Here you will find our ready-made checklist for supplier assessment.
Is there a formalized risk governance plan that defines the Enterprise Risk Management program requirements?
Does the risk governance plan include risk management policies, procedures, and internal controls?
Does the risk governance plan cover a range of assets, including people, processes, data and technology?
Is there a formalized Risk Assessment process that identifies, quantifies, and prioritizes risks based on the risk acceptance levels relevant to the organization?
Is there a program to manage the treatment of identified risks?
Do Subcontractors (e.g., backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, hosting providers, etc.) have access to scoped systems and data or processing facilities?
Is there a documented third-party risk management program in place for the selection, oversight and risk assessment of Subcontractors (e.g. service providers, dependent service providers, sub-processors)?
Does the third-party risk management program require business units to notify if there are new or changed subcontractors?
Does the third-party risk management program require Confidentiality and/or Non Disclosure Agreements from Subcontractors?
Does the third-party risk program require Subcontractors to notify if there are changes affecting services rendered?
Does the third-party risk management program require background checks performed for Service Provider Contractors and Subcontractors?
For all subcontractors requiring assessment, is there a contract?
Do contracts with all subcontractors include Non-Disclosure/Confidentiality Agreements?
Do contracts with all subcontractors include ownership of information, trade secrets and intellectual property?
Do contracts with all subcontractors include permitted use of confidential information?
Do contracts with all subcontractors include data breach notification?
Do contracts with all subcontractors include Indemnification/liability?
Do contracts with all subcontractors include termination/exit clause?
Do contracts with all subcontractors include breach of agreement terms?
Does the third party risk management program include an assigned individual or group responsible for capturing, maintaining and tracking subcontractor Information Security or other issues?
Does remediation reporting include a process to identify and log subcontractor information security, privacy and/or data breach issues?
Is there a set of information security policies that have been approved by management, published and communicated to constituents?
Have all policies been assigned to an owner responsible for reviewing and approving them periodically?
Have all information security policies and standards been reviewed in the last 12 months?
Are responsibilities for asset protection and for carrying out specific information security processes clearly identified and communicated to the relevant parties?
Are information security personnel (internal or outsourced) responsible for information security processes?
Are information security personnel responsible for the creation and review of information security policies?
Are information security personnel responsible for the review and/or monitoring of information security incidents or events?
Do all projects involving Scoped Systems and Data go through some form of information security assessment?
Is there an asset management program approved by management, communicated to constituents, with an owner assigned to maintain and review it?
Is there an asset inventory list or configuration management database (CMDB)?
Is there an acceptable use policy for information and associated assets that has been approved by management, communicated to appropriate Constituents and assigned an owner to maintain and periodically review the policy?
Is there a process to verify return of constituent assets (computers, cell phones, access cards, tokens, smart cards, keys, etc.) upon termination?
Is Information classified according to legal or regulatory requirements, business value, and sensitivity to unauthorized disclosure or modification?
Is an owner assigned to all Information Assets?
Are owners responsible to approve and periodically review access to Information Assets?
Is there a policy or procedure for information handling (storing, processing, and communicating) consistent with its classification that has been approved by management, communicated to appropriate constituents and assigned an owner to maintain and periodically review?
Does the policy or procedure for information handling include encryption requirements?
Does the policy or procedure for information handling include storage requirements including authorized use of Public Cloud storage?
Does the policy or procedure for information handling include electronic transmission security requirements including email, web, and file transfer services?
Does the policy or procedure for information handling include removable media (Thumb Drives, DVDs, Tapes, etc.) requirements?
Is there a data retention/destruction requirement that includes information on live media, backup/archived media, and information managed by Subcontractors?
Is Scoped Data sent or received via physical media?
Is Scoped Data sent or received electronically?
Is all Scoped Data sent or received electronically encrypted in transit while outside the network?
Does Scoped Data sent or received electronically include protection against malicious code by network virus inspection or virus scan at the endpoint?
Do scans performed on incoming and outgoing email include phishing prevention?
Are scoped systems or data stored or transferred in cloud-based public file sharing solutions? If yes, please explain in the 'Additional Information' field.
Is regulated or confidential Scoped Data stored electronically?
Is regulated or confidential Scoped Data stored in a database?
Is regulated or confidential Scoped Data stored in files?
