| 2.11 Question ID | 2.11 Question | Vendor Action |
|---|---|---|
| GNRL-01 | Vendor Name | |
| GNRL-02 | Product Name | |
| GNRL-03 | Product Description | |
| GNRL-04 | Web Link to Product Privacy Notice | |
| GNRL-05 | Vendor Contact Name | |
| GNRL-06 | Vendor Contact Title | |
| GNRL-07 | Vendor Contact Email | |
| GNRL-08 | Vendor Contact Phone Number | |
| GNRL-09 | Vendor Data Zone | |
| GNRL-10 | Institution Data Zone | |
| GNRL-11 | Campus Security Analyst/Engineer | |
| GNRL-12 | Assessment Contact | |
| DOCU-01 | Have you undergone a SSAE 18 audit? | Update any existing response |
| DOCU-02 | Have you completed the Cloud Security Alliance (CSA) self assessment or CAIQ? | Update any existing response |
| DOCU-03 | Have you received the Cloud Security Alliance STAR certification? | Update any existing response |
| DOCU-04 | Do you conform with a specific industry standard security framework? (e.g. NIST Cybersecurity Framework, ISO 27001, etc.) | Update any existing response |
| DOCU-05 | Are you compliant with FISMA standards? | New answer required; migrated to DOCU-05 |
| DOCU-06 | Does your organization have a data privacy policy? | Update any existing response; migrated to DOCU-07 |
| COMP-01 | Describe your organization's business background and ownership structure, including all parent and subsidiary relationships. | Update any existing response |
| COMP-02 | Describe how long your organization has conducted business in this product area. | Removed; no longer relevant |
| COMP-03 | Do you have existing higher education customers? | Removed; no longer relevant |
| COMP-04 | Have you had a significant breach in the last 5 years? | New answer required; subset of COMP-02 |
| COMP-05 | Do you have a dedicated Information Security staff or office? | Update any existing response; migrated to COMP-03 |
| COMP-06 | Do you have a dedicated Software and System Development team(s)? (e.g. Customer Support, Implementation, Product Management, etc.) | Update any existing response; migrated to COMP-04 |
| COMP-07 | Use this area to share information about your environment that will assist those who are assessing your company data security program. | Update any existing response |
| HLAP-01 | Do you support role-based access control (RBAC) for end-users? | Update any existing response; subset of new HLAP-01 |
| HLAP-02 | Do you support role-based access control (RBAC) for system administrators? | Update any existing response; subset of new HLAP-02 |
| HLAP-03 | Can employees access customer data remotely? | New answer required; subset of new HLAP-03 |
| HLAP-04 | Can you provide overall system and/or application architecture diagrams including a full description of the data communications architecture for all components of the system? | Update any existing response; migrated to DOCU-06 |
| HLAP-05 | Does the system provide data input validation and error messages? | Update any existing response; migrated to HLAP-04 |
| HLAP-06 | Do you employ a single-tenant environment? | Update any existing response; subset of HLDA-01 |
| HLAA-01 | Can you enforce password/passphrase aging requirements? | Removed; out of scope for Lite |
| HLAA-02 | Does your web-based interface support authentication, including standards-based single-sign-on? (e.g. InCommon) | Update any existing response; subset of HLAA-01 and HLAA-04 |
| HLAA-03 | Does your application support integration with other authentication and authorization systems? List which ones (such as Active Directory, Kerberos and what version) in Additional Info. | Update any existing response; subset of HLAA-01 and HLAA-03 |
| HLAA-04 | Does the system (servers/infrastructure) support external authentication services (e.g. Active Directory, LDAP) in place of local authentication? | Update any existing response; combined into HLAA-03 |
| HLAA-05 | Are audit logs available that include AT LEAST all of the following: login, logout, actions performed, and source IP address? | Update any existing response; migrated to HLAA-07 |
| HLBC-01 | Do you have a documented Business Continuity Plan (BCP)? | Update any existing response; subset of DOCU-09 |
| HLBC-02 | Is there a documented communication plan in your BCP for impacted clients? | Removed; out of scope for Lite |
| HLBC-03 | Are all components of the BCP reviewed at least annually and updated as needed to reflect change? | Update any existing response; subset of DOCU-09 |
| HLBC-04 | Does your organization conduct an annual test of relocating to an alternate site for business recovery purposes? | Removed; out of scope for Lite |
| HLCH-01 | Do you have a documented and currently followed change management process (CMP)? | Update any existing response; migrated to DOCU-11 |
