-24 | |||||||||||||||||||||||
50 | Charlie | APPL-04 | Can you provide overall system and/or application architecture diagrams including a full description of the data communications architecture for all components of the system? | Update any existing response; migrated to DOCU-06 | |||||||||||||||||||||||
51 | Charlie | APPL-05 | Does the system provide data input validation and error messages? | Update any existing response; migrated to APPL-03 | |||||||||||||||||||||||
52 | Charlie | APPL-06 | Do you employ a single-tenant environment? | Update any existing response; migrated to DATA-01 | |||||||||||||||||||||||
53 | Charlie | APPL-07 | What operating system(s) is/are leveraged by the system(s)/application(s) that will have access to institution's data? | New answer required; question context and wording changed | |||||||||||||||||||||||
54 | Charlie | APPL-08 | Have you or any third party you contract with that may have access or allow access to the institution's data experienced a breach? | Update any existing response; migrated to THRD-03 | |||||||||||||||||||||||
55 | Charlie | APPL-09 | Describe or provide a reference to additional software/products necessary to implement a functional system on either the backend or user-interface side of the system. | New answer required; question context and wording migrated to APPL-06 | |||||||||||||||||||||||
56 | Charlie | APPL-10 | Describe or provide a reference to the overall system and/or application architecture(s), including appropriate diagrams. Include a full description of the data communications architecture for all components of the system. | Update any existing response; migrated to DOCU-06 | |||||||||||||||||||||||
57 | Charlie | APPL-11 | Are databases used in the system segregated from front-end systems? (e.g. web and application servers) | New answer required; question context and wording migrated to DATA-04 | |||||||||||||||||||||||
58 | Charlie | APPL-12 | Describe or provide a reference to all web-enabled features and functionality of the system (i.e. accessed via a web-based interface). | Removed; assessment needs represented within other questions and/or guidance | |||||||||||||||||||||||
59 | Charlie | APPL-13 | Are there any OS and/or web-browser combinations that are not currently supported? | New answer required; question context and wording migrated to APPL-07 | |||||||||||||||||||||||
60 | Charlie | APPL-14 | Can your system take advantage of mobile and/or GPS enabled mobile devices? | Removed; assessment needs represented within other questions and/or guidance | |||||||||||||||||||||||
61 | Charlie | APPL-15 | Describe or provide a reference to the facilities available in the system to provide separation of duties between security administration and system administration functions. | Update any existing response; migrated to APPL-10 | |||||||||||||||||||||||
62 | Charlie | APPL-16 | Describe or provide a reference that details how administrator access is handled (e.g. provisioning, principle of least privilege, deprovisioning, etc.) | Update any existing response; migrated to APPL-11 | |||||||||||||||||||||||
63 | Charlie | APPL-17 | Describe or provide references explaining how tertiary services are redundant (i.e. DNS, ISP, etc.). | New answer required; question context and wording migrated to BCPL-10 and DCTR-14 | |||||||||||||||||||||||
64 | Charlie | AAAI-01 | Can you enforce password/passphrase aging requirements? | Update any existing response; migrated to AAAI-03 | |||||||||||||||||||||||
65 | Charlie | AAAI-02 | Can you enforce password/passphrase complexity requirements [provided by the institution]? | Update any existing response; migrated to AAAI-04 | |||||||||||||||||||||||
66 | Charlie | AAAI-03 | Does the system have password complexity or length limitations and/or restrictions? | Update any existing response; migrated to AAAI-05 | |||||||||||||||||||||||
67 | Charlie | AAAI-04 | Do you have documented password/passphrase reset procedures that are currently implemented in the system and/or customer support? | Update any existing response; migrated to AAAI-06 | |||||||||||||||||||||||
68 | Charlie | AAAI-05 | Does your web-based interface support authentication, including standards-based single-sign-on? (e.g. InCommon) | New answer required; question context and wording migrated to AAAI-01 | |||||||||||||||||||||||
69 | Charlie | AAAI-06 | Are there any passwords/passphrases hard coded into your systems or products? | Update any existing response; migrated to AAAI-14 | |||||||||||||||||||||||
70 | Charlie | AAAI-07 | Are user account passwords/passphrases visible in administration modules? | New answer required; question context and wording migrated to AAAI-15 | |||||||||||||||||||||||
71 | Charlie | AAAI-08 | Are user account passwords/passphrases stored encrypted? | New answer required; question context and wording migrated to AAAI-15 | |||||||||||||||||||||||
72 | Charlie | AAAI-09 | Does your application and/or user-frontend/portal support multi-factor authentication? (e.g. Duo, Google Authenticator, OTP, etc.) | New answer required; question context and wording migrated to AAAI-12 | |||||||||||||||||||||||
73 | Charlie | AAAI-10 | Does your application support integration with other authentication and authorization systems? List which ones (such as Active Directory, Kerberos and what version) in Additional Info? | New answer required; question context and wording migrated to AAAI-16 | |||||||||||||||||||||||
74 | Charlie | AAAI-11 | Will any external authentication or authorization system be utilized by an application with access to the institution's data? | New answer required; question context and wording migrated to AAAI-16 | |||||||||||||||||||||||
