Migration Document - Lite 2.11 to Lite 3.0

	A	B	C
1	2.11 Question ID	2.11 Question	Vendor Action
2	GNRL-01	Vendor Name
3	GNRL-02	Product Name
4	GNRL-03	Product Description
5	GNRL-04	Web Link to Product Privacy Notice
6	GNRL-05	Vendor Contact Name
7	GNRL-06	Vendor Contact Title
8	GNRL-07	Vendor Contact Email
9	GNRL-08	Vendor Contact Phone Number
10	GNRL-09	Vendor Data Zone
11	GNRL-10	Institution Data Zone
12	GNRL-11	Campus Security Analyst/Engineer
13	GNRL-12	Assessment Contact
14	DOCU-01	Have you undergone a SSAE 18 audit?	Update any existing response
15	DOCU-02	Have you completed the Cloud Security Alliance (CSA) self assessment or CAIQ?	Update any existing response
16	DOCU-03	Have you received the Cloud Security Alliance STAR certification?	Update any existing response
17	DOCU-04	Do you conform with a specific industry standard security framework? (e.g. NIST Cybersecurity Framework, ISO 27001, etc.)	Update any existing response
18	DOCU-05	Are you compliant with FISMA standards?	New answer required, migrated to DOCU-05
19	DOCU-06	Does your organization have a data privacy policy?	Update any existing response; migrated to DOCU-07
20	COMP-01	Describe your organization’s business background and ownership structure, including all parent and subsidiary relationships.	Update any existing response
21	COMP-02	Describe how long your organization has conducted business in this product area.	Removed; No longer relevant
22	COMP-03	Do you have existing higher education customers?	Removed; No longer relevant
23	COMP-04	Have you had a significant breach in the last 5 years?	New answer required; subset of COMP-02
24	COMP-05	Do you have a dedicated Information Security staff or office?	Update any existing response; migrated to COMP-03
25	COMP-06	Do you have a dedicated Software and System Development team(s)? (e.g. Customer Support, Implementation, Product Management, etc.)	Update any existing response; migrated to COMP-04
26	COMP-07	Use this area to share information about your environment that will assist those who are assessing your company data security program.	Update any existing response
27	HLAP-01	Do you support role-based access control (RBAC) for end-users?	Update any existing response; subset of new HLAP-01
28	HLAP-02	Do you support role-based access control (RBAC) for system administrators?	Update any existing response; subset of new HLAP-02
29	HLAP-03	Can employees access customer data remotely?	New answer required; subaet of new HLAP-03
30	HLAP-04	Can you provide overall system and/or application architecture diagrams including a full description of the data communications architecture for all components of the system?	Update any existing reponse; migrated to DOCU-06
31	HLAP-05	Does the system provide data input validation and error messages?	Update any existing response; migrated to HLAP-04
32	HLAP-06	Do you employ a single-tenant environment?	Update any existing response; subset of HLDA-01
33	HLAA-01	Can you enforce password/passphrase aging requirements?	Removed; out of scope for Lite
34	HLAA-02	Does your web-based interface support authentication, including standards-based single-sign-on? (e.g. InCommon)	Update any existing response; subset of HLAA-01 and HLAA-04
35	HLAA-03	Does your application support integration with other authentication and authorization systems? List which ones (such as Active Directory, Kerberos and what version) in Additional Info?	Update any existing response; subset of HLAA-01 and HLAA-03
36	HLAA-04	Does the system (servers/infrastructure) support external authentication services (e.g. Active Directory, LDAP) in place of local authentication?	Update any existing response; combined into HLAA-03
37	HLAA-05	Are audit logs available that include AT LEAST all of the following; login, logout, actions performed, and source IP address?	Update any existing response; migrated to HLAA-07
38	HLBC-01	Do you have a documented Business Continuity Plan (BCP)?	Update any existing response; subset of DOCU-09
39	HLBC-02	Is there a documented communication plan in your BCP for impacted clients?	Removed; out of scope for Lite
40	HLBC-03	Are all components of the BCP reviewed at least annually and updated as needed to reflect change?	Update any existing response; subset of DOCU-09
41	HLBC-04	Does your organization conduct an annual test of relocating to an alternate site for business recovery purposes?	Removed; out of scope for Lite
42	HLCH-01	Do you have a documented and currently followed change management process (CMP)?	Update any existing response; migrated to DOCU-11
