
Service Provider Security Assessment Questionnaire

1. Describe your policies and procedures that ensure access to government information is limited to only those employees/Contractors who require access to perform your proposed services.

Elearning Experts maintains a formal security program, materially in accordance with industry standards, that is designed to: (i) ensure the security and integrity of the Customer Content; (ii) protect against threats or hazards to the security or integrity of Customer Content; and (iii) prevent unauthorized access to Customer Content.

Corporate office security measures include CCTV and a business security system.

Only authorized personnel have access to management networks and application networks. Remote access to networks and services is achieved via industry standard encryption protocols and virtual private networking (VPN).

Administrative and remote access is highly restricted and is approved by senior management using least privilege principles. Granting and revocation of access can be accomplished in seconds by senior management.

Additionally, in application computing environments, each hosted site is executed in its own security context, with permissions and access separate from other sites. Such measures provide a layer of separation so that one site cannot access data from another site.

2. Describe your disaster recovery and business continuity plans.

Local backups are performed daily and stored externally to the production application environment. These backups can be restored to a production learning site in the event of unexpected data loss.

In addition to local data backups, disaster recovery and business continuity includes offsite backups of the components and configurations required for the complete restoration of the learning management system. Remote, offsite backups are transmitted via encrypted channels to an Amazon EC2 instance. The offsite disaster recovery consists of:
- nightly copy of full backups
- 24 hour recovery time point (RTP)
- client access to remote data backup
- ability to restore backup to running EC2 instance

In the event of a disaster necessitating the need for an offsite disaster recovery, the last available offsite backup snapshot is restored to a running instance of the learning management system. The offsite application and database server instance can be scaled up to support production workload demand.

Continuity plans include redundancies at every level, including utility power, generator, UPS, Internet provider, network, server, power supply, virtual machine, and disk/storage redundancies.

Elearning Experts, 10 April 2014, Service Provider Security Assessment Questionnaire, page 1

3. What safeguards and practices do you have in place to vet employees and Contractors who have access to government information?

National, State, and County criminal, E-Verify, and educational background checks are performed on all employees and any personnel who have access to government information. Additionally, professional references are utilized to vet the quality and experience of such personnel. Background checks are repeated annually.

The security and confidentiality of our clients' data is covered in New Hire Orientation, documented in a mandatory confidentiality agreement signed by all employees, contractors, and interns, and is continually reinforced by our internal security policies. Security is discussed with staff during project meetings and through company-wide communications.

4. Describe and explain your security policies and procedures related to use of Contractors/subcontractors.

Whenever contractors/subcontractors are employed for a specific task, we create development environments for each, to which only restricted access is granted on a need-to-have basis. Such development environments are segregated in terms of network, firewall and VPN access from all other production virtual or physical servers. Random data is generally used to simulate the production environment for testing purposes.

5. List any certifications that you have that demonstrate that adequate security controls are in place to properly store, manage and process government information (for example, ISO or SSAE certifications). Will these certifications be in place for the duration of the contract? Will you provide the state with most recent and future audit reports related to these certifications?

The hosting facility at Cavern Technologies is SSAE 16 Type II compliant and SAS 70 certified. These compliance measures and certifications will be in place for the duration of the contract. To that end, an Independent Service Auditor's Report on the Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls document can be provided upon request.

6. Describe the policies, procedures and practices you have in place to provide for the physical security of your data centers and other sites where government information will be hosted, accessed or maintained.

The computing cluster is located in a private suite inside an SSAE 16 Type II certified data center in a man-made cave outside of Kansas City. Access to the data center itself is monitored by closed circuit cameras, controlled by Advanced Biometrics and only allowed to authorized Elearning Experts personnel. Access to our private suite is restricted with biometric scans and only granted to authorized Elearning Experts personnel and data center maintenance personnel.

7. Will government information be encrypted at rest? Will government information be encrypted when transmitted? Will government information be encrypted during data backups?

Production data is never at rest and hence does not lend itself to encryption at rest, although access to data is strictly controlled via aforementioned physical security protocols. All data in transmission between the data center and external hosts is encrypted with SSL. Local backups are not encrypted as they reside in a secure data center. Remote/offsite disaster recovery backups are block-level encrypted, meaning that when the disaster recovery host(s) are offline (at rest) the backup data is in an encrypted state. Further security enhancements are possible as part of a customized deployment.


8. Describe safeguards that are in place to prevent unauthorized use, reuse, distribution, transmission, manipulation, copying, modification, access or disclosure of government information.

Access to the servers where data resides is only allowed to senior staff and employees with an immediate access need, and then only under direct supervision. Beyond that, access to the backend environment is not allowed as a matter of policy to anyone, be it lower level staff members or third party contractors. All maintenance and diagnostics are performed with the use of tools that interact with data in a controlled and secured manner. If it becomes necessary to interact with government data on the backend servers in a way other than by using approved tools, escalation to senior personnel or executive level staff would be required. All access to servers is performed through VPN by using encrypted keys for authentication.

9. What controls are in place to detect security breaches? Do you log transactions and network activity? How long do you maintain these audit logs?

Network monitoring tools and notifications exist to detect security breaches. Firewall logs and unapproved network activity are logged and kept for a minimum of 30 days.

The Totara application also supports a number of security features, including the ability to allow/deny specific IP addresses and blocks. Antivirus scanning of files uploaded into the application is configured on the learning management system instance.
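The two controls named in this answer, an IP allow/deny list that accepts both single addresses and address blocks, and firewall logs retained for at least 30 days, can be illustrated together. The following Python is an added example and is not code from Elearning Experts, Totara, or any firewall product; the log line format, the policy entries, the rule that deny entries take precedence over allow entries, and the sample log lines are all constructed assumptions.

```python
"""Added example (not the vendor's or Totara's code): apply an assumed IP
allow/deny policy with CIDR blocks to constructed firewall log lines, flag
unapproved source addresses, and keep only records inside the 30-day
retention floor stated in the questionnaire."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in an assumed "timestamp action src dst:port"
# format; addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
2014-04-01T08:00:00Z ACCEPT 10.0.5.12 10.0.1.20:443
2014-04-09T13:15:42Z ACCEPT 203.0.113.7 10.0.1.20:443
2014-04-09T13:16:01Z DROP 198.51.100.23 10.0.1.20:22
2014-04-10T02:30:00Z ACCEPT 192.0.2.44 10.0.1.20:3306
"""

# Assumed policy: a mix of blocks and single addresses, deny wins over allow.
ALLOW = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
DENY = [ipaddress.ip_network(n) for n in ("203.0.113.7/32",)]

RETENTION_DAYS = 30  # minimum retention period the questionnaire states


def classify_source(ip_text):
    """Return 'deny', 'allow' or 'unlisted' for one source address."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in DENY):
        return "deny"
    if any(ip in net for net in ALLOW):
        return "allow"
    return "unlisted"


def parse_log(log_text):
    """Parse the assumed log format into dicts with a timezone-aware timestamp."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, action, src, dst = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        records.append({"ts": ts.replace(tzinfo=timezone.utc),
                        "action": action, "src": src, "dst": dst})
    return records


def within_retention(records, now, days=RETENTION_DAYS):
    """Keep records at or after the retention cut-off; older ones may be purged."""
    cutoff = now - timedelta(days=days)
    return [r for r in records if r["ts"] >= cutoff]


def report(log_text, now_text):
    """Summarise a log: how many records exist, how many are still inside the
    retention window, and which retained records came from unapproved sources."""
    now = datetime.strptime(now_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    records = parse_log(log_text)
    retained = within_retention(records, now)
    unapproved = [(r["src"], classify_source(r["src"]))
                  for r in retained if classify_source(r["src"]) != "allow"]
    return {"total": len(records), "retained": len(retained), "unapproved": unapproved}


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "2014-05-05T00:00:00Z"))
```

Note that an ACCEPT line from a source that is on the deny list is still flagged: the check is against the policy, not against what the firewall happened to decide, which is the kind of discrepancy a "unapproved network activity" review is meant to surface.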

10. How will government information be managed after contract termination? Will government information provided to the Contractor be deleted or destroyed? When will this occur?

Contract termination policy includes removal of all data for a client from the application execution environment (including application, database, and storage servers) within a month of termination. Client data existing in local backup snapshots is purged after a 3 month period starting at the point of data removal from the application execution environment.

Remote/offsite disaster recovery backups are destroyed within one month of termination.

11. Describe your incident response policies and practices.

Incident Response Outline
- Discovery of incident
- Report of incident to CEO, COO, and CTO
- Investigation of incident
- Resolution of incident
- Documentation of incident

Security incidents affecting clients are reported to affected clients.

12. Identify any third party which will host or have access to government information.

No third party will host or have access to government information on any facility owned and operated by Elearning Experts.

