The 2018 Questionnaire


The Questionnaire below was released on December 22nd, 2017, and will be valid for the 2018 calendar year.

Introduction

Why Audit Vendors?

  • When we do business with a vendor, it is not safe to assume we are doing business just with the party under contract. Vendors rely on other parties. If we are to rely on a chain, then all the links must be tested, not just the first link. We must also apply the same standard of testing to all the links, which is why we created this questionnaire.

Approaches Taken

  • Data-Risk Based. Not all vendors should be held to the same standard. The risk is proportionate to the sensitivity of the data they are accessing (and the volume of data). The controls vendors should have in place must be proportionate to their risk.
  • Integrated Security. Great security is not achieved by purchasing a product. It is achieved by thinking about security from the start; how a product is designed, how a product is tested, how it is patched and maintained, what steps have been taken to minimize a breach and what happens during a security incident. All of these and more are covered in this questionnaire.
  • Service Oriented. Many companies have multiple offerings of services and products. Rather than audit the company, we focus on just the services that are being delivered. Only the security policies and controls in the scope of the service under review are relevant.

How should a non-VSA member use this questionnaire?

  • Send this questionnaire to your vendors to assess their cybersecurity risk. They will return it directly to you,
  • Use this questionnaire to benchmark the cybersecurity risk of services you provide, and find areas to improve.

How should a VSA member use this questionnaire?

  • You have the same options as non-VSA members, or
  • You can leverage VSA to have independent third party auditors carry out your third party audits. This will greatly shorten the time and cost to vendor approval or rejection decisions.

How can I become a VSA member?

What is the VSA?

  • The VSA is a coalition of companies focused on measuring and reducing vendor risk, with the goal of making the internet safer for everyone. The VSA is a non-profit entity.

Special thanks to the 2017/2018 Working Group that created this document:

Service Overview

Please describe in detail the service to be examined


Vendor Business Information

  • Company Name
  • Responder Name
  • Responder Contact Information (Phone/Business Email Address)
  • Date of Response

Company Profile

  • Company Website URL
  • Service Website URL

Service Hosting

  • Is your service run from (a) your own data center, (b) the cloud, or (c) deployed on-premise only?
  • Data Centre Location(s) (relative to services provided)
  • Which cloud providers do you rely on?
  • Have you researched your cloud providers' security best practices?
  • Which data centers/countries/geographies are you deployed in?
  • On-premise solution only

Service Scope Question

  • Name of application or service being provided
  • Description of application or service
  • What technology languages/platforms/stacks/components are utilized in the scope of the application? (AWS? MySQL? Ruby on Rails? Go? Javascript?)

Supporting Documentation

  • Most recent Application Code Review or Penetration Testing Reports (carried out by independent third party)
  • Does the penetration test follow an industry approved methodology
  • Information Security Policies and Procedures
  • Data Flow Diagram
  • Any other Documents supporting your responses in this questionnaire (Please provide a description for each document)
  • PCI, SOC2 type II or ISO27001 certification reports
  • Other Independent Audit report (please provide details)

Data Protection & Access Controls

Here we focus on security by design and process


Data Classification

  • Please describe the company/user data you require to provide your service: personal information, financial data, confidential/sensitive data, government data.
  • Please upload your data classification matrix including data definition, access restrictions and minimum controls specific for your service.

Encryption

  • Please upload your data encryption standard.
  • How do you encrypt customer data?

Data Access & Handling

  • Are your employees accessing data handed to you by us on a 'need to know' basis? (privileged access)
  • Do you have capabilities to anonymize data?
  • --If so, how is data anonymization implemented?
  • --If data anonymization is implemented, how is the anonymized data used within your organization?
  • Please describe your general rules for role provisioning, deprovisioning, and recertification.
  • Which groups of staff (individual contractors and full-time) have access to personal and sensitive data handed to you?
  • Do you keep sensitive data (as defined by your data classification matrix) in hard copy (e.g. paper copies)? If so, please describe.
  • Do you have a procedure for securely destroying hard copy sensitive data?
  • Do you support secure deletion (e.g. degaussing/cryptographic wiping) of archived or backed-up data?
  • Does customer data leave your production systems in any circumstance? If so, please describe.

Reporting

  • Which audit trails and logs are kept for systems and applications with access to customer data?

Third Party Data Processing

  • Do you use any sub-processors for data processing purposes? If so, please name them.
  • How do your sub-processors comply with your standards in relation to personal data processing?

EU Data Processing

This section is only applicable if your company/data centers are based in the US

  • For the provision of services, do you process EU citizens'/residents' personal data?
  • Are you currently Privacy Shield certified? If so, please link to your certification.
  • Do you plan on being Privacy Shield certified within the next 12 months?

Authentication

  • Do you have an internal password policy?
  • Do you have complexity or length requirements for passwords?
  • How are passwords hashed?
  • Do employees/contractors have the ability to remotely connect to your production systems (e.g. VPN)?
  • Do you require multi-factor authentication (MFA) for employee authentication to access your network (local or remote)?
  • Is MFA required for employees/contractors to log in to production systems?
  • Do you require MFA for administration of your service (local or remote)?
  • Do you support SSO/SAML for customer access?

Policies & Standards

Here we cover documentation and governance:


Management Program

  • Do you have a formal Information Security Program (InfoSec SP) in place?
  • Do you review your Information Security Policies at least once a year?
  • Do you have an Information Security Risk Management Program (InfoSec RMP)?
  • Do you have management support or a security management forum to evaluate and take action on security risks?
  • Do you have a dedicated information security team? If so, what is the composition and reporting structure?

Policy Execution

  • Please ensure your documented information security policy has been uploaded in the 'Service Overview' section
  • Do your information security and privacy policies align with industry standards (ISO 27001, NIST Cyber Security Framework, ISO 22307, COBIT, etc.)?
  • Do you have a policy exception process?
  • Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?

Background Checks

  • Are all employment candidates, contractors and involved third parties subject to background verification (as allowed by local laws, regulations, ethics and contractual constraints)?

Confidentiality

  • Are all personnel required to sign Confidentiality Agreements to protect customer information, as a condition of employment?

Acceptable Use

  • Are all personnel required to sign an Acceptable Use Policy? Please attach

Job Changes and Termination

  • Are documented procedures followed to govern change in employment and/or termination including for timely revocation of access and return of assets?

Proactive Security

What controls are in place to prevent attacks:


Independent Third-Party Penetration Testing

  • Do you perform network security testing? If so, what is the cadence? Explain your methodology
  • Do you perform application security testing? If so, what is the cadence? Explain your methodology

Vulnerability Management & Patching

Network/Host Vulnerability Management

  • Please summarise or attach your network vulnerability management processes and procedures.
  • Which tools do you use for vulnerability management?

Application Vulnerability Management

  • Please summarise or attach your application vulnerability management processes and procedures.
  • What tools do you use for application vulnerability management?

Production Patching

  • How do you regularly evaluate patches and updates for your infrastructure?

Bug Bounty

  • Do you have an established bug bounty program?

Endpoint Security - End User

  • Are all endpoint laptops that connect directly to production networks centrally managed?
  • Describe standard employee issued device security configuration/features. (Login Password, antimalware, Full Disk Encryption, Administrative Privileges, Firewall, Auto-lock, etc.)
  • Does sensitive or private data ever reside on endpoint devices? How is this policy enforced?

Endpoint Security - Production Server

  • How do you limit data exfiltration from production endpoint devices?
  • What systems do you have in place that mitigate classes of web application vulnerabilities? (e.g.: WAF, proxies, etc)
  • Do you have breach detection systems and/or anomaly detection with alerting?

Infrastructure Security

Configuration Management

  • Are the hosts where the service is running uniformly configured?
  • Are changes to the production environment reviewed by at least two engineers/operations staff?

Secrets Management

  • Describe your secrets management strategy (auth tokens, passwords, API credentials, certificates)

Logs

  • Are all security events (authentication events, SSH session commands, privilege elevations) in production logged?

Network Security

  • Is the production network segmented into different zones based on security levels?
  • What is the process for making changes to network configuration?
  • Is all network traffic over public networks to the production infrastructure sent over cryptographically sound encrypted connections (TLS, VPN, IPsec, etc.)? If there are plaintext connections, what is sent unencrypted?

Cryptography

Cryptographic Design

Please ensure you uploaded your encryption standard as per the 'Data Protection & Access Controls' tab.

  • What cryptographic frameworks are used to secure data in transit over public networks?
  • What cryptographic frameworks are used to secure data at rest?
  • What cryptographic frameworks are used to store passwords?
  • Are any non-standard cryptographic frameworks/implementations used? If so, have they been reviewed by an independent third party?

Key Management

  • How are cryptographic keys managed within your system (key management system, etc.)?

Security Awareness

  • Describe your security awareness program for personnel

Reactive Security

When an issue is found, how do you react:


Threat Intelligence

  • How do you keep aware of security vulnerabilities and threats that affect your service?

Monitoring

  • How do you log and alert on relevant security events (this includes the network and application layers)?

Incident Response

  • Do you have a formalized Security Incident Response Program?
  • How is your Incident Response Plan tested? Include cadence

Incident Communication

  • Do you have formally defined criteria for notifying a client during an incident that might impact the security of their data or systems? What are your SLAs for notification?

Software Supply Chain

When is your software tested for security issues:



Secure SDLC (Software Development Lifecycle)

  • How do you ensure code is being developed securely?
  • Describe how threat modeling is incorporated in the design phase of development.
  • How do you train developers in SSDLC / Secure Coding Practices?

Deployment Processes

  • Are all code artifacts run through automated validation of production-readiness?
  • Is a staging/pre-production system used to validate build artifacts before promotion to production?

Dependency Management

  • Do you maintain a bill of materials for third party libraries or code in your service?
  • Do you outsource development? (contracted with a 3rd party? open source project inclusion?)
  • What types of security reviews do you perform on outsourced software?

Compliance

How often and why are your operational controls validated:


Internal Audits

  • How do you conduct internal audits (audits led by your personnel) of the service? Please describe the scope and frequency of audits.

External Audits

  • How do you conduct external (third-party) audits of the service? Please describe the scope and frequency of audits.
  • Please provide a copy of the most recent report.

Certifications

  • Which IT operational, security, or privacy-related standards, certifications and/or regulations do you comply with?
  • Please provide a copy of the most recent certifications

Privacy

  • Are your confidential data access controls in line with your data classification matrix?
  • Do you share customer data with, or enable direct access by, any third-party?
  • Do you seek a right to use or own customer derived data for your own purposes?
  • Is your Privacy Policy externally available? Please provide us with the URL

Customer Facing Application Security

Here we focus on security and logging for SaaS offerings


Authentication

  • Please describe how you authenticate users: If passwords are used, describe complexity requirements, and how passwords are protected. If SSO is supported, please describe the available options.
  • Does the application allow user MFA to be enforced by admins?
  • Does the application support IP whitelisting for user authentication?

Role Based Access Control

  • Does your application support standardized roles and permissions for users (i.e. admin, user)?
  • Does your application enable custom granular permissions and roles to be created?

Audit logging

  • Which audit trails and logs are kept for systems and applications with access to customer data?
  • Does your application provide customer administrators with direct access to verbose audit logs (API, export, viewer etc.)?

Data Retention

  • Does your application allow for custom data retention policy for customer data?

Change management

  • Does your application provide a change log?
  • Does your application provide a sandbox environment to customers for testing?

API Management

  • Does your API implement rate limiting capabilities?
  • How does your application store API keys?
  • Does the application support IP whitelisting for API access?

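For the rate-limiting question in the API Management section, the following Python token bucket is an added example, not VSA or any vendor's code. It assumes one bucket per API key (the key names and the capacity/refill values are constructed for the example) and injects a fake clock so the burst-then-refill behaviour can be shown deterministically; a real deployment would key on the authenticated principal and keep the buckets in shared storage so the limit holds across instances.

```python
import time
from typing import Callable, Dict


class TokenBucket:
    """Token-bucket limiter: `capacity` tokens, refilled at `rate` tokens/second.
    A request costs one token; when the bucket is empty the request is rejected
    rather than queued, so a burst above the allowance fails fast."""

    def __init__(self, capacity: int, rate: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.tokens = float(capacity)
        self.updated = clock()

    def _refill(self) -> None:
        now = self.clock()
        elapsed = now - self.updated
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.rate)
        self.updated = now

    def allow(self) -> bool:
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """Per-key limiter, e.g. keyed by API key or client IP (assumed keying)."""

    def __init__(self, capacity: int, rate: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, key: str) -> bool:
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.capacity, self.rate, self.clock)
        return bucket.allow()


class FakeClock:
    """Deterministic clock so the example runs the same way every time."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate() -> dict:
    """Constructed scenario: 5 requests per key, refilled at 1 request/second."""
    clock = FakeClock()
    limiter = RateLimiter(capacity=5, rate=1.0, clock=clock)
    burst = [limiter.allow("key-A") for _ in range(7)]        # 5 allowed, 2 rejected
    other = limiter.allow("key-B")                            # separate bucket, allowed
    clock.advance(2.0)                                        # two tokens refill for key-A
    after_wait = [limiter.allow("key-A") for _ in range(3)]   # 2 allowed, 1 rejected
    return {"burst": burst, "other": other, "after_wait": after_wait}


if __name__ == "__main__":
    print(simulate())
```
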
Definitions


Bug bounty program:

  • any method by which members of the public can submit to a company information regarding security vulnerabilities, fixes for an issue, or any other behaviour of the company's software that deviates from its intended purpose.

Critical Security Vulnerability:

  • a critical security vulnerability is a state in a computing system (or set of systems) that either:
  • 1) allows an attacker to execute commands as another user, or
  • 2) allows an attacker to access data that is contrary to the specified access restrictions for that data, or
  • 3) allows an attacker to pose as another entity, or
  • 4) allows an attacker to conduct a denial of service

Data Classification Policy (or Matrix):

  • A policy or matrix classifying data by risk and applying appropriate controls to safeguard the data.

Data Encryption Standard:

  • A document describing the security method (including algorithms) used to encrypt information, e.g. AES-256

Data Flow Diagram:

  • A diagram showing how data flows through the infrastructure and applications, from ingestion onwards.

Individual contractors:

  • any non-employee that works under the direct control of the employer.

Multifactor authentication (MFA):

  • a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction

Partner:

  • any person or business entity with an agreement to share work with the company

Penetration Test approved methodology:

  • a penetration test that follows one of the frameworks listed here:
  • - Open Source Security Testing Methodology Manual (“OSSTMM”)
  • - NIST Special Publication 800-115
  • - OWASP Testing Guide
  • - PCI Penetration Testing Guidance
  • - Penetration Testing Execution Standard
  • - Penetration Testing Framework

Penetration Test:

  • the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Every vulnerability discovered is disclosed to the customer.

Personally Identifiable Information (PII):

  • any information that can be individually attributed to identify an individual. This information includes, but is not limited to, driver's license numbers, social security numbers (or their equivalent), health and financial records.

Personnel:

  • Includes employees and contractors under the direct control of management.

Privacy Incident:

  • A privacy incident results from the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, and for an other than authorized purpose, have access or potential access to PII in usable form, whether physical or electronic. The term encompasses both suspected and confirmed incidents involving PII that raise a reasonable risk of harm.

Protected Data:

  • Includes PII, sensitive data, HIPAA data, financial data and other data defined as sensitive data

Role-based Access Control:

  • A methodology to assign and manage the appropriate level of access to all computer systems in an organization or enterprise based on job functions and responsibilities.

Security Incident:

  • An incident is any event that threatens the security, confidentiality, integrity, or availability of information assets (electronic or paper), information systems, and/or the networks that deliver the information. An incident can involve:
  • 1) violation of an explicit or implied security policy
  • 2) attempts to gain unauthorized access
  • 3) unwanted denial of resources
  • 4) unauthorized use
  • 5) changes without the owner’s knowledge, instruction, or consent

Sensitive data:

  • any information a reasonable person would consider private, or would not choose to share with the public.

Vendor Audit:

  • A process in which a vendor's security controls are validated by an approved method. The deliverable is access to the audit report(s) of the vendor service, which involves either triggering a new audit or gaining access to a current audit report for the vendor.

Web application firewall (WAF):

  • A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

EU Specific terms (the definitions below are taken from Article 4 of the General Data Protection Regulation, Regulation (EU) 2016/679,
which applies from 25 May 2018 and replaces Directive 95/46/EC, the data protection regime in force when this questionnaire was released)

Personal Data:

  • any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Controller:

  • the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

Processor:

  • a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Consent:

  • Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Personal Data Breach:

  • a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Processing:

  • any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Recipient:

  • a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;

Third Party:

  • a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

Terms & Conditions


Disclaimer and Limited License Grant

  • The Vendor Security Alliance (VSA) questionnaire and all related material (the “Licensed Material”) is provided AS IS, with no representations or warranties of any kind, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the absence of errors, whether or not known or discoverable. VSA and its members will have no liability under any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of use of the Licensed Material, even if advised of the possibility of such losses, costs, expenses, or damages.

  • VSA grants a limited right, under its copyright rights in the Licensed Material, for users of the Licensed Material to download a copy of the Licensed Material and reproduce and distribute unmodified copies for sole purpose of (a) a particular user evaluating its own internal security processes and the security practices of its direct vendors, or (b) providing Feedback to VSA. All other uses are prohibited (including, without limitation, using the Licensed Material in connection with a security consulting or hosted vendor management service), and no additional intellectual property rights are granted by VSA to any party. “Feedback” means any suggested changes to the Licensed Material. VSA will have the right to reproduce, distribute, perform, display and create derivative works of all Feedback, and use all Feedback without restriction and without payments to any party.