Are encryption keys managed and maintained for Scoped Data?
Are encryption keys generated in a manner consistent with key management industry standards?
Is there an option for clients to manage their own encryption keys?
Are Constituents able to view clients' unencrypted Data?
Do Constituents have the ability to view an unencrypted version of regulated or confidential Information?
Are Human Resource policies approved by management, communicated to Constituents, with an owner assigned to maintain and review them?
Do Human Resource policies include Constituent background screening criteria?
Does Constituent background screening criteria include Criminal screening?
Are Constituents required to attend security awareness training?
Does the security awareness training program include an explanation of Constituents' security roles and responsibilities?
Does the security awareness training program include new hire and annual participation?
Does the Human Resource policy include a disciplinary process for non-compliance?
Does the Human Resource policy include Termination and/or change of status processes?
Is electronic access to systems containing scoped data removed within 24 hours for terminated constituents?
Is there a physical security program approved by management, communicated to constituents, and has an owner been assigned to maintain and review?
Are there physical security controls for all secured facilities (e.g., data centers, office buildings)?
Do the physical security controls include electronic controlled access system (key card, token, fob, biometric reader, etc.)?
Do the physical security controls include entry and exit doors alarmed (forced entry, propped open) and/or monitored by security guards?
Are there physical access controls that include restricted access and logs kept of all access?
Do physical access controls include collection of access equipment (badges, keys, change pin numbers, etc.) upon termination or status change?
Are physical access control procedures documented?
Do physical access controls require reporting of lost or stolen access cards/keys?
Are there environmental controls (e.g., Fire detection and suppression) in secured facilities to protect computers and other physical assets?
Are visitors permitted in the facility?
Do the Scoped Systems and Data reside in a data center?
Are locking screensavers on unattended system displays or locks on consoles required within the data center?
Is there a procedure for equipment removal from the data center?
Are management approved operating procedures utilized?
Is there an operational change management/Change Control policy or program that has been documented, approved by management, communicated to appropriate Constituents and assigned an owner to maintain and review the policy?
Are changes to the production environment, including network, systems, application updates, and code changes, subject to the change control process?
Does the change control process include a formal process to ensure clients are notified prior to changes being made which may impact their service?
Does the change control process include a scheduled maintenance window?
Does the change control process include a scheduled maintenance window which results in client downtime?
Are Information security requirements specified and implemented when new systems are introduced, upgraded, or enhanced?
Are new, upgraded or enhanced systems required to include a determination of security requirements based on the sensitivity of the data?
Do systems and network devices utilize a common time synchronization service?
Is there an access control program that has been approved by management, communicated to Constituents and an owner to maintain and review the program?
Are Constituents able to access Scoped Data?
Are clients allowed to manage access to their own systems and data?
Is there a set of rules governing the way IDs are created and assigned?
Are unique IDs required for authentication to applications, operating systems, databases and network devices?
Is there a process to request and receive approval for access to systems transmitting, processing or storing Scoped Systems and Data?
Is access to applications, operating systems, databases, and network devices provisioned according to the principle of least privilege?
Is there segregation of duties for granting access and approving access to Scoped Systems and Data?
Is there segregation of duties for approving and implementing access requests for Scoped Systems and Data?
Is access to systems that store or process scoped data limited?
Are passwords used?
Is there a password policy for systems that transmit, process or store Scoped Systems and Data that has been approved by management, communicated to constituents, and enforced on all platforms and network devices? If no, please explain in the 'Additional Information' field.
Does the password policy apply to both Constituent and client passwords? If no, please explain in the 'Additional Information' field.
Does the password policy define specific length and complexity requirements for passwords?
Does the password policy require a minimum password length of at least eight characters?
Are complex passwords (mix of upper case letters, lower case letters, numbers, and special characters) required on systems transmitting, processing, or storing Scoped Data?
Does the password policy prohibit a PIN or secret question as a possible stand-alone method of authentication?
Does the password policy define requirements for provisioning and resetting passwords?
Does the password policy require initial and temporary passwords to be changed upon next login?
Does the password policy require initial and temporary passwords to be random and complex?
Is password reset authority restricted to authorized persons and/or an automated password reset tool?
Does the password policy require changing passwords at regular intervals?
Does the password policy require keeping passwords confidential?
Does the password policy prohibit users from sharing passwords?
