3rd Party Outsourcing Information Security Assessment Questionnaire V1.4
Description of Service/Product:____________________________________________________________________________
DATA REQUIREMENTS
(mark a "1" in all boxes applicable for this relationship)

Transmit or Access | Stores Offsite | Risk   | Data Type (if needed, refer to definitions worksheet tab)          | UBC Comments
                   |                | High   | Protected Health Information (PHI)                                 |
                   |                | High   | Personally Identifiable Information (PII) for Students or Non-students |
                   |                | High   | Social Insurance Numbers (SIN)                                     |
                   |                | High   | Payment Card Information                                           |
                   |                | High   | Sensitive Digital Research Data                                    |
                   |                | High   | Physical Plant Detail                                              |
                   |                | High   | Institution Mission Critical Information                           |
                   |                | Medium | Business Critical Information                                      |
                   |                | Medium | Intellectual Property                                              |
                   |                | Medium | Other Sensitive Information                                        |
                   |                | Low    | Public Information                                                 |
4. Ensures that users have the authority to read or modify only those programs or data which are needed to perform their duties.
Total Access Controls: 0
H. Monitoring. The vendor:    [Answer | Comments | UBC Comments]
1. Reviews access permissions monthly for all server files, databases, applications, etc.
2. Implements system event logging on all servers and records, at a minimum, who, what, and when for all transactions.
3. Reviews and analyses after-hours system accesses at least monthly.
4. Reviews system logs for failed logins or failed access attempts monthly.
5. Reviews and removes dormant accounts on systems at least monthly.
6. Reviews web server logs weekly for possible intrusion attempts, and daily for significant changes in log file size as an indicator of compromise.
7. Reviews network and firewall logs at least monthly.
8. Reviews wireless access logs at least monthly.
9. Performs scanning for rogue access points at least quarterly.
10. Actively manages IDS/IPS systems and has implemented alert notifications.
11. Performs vulnerability scanning at least quarterly. This is a mandatory requirement for all UBC EMRs.
12. Performs penetration testing at least annually if the vendor manages any PHI on behalf of UBC. This is a mandatory requirement for all UBC EMRs.
13. Checks routinely that password complexity is adhered to.
Total Monitoring Controls: 0
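Items 3, 4, 5 and 6 of section H describe periodic log and account reviews but not how a vendor would evidence them. The following is an added example, not part of the questionnaire or of any UBC or vendor tooling: a small Python script that performs those four reviews over constructed sample data. The auth log lines, the account last-login table, the daily web log sizes, the business-hours window (07:00 to 19:00), the 90-day dormancy limit and the 2x size-change factor are all assumptions chosen for illustration, not thresholds the questionnaire sets.

```python
"""Monthly review helpers for section H items 3, 4, 5 and 6.

All data below is constructed for illustration; thresholds are assumptions.
"""
import re
from collections import Counter
from datetime import date

# Constructed sshd-style auth log lines (not real hosts or addresses).
AUTH_LOG = """\
Mar  3 02:14:07 app01 sshd[4412]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 02:14:11 app01 sshd[4412]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
Mar  3 02:14:15 app01 sshd[4412]: Failed password for root from 203.0.113.9 port 51026 ssh2
Mar  3 09:01:43 app01 sshd[5120]: Accepted publickey for deploy from 192.0.2.40 port 40122 ssh2
Mar  4 23:58:02 app01 sshd[6001]: Failed password for jsmith from 198.51.100.7 port 60001 ssh2
Mar  5 00:02:50 app01 sshd[6010]: Accepted password for jsmith from 198.51.100.7 port 60010 ssh2
"""

# Constructed table: account -> date of last successful login.
LAST_LOGIN = {
    "deploy": date(2024, 3, 3),
    "jsmith": date(2024, 3, 5),
    "svc_backup": date(2023, 10, 1),
    "contractor7": date(2023, 12, 20),
}

# Constructed daily web server log sizes in bytes (item 6).
WEB_LOG_SIZES = {
    "2024-03-01": 1_000_000,
    "2024-03-02": 1_050_000,
    "2024-03-03": 4_200_000,
    "2024-03-04": 1_100_000,
}

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} (\d{2}):\d{2}:\d{2})")


def failed_logins_by_source(log):
    """Item 4: count failed password attempts per source address."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def after_hours_successes(log, start_hour=7, end_hour=19):
    """Item 3: successful logins outside the (assumed) business-hours window."""
    hits = []
    for line in log.splitlines():
        accepted = ACCEPTED_RE.search(line)
        ts = TS_RE.match(line)
        if accepted and ts:
            hour = int(ts.group(2))
            if not (start_hour <= hour < end_hour):
                hits.append((accepted.group(1), accepted.group(2), ts.group(1)))
    return hits


def dormant_accounts(last_login, as_of, max_idle_days=90):
    """Item 5: accounts idle longer than the (assumed) dormancy limit."""
    return sorted(acct for acct, d in last_login.items()
                  if (as_of - d).days > max_idle_days)


def log_size_anomalies(daily_sizes, factor=2.0):
    """Item 6: flag days whose log size jumped or shrank by the given factor.

    Sudden growth can indicate scanning or abuse; a sudden shrink can indicate
    log truncation by an intruder.  Both deserve a look.
    """
    days = sorted(daily_sizes)
    flagged = {}
    for prev, cur in zip(days, days[1:]):
        ratio = daily_sizes[cur] / daily_sizes[prev]
        if ratio >= factor:
            flagged[cur] = "growth"
        elif ratio <= 1 / factor:
            flagged[cur] = "shrink"
    return flagged


def monthly_review(as_of=date(2024, 3, 31)):
    """Bundle the four checks into one record a reviewer can file as evidence."""
    return {
        "failed_logins": failed_logins_by_source(AUTH_LOG),
        "after_hours": after_hours_successes(AUTH_LOG),
        "dormant": dormant_accounts(LAST_LOGIN, as_of),
        "log_size": log_size_anomalies(WEB_LOG_SIZES),
    }


if __name__ == "__main__":
    for section, result in monthly_review().items():
        print(f"{section}: {result}")
```

Each function returns its findings rather than printing them, so the same script can feed a ticketing or evidence-retention step; the review dates, thresholds and the resulting record are what an assessor would ask the vendor to show for items 3 to 6.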
I. Physical Security. The vendor:    [Answer | Comments | UBC Comments]
1. Controls access to secure areas, e.g. key distribution management (both physical and electronic), paper/electronic logs, monitoring of facility doors, etc.
2. Controls access to server rooms and follows least-privilege and need-to-know practices for those facilities.
3. Has special safeguards in place for computer rooms, e.g. cipher locks, restricted access, room access logs, card-swipe access control, etc.
4. Shreds or incinerates printed confidential information.
5. Prohibits or encrypts confidential information on laptops and mobile devices.
6. Positions desktops that display confidential information so as to protect them from unauthorised viewing.
7. Escorts all visitors in computer rooms or server areas.
8. Implements appropriate environmental controls, where possible, to manage equipment risks, e.g. fire safety, temperature, humidity, battery backup, etc.
9. Has no external signage indicating the content or value of the server room or any room containing confidential customer information.
10. Provides an export copy of all of the customer's data in a mutually agreed-upon format at the end of the contract.
11. Follows forensically secure data destruction processes for confidential data on hard drives, tapes and removable media when it is no longer needed and at the end of the contract term.
Total Physical Controls: 0
J. Contingency. The vendor:    [Answer | Comments | UBC Comments]