Security Audit and Evaluation of E-discovery Vendor or Partner

The Security Audit Questionnaire was designed primarily to help evaluate the security capabilities of cloud providers and third parties offering electronic discovery or managed services.

The tool is also useful as a self-checklist for organizations testing the security capabilities of their own in-house systems.

Complete the questionnaire below and you will have your first cyber readiness assessment.

Name

First

Last

VENDOR OR PARTNER COMPANY NAME | Security Audit and Evaluation (First Session)

Does your company maintain any security or other specialized certifications (ISO27001, PCA, or similar)? If so, please provide details on types and certification dates and please provide a copy of your most recent report, audit, or certification.

Do you map your processes and procedures to standards (e.g. NIST, CIS, HITRUST, ISO, etc.)? If so, please list which ones.

Does your organization have documented Information Security Policies?

Is our (and our clients’) data segregated from other clients’ data on your networks and computers during its life cycle on your servers (including but not limited to: processing, review hosting, production, storage, and archiving)? If so, describe how.

Do you have a management process in the event of incidents or breaches? Describe roles, responsibilites, and testing for incident response.

Does your organization have a policy for business continuity and disaster recovery? If so, how often is policy renewed and updated?

Do you remain up to date with system and security patches? If so, please describe, including frequency, analysis, testing, and approvals.

Do you have a protocol for handling data that falls under the US or EU Data Protection Directive? If so, please describe.

Do you have a client notification plan in the event of incidents or breaches? If so, describe when the plan is put into action.

Does your organization maintain compliance with relevant security and privacy regulations? Describe.

where your of

Is there a formally documented privacy policy? If yes, describe. If no, explain reason.

Does your organization have a policy that addresses Information Classification and asset handling?

Does your organization have a formal process to assess the risk of service providers? Describe the process and what area within your organization is responsible.

Do you have physical security in place to protect information assets in offices and other facilaties where information assets are stored or processed? If so, please describe.

Does your organization have encryption tools to protect confidential/personal information that is in transit over public networks? If so, describe how these tools are used.

Is there a physical or logical network and server segregation that exists between client environments? If so, describe.

Do you have network security mechanisms in place (e.g., next-generation firewalls, IDS/IPS, etc.)? If so, please describe.

Send Us Mail

info@crontabcyber.com

Visit Our Office

801 Shelby Street, Indianapolis, US