At a 3rd party communication service vendor where I work, we occasionally (borderline regularly) see 3rd party security questionnaires from prospective customers, which are almost identical. Questions like:
Has an information security policy been implemented? Is there an access control policy based on the principle of least privilege that has been implemented and communicated to all employees? Are procedures in place to register and revoke individuals from resource access control lists? Are controls in place to provide access for authorized users based on business need and least privilage? And so on, for pages and pages. My question is - there's so much similarity in these questionnaires, I'd like to know where they come from. We'd like to prepare our "standard" one of these questionnaires, and when customers request one to be completed, we'd like to give them our standard generic version, to hopefully cut out a lot of the work necessary to complete them. If I can't find a source of a "generic" one, I'm going to have to create one from scratch, based on a difficult hand-merge of customer specific versions of these questionnaires we've received from customers. Do any of you use such questionnaires? (I'm sure some do.) Where did you get it from originally?
_______________________________________________ Discuss mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
