Is there a formalized risk governance plan that defines the Enterprise Risk Management program requirements?

Yes

Does the risk governance plan include risk management policies, procedures, and internal controls?

Yes

Does the risk governance plan include range of assets to include: people, processes, data and technology?

Yes

Is there a formalized Risk Assessment process that identifies, quantifies, and prioritizes risks based on the risk acceptance levels relevant to the organization?

Yes

Is there a program to manage the treatment of identified risks?

Yes

Do Subcontractors (e.g., backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, hosting providers, etc.) have access to scoped systems and data or processing facilities?

Yes

Is there a documented third-party risk management program in place for the selection, oversight and risk assessment of Subcontractors (e.g. service providers, dependent service providers, sub-processors)?

Yes

Does the third-party risk management program require business units to notify if there are new or changed subcontractors?

Yes

Does the third-party risk management program require Confidentiality and/or Non Disclosure Agreements from Subcontractors?

Yes

Does the third-party risk program require Subcontractors to notify if there are changes affecting services rendered?

Yes

Does the third-party risk management program require background checks performed for Service Provider Contractors and Subcontractors?

Yes

For all subcontractors requiring assessment, is there a contract?

Yes

Do contracts with all subcontractors include Non-Disclosure/Confidentiality Agreements?

Yes

Do contracts with all subcontractors include ownership of information, trade secrets and intellectual property?

Yes

Do contracts with all subcontractors include permitted use of confidential information?

Yes

Do contracts with all subcontractors include data breach notification?

Yes

Do contracts with all subcontractors include Indemnification/liability?

Yes

Do contracts with all subcontractors include termination/exit clause?

Yes

Do contracts with all subcontractors include breach of agreement terms?

Yes

Does the third party risk management program include an assigned individual or group responsible for capturing, maintaining and tracking subcontractor Information Security or other issues?

Yes

Does remediation reporting include a process to identify and log subcontractor information security, privacy and/or data breach issues?

Yes

Is there a set of information security policies that have been approved by management, published and communicated to constituents?

Additional information
Yes

Have all policies been assigned to an owner responsible for review and approve periodically?

Yes

Have all information security policies and standards been reviewed in the last 12 months?

Yes

Are responsibilities for asset protection and for carrying out specific information security processes clearly identified and communicated to the relevant parties?

Yes

Are information security personnel (internal or outsourced) responsible for information security processes?

Additional information
Yes

Are information security personnel responsible for the creation, and review of information security policies?

Additional information
Yes

Are information security personnel responsible for the review and/or monitoring information security incidents or events?

Additional information
Yes

Do all projects involving Scoped Systems and Data go through some form of information security assessment?

Yes

Is there an asset management program approved by management, communicated to constituents and an owner to maintain and review?

Additional information
No

Is there an asset Inventory list or configuration management Database (CMDB)?

Yes

Is there an acceptable use policy for information and associated assets that has been approved by management, communicated to appropriate Constituents and assigned an owner to maintain and periodically review the policy?

Yes

Is there a process to verify return of constituent assets (computers, cell phones, access cards, tokens, smart cards, keys, etc.) upon termination?

Additional information
Yes

Is Information classified according to legal or regulatory requirements, business value, and sensitivity to unauthorized disclosure or modification?

Yes

Is an owner assigned to all Information Assets?

No

Are owners responsible to approve and periodically review access to Information Assets?

No

Is there a policy or procedure for information handling (storing, processing, and communicating) consistent with its classification that has been approved by management, communicated to appropriate constituents and assigned an owner to maintain and periodically review?

Yes

Does the policy or procedure for information handling include encryption requirements?

Yes

Does the policy or procedure for information handling include storage requirements including authorized use of Public Cloud storage?

Additional information
No

Does the policy or procedure for information handling include electronic transmission security requirements including email, web, and file transfer services?

Additional information
Yes

Does the policy or procedure for information handling include removable media (Thumb Drives, DVDs, Tapes, etc.) requirements?

