Vendor Security Due Diligence Checklist
Vendor Company Name:
Primary Business Address:
City: _____________________________ State: _______ Zip: ___________
Years In Business: ________
Primary Industry Classification:
(e.g., ISP/Network, ASP/Hosting, Application Development, Managed Security, Consultancy)
Primary Business Contact Name:
Title:
Telephone:
Email:
Primary Security Contact Name:
Title:
Telephone:
Email:
TYPES OF SERVICES TO BE PROVIDED TO LVVWD/SNWA
Identify which services are being offered/provided to LVVWD/SNWA by vendor (check all that apply):
☐ Internet Service Provider (ISP) or Other Data Network Services.
☐ Commercial Co‐location/Cloud Hosting (Physical, Network, and/or System‐Level Only).
☐ Commercial Co‐location/Cloud Hosting (P, N, and S – plus Application/ASP‐Level).
☐ Original Application Development.
☐ Payment Processing Services.
☐ Outsourced Retail Sales/Fulfillment/Service.
Page 1 of 9
☐ Outsourced Commercial Business Operations Processing.
☐ Outsourced Healthcare‐Related Provider, Back‐Office, or Insurance Services.
☐ Managed Security Services Provider.
☐ Business/Marketing Consultancy Services.
☐ IT/Technical Consultancy Services.
☐ Independent Audit/Compliance Services.
☐ Other (include description):
MISSION‐CRITICALITY OF THE SERVICES BEING PROVIDED
Identify the underlying business criticality assumption(s) associated with the services being provided on
LVVWD/SNWA’s behalf (check all that apply):
☐ The service represents or supports a real‐time, human health or safety activity that requires 24x7x365 availability (and is covered under a formal SLA contract).
☐ The service represents or supports a real‐time, revenue generating activity that requires 24x7x365 availability (and is covered under a formal SLA contract).
☐ The service represents or supports a batch/periodic, revenue generating activity that requires general availability on the client’s behalf, but which may include agreed‐upon provisions for less than 99% availability due to scheduled or unscheduled outages.
☐ The service represents or supports an important business‐related back‐office support function that requires general availability to LVVWD/SNWA’s employees or customers, but which may include agreed‐upon provisions for less than 99% availability due to scheduled or unscheduled outages.
☐ The service represents or supports a non‐essential, ancillary, and/or value‐added function that is not generally subject to high‐availability requirements.
SENSITIVITY OF THE INFORMATION BEING HANDLED OR PROCESSED
Identify the sensitivity of the information being entrusted into the vendor’s care as a required element of the services
being offered to LVVWD/SNWA:
☐ The vendor will receive, handle, process, store, and/or transmit Personally Identifiable Information (PII) associated with LVVWD/SNWA’s customers, employees, or other involved parties. (PII includes, but is not limited to, names, addresses, SSNs, DLs, purchase histories, etc.)
☐ The vendor will receive, handle, process, store, and/or transmit Payment Cardholder Information (PCI) associated with LVVWD/SNWA’s customers. (PCI includes debit/credit card numbers, expiration dates, track 1/2 data, etc.)
☐ The vendor will receive, handle, process, store, and/or transmit Other Types of Financial Account/Payment Information associated with LVVWD/SNWA’s customers, employees, or other involved parties. (This can include bank/brokerage account numbers, ACH codes, balances, debts, etc.)
☐ The vendor will receive, handle, process, store, and/or transmit Private Health Information (PHI) associated with LVVWD/SNWA’s customers, employees, or other involved parties. (PHI can include paper/electronic health records, treatment data, etc.)
☐ The vendor will receive, handle, process, store, and/or transmit Competitive Business Information associated with LVVWD/SNWA’s operations (water delivery and billing), intellectual property, legal/compliance, or other types of data elements subject to confidentiality requirements.
☐ The vendor will receive, handle, process, store, and/or transmit Publicly Available Information associated with LVVWD/SNWA’s overall activities.
