Los Angeles Superior Court Third Party Security Risk Assessment Questionnaire

Name of Company:

Company's Website:

Contact Person Completing the Assessment:

Email Address:

Phone Number:

Select the appropriate answer from the drop down in the Response column, and provide a brief description in the Comments section.

Information Security Assessment Questions

Organizational Information Security

| # | Question | Response | Comments |
|---|---|---|---|
| 1 | Do you have a member of your organization with dedicated information security duties? | | |
| 2 | Is a background check required for all employees accessing and handling the organization's data? | | |
| 3 | Does the organization have written information security policies? | | |
| 3.1 | If yes, please provide copies when responding to this assessment. | | |
| 4 | Does the organization have a written password policy that details the required structure of passwords? | | |
| 4.1 | How do you verify password strength? | | |
| 5 | Do all staff receive information security awareness training? | | |
| 6 | Does the organization employ a Data Classification and Retention Policy? | | |
| 7 | Does the organization have a formal change control process for IT changes? | | |
| 8 | Has the organization implemented an IT Governance framework such as ITIL, NIST, COBIT or ISO 27001? | | |
| 9 | Will your company be processing credit cards on behalf of the Los Angeles Superior Court? | | |
| 9.1 | If yes, is your company PCI DSS compliant? Please provide certification or self-assessment report. | | |

General Security

| # | Question | Response | Comments |
|---|---|---|---|
| 10 | Is Endpoint Protection software installed on data processing servers and workstations? | | |
| 11 | Are system and security patches applied to workstations on a routine basis? | | |
| 12 | Are system and security patches applied to servers on a routine basis? | | |
| 12.1 | Are system and security patches tested prior to implementation in the production environment? | | |
| 13 | Do employees have a unique log-in ID with Phishing-Resistant MFA when accessing data? | | |
| 14 | Does the organization have security measures in place for data protection? | | |
| 14.1 | If yes, please describe in the comments section. | | |
| 15 | Is access restricted to systems that contain sensitive data? (The Court considers Court Case data, financial data, employee/payroll data, social security numbers, and intellectual property data sensitive.) | | |
| 15.1 | If yes, what controls are currently in place to restrict access? | | |
| 16 | Is physical access to data processing equipment (servers and network equipment) restricted? | | |
| 16.1 | If yes, what controls are currently in place? | | |
| 17 | Is there a process for secure disposal of IT equipment, media and customer data? | | |
| 17.1 | If yes, please describe in the comments section. | | |
| 18 | Does the organization have a formal log management and retention policy and process? | | |
| 18.1 | If yes, please describe the scope and retention length in the comments section. | | |

Network Security

| # | Question | Response | Comments |
|---|---|---|---|
| 19 | Are network boundaries protected by firewalls? | | |
| 20 | Is regular network vulnerability scanning performed? | | |
| 21 | Are Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) used by your organization? | | |
| 21.1 | If yes, please describe in the comments section. | | |
| 22 | Are employees required to use a VPN when accessing the organization's systems from all remote locations? | | |
| 23 | Is wireless access allowed in your organization? | | |
| 23.1 | If yes, please describe how it is protected in the comments section. | | |

Systems Security

| # | Question | Response | Comments |
|---|---|---|---|
| 24 | Are computer systems (servers) backed up according to a regular schedule? | | |
| 24.1 | Has the back-up and recovery process been verified? | | |
| 24.2 | Does the organization store backups offsite? | | |
| 24.3 | Does the organization encrypt its backups? | | |
| 25 | Does the organization replicate data to locations outside of the United States? | | |
| 26 | Does the organization outsource its data storage? | | |
| 26.1 | If yes, to whom is the data outsourced? | | |
| 27 | Is there formal control of access to System Administrator privileges? | | |
| 27.1 | If a shared tenant is used for SaaS, IaaS or PaaS, please describe the security measures used to separate access. | | |
| 28 | Are servers configured to capture who accessed a system and what changes were made? | | |
| 28.1 | If no, in case of a security breach, how do you determine who accessed the system and what changes were made? | | |

Business Continuity / Disaster Recovery

| # | Question | Response | Comments |
|---|---|---|---|
| 29 | Does the organization have disaster recovery plans for data processing facilities? | | |
| 29.1 | Does the disaster recovery plan extend to organization-wide Business Continuity Plans? | | |
| 30 | Are computer rooms protected against fire and flood? | | |
| 31 | Does the organization have a "Hot" recovery site? | | |

Incident Response

| # | Question | Response | Comments |
|---|---|---|---|
| 32 | If an information security breach involving the Court's data occurred, would the Court be notified of the breach? | | |
| 32.1 | If yes, how soon would the Court be notified? | | |
| 33 | Does the organization have a formal Incident Response plan? | | |
| 33.1 | If yes, do you perform regular tabletop exercises? | | |
| 34 | Has the organization experienced an information security breach in the past three (3) years? | | |
| 34.1 | If so, please document in the comments section what information was lost and what the recovery process was. | | |
| 34.2 | If so, please document in the comments section how the clients were notified and how quickly. | | |

Auditing / Client Reporting

| # | Question | Response | Comments |
|---|---|---|---|
| 35 | Does the organization receive an SSAE-16 SOC Report? | | |
| 35.1 | If so, please document which type of SOC report is being obtained in the comments section. Please provide a copy of the latest SOC report. | | |
| 35.2 | If not, do you perform regular penetration testing, and can you provide a remediation attestation? | | |
| 35.3 | If not, does the organization allow clients the right to audit its systems and controls? | | |

Application Development Security (Optional if Organization Services Do Not Include Proprietary Software)

| # | Question | Response | Comments |
|---|---|---|---|
| 36 | Does your organization utilize a Secure SDLC process? | | |
| 36.1 | If yes, please provide a high-level description of the process in the comments section (include any threat modelling processes and code scanning activities). | | |
| 36.2 | If yes, do you conduct regular vulnerability testing or employ a bug bounty program? | | |
| 37 | Does the organization use contractors or third parties to develop its software? | | |
| 37.1 | Describe how the organization ensures its security policies are maintained by the third parties. | | |

Data Privacy (Optional if the organization processes or stores personal information)

| # | Question | Response | Comments |
|---|---|---|---|
| 38 | Does the organization have a global privacy and data protection policy or policies? (Please submit a copy.) | | |
| 39 | Does the organization encrypt PII data at rest and in transmission? | | |
| 40 | Does the organization provide privacy and personal data handling training to employees who have access to PII? | | |
| 41 | If processing or storing California residents' data, does the organization adhere to the CCPA? | | |
| 41.1 | Does the contract/master agreement provide for a privacy amendment for processing activities? | | |