Yes

Is there a data retention/destruction requirement that includes information on live media, backup/archived media, and information managed by Subcontractors?

Additional information
Yes

Is Scoped Data sent or received via physical media?

No

Is Scoped Data sent or received electronically?

Yes

Is all Scoped Data sent or received electronically encrypted in transit while outside the network?

Yes

Does Scoped Data sent or received electronically include protection against malicious code by network virus inspection or virus scan at the endpoint?

Additional information
Yes

Do scans performed on incoming and outgoing email include phishing prevention?

Yes

Are scoped systems or data stored or transferred in cloud-based public file sharing solutions? If yes, please explain in the 'Additional Information' field.

No

Is regulated or confidential Scoped Data stored electronically?

Yes

Is regulated or confidential Scoped Data stored in a database?

Yes

Is regulated or confidential Scoped Data stored in files?

Yes

Are encryption keys managed and maintained for Scoped Data?

Yes

Are encryption keys generated in a manner consistent with key management industry standards?

Yes

Is there an option for clients to manage their own encryption keys?

Additional information
No

Are Constituents able to view client's unencrypted Data?

Additional information
Yes

Do Constituents have the ability to view an unencrypted version of regulated or confidential Information?

Additional information
Yes

Are Human Resource policies approved by management, communicated to Constituents and an owner to maintain and review?

Additional information
Yes

Do Human Resource policies include Constituent background screening criteria?

Yes

Does Constituent background screening criteria include Criminal screening?

Yes

Are Constituents required to attend security awareness training?

Yes

Does the security awareness training program include an explanation of Constituents' security roles and responsibilities?

Yes

Does the security awareness training program include new hire and annual participation?

Yes

Does the Human Resource policy include a disciplinary process for non-compliance?

Yes

Does the Human Resource policy include Termination and/or change of status processes?

Yes

Is electronic access to systems containing scoped data removed within 24 hours for terminated constituents?

Yes

Is there a physical security program approved by management, communicated to constituents, and has an owner been assigned to maintain and review?

Yes

Are there physical security controls for all secured facilities (e.g., data centers, office buildings)?

Yes

Do the physical security controls include electronic controlled access system (key card, token, fob, biometric reader, etc.)?

Yes

Do the physical security controls include entry and exit doors alarmed (forced entry, propped open) and/or monitored by security guards?

Yes

Are there physical access controls that include restricted access and logs kept of all access?

Yes

Do physical access controls include collection of access equipment (badges, keys, change pin numbers, etc.) upon termination or status change?

Yes

Are physical access control procedures documented?

Yes

Do physical access controls require reporting of lost or stolen access cards/keys?

Yes

Are there environmental controls (e.g., Fire detection and suppression) in secured facilities to protect computers and other physical assets?

Yes

Are visitors permitted in the facility?

No

Do the Scoped Systems and Data reside in a data center?

Yes

Are locking screensavers on unattended system displays or locks on consoles required within the data center?

Yes

Is there a procedure for equipment removal from the data center?

Additional information
Yes

Are management approved operating procedures utilized?

Yes

Is there an operational change management/Change Control policy or program that has been documented, approved by management, communicated to appropriate Constituents and assigned an owner to maintain and review the policy?

Yes

Do changes to the production environment including network, systems, application updates, and code changes subject to the change control process?

Yes

Does the change control process include a formal process to ensure clients are notified prior to changes being made which may impact their service?

Additional information
Yes

Does the change control process include a scheduled maintenance window?

Yes

Does the change control process include a scheduled maintenance window which results in client downtime?

Yes

Are Information security requirements specified and implemented when new systems are introduced, upgraded, or enhanced?

Yes

Are new, upgraded or enhanced systems required to include a determination of security requirements based on the sensitivity of the data?

Yes

Do systems and network devices utilize a common time synchronization service?

Yes

Is there an access control program that has been approved by management, communicated to Constituents and an owner to maintain and review the program?

