Exams or Audits

  • 1.  Vendor Security Questionnaires

    This message was posted by a user wishing to remain anonymous
    Posted 03-11-2020 02:15 PM

    At my present company we have had issues with new vendor applications/software coming into our environment without being vetted properly, which caused an audit finding to be issued by Internal Audit. I have been tasked to come up with a new vendor questionnaire that includes questions that would allow InfoSec to know who has access to all new applications/software. This questionnaire should include application access, application administration, access monitoring, and activity logging/auditing. Does anyone have anything that they might be able to share with me that can help in my creation process?


  • 2.  RE: Vendor Security Questionnaires

    Posted 10-27-2021 09:00 AM
    To whom it may concern:  8^)

    In addition to the cybersecurity questionnaire, do you obtain or require proof of current cybersecurity and/or security awareness certification?

    In addition to the onboarding process, we no longer renew or provide credentials for identified named consultants, release engineers, developers, etc. to our environments without having a copy of their recently completed cybersecurity training certification, or we require that they take one from our vendor (and pass on the cost or get a credit as required).

    As risk and threat awareness spreads in the industry, this program has been working well and we haven't had to enforce having the service provider's employees take our own cybersecurity training vendor's course. We accept a screenshot from the identified security or staff manager (typically they provide a screenshot from a training portal for each identified contact).

    Good luck.  Larry