Does the password policy prohibit keeping an unencrypted record of passwords (paper, software file or handheld device)?
Does the password policy prohibit including unencrypted passwords in automated logon processes (e.g., stored in a macro or function key)?
Does the password policy require passwords to be encrypted in transit?
Does the password policy require passwords to be encrypted or hashed in storage?
Are user IDs and passwords communicated/distributed via separate media (e.g., e-mail and phone)?
Does the password policy require changing passwords when there is an indication of possible system or password compromise?
Is Multi-factor Authentication deployed?
Does system policy require terminating or securing active sessions when finished?
Does system policy require logoff from terminals, PC or servers when the session is finished?
Is there a process for reviewing access?
Are user access rights reviewed periodically?
Are privileged user access rights reviewed periodically?
Are access rights reviewed when a constituent changes roles?
Are inactive Constituent user IDs disabled and deleted after defined periods of inactivity?
Are applications used to transmit, process or store Scoped Data?
Are outside development resources utilized?
Are system, vendor, or service accounts disallowed for normal operations and monitored for usage?
Are web applications configured to follow best practices or security guidelines (e.g., OWASP)?
Is data input into applications validated?
Are Scoped Systems and Data used in the test, development, or QA environments?
Is application development performed?
Is there a formal Software Development Life Cycle (SDLC) process?
Is there a secure software development lifecycle policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
Is there a documented change management/change control process for applications with Scoped Data?
Does the application change management/change control process include change control procedures required for all changes to the production environment?
Does the application change management/change control process include testing prior to deployment?
Does the application change management/change control process include stakeholder communication and/or approvals?
Does the application change management/change control process include documentation for all system changes?
Does the application change management/change control process include version control for all software?
Does the application change management/change control process include logging of all Change Requests?
Are applications evaluated from a security perspective prior to promotion to production?
Is open source software or libraries used to transmit, process or store Scoped Data?
Is a Secure Code Review performed regularly?
Do secure code reviews include regular analysis of vulnerability to recent attacks?
Are identified security vulnerabilities remediated prior to promotion to production?
Does the SDLC process include communicating known un-remediated vulnerabilities to the Security Monitoring and Response group for awareness and monitoring?
Is a web site supported, hosted or maintained that has access to Scoped Systems and Data?
Do you have logical or Physical segregation between web, application and database components? i.e., Internet, DMZ, Database?
Are Web Servers used for transmitting, processing or storing Scoped Data?
Are reviews performed to validate compliance with documented web server software security standards?
Is HTTPS enabled for all web pages?
Are sample applications and scripts removed from web servers?
Are available high-risk web server software security patches applied and verified at least monthly?
Are web server software versions that no longer have security patches released prohibited?
Is sufficient detail contained in Web Server and application logs to support incident investigation, including successful and failed login attempts and changes to sensitive configuration settings and files?
Are Web Server and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access?
Is an API available to clients?
Are mobile applications that access Scoped Systems and Data developed?
Are any actions performed by the mobile application to access, process, transmit or locally store scoped systems and data?
Is there an established incident management program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?
Is there a formal Incident Response Plan?
Does the Incident Response Plan include guidance for escalation procedure?
Does the Incident Response Plan include actions to be taken in the event of an information security event?
Are events on Scoped Systems or systems containing Scoped Data relevant to supporting incident investigation regularly reviewed using a specific methodology to uncover potential incidents?
Does regular security monitoring include malware activity alerts such as uncleaned infections and suspicious activity?
Is there an established business resiliency program that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the program?
Does the business resiliency program include a formal annual (or more frequent) executive management review of business continuity key performance indicators, accomplishments, and issues?
Do the products and/or services specified in the scope of this assessment fall within the scope of the Business Resiliency program?
Are formal business continuity procedures developed and documented?
Has senior management assigned the responsibility for the overall management of critical response and recovery efforts?
Is there a periodic (at least annual) review of your Business Resiliency procedures?
Are there any dependencies on critical third party service providers?
Is communication in the event of a disruption that impacts the delivery of key service provider products and services required?
Is there a formal, documented Information Technology Disaster Recovery exercise and testing program in place?
Is there an annual schedule of planned Disaster Recovery and other Business Resiliency exercises and tests?
Are backups of Scoped Systems and Data performed?
Is there a policy or process for the backup of production data?