Additional information
Yes

Are Constituents able to access Scoped Data?

Additional information
No

Are clients allowed to manage access to their own systems and data?

No

Is there a set of rules governing the way IDs are created and assigned?

Yes

Are unique IDs required for authentication to applications, operating systems, databases and network devices?

Yes

Is there a process to request and receive approval for access to systems transmitting, processing or storing Scoped Systems and Data?

Yes

Is access to applications, operating systems, databases, and network devices provisioned according to the principle of least privilege?

Yes

Is there segregation of duties for granting access and approving access to Scoped Systems and Data?

Yes

Is there segregation of duties for approving and implementing access requests for Scoped Systems and Data?

Yes

Is access to systems that store or process scoped data limited?

Yes

Are passwords used?

Yes

Is there a password policy for systems that transmit, process or store Scoped Systems and Data that has been approved by management, communicated to constituents, and enforced on all platforms and network devices? If no, please explain in the 'Additional Information' field.

Yes

Does the password policy apply to both Constituent and client passwords? If no, please explain in the 'Additional Information' field

Yes

Does the password policy define specific length and complexity requirements for passwords?

Yes

Does the password policy require a minimum password length of at least eight characters?

Yes

Are complex passwords (mix of upper case letters, lower case letters, numbers, and special characters) required on systems transmitting, processing, or storing Scoped Data?

Yes

Does the password policy prohibit a PIN or secret question as a possible stand-alone method of authentication?

No

Does the password policy define requirements for provisioning and resetting passwords?

Yes

Does the password policy require initial and temporary passwords to be changed upon next login?

Yes

Does the password policy require initial and temporary passwords to be random and complex?

Yes

Is password reset authority restricted to authorized persons and/or an automated password reset tool?

Yes

Does the password policy require changing passwords at regular intervals?

Yes

Does the password policy require keeping passwords confidential?

Yes

Does the password policy prohibit users from sharing passwords?

Yes

Does the password policy prohibit keeping an unencrypted record of passwords (paper, software file or handheld device)?

Yes

Does the password policy prohibit including unencrypted passwords in automated logon processes (e.g., stored in a macro or function key)?

Yes

Does the password policy require passwords to be encrypted in transit?

Yes

Does the password policy require passwords to be encrypted or hashed in storage?

Yes

Are user IDs and passwords communicated/distributed via separate media (e.g., e-mail and phone)?

Yes

Does the password policy require changing passwords when there is an indication of possible system or password compromise?

Yes

Is Multi-factor Authentication deployed?

Yes

Does system policy require terminating or securing active sessions when finished?

Yes

Does system policy require logoff from terminals, PC or servers when the session is finished?

Yes

Is there a process for reviewing access?

Yes

Are user access rights reviewed periodically?

Yes

Are privileged user access rights reviewed periodically?

Yes

Are access rights reviewed when a constituent changes roles?

Yes

Are inactive Constituent user IDs disabled and deleted after defined periods of inactivity?

Yes

Are applications used to transmit, process or store Scoped Data?

Yes

Are outside development resources utilized?

No

Are system, vendor, or service accounts disallowed for normal operations and monitored for usage?

Additional information
Yes

Are web applications configured to follow best practices or security guidelines (e.g., OWASP)?

Yes

Is data input into applications validated?

Yes

Are Scoped Systems and Data used in the test, development, or QA environments?

No

Is application development performed?

Yes

Is there a formal Software Development Life Cycle (SDLC) process?

Yes

Is there a secure software development lifecycle policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?

Yes

Is there a documented change management/change control process for applications with Scoped Data?

Yes

Does the application change management/change control process include change control procedures required for all changes to the production environment?

Additional information
No

Does the application change management/change control process include testing prior to deployment?

Yes

Does the application change management/change control process include stakeholder communication and/or approvals?

No

Does the application change management/change control process include documentation for all system changes?

