Vendor Security Assessment Template

An important piece of compliance, especially SOC 2 compliance, is understanding the security implications of each vendor you have, and ensuring regular review and renewal of agreements. With the Vendor Security Assessment template from Aptible you can ensure that each new vendor requested by your internal team has all the right questions answered. Using Concord you can even automate approval workflows to ensure that the right internal parties sign off on every new vendor considered.

Created by Conveyor

Conveyor is a platform that provides cloud-based companies what they need to prove they are trustworthy to their customers and ensure their vendors are trustworthy. Join the network and simplify building trust around data security.
Vendor Security Assessment

This template is meant as a starting point to initiate a security review of any vendor who will have access to your company’s data and/or systems. You may want to add additional queries, but as a basis these are the fundamental questions you should ask.

  1. Overview
    1. Company name:
    2. Company address:
    3. Company website:
    4. Security point of contact name, title, and contact information:
    5. Please describe the service you provide:
    6. How long has your company been in business and providing this solution?
  2. Risk and Governance
    1. Do you have a formalized and approved information security policy?
    2. Do you update your security policies and procedures at least annually? Please describe this process.
    3. Do you complete a risk assessment at least on an annual basis? Please describe this process.
    4. Do you have a disciplinary or sanctions program for employees who violate security policies and procedures?
  3. Workforce Security
    1. Do you complete background checks on employees who will have access to sensitive information?
    2. Do you enforce employment agreements that cover confidentiality of sensitive information?
    3. Do you have a security and awareness training program? Please describe.
  4. Device Security
    1. Do you have a formal mobile device management program?
    2. Are employees able to access our data or system from BYOD devices? If yes, please describe any compensating controls in place to address this.
    3. Are you able to remotely wipe and lock mobile devices that access our system and data?
    4. Are mobile device hard drives encrypted?
    5. Is anti-virus installed on endpoints?
  5. Identity and Access Management
    1. How do you limit the use of shared accounts and logins?
    2. Do you require multi-factor authentication (MFA) for access to potentially sensitive data? Please describe how this is enforced.
    3. Do you have a password policy and requirements for users selecting and storing passwords? Please describe how this is enforced.
    4. How do you review user access and authorizations on a periodic basis?
    5. Do you use a centralized identity management solution such as Single Sign On?
  6. Application and Data Security
    1. Please describe your software development lifecycle and how security is addressed as a part of development.
    2. What is your change management process?
    3. Do you complete static code analysis? Please describe the process.
    4. Do you complete dynamic code analysis? Please describe the process.
    5. Are developers trained on secure coding techniques at least annually?
    6. How is sensitive data encrypted at rest?
    7. How is sensitive data encrypted in transit?
    8. Is penetration testing performed at least annually by a 3rd party? Please summarize the testing and response process.
    9. Do you perform vulnerability scanning? Please describe process, frequency, and tools used.
    10. Does the application we are evaluating support SAML 2.0 Single Sign On (SSO) for authenticating our users? Please outline any prerequisites for using SSO, such as a specific licensing level (e.g., SSO is only available for enterprise customers).
    11. Does the application we are evaluating support multi-factor authentication (MFA)? If yes, what forms of MFA are supported (e.g., Google Authenticator, hardware token, SMS)?
  7. Incident Preparedness
    1. Do you have a formal incident management policy? Please describe.
    2. Do you test your incident management policy at least annually? Please describe.
    3. Do you have a formalized business continuity plan? Please describe.
    4. Do you test your business continuity plan at least annually? Please describe.
    5. Do you test your backup or redundancy mechanisms at least annually? Please describe.
    6. How do you work towards having all information security events reported in a timely manner?
    7. Is there a preferred channel of communication for workforce personnel and external business partners to report security incidents?
  8. Data Privacy
    1. Do you have a privacy management program? Please describe.
    2. Do you enter into GDPR Data Processing Agreements?
    3. Do you complete Data Protection Impact Assessments as a part of your privacy program?
    4. Will you delete our data if we ask you to? Please describe this process.
    5. Do you make available a subvendor directory of vendors that store and process our data on your behalf? If yes, please share.
  9. Vendor Management
    1. Do you have a vendor management policy and process?
    2. Do you rely on any contractors or third parties for development services? If so, where are they based and what functions do they complete?
    3. Do you complete security reviews of vendors at least annually? Please describe.

Insert signature box for approvers here:


Template Documents Disclaimer:

Please read the following carefully. These terms about the templates (“Template Documents”) library (“Template Documents Disclaimer”) govern your use of the Template Documents and supplement the Concord Free Account Terms or the Concord Commercial Terms, whichever may be applicable to you and which is hereby incorporated by reference. All Template Documents are provided on a nonexclusive license basis only for your personal or internal business use for noncommercial purposes, without any right to relicense, sublicense, distribute, assign or transfer such license.  Template Documents are provided without any representations or warranties, express or implied, as to their suitability, legal effect, completeness, timeliness, accuracy and/or appropriateness.  THE DOCUMENTS ARE PROVIDED “AS IS,” “AS AVAILABLE,” AND WITH “ALL FAULTS,” AND WE AND ANY PROVIDER OF THE DOCUMENTS DISCLAIM ANY WARRANTIES, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  The Template Documents may be inappropriate for your particular circumstances. Furthermore, state laws may require different or additional provisions to ensure the desired result. You should consult with legal counsel to determine the appropriate legal or business documents necessary for your particular transactions as the Template Documents are only samples and may not be applicable to a particular situation.
