ISO Questionnaire


Rochdale Sixth Form College – Data Security Questionnaire

1. Data Centres

Physical Security

1. Do you manage and host your clients' websites, or are these hosted for you by a third party?
2. What certified standards do your data centre or hosting facilities meet?
3. What business continuity arrangements are in place for the physical environment?
4. What physical access restrictions are in place for unauthorised persons?

2. Human Resources Security – If data centres are not managed by your own staff, please reply for both your company and the 3rd party.

Prior to Employment

1. What checks are carried out on all permanent, temporary and contracting staff who are accessing the information or supporting this system?
2. Are staff required to sign confidentiality/non-disclosure agreements:
   1. As part of their contract of employment?
   2. Per customer contract?
3. What is your leavers process in relation to data security?
4. Are security roles and responsibilities defined for each member of staff?

3. Backup Facilities

1. What are your IT backup arrangements?
2. Is the backup location both off site and secured to restricted personnel?
3. Is the backup media protected by passwords and/or encryption? Please specify which, and to what level, i.e. the encryption standard if applicable.

4. Data Protection

Data at Rest

1. Is data encrypted within data centre storage? If so:
   1. Is this at a hardware level or a software level?
   2. What encryption standard is used?
   3. Is this deployed at all data centres in use?
2. Will all staff with access to THE data be named, including any 3rd party company personnel? If not, what staff groups could have access to THE data within your organisation and any other 3rd party?

Remote Data Access

1. Will your staff or 3rd party company staff have access to view THE data remotely, i.e. for support reasons? If yes, please state which 3rd party companies will be provided with access and provide assurance of their confidentiality agreements and security processes.
2. Are all remote access solutions fully secure? Please provide details of the remote access technical policy, i.e.:
   - Is all access from company-owned machines, or can staff use personally owned equipment to gain access?
   - Are machines encrypted, and is 2-factor authentication, or more, used for access?

5. Application Specific

Media Handling & Security

1. Will the design of the system be formally documented and stored securely?
2. Is information and software protected against fraudulent activity, contract dispute and disclosure or modification of information?
3. What controls are in place to separate customers' data stored on the same server?
4. Provide assurance that parameters being passed to your servers are not viewable by users, thereby allowing a change in the URL to gain access to another's account.
5. What security tests are in place and how often are they performed?

1. What network monitoring arrangements are in place? How will this ensure the security of our website?

Operational Procedures & Responsibilities

1. Are all development changes to systems authorised and recorded?

User Access Management

1. Explain the username syntax and how the first login process works, including whether users are forced to change passwords on first logon and how the 1st password is generated.
2. Are passwords and password files encrypted (on screen and in databases) and stored separately from the main application system data?
3. Is the use of generic accounts, shared or non-unique IDs prohibited?
4. Is the number of concurrent logons restricted?
5. Is system access disabled after a maximum number of login attempts?
6. Is there a formal procedure to remove obsolete accounts?

6. Compliance

Compliance with Legal Requirements

1. Please provide a copy of your Information Security Policy and any other policies you feel relevant to support your application, i.e. Remote Access Policy.
2. Do formal disposal procedures exist to ensure that THE data is destroyed and unrecoverable during hardware asset destruction / renewal programmes?
3. Do procedures exist for customers to be notified of any breach that involves either the locations where their data is resident or the data itself?
4. Have any breaches of physical or logical security controls taken place in the previous 24 months that involved potential or real exposure to client data?
   Reply: No