Yes

Does the application change management/change control process include version control for all software?

Yes

Does the application change management/change control process include logging of all Change Requests?

Yes

Are applications evaluated from a security perspective prior to promotion to production?

Yes

Is open source software or libraries used to transmit, process or store Scoped Data?

Yes

Is a Secure Code Review performed regularly?

Yes

Do secure code reviews include regular analysis of vulnerability to recent attacks?

Yes

Are identified security vulnerabilities remediated prior to promotion to production?

Yes

Does the SDLC process include communicating known un-remediated vulnerabilities to the Security Monitoring and Response group for awareness and monitoring?

Additional information
n/a

Is a web site supported, hosted or maintained that has access to Scoped Systems and Data?

Yes

Do you have logical or Physical segregation between web, application and database components? i.e., Internet, DMZ, Database?

Yes

Are Web Servers used for transmitting, processing or storing Scoped Data?

Yes

Are reviews performed to validate compliance with documented web server software security standards?

No

Is HTTPS enabled for all web pages?

Yes

Are sample applications and scripts removed from web servers?

Yes

Are available high-risk web server software security patches applied and verified at least monthly?

Yes

Are web server software versions that no longer have security patches released prohibited?

Yes

Is sufficient detail contained in Web Server and application logs to support incident investigation, including successful and failed login attempts and changes to sensitive configuration settings and files?

Yes

Are Web Server and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access?

Yes

Is an API available to clients?

Yes

Are mobile applications that access Scoped Systems and Data developed?

Yes

Are any actions performed by the mobile application to access, process, transmit or locally store scoped systems and data?

Yes

Is there an established incident management program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?

Yes

Is there a formal Incident Response Plan?

Yes

Does the Incident Response Plan include guidance for escalation procedure?

Yes

Does the Incident Response Plan include actions to be taken in the event of an information security event?

Yes

Are events on Scoped Systems or systems containing Scoped Data relevant to supporting incident investigation regularly reviewed using a specific methodology to uncover potential incidents?

Yes

Are events on Scoped Systems or systems containing Scoped Data relevant to supporting incident investigation regularly reviewed using a specific methodology to uncover potential incidents?

Yes

Does regular security monitoring include malware activity alerts such as uncleaned infections and suspicious activity?

Yes

Is there an established business resiliency program that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the program?

Additional information
Yes

Does the business resiliency program include a formal annual (or more frequent) executive management review of business continuity key performance indicators, accomplishments, and issues?

Yes

Do the products and/or services specified in the scope of this assessment fall within the scope of the Business Resiliency program?

Additional information
Yes

Are formal business continuity procedures developed and documented?

Additional information
Yes

Has senior management assigned the responsibility for the overall management of critical response and recovery efforts?

Yes

Is there a periodic (at least annual) review of your Business Resiliency procedures?

Additional information
Yes

Are there any dependencies on critical third party service providers?

Additional information
Yes

Is communication in the event of a disruption that impacts the delivery of key service provider products and services required?

Yes

Is there a formal, documented Information Technology Disaster Recovery exercise and testing program in place?

Yes

Is there an annual schedule of planned Disaster Recovery and other Business Resiliency exercises and tests?

Additional information
Yes

Are backups of Scoped Systems and Data performed?

Yes

Is there a policy or process for the backup of production data?

Additional information
Yes

Are backup media and restoration procedures tested at least annually?

Yes

Are backup and replication errors reviewed and resolved as required?

Yes

Is backup media stored offsite?

Additional information
Yes

Are backups containing Scoped Data stored in an environment where the security controls protecting them are equivalent to production environment security controls?

Yes

Are there policies and procedures to ensure compliance with applicable legislative, regulatory and contractual requirements?

Additional information
Yes

Is there a documented process to identify and assess regulatory changes that could significantly affect the delivery of products and services?

Yes

Is there an internal audit, risk management, or compliance department, or similar management oversight unit with responsibility for assessing, identifying and tracking resolution of outstanding regulatory issues?

