Security Risk Assessment Question List
Security Risk Assessment Question List
As part of the evaluation and procurement process for any new applications or services, the following questions should be asked of the vendor. Responses should be reviewed by the CCS Information Security team to ensure that the security of University data and systems is ensured.
- What are the security controls in place to control, authorize, and audit access to University data?
- Do you use multi-factor or other Identity Management solutions?
- If the solution is cloud-based, how do you segment and isolate our customer tenant/instance and data from other customers?
- Do you own and operate your own data center or it outsourced to a third party or cloud-based service such as AWS?
- What applicable standards or certifications do you comply with? In particular, is your data center SOC2/3 certified?
- How do you segment your corporate network from your data center and customer data?
- Are you using Next Generation Firewalls and IPS to secure your Data Center customers from the internet?
- Do you employ application-specific protection, such as with Web Application Firewalls?
- What advanced malware detection software does you employ on your servers? Do these solutions have behavioural detection and response capabilities?
- Do you use application control/whitelisting on your servers?
- Are there additional security controls, processes, or risk management practices you can share?
- Are there security settings and controls that we, the customer, is responsible for managing?
Data Privacy Questions
- In what geographic area(s) will our data be stored?
- Aside from approved University of Guelph users, who has access to our data, and who approves this access? Are we notified when new users are approved?
- Who is considered the owner of any University of Guelph data stored in this application and your Data Centers?
- Who is liable for any breaches or unapproved exposure of our data?
- Will you use our data for analysis? If yes, describe how it will be used. Who approves this? Are we notified?
- Will you share our data with any 3rd parties? Will we be notified when this occurs?
- Please describe your data destruction processes. What happens with customer data when they are no longer a customer? How do you decommission data? What are the timelines?
- Is our data encrypted in motion? (i.e. transmitted over a network)
- Is our data encrypted at rest? (i.e. when stored on disk or in a database)
- If you are using encryption, what encryption technologies are used? How are keys stored and secured? Do you use Hardware Security Modules (HSM) for key management?
- Describe your disaster recovery (DR) and business continuity practices (BCP) including backup operations. How is our data protected for reliability and availability?
- Describe your incident response processes, and client notification of breaches. How and who do you notify when you have a security breach?
- Do you log all activity and review for malicious activity? If so, how is this done? I.e. are you using a SIEM?
- If this application requires a database, provide specific details on how the data is secured and what specific permissions are required for database access?
- What ports are used for access to this service/application?
- Do you follow a server hardening standard for all systems?
- How is vulnerability management handled on your servers? For example, how frequently are they scanned and patched for vulnerabilities?
- What is your software patch frequency and software update release process? What methodologies do you use for standardized and secure development?
Educause also offers a very comprehensive Higher Education Cloud Vendor Assessment Tool which can be found here - https://library.educause.edu/resources/2016/10/higher-education-cloud-vendor-assessment-tool
CCS Information Security
Last Updated: April 4, 2018