Are backups protected from ransomware attacks?
Are backup media and restoration procedures tested at least annually?
Are backup and replication errors reviewed and resolved as required?
Is backup media stored offsite?
Are backups containing Scoped Data stored in an environment where the security controls protecting them are equivalent to production environment security controls?
Are there policies and procedures to ensure compliance with applicable legislative, regulatory and contractual requirements?
Is there a documented process to identify and assess regulatory changes that could significantly affect the delivery of products and services?
Is there an internal audit, risk management, or compliance department, or similar management oversight unit with responsibility for assessing, identifying and tracking resolution of outstanding regulatory issues?
Does the audit function have independence from the lines of business?
Are audits performed to ensure compliance with applicable statutory, regulatory, contractual or industry requirements?
Is there a set of policies and procedures that address required records management and compliance reporting?
Are internal management reporting and/or external reporting to government agencies maintained in accordance with applicable law?
Do employees undergo annual training regarding company expectations related to non-disclosure of insider information, code of conduct, conflicts of interest, and compliance and ethics responsibilities?
Will this engagement include any call center related services?
Are marketing or selling activities conducted directly to Client's customers?
Is training conducted for Constituents who have direct customer contact regarding consumer protection compliance responsibilities?
Is there an incentive or compensation program for Constituents who directly sell/market to Client customers? If yes, please describe in the 'Additional Information' field.
Are there documented policies and procedures to ensure compliance with applicable laws and regulations including Unfair, Deceptive, or Abusive Acts or Practices?
Are collections activities conducted directly to Client's customers?
Are terms of sale, dispute and/or return of goods procedures available online?
Are there direct interactions with your client's customers?
Is there a documented process to receive and respond to complaints, inquiries and requests from business or trade associations (e.g. BBB, GMOs, chambers of commerce, PCI Council) and from government agencies, including state attorneys general?
Is there a documented escalation and resolution process to address specific complaints to management and the client?
Are documented policies and procedures maintained to enforce applicable legal, regulatory or contractual cybersecurity obligations?
Are client audits and/or risk assessments permitted?
Is evidence of internal controls available during a client assessment?
Are controls validated by independent, third party auditors or information security professionals?
Is there a compliance program or set of policies and procedures that address internal and external Fraud Detection and Fraud Prevention?
Are accounts opened, financial transactions initiated or other account maintenance activity (e.g., applying payments, address changes, receiving payments, transferring funds, etc.) through either electronic, telephonic, written or in-person requests made on behalf of your clients' customers?
Are there policies and procedures to address payments compliance in the delivery of the product or services if required by regulation?
Are electronic commerce web sites or applications used to transmit, process or store Scoped Systems and Data?
Are all transaction details i.e., payment card info and information about the parties conducting transactions, prohibited from being stored in the Internet facing DMZ?
Are policies and procedures in place to restrict activities or transactions for sanctioned countries (e.g. country blocking)?
Are there compliance and sanction checks (e.g., Office of Foreign Assets Controls - OFAC) performed against customers, suppliers and third parties?
Is there a sanctions compliance program or set of policies and procedures that address obligations for Office of Foreign Assets Controls (OFAC) requirements?
Are End User Devices (Desktops, Laptops, Tablets, Smartphones) used for transmitting, processing or storing Scoped Data?
Are end user device security configuration standards documented?
Are Activity alerts such as uncleaned infections and suspicious activity reviewed and actioned at least weekly for all end user devices?
Are defined procedures in place to identify and correct systems without anti-virus at least weekly for all end user devices?
Are Constituents allowed to utilize mobile devices within your environment?
Can Constituents access corporate e-mail using mobile devices?
Is there a mobile device management program in place that has been approved by management and communicated to appropriate Constituents?
Are personal computers (PCs) used to transmit, process or store Scoped Systems and Data?
Are non-company managed PCs used to connect to the company network?
Is there a policy that defines network security requirements that is approved by management, communicated to Constituents and has an owner to maintain and review?
Is there an approval process prior to installing a network device?
Are there security and hardening standards for network devices, including Firewalls, Switches, Routers and Wireless Access Points (baseline configuration, patching, passwords, Access control)?
Are all network device administrative interfaces configured to require authentication and encryption?
Are default passwords changed or disabled prior to placing network devices into production?