43	HLCH-02	Will the institution be notified of major changes to your environment that could impact the institution's security posture?	Update any existing response; migrated to HLSY-02
44	HLCH-03	Do you have policy and procedure, currently implemented, guiding how security risks are mitigated until patches can be applied?	New answer required; subset of new HLSY-01
45	HLCH-04	Do procedures exist to provide that emergency changes are documented and authorized (including after the fact approval)?	New answer required; subset of new HLSY-01
46	HLDA-01	Do you physically and logically separate institution's data from that of other customers?	New answer required; subset of new HLDA-01
47	HLDA-02	Is sensitive data encrypted in transport? (e.g. system-to-client)	Update any existing response; subset of HLDA-02
48	HLDA-03	Is sensitive data encrypted in storage (e.g. disk encryption, at-rest)?	Update any existing response; subset of HLDA-03
49	HLDA-04	Do backups containing institution data ever leave the institution's Data Zone, either physically or via network routing?	New answer required; subset of new HLDC-02, and GNRL-14
50	HLDA-05	Do you have a media handling process, that is documented and currently implemented, including end-of-life, repurposing, and data sanitization procedures?	Update any existing response; migrated to HLDA-06
51	HLDA-06	Is any institution data visible in system administration modules/tools?	New answer required; subset of new HLDA-07
52	HLDB-01	Does the database support encryption of specified data elements in storage?	New answer required; subset of new HLDA-03
53	HLDB-02	Do you currently use encryption in your database(s)?	New answer required; subset of new HLDA-03
54	HLDC-01	Will any institution data leave the institution's Data Zone?	New answer required; subset of new HLDC-02 and GNRL-14
55	HLDC-02	Does your company own the physical data center where the institution's data will reside?	Update any existing response; migrated to HLDC-01
56	HLDC-03	Does the hosting provider have a SOC 2 Type 2 report available?	Update any existing response; migrated to HLDC-03
57	HLDC-04	Does the physical barrier fully enclose the physical space preventing unauthorized physical contact with any of your devices?	New answer required; subset of new HLDC-04
58	HLDR-01	Do you have a Disaster Recovery Plan (DRP)?	Update any existing response; subset of DOCU-10
59	HLDR-02	Are any disaster recovery locations outside the institution's Data Zone?	New answer required; subset of new HLDC-02 and GNRL-14
60	HLDR-03	Are all components of the DRP reviewed at least annually and updated as needed to reflect change?	Update any existing response; subset of DOCU-10
61	HLFI-01	Are you utilizing a web application firewall (WAF) and/or a stateful packet inspection (SPI) firewall?	Update any existing response; split into HLAP-05 and HLNT-02
62	HLFI-02	Do you have a documented policy for firewall change requests?	Update any existing response; subset of DOCU-11
63	HLFI-03	Are you employing any next-generation persistent threat (NGPT) monitoring?	Update any existing response; migrated to HLNT-04
64	HLFI-04	Do you monitor for intrusions on a 24x7x365 basis?	Update any existing response; migrated to HLIH-05
65	HLPH-01	Does your organization have physical security controls and policies in place?	Update any existing response; migrated to HDLC-04
66	HLPH-02	Are employees allowed to take home customer data in any form?	Update any existing response; subset of HLAP-03
67	HLPP-01	Can you share the organization chart, mission statement, and policies for your information security unit?	Update any existing response
68	HLPP-02	Are information security principles designed into the product lifecycle?	Update any existing response
69	HLPP-03	Do you have a formal incident response plan?	Update any existing response; migrated to HLIH-01
70	HLPP-04	Do you have a documented information security policy?	Update any existing response; migrated to HLPP-03
71	HLSY-01	Are systems that support this service managed via a separate management network?	New answer required; subset of HLNT-01
72	HLSY-02	Do you have a systems management and configuration strategy that encompasses servers, appliances, and mobile devices (company and employee owned)?	Update any existing response; migrated to HLSY-01
73	HLVU-01	Have your systems and applications had a third party security assessment completed in the last year?	Update any existing response; migrated to HLSY-04
74	HLVU-02	Are your systems and applications scanned for vulnerabilities [that are remediated] prior to new releases?	Update any existing response; migrated to HLSY-03
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100