On 10/30/2013 10:46 AM, Edward Ned Harvey (lopser) wrote:
At a 3rd party communication service vendor where I work, we
occasionally (borderline regularly) see 3rd party security
questionnaires from prospective customers, which are almost identical.
Questions like:

Has an information security policy been implemented?

Is there an access control policy based on the principle of least
privilege that has been implemented and communicated to all employees?

Are procedures in place to register and revoke individuals from resource
access control lists?

Are controls in place to provide access for authorized users based on
business need and least privilege?

And so on, for pages and pages.

My question is - there's so much similarity in these questionnaires, I'd
like to know where they come from.  We'd like to prepare our "standard"
one of these questionnaires, and when customers request one to be
completed, we'd like to give them our standard generic version, to
hopefully cut out a lot of the work necessary to complete them.

If I can't find a source of a "generic" one, I'm going to have to create
one from scratch, based on a difficult hand-merge of customer specific
versions of these questionnaires we've received from customers.

Do any of you use such questionnaires?  (I'm sure some do.)  Where did
you get it from originally?


I meant to send this to the list, but wasn't paying enough attention :P

------------------------------------------------------------------------

It's very likely that they're getting the questionnaires, or samples at least, from their auditors. It sounds like they're doing due diligence.

I work at a small financial institution, and I know our auditors and regulators require that we do our due diligence and make sure all of our vendors, especially any considered critical, have policies and procedures in place to safeguard any information they may have about us or our customers.

I know there are samples provided by various regulatory bodies and auditors, and other companies likely look at those and may just use them verbatim.

Regards,

KouroshG


_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/