Is there sufficient detail contained in network device logs to support incident investigation?
Are all available high-risk security patches applied and verified on network devices?
Are network technologies used to isolate critical and sensitive systems into network segments separate from those with less sensitive systems?
Is every connection to an external network (e.g., The Internet, partner networks) terminated at a firewall?
Do network devices deny all access by default?
Do the firewalls have any rules that permit 'any' network, sub network, host, protocol or port on any of the firewalls (internal or external)?
Is there a policy that defines the requirements for remote access from external networks to networks containing Scoped Systems and Data that has been approved by management and communicated to constituents?
Are encrypted communications required for all remote network connections from external networks to networks containing Scoped Systems and Data?
Is remote administration of organizational assets approved, logged, and performed in a manner that prevents unauthorized access?
Are encrypted communications required for all remote system access?
Are Baseboard Management Controllers (BMCs) enabled on any servers or other devices?
Is the default password changed on all BMCs?
Are all BMCs configured on network address ranges reserved specifically for BMCs and no other devices?
Are BMC firmware updates monitored regularly and applied at the first available maintenance window?
Are Network Intrusion Detection capabilities employed?
Is there a DMZ environment within the network that transmits, processes or stores Scoped Systems and Data?
Are wireless networking devices connected to networks containing Scoped Systems and Data?
Is there a wireless policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
Does the Wireless Security Policy require wireless connections to be secured with WPA2, and encrypted using AES or CCMP?
Is there collection of, access to, processing of, or retention of any client scoped Data that includes any classification of non-public personal information or personal data of individuals?
Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified as personally identifiable financial information under the Gramm-Leach-Bliley Act?
Does the client scoped data include the disclosure of account numbers or identifiers to the consumer's account?
Does the contract limit the usage of the account number information?
Is client scoped data collected, accessed, processed, or retained that can be classified as consumer report information or derived from a consumer report under the Fair and Accurate Credit Reporting Act (FACTA)?
Are policies and procedures for secure disposal of consumer information maintained to prevent the unauthorized access to or use of information in a consumer report or information derived from a consumer report?
Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified as protected health information (PHI) or other higher healthcare classifications of privacy data under the U.S. Health Insurance Portability and Accountability Act?
Are there documented policies and procedures to detect and report unauthorized acquisition, use, or disclosure of PHI client scoped data?
Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under U.S. State Privacy Regulations (e.g., CA, MA, NY, NV, WA, CO)?
If client scoped data includes data of California residents, does the contract prohibit the vendor from retaining, using or disclosing the personal information for any commercial purpose other than the specific purpose of performing the services?
Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified as European Union covered Personal Data, or Sensitive Personal Data (e.g., genetic data, biometric data, health data)?
Is Client scoped data collected, transmitted, processed or retained that can be classified as Personal Information as defined by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) or Canadian Provincial Privacy Regulations?
Are there contractual obligations and procedures defined to address breach notification to the client, including maintenance of record-keeping obligations for all breaches?
Is client scoped data collected, accessed, transmitted, processed or retained that can be classified as Cardholder Data (CHD) within a Cardholder Data Environment (CDE) for credit card processing?
Is a Report on Compliance (ROC), or Self-Assessment Questionnaire (SAQ) and Attestation of Compliance for Service Providers (AOC) available? If yes, please provide it and note in additional comments the type of third party assurance documentation.
Is client-scoped data of minors collected, transmitted, processed or stored that can be classified under the Children's Online Privacy Protection Act?
Does the organization maintain an external safe harbor certification for children's privacy? If yes, please indicate the certifying organization and a link to current status.
Is there a designated organizational structure or function responsible for data privacy or data protection as it relates to client-scoped privacy data?
Is documentation of data flows and/or data inventories maintained for client scoped privacy data based on data or asset classification?
Is there a documented privacy policy and are procedures maintained for the protection of information collected, transmitted, processed, or maintained on behalf of the client?
Are regular privacy impact risk assessments conducted? If yes, please provide frequency and scope in 'Additional Information' field.
Is a Training and Awareness Program maintained that addresses data privacy and data protection obligations based on role?
Does the organization have or maintain internet-facing website(s), mobile applications, or other digital services or applications that collect, use, or retain client-scoped private data and are used directly by individuals?
Is personal data collected directly from an individual on behalf of the client?