Yes

Does the audit function have independence from the lines of business?

Yes

Are audits performed to ensure compliance with applicable statutory, regulatory, contractual or industry requirements?

Yes

Is there a set of policies and procedures that address required records management and compliance reporting?

Yes

Are internal management reporting and/or external reporting to government agencies maintained in accordance with applicable law?

Yes

Do employees undergo annual training regarding company expectations related to non-disclosure of insider information, code of conduct, conflicts of interest, and compliance and ethics responsibilities?

Yes

Will this engagement include any call center related services?

Additional information
Yes

Are marketing or selling activities conducted directly to Client's customers?

No

Is training conducted for Constituents who have direct customer contact regarding consumer protection compliance responsibilities?

Yes

Is there an incentive or compensation program for Constituents who directly sell/market to Client customers? If yes please describe in the 'Additional Information' field

No

Are there documented policies and procedures to ensure compliance with applicable laws and regulations including Unfair, Deceptive, or Abusive Acts or Practices?

Yes

Are collections activities conducted directly to Client's customers?

No

Are terms of sale, dispute and/or return of goods procedures available online?

Yes

Are there direct interactions with your client's customers?

No

Is there a documented process to receive and respond to complaints, inquiries and requests from business or trade associations (e.g. BBB, GMOs, chambers of commerce, PCI Council) and from government agencies, including state attorneys general?

No

Is there a documented escalation and resolution process to address specific complaints to management and the client?

Yes

Are documented policies and procedures maintained to enforce applicable legal, regulatory or contractual cybersecurity obligations?

Yes

Are client audits and/or risk assessments permitted?

Yes

Is evidence of internal controls available during a client assessment?

Yes

Are controls validated by independent, third party auditors or information security professionals?

Yes

Is there a compliance program or set of policies and procedures that address internal and external Fraud Detection and Fraud Prevention?

Yes

Are accounts opened, financial transactions initiated or other account maintenance activity (e.g., applying payments, address changes, receiving payments, transferring funds, etc.) through either electronic, telephonic, written or in-person requests made on behalf of your clients' customers?

No

Are there policies and procedures to address payments compliance in the delivery of the product or services if required by regulation?

Yes

Are electronic commerce web sites or applications used to transmit, process or store Scoped Systems and Data?

No

Are all transaction details i.e., payment card info and information about the parties conducting transactions, prohibited from being stored in the Internet facing DMZ?

No

Are policies and procedures in place to restrict activities or transactions for sanctioned countries (e.g. country blocking)?

Yes

Are there compliance and sanction checks (e.g., Office of Foreign Assets Controls - OFAC) performed against customers, suppliers and third parties?

Yes

Is there a sanctions compliance program or set of policies and procedures that address obligations for Office of Foreign Assets Controls (OFAC) requirements?

Yes

Are End User Devices (Desktops, Laptops, Tablets, Smartphones) used for transmitting, processing or storing Scoped Data?

Yes

Are end user device security configuration standards documented?

Yes

Are Activity alerts such as uncleaned infections and suspicious activity reviewed and actioned at least weekly for all end user devices?

Yes

Are defined procedures in place to identify and correct systems without anti-virus at least weekly for all end user devices?

Yes

Are Constituents allowed to utilize mobile devices within your environment?

Yes

Can Constituents access corporate e-mail using mobile devices?

Yes

Is there a mobile device management program in place that has been approved by management and communicated to appropriate Constituents?

Yes

Are personal computers (PCs) used to transmit, process or store Scoped Systems and Data.

Yes

Are non-company managed PCs used to connect to the company network?

Additional information
Yes

Is there a policy that defines network security requirements that is approved by management, communicated to Constituents and has an owner to maintain and review?

Yes

Is there an approval process prior to installing a network device?

Yes

Are there security and hardening standards for network devices, including Firewalls, Switches, Routers and Wireless Access Points (baseline configuration, patching, passwords, Access control)?