75 | Charlie | AAAI-12 | Does the system (servers/infrastructure) support external authentication services (e.g. Active Directory, LDAP) in place of local authentication? | New answer required; question context and wording migrated to AAAI-02 | |||||||||||||||||||||||
76 | Charlie | AAAI-13 | Does the system operate in a mixed authentication mode (i.e. external and local authentication)? | Removed; assessment needs represented within other questions and/or guidance | |||||||||||||||||||||||
77 | Charlie | AAAI-14 | Will any external authentication or authorization system be utilized by a system with access to institution data? | Removed; assessment needs represented within other questions and/or guidance | |||||||||||||||||||||||
78 | Charlie | AAAI-15 | Are audit logs available that include AT LEAST all of the following; login, logout, actions performed, and source IP address? | Update any existing response; migrated to AAAI-17 | |||||||||||||||||||||||
79 | Charlie | AAAI-16 | Describe or provide a reference to the a) system capability to logsecurity/authorization changes as well as user and administrator security events(i.e. physical or electronic)(e.g. login failures, access denied, changes accepted), and b) all requirements necessary to implement logging and monitoring on the system. Include c) information about SIEM/log collector usage. | Update any existing response; migrated to AAAI-18 | |||||||||||||||||||||||
80 | Charlie | AAAI-17 | Describe or provide a reference to the retention period for those logs, how logs are protected, and whether they are accessible to the customer (and if so, how). | Update any existing response; migrated to AAAI-19 | |||||||||||||||||||||||
81 | Josh | BCPL-01 | Describe or provide a reference to your Business Continuity Plan (BCP). | Removed; no longer relevant | |||||||||||||||||||||||
82 | Josh | BCPL-02 | May the Institution review your BCP and supporting documentation? | Removed; no longer relevant | |||||||||||||||||||||||
83 | Josh | BCPL-03 | Is an owner assigned who is responsible for the maintenance and review of the Business Continuity Plan? | Now BCPL-01 Update as necessary | |||||||||||||||||||||||
84 | Josh | BCPL-04 | Is there a defined problem/issue escalation plan in your BCP for impacted clients? | Now BCPL-02 Update as necessary | |||||||||||||||||||||||
85 | Josh | BCPL-05 | Is there a documented communication plan in your BCP for impacted clients? | Now BCPL-03 Update as necessary | |||||||||||||||||||||||
86 | Josh | BCPL-06 | Are all components of the BCP reviewed at least annually and updated as needed to reflect change? | Now BCPL-04 Update as necessary | |||||||||||||||||||||||
87 | Josh | BCPL-07 | Has your BCP been tested in the last year? | Now BCPL-08 Update as necessary | |||||||||||||||||||||||
88 | Josh | BCPL-08 | Does your organization conduct training and awareness activities to validate its employees understanding of their roles and responsibilities during a crisis? | Now BCPL-06 Update as necessary | |||||||||||||||||||||||
89 | Josh | BCPL-09 | Are specific crisis management roles and responsibilities defined and documented? | Now BCPL-05 Update as necessary | |||||||||||||||||||||||
90 | Josh | BCPL-10 | Does your organization have an alternative business site or a contracted Business Recovery provider? | Now BCPL-07 Update as necessary | |||||||||||||||||||||||
91 | Josh | BCPL-11 | Does your organization conduct an annual test of relocating to an alternate site for business recovery purposes? | Now BCPL-08 Update as necessary | |||||||||||||||||||||||
92 | Josh | BCPL-12 | Is this product a core service of your organization, and as such, the top priority during business continuity planning? | Now BCPL-09 Update as necessary | |||||||||||||||||||||||
93 | Josh | CHNG-01 | Do you have a documented and currently followed change management process (CMP)? | New wording: Update as necessary | |||||||||||||||||||||||
94 | Josh | CHNG-02 | Indicate all procedures that are implemented in your CMP. a.) An impact analysis of the upgrade is performed. b.) The change is appropriately authorized. c.) Changes are made first in a test environment. d.) The ability to implement the upgrades/changes in the production environment is limited to appropriate IT personnel. | New wording: Update as necessary | |||||||||||||||||||||||
95 | Josh | CHNG-03 | Will the Institution be notified of major changes to your environment that could impact the Institution's security posture? | Update any existing response | |||||||||||||||||||||||
96 | Josh | CHNG-04 | Do clients have the option to not participate in or postpone an upgrade to a new release? | Update any existing response | |||||||||||||||||||||||
97 | Josh | CHNG-05 | Describe or provide a reference to your solution support strategy in relation to maintaining software currency. (i.e. how many concurrent versions are you willing to run and support?) | New wording: Update as necessary | |||||||||||||||||||||||
98 | Josh | CHNG-06 | Identify the most current version of the software. Detail the percentage of live customers that are utilizing the proposed version of the software as well as each version of the software currently in use. | Removed; no longer relevant | |||||||||||||||||||||||
99 | Josh | CHNG-07 | Does the system support client customizations from one release to another? | Now CHNG-06 Update as necessary | |||||||||||||||||||||||
100 | Josh | CHNG-08 | Does your organization ensure through policy and procedure (that is currently implemented) that only application software verifiable as authorized, tested, and approved for production, and having met all other requirements and reviews necessary for commissioning, is placed into production? | Removed; no longer relevant |