Vendor security checklist: 20 questions to ask a security vendor
If you own a business, choosing a vendor to meet your cybersecurity needs is not easy, but it is an important decision when it comes to safeguarding your customers’ personal and financial information. To help you, we have created this checklist of questions you should consider asking current or potential vendors.
It is not exhaustive, but it gives you a good start. For each question, ask for the evidence behind the answer (a policy document, a report, test results) rather than accepting a simple yes or no. If you don’t understand some or all of these questions, consider having a business partner or colleague help you interview vendors. And always put a service level agreement (SLA) and contract in place with the vendor so that all expectations are clearly articulated.
20 questions to ask a security vendor
1. Does your company have a pre-employment screening policy for employees and contractors? What is that process? What is your process for training them on security best practices?
2. Does your company have a written control plan that contains the administrative, technical and physical safeguards you use to collect, process, protect, store, transmit, dispose of, or otherwise handle our data (e.g., an information security plan)?
3. Does the system or application that will store our company data provide access control mechanisms (e.g., unique user IDs, password standards, multi-factor authentication, role-based access)?
4. How will you help me comply with all applicable privacy and security laws for my business?
5. What certifications or attestations, if any, does your company hold (e.g., ISO 27001, a SOC 2 report), and can you provide the documentation?
6. Does the system or application provide multi-tenant controls that separate our users and data from those of other customers within the service?
7. Does your company encrypt data in transit and data at rest where technically possible and legally permissible, and how are the encryption keys managed?
8. Are files and records reviewed, retained, and purged in accordance with legal requirements, contractual obligations and service level agreements?
9. What is your process for purging all of our files and records and revoking access upon completion of the service, task, or contract?
10. What is your commitment to response time if I have a question or emergency? Do you have “off” hours?
11. Does your company have written business continuity/disaster recovery plans, which are tested on a periodic basis?
12. Does your company take adequate steps to guard against unauthorized access to our company data (e.g., firewalls, network segmentation)? Please list the technologies and processes that are in place.
13. Does your company maintain up-to-date anti-virus, anti-malware and anti-spyware software and apply operating system security patches promptly? Please describe your patching process and cadence.
14. What will your company actively do to prevent security incidents or breaches, how often do you scan for and remediate vulnerabilities, and do you conduct penetration tests? Please elaborate.
15. Does your company have a written plan to promptly identify, report, and respond to security breaches involving our company data (e.g., an incident response plan), and within what timeframe will you notify us of a breach?
16. Would our company retain ownership of its data at all times?
17. Does your company hire an external audit firm to perform a compliance review of your operational controls?
18. Will third-party vendors used by your company (e.g., subcontractors, managed or shared hosting providers) be restricted from accessing our company’s system or application data?
19. Does your company provide assurance (in the form of a written report) of your and your third-party vendors’ security and controls while our customer data is being collected, processed and retained?
20. Can your company, and any relevant third-party service provider your company contracts with, share the results of your most recent security audit?
Hiring a security vendor is crucial to ensuring your customers’ personal and financial information is safe from hackers or other cybersecurity threats. Over the next few months, we’ll share greater insight and tips on other ways to safeguard your business and protect your customers’ financial information.