VENDOR‐MAINTAINED CYBER INSURANCE POLICY PROTECTIONS
1. Summarize the vendor’s current cyber liability insurance policy coverage to protect the vendor against
substantial monetary losses arising from either first‐party or third‐party liability risks. Identify whether the
policy covers LVVWD/SNWA losses via third‐party coverage or as an additional insured. Include policy limits
and whether it covers 1) Breach remediation and notification expenses, 2) Breach response counsel, 3)
Forensic investigation, 4) Credit monitoring services, 5) Regulatory fines and penalties, 6) Crisis management
and public relations, 7) Exclusions for mechanical failure, failure to maintain the computer network, failure to
maintain risk controls or lack of encryption:
OPEN‐ENDED QUESTIONS RELATING TO VENDOR’S SECURITY/PRIVACY
For the remainder of this form, supply the best possible written responses to the questions posed within each of the
following topic areas. Responses will be compared with LVVWD/SNWA’s own practices to determine whether the
vendor’s practices meet or exceed LVVWD/SNWA’s standards for the proposed services relationship.
INFORMATION SECURITY MANAGEMENT CAPABILITIES
1. If any vendor employees will have access to LVVWD/SNWA data, describe the vendor’s data security policies,
employee cyber security training, and employee background checks.
2. Describe the vendor’s Information Security team to include: size (in Full Time Employees), skills composition,
background checks, and indicate to what extent (if any) vendor employees will be assigned specifically to the
security oversight of LVVWD/SNWA’s data/activities entrusted to vendor:
3. If the vendor relies upon downstream vendors to provide security‐centric support services (e.g., an MSSP), identify
these vendors and the functions they will be providing as part of the service agreement with LVVWD/SNWA:
4. If any vendor subcontractors or non‐employees of the vendor will have access to LVVWD/SNWA data,
describe the subcontractor’s data security policies, the subcontractor’s employee cyber security training, and
subcontractor’s employee background checks.
REGULATORY/COMPLIANCE ACTIVITIES AND CERTIFICATIONS
1. Identify each of the relevant certifications (and latest compliance dates) maintained by the vendor that speak
to independent audit confirmation of the vendor’s security practices (examples include PCI DSS/ASV,
Sarbanes‐Oxley, SAS 70/SSAE 16, HIPAA/HITECH, GLBA, etc.):
2. If the most recent audit reports identified in question (1) revealed any security gaps or issues, briefly
summarize the steps that have been taken – or are still pending – to fully resolve them:
3. Beyond the scope of the formal audits identified in question (1), summarize any ongoing security‐related
audit activities that are regularly performed by the vendor’s in‐house security team or other third party
security firms, including the use of vulnerability scanning and/or penetration testing.
4. If healthcare‐related data is being managed by the vendor with the additional support of sub‐contractors,
indicate whether the vendor has obtained legally sufficient Business Associate Agreements for each of the
sub‐contractors who will potentially have access to LVVWD/SNWA’s PHI data:
PROTECTION/SEGREGATION OF LVVWD/SNWA DATA
1. When sensitive LVVWD/SNWA data (PII, PCI, PHI, Confidential business data) are entrusted to the vendor’s
care, identify how such data is segregated from that of other clients while in system storage (e.g., physical
segregation, logical segregation via VLANs/firewalls, separate DB instances, etc.):
2. Explain how the vendor encrypts LVVWD/SNWA data while in‐transit and/or at‐rest (including, where
possible, the names of the branded solutions being used and the size/strength of the encryption keys):
3. Describe how the vendor’s access to LVVWD/SNWA data is managed including account
provisioning/termination and role‐based assignments:
4. Describe how servers under the vendor’s control are hardened to minimize the use of non‐essential
commands, data, and TCP/IP ports/services prior to deploying and hosting LVVWD/SNWA data:
5. Identify branded cloud‐based solutions in use by the vendor and the extent to which the vendor can
guarantee that all client data is not stored, even temporarily, outside of United States borders:
6. If the vendor uses cloud‐based solutions to store or transmit LVVWD/SNWA data, describe who
(LVVWD/SNWA, vendor, vendor subcontractor, cloud provider, etc.) has access to the data, the defined trust
levels, and the authentication (include SAML/ADFS details) and transport mechanisms used:
7. Identify branded solutions the vendor uses for anti‐virus and malware prevention within the environment(s)
that transmit/house LVVWD/SNWA data:
8. Identify branded solutions the vendor uses for intrusion detection/prevention system (IDS/IPS) capabilities
within the environment(s) that transmit/house LVVWD/SNWA data:
9. Identify any branded solutions in use by the vendor that provide for effective data loss prevention (DLP),
security information event management (SIEM), distributed denial‐of‐service (DDoS) prevention or any other
types of advanced protection capabilities within the environment(s) that transmit/house LVVWD/SNWA data:
10. Identify branded solutions used by the vendor to provide for effective change management control and/or
automated system patching capabilities within the environment(s) that transmit/house LVVWD/SNWA data:
APPLICATION DEVELOPMENT SECURITY PRACTICES
1. To the extent that the vendor employs in‐house original code developers to create/maintain applications that
transmit/house/process mission‐critical and/or sensitive LVVWD/SNWA data, identify who is responsible for
security involving the requirements, design, coding, and testing of new/updated code:
2. Identify the extent to which all original code developers within the vendor’s employ have received either
formal or informal instruction regarding secure coding practices, such as those promulgated by OWASP or
other standards‐based entities:
3. Identify the extent to which all new/updated original code that will be utilized to transmit/house/process
mission‐critical and/or sensitive client data is subjected to a pre‐production source code analysis tool,
application‐level vulnerability scanning (utilizing a commercial solution such as IBM’s AppScan, HP’s
WebInspect, etc.) and/or active penetration testing – preferably by third party security vendors – prior to
final deployment decisions:
4. If the vendor relies upon third party code development vendors within this context, confirm that the vendor
has undertaken review of questions (1‐3) above with each of the outsourced vendors and has obtained
satisfactory responses in all cases.
SERVICE AVAILABILITY AND DISASTER RECOVERY CAPABILITIES
1. Identify the architectural and branded solution‐based capabilities by which the vendor has incorporated
high‐availability (e.g., HOT‐HOT, HOT‐WARM) technology solutions designed to ensure compliance with SLA terms
that require real‐time availability of services associated with the transmission/hosting/processing of
LVVWD/SNWA data:
2. Describe how the vendor’s system availability architecture is based upon geographically diverse placement of
nodes/domains to support the mission‐critical services involving LVVWD/SNWA data:
3. Describe how the vendor performs regular disaster recovery plan testing involving the network/system assets
that incorporate the transmission/hosting/processing of LVVWD/SNWA data:
4. Identify the extent to which UPS and longer‐term backup generator capacity exists at all vendor locations
that are involved in the hosting/processing of LVVWD/SNWA data:
INCIDENT RESPONSE AND PRIVACY CAPABILITIES
1. Describe the vendor’s overall incident response plan, including any pre‐made templates ready to use in the
event of an incident or data breach. Identify the timing and the manner in which LVVWD/SNWA will be
apprised of incidents and/or breaches and subsequent resolution tasks:
2. Describe the vendor’s capability to identify and respond to a potential data breach that could involve
unauthorized exposure of LVVWD/SNWA’s sensitive data while in the custody of vendor’s environment(s):
3. Identify the vendor’s access to skilled data forensics capabilities on either an in‐house or external standby
basis should the need ever arise:
4. Identify any significant information security or privacy breach incidents within the past two years that
negatively impacted any of the vendor’s clients, and briefly describe the efforts undertaken by the vendor to
address/resolve them, along with any changes to the vendor’s information security/privacy practices
designed to prevent recurrence.