Yes

Are all network device administrative interfaces configured to require authentication and encryption?

Yes

Are default passwords changed or disabled prior to placing network devices into production?

Yes

Is there sufficient detail contained in network device logs to support incident investigation?

Yes

Are all available high-risk security patches applied and verified on network devices?

Yes

Are network technologies used to isolate critical and sensitive systems into network segments separate from those with less sensitive systems?

Yes

Is every connection to an external network (e.g., The Internet, partner networks) terminated at a firewall?

Yes

Do network devices deny all access by default?

Yes

Do the firewalls have any rules that permit 'any' network, sub network, host, protocol or port on any of the firewalls (internal or external)?

Additional information
Yes

Is there a policy that defines the requirements for remote access from external networks to networks containing Scoped Systems and Data that has been approved by management and communicated to constituents?

Yes

Are encrypted communications required for all remote network connections from external networks to networks containing Scoped Systems and Data?

Yes

Is remote administration of organizational assets approved, logged, and performed in a manner that prevents unauthorized access?

Yes

Are encrypted communications required for all remote system access?

Yes

Are Baseboard Management Controllers (BMCs) enabled on any servers or other devices?

Yes

Is the default password changed on all BMCs?

Yes

Are all BMCs configured on network address ranges reserved specifically for BMCs and no other devices?

Yes

Are BMC firmware updates monitored regularly and applied at the first available maintenance window?

Yes

Are Network Intrusion Detection capabilities employed?

Additional information
Yes

Is there a DMZ environment within the network that transmits, processes or stores Scoped Systems and Data?

Yes

Are wireless networking devices connected to networks containing Scoped Systems and Data?

Yes

Is there a wireless policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?

Yes

Does the Wireless Security Policy require wireless connections to be secured with WPA2, and encrypted using AES or CCMP?

Yes

Is there collection of, access to, processing of, or retention of any client scoped Data that includes any classification of non-public personal information or personal data of individuals?

Yes

Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified as personally identifiable financial information under the Gramm-Leach-Bliley Act?

Additional information
No

Does the client scoped data include the disclosure of account numbers or identifiers to the consumer's account?

Additional information
Yes

Does the contract limit the usage of the account number information?

No

Is client scoped data collected, accessed, processed, or retained that can be classified as consumer report information or derived from a consumer report under the Fair and Accurate Credit Reporting Act (FACTA)?

No

Are policies and procedures for secure disposal of consumer information maintained to prevent the unauthorized access to or use of information in a consumer report or information derived from a consumer report?

Yes

Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified as protected health information (PHI) or other higher healthcare classifications of privacy data under the U.S. Health Insurance Portability and Accountability Act?

Additional information
n/a

Are there documented policies and procedures to detect and report unauthorized acquisition, use, or disclosure of PHI client scoped data?

Additional information
n/a

Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under U.S. State Privacy Regulations? (e.g., CA, MA, NY, NV, WA, CO)

Additional information
n/a

If client scoped data includes data of California residents, does the contract prohibit the vendor from retaining, using or disclosing the personal information for any other commercial purpose other than the specific purpose of performing the services?

Additional information
n/a

Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified as European Union covered Personal Data, or Sensitive Personal Data (e.g., genetic data, biometric data, health data)?

Additional information
Yes

Is Client scoped data collected, transmitted, processed or retained that can be classified as Personal Information as defined by Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) or Canadian Provincial Privacy Regulations

Additional information
n/a

Are there contractual obligations and procedures defined to address breach notification to the client including maintenance of record-keeping obligations of all breaches?

Additional information
Yes

Is client scoped data collected, accessed, transmitted, processed or retained that can be classified as Cardholder Data (CHD) within a Cardholder Data Environment (CDE) for credit card processing?

