+1 Kourosh These sound a lot like the questions that were asked by the auditors during the semi-yearly interviews they did. Short of asking your insurance agent I don't know where you can find a "generic" version. I'm sure you could get most of the way there by combining a few of your customer question sheets together.
On Wed, Oct 30, 2013 at 11:06 AM, Kourosh@Sunsetsierra <[email protected]> wrote:
> On 10/30/2013 10:46 AM, Edward Ned Harvey (lopser) wrote:
>>
>> At a 3rd party communication service vendor where I work, we
>> occasionally (borderline regularly) see 3rd party security
>> questionnaires from prospective customers, which are almost identical.
>> Questions like:
>>
>> Has an information security policy been implemented?
>>
>> Is there an access control policy based on the principle of least
>> privilege that has been implemented and communicated to all employees?
>>
>> Are procedures in place to register and revoke individuals from resource
>> access control lists?
>>
>> Are controls in place to provide access for authorized users based on
>> business need and least privilege?
>>
>> And so on, for pages and pages.
>>
>> My question is - there's so much similarity in these questionnaires, I'd
>> like to know where they come from. We'd like to prepare our "standard"
>> one of these questionnaires, and when customers request one to be
>> completed, we'd like to give them our standard generic version, to
>> hopefully cut out a lot of the work necessary to complete them.
>>
>> If I can't find a source of a "generic" one, I'm going to have to create
>> one from scratch, based on a difficult hand-merge of customer specific
>> versions of these questionnaires we've received from customers.
>>
>> Do any of you use such questionnaires? (I'm sure some do.) Where did
>> you get it from originally?
>>
>
> I meant to send this to the list, but wasn't paying enough attention :P
>
> ------------------------------------------------------------------------
>
> It's very likely that they're getting the questionnaires, or samples at
> least, from their auditors. It sounds like they're doing due diligence.
>
> I work at a small financial institution, and I know our auditors and
> regulators require that we do our due diligence and make sure all of our
> vendors, especially any considered critical, have policies and procedures in
> place to safeguard any information they may have about us or our customers.
>
> I know there are samples provided by various regulatory bodies and auditors,
> and other companies likely look at those and may just use them verbatim.
>
> Regards,
>
> KouroshG
>
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
>

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
