Security Risk Assessment Questionnaire.xlsx.xlsx

Risk Assessment Questionnaire

Los Angeles Superior Court Third Party Security Risk Assessment Questionnaire
Name of Company:
Company's Website:
Contact Person Completing the Assessment:
Email Address:
Phone Number:
Select the appropriate answer from the drop down in the Response column, and provide a brief description in the Comments section.
Information Security Assessment Questions | Response | Comments
Organizational Information Security
1 Do you have a member of your organization with dedicated information security duties?
2 Is a background check required for all employees accessing and handling the organization's data?
3 Does the organization have written information security policies?
3.1 If yes, please provide copies when responding to this assessment.
4 Does the organization have a written password policy that details the required structure of passwords?
4.1 How do you verify password strength?
5 Do all staff receive information security awareness training?
6 Does the organization employ a Data Classification and Retention Policy?
7 Does the organization have a formal change control process for IT changes?
8 Has the organization implemented an IT Governance framework such as ITIL, NIST, COBIT or ISO 27001?
9 Will your company be processing credit cards on behalf of the Los Angeles Superior Court?
9.1 If yes, is your company PCI DSS compliant? Please provide the certification or self-assessment report.
General Security
10 Is Endpoint Protection software installed on data processing servers and workstations?
11 Are system and security patches applied to workstations on a routine basis?
12 Are system and security patches applied to servers on a routine basis?
12.1 Are system and security patches tested prior to implementation in the production environment?
13 Do employees have a unique log-in ID with phishing-resistant MFA when accessing data?
14 Does the organization have security measures in place for data protection?
14.1 If yes, please describe them in the comments section.
15 Is access restricted to systems that contain sensitive data? (The Court considers Court Case data, financial data, employee/payroll data, social security numbers, and intellectual property data sensitive.)
15.1 If yes, what controls are currently in place to restrict access?
16 Is physical access to data processing equipment (servers and network equipment) restricted?
16.1 If yes, what controls are currently in place?
17 Is there a process for secure disposal of IT equipment, media, and customer data?
17.1 If yes, please describe it in the comments section.
18 Does the organization have a formal log management and retention policy and process?
18.1 If yes, please describe the scope and retention length in the comments section.
Network Security
19 Are network boundaries protected by firewalls?
20 Is regular network vulnerability scanning performed?
21 Are Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) used by your organization?
21.1 If yes, please describe them in the comments section.
22 Are employees required to use a VPN when accessing the organization's systems from all remote locations?
23 Is wireless access allowed in your organization?
23.1 If yes, please describe how it is protected in the comments section.
Systems Security
24 Are computer systems (servers) backed up according to a regular schedule?
24.1 Has the back-up and recovery process been verified?
24.2 Does the organization store backups offsite?
24.3 Does the organization encrypt its backups?
25 Does the organization replicate data to locations outside of the United States?
26 Does the organization outsource its data storage?
26.1 If yes, to whom is the data outsourced?
27 Is there formal control of access to System Administrator privileges?
27.1 If a shared tenant is used for SaaS, IaaS or PaaS, please describe the security measures that separate access between tenants.
28 Are servers configured to capture who accessed a system and what changes were made?
28.1 If no, in case of a security breach, how do you determine who accessed the system and what changes were made?
Business Continuity / Disaster Recovery
29 Does the organization have disaster recovery plans for data processing facilities?
29.1 Does the disaster recovery plan extend to organization-wide Business Continuity Plans?
30 Are computer rooms protected against fire and flood?
31 Does the organization have a "Hot" recovery site?
Incident Response
32 If an information security breach involving the Court's data occurred, would the Court be notified of the breach?
32.1 If yes, how soon would the Court be notified?
33 Does the organization have a formal Incident Response plan?
33.1 If yes, do you perform regular tabletop exercises?
34 Has the organization experienced an information security breach in the past three (3) years?
34.1 If so, please document in the comments section what information was lost and what the recovery process was.
34.2 If so, please document in the comments section how the clients were notified and how quickly.
Auditing / Client Reporting
35 Does the organization receive an SSAE-16 SOC Report?
35.1 If so, please document which type of SOC report is being obtained in the comments section. Please provide a copy of the latest SOC report.
35.2 If not, do you perform regular penetration testing, and can you provide a remediation attestation?
35.3 If not, does the organization allow clients the right to audit its systems and controls?
Application Development Security (Optional if Organization Services Do Not Include Proprietary Software)
36 Does your organization utilize a Secure SDLC process?
36.1 If yes, please provide a high-level description of the process in the comments section (include any threat modelling processes and code scanning activities).
36.2 If yes, do you conduct regular vulnerability testing or employ a bug bounty program?
37 Does the organization use contractors or third parties to develop its software?
37.1 Describe how the organization ensures its security policies are maintained by those third parties.
Data Privacy (Optional if the Organization Does Not Process or Store Personal Information)
38 Does the organization have a global privacy and data protection policy or policies? (Please submit a copy.)
39 Does the organization encrypt PII data at rest and in transit?
40 Does the organization provide privacy and personal data handling training to employees who have access to PII?
41 If processing or storing California residents' data, does the organization adhere to the CCPA?
41.1 Does the contract/master agreement provide for a privacy amendment covering processing activities?