| HLCH-02 | Will the institution be notified of major changes to your environment that could impact the institution's security posture? | Update any existing response; migrated to HLSY-02 |
| HLCH-03 | Do you have policy and procedure, currently implemented, guiding how security risks are mitigated until patches can be applied? | New answer required; subset of new HLSY-01 |
| HLCH-04 | Do procedures exist to provide that emergency changes are documented and authorized (including after-the-fact approval)? | New answer required; subset of new HLSY-01 |
| HLDA-01 | Do you physically and logically separate the institution's data from that of other customers? | New answer required; subset of new HLDA-01 |
| HLDA-02 | Is sensitive data encrypted in transport? (e.g. system-to-client) | Update any existing response; subset of HLDA-02 |
| HLDA-03 | Is sensitive data encrypted in storage (e.g. disk encryption, at-rest)? | Update any existing response; subset of HLDA-03 |
| HLDA-04 | Do backups containing institution data ever leave the institution's Data Zone, either physically or via network routing? | New answer required; subset of new HLDC-02 and GNRL-14 |
| HLDA-05 | Do you have a media handling process, that is documented and currently implemented, including end-of-life, repurposing, and data sanitization procedures? | Update any existing response; migrated to HLDA-06 |
| HLDA-06 | Is any institution data visible in system administration modules/tools? | New answer required; subset of new HLDA-07 |
| HLDB-01 | Does the database support encryption of specified data elements in storage? | New answer required; subset of new HLDA-03 |
| HLDB-02 | Do you currently use encryption in your database(s)? | New answer required; subset of new HLDA-03 |
| HLDC-01 | Will any institution data leave the institution's Data Zone? | New answer required; subset of new HLDC-02 and GNRL-14 |
| HLDC-02 | Does your company own the physical data center where the institution's data will reside? | Update any existing response; migrated to HLDC-01 |
| HLDC-03 | Does the hosting provider have a SOC 2 Type 2 report available? | Update any existing response; migrated to HLDC-03 |
| HLDC-04 | Does the physical barrier fully enclose the physical space, preventing unauthorized physical contact with any of your devices? | New answer required; subset of new HLDC-04 |
| HLDR-01 | Do you have a Disaster Recovery Plan (DRP)? | Update any existing response; subset of DOCU-10 |
| HLDR-02 | Are any disaster recovery locations outside the institution's Data Zone? | New answer required; subset of new HLDC-02 and GNRL-14 |
| HLDR-03 | Are all components of the DRP reviewed at least annually and updated as needed to reflect change? | Update any existing response; subset of DOCU-10 |
| HLFI-01 | Are you utilizing a web application firewall (WAF) and/or a stateful packet inspection (SPI) firewall? | Update any existing response; split into HLAP-05 and HLNT-02 |
| HLFI-02 | Do you have a documented policy for firewall change requests? | Update any existing response; subset of DOCU-11 |
| HLFI-03 | Are you employing any next-generation persistent threat (NGPT) monitoring? | Update any existing response; migrated to HLNT-04 |
| HLFI-04 | Do you monitor for intrusions on a 24x7x365 basis? | Update any existing response; migrated to HLIH-05 |
| HLPH-01 | Does your organization have physical security controls and policies in place? | Update any existing response; migrated to HLDC-04 |
| HLPH-02 | Are employees allowed to take home customer data in any form? | Update any existing response; subset of HLAP-03 |
| HLPP-01 | Can you share the organization chart, mission statement, and policies for your information security unit? | Update any existing response |
| HLPP-02 | Are information security principles designed into the product lifecycle? | Update any existing response |
| HLPP-03 | Do you have a formal incident response plan? | Update any existing response; migrated to HLIH-01 |
| HLPP-04 | Do you have a documented information security policy? | Update any existing response; migrated to HLPP-03 |
| HLSY-01 | Are systems that support this service managed via a separate management network? | New answer required; subset of HLNT-01 |
| HLSY-02 | Do you have a systems management and configuration strategy that encompasses servers, appliances, and mobile devices (company and employee owned)? | Update any existing response; migrated to HLSY-01 |
| HLVU-01 | Have your systems and applications had a third party security assessment completed in the last year? | Update any existing response; migrated to HLSY-04 |
| HLVU-02 | Are your systems and applications scanned for vulnerabilities [that are remediated] prior to new releases? | Update any existing response; migrated to HLSY-03 |