Are there documented privacy policies and procedures that address choice and consent based on the statutory, regulatory, or contractual obligations to provide privacy protection for client-scoped privacy data?
For client-scoped Data, is personal data provided to the organization directly by the client?
Are there documented policies and operating procedures regarding limiting the personal data collected and its use to the minimum necessary?
Are there controls in place to ensure that the collection and usage of client scoped data or personal information used or processed by the organization is limited and in compliance with applicable law?
Is there a documented records retention policy and process with defined schedules that ensure that Personal Information is retained for no longer than necessary?
Are Individuals informed about their rights to access, review, update, and correct their personal information which is maintained by the organization?
Are policies and procedures in place to address third party privacy obligations including limitations on disclosure and use of client scoped data?
Do fourth parties (e.g., subcontractors, sub-processors, sub-service organizations) have access to or process client-scoped data?
Is there a documented data protection program with administrative, technical, and physical and environmental safeguards for the protection of client-scoped Data?
Is there a documented policy or process to maintain accurate, complete and relevant records of client scoped data?
Is there a data privacy or data protection function that maintains enforcement and monitoring procedures to address compliance for its privacy obligations for client-scoped privacy data?
Are there policies and processes in place to address privacy inquiries, complaints and disputes?
Are Windows servers used as part of the Scoped Services?
Is there an anti-malware policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
Does the anti-malware policy or program include defined operating systems that require antivirus?
Does the approved anti-malware policy or program mandate an interval between the availability of a new anti-malware signature update and its deployment no longer than 24 hours?
Is there a vulnerability management policy or program that has been approved by management, communicated to appropriate constituents, and an owner assigned to maintain and review the policy?
Are network vulnerability scans performed against internal networks and systems?
Are network vulnerability scans performed against internet-facing networks and systems?
Do network vulnerability scans occur at least monthly?
Do you deliver software, firmware, and/or BIOS updates to clients through automatic downloads (e.g. Windows Update, LiveUpdate)?
Is there a documented process in place to protect against and detect attacks against automatic software update mechanisms?
Are Servers used for transmitting, processing or storing Scoped Data?
Are server security configuration standards documented and based on external industry or vendor guidance?
Are server security configuration reviews performed regularly to validate compliance with documented standards?
Are all servers configured according to security standards as part of the build process?
Are all unnecessary/unused services uninstalled or disabled on all servers?
Are vendor default passwords removed, disabled or changed prior to placing any device or system into production?
Is sufficient detail contained in Operating System and application logs to support security incident investigations (at a minimum, successful and failed login attempts, and changes to sensitive configuration settings and files)?
Are all systems and applications patched regularly?
Are there any Operating System versions in use within the Scoped Services that no longer have patches released? If yes, please describe in the 'Additional Information' section.
Is Unix or Linux used as part of the Scoped Services?
Are users required to 'su' or 'sudo' into root?
Are AS/400s used as part of the Scoped Services?
Are Mainframes used as part of the Scoped Services?
Are Hypervisors used to manage systems used to transmit, process or store Scoped Data?
Are Hypervisor hardening standards applied on all Hypervisors?
Are Hypervisor Standard builds/security compliance checks required?
Are Hypervisors kept up to date with current patches?
Are unnecessary/unused Hypervisor services turned off?
Is sufficient information in Hypervisor logs to evaluate incidents?
Are Containers (e.g., Docker, Kubernetes, OpenShift) used to process or store Scoped Data?
Is there a Data Container Security policy approved by management, communicated to constituents and an owner to maintain and review?
Are Cloud Hosting services (IaaS) provided?
Is there an Internet-accessible self-service portal available that allows clients to configure security settings and view access logs, security events and alerts?
Are Cloud Hosting services subcontracted?
Is there a management approved process to ensure that backup image snapshots containing Scoped Data are authorized by Outsourcer prior to being snapped?
Are backup image snapshots containing Scoped Data stored in an environment where the security controls protecting them are commensurate with the production environment?
Are default hardened base virtual images applied to virtualized operating systems?
Does the Cloud Hosting Provider provide independent audit reports (e.g., Service Operational Control - SOC) for their cloud hosting services?
Is the Cloud Service Provider certified by an independent third party for compliance with domestic or international control standards (e.g., the National Institute of Standards and Technology - NIST, the International Organization for Standardization - ISO)?