Risk Assessments

On-Premise vs. Cloud - Risk Assessment Questionnaire

  • 1.  On-Premise vs. Cloud - Risk Assessment Questionnaire

    This message was posted by a user wishing to remain anonymous
    Posted 11-23-2020 12:06 PM

    Hello. I work for a FinTech company and I am fairly new to vendor risk management. My company has around 200 vendors and we have an initial, general due diligence request form that I want to simplify for On-Prem vendors. Can anyone speak to this and how their questions/document requests differ? I don't want to waste the vendor's time or mine asking for items or answers to questions that are not relevant for on-premise software. Thanks.
    Sharing our general question/document requests:

    Questions/Document Requests:
    1. Detailed explanation of the product/services/software to be provided: 
    2. Most recent SOC, PCI DSS, Penetration Test and/or other related third party audit report(s). 
    3. Copy of your business continuity plan and disaster recovery plan. 
    4. Most recent balance sheet, profit and loss statement or annual report. If you are a privately held entity and will not provide financial statements for our review, please provide a letter from your CPA firm attesting to financial stability.
    5. Most recent certificate of insurance.
    6. Company information security history, including any data breaches in company history.
    Please provide any policies and/or documentation which describe how your company or organization:
    1. Ensures the security and confidentiality of customer or member non-public records and information.
    2. Protects against any anticipated threats or hazards to the security or integrity of such records.
    3. Protects against unauthorized access to or use of such records that could result in substantial harm to the customer or member.
     
    DATA SENSITIVITY
    What is the nature of data stored/shared? Please select one option from the choices below.
    1. No data exchanged with other parties
    2. Only demographic information and protected financial information
    3. Only names, addresses and phone numbers
    4. Non-public private information (NPI), for example SSN, medical, financial, proprietary, and private information about real individuals

    If you exchange any data with *******, please answer the following questions:
    1. Is any data stored or transmitted out of the United States?
    2. Is data encrypted in transit? What is the encryption mechanism?
    3. Is data at rest encrypted? What is the encryption mechanism?
    4. How are databases monitored for suspicious activity?
    5. Are 3rd parties involved in handling of NPI/PII and transactional data? If yes, what due diligence is done on 3rd parties to ensure that the data is safely handled and protected?
    6. Which protocol is used to securely exchange data with your partners?