No

Is a Report on Compliance (ROC), or Self-Assessment Questionnaire (SAQ) and Attestation of Compliance for Service Providers (AOC) available? If Yes, Please provide and note in additional comments the type of third party assurance documentation

Yes

Is client-scoped data of minors collected, transmitted, processed or stored that can be classified under the Children's Online Privacy Protection Act?

Additional information
Yes

Does the organization maintain an external safe harbor certification for children's privacy? If yes, please indicate the certifying organization and link to current status

No

Is there a designated organizational structure or function responsible for data privacy or data protection as it relates to client-scoped privacy data?

Yes

Is documentation of data flows and/or data inventories maintained for client scoped privacy data based on data or asset classification?

Additional information
No

Is there a documented privacy policy and are procedures maintained for the protection of information collected, transmitted, processed, or maintained on behalf of the client?

No

Are regular privacy impact risk assessments conducted? If yes, please provide frequency and scope in 'Additional Information' field.

Additional information
Yes

Is a Training and Awareness Program maintained that addresses data privacy and data protection obligations based on role?

Additional information
Yes

Does the organization have or maintain internet-facing websites(s), mobile applications, or other digital services or applications that, collect, use, or retain client-scoped private data and are used directly by individuals?

Yes

Is personal data collected directly from an individual on behalf of the client?

Yes

Are there documented privacy policies and procedures that address choice and consent based on the statutory, regulatory, or contractual obligations to provide privacy protection for client-scoped privacy data?

Yes

For client-scoped Data, is personal data provided to the organization directly by the client?

Yes

Are there documented policies and operating procedures regarding limiting the personal data collected and its use to the minimum necessary?

Yes

Are there controls in place to ensure that the collection and usage of client scoped data or personal information used or processed by the organization is limited and in compliance with applicable law?

Yes

Is there a documented records retention policy and process with defined schedules that ensure that Personal Information is retained for no longer than necessary?

Yes

Are Individuals informed about their rights to access, review, update, and correct their personal information which is maintained by the organization?

Yes

Are policies and procedures in place to address third party privacy obligations including limitations on disclosure and use of client scoped data?

Yes

Do fourth-parties, (e.g., subcontractors, sub-processors, sub-service organizations) have access to or process client scoped data?

Yes

Is there a documented data protection program with administrative, technical, and physical and environmental safeguards for the protection of client-scoped Data?

Yes

Is there a documented policy or process to maintain accurate, complete and relevant records of client scoped data?

Yes

Is there a data privacy or data protection function that maintains enforcement and monitoring procedures to address compliance for its privacy obligations for client-scoped privacy data?

Yes

Are there policies and processes in place to address privacy inquiries, complaints and disputes?

Yes

Are Windows servers used as part of the Scoped Services?

Yes

Is there an anti-malware policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?

Yes

Does the anti-malware policy or program include defined operating systems that require antivirus?

Yes

Does the approved anti-malware policy or program mandate an interval between the availability of a new anti-malware signature update and its deployment no longer than 24 hours?

No

Is there a vulnerability management policy or program that has been approved by management, communicated to appropriate constituent and an owner assigned to maintain and review the policy?

Yes

Are network Vulnerability Scans performed against internal networks and systems?

Yes

Are network vulnerability scans performed against internet-facing networks and systems?

Yes

Do network Vulnerability Scans occur at least Monthly?

Yes

Do you deliver software, firmware, and/or BIOS updates to clients through automatic downloads (e.g. Windows Update, LiveUpdate)?

Yes

Is there a documented process in place to protect against and detect attacks against automatic software update mechanisms?

Yes

Are Servers used for transmitting, processing or storing Scoped Data?

Yes

Are server security configuration standards documented and based on external industry or vendor guidance?

Yes

Are server security configuration reviews performed regularly to validate compliance with documented standards?

Yes

Are all servers configured according to security standards as part of the build process?

Yes

Are all unnecessary/unused services uninstalled or disabled on all servers?

Yes

Are vendor default passwords removed, disabled or changed prior to placing any device or system into production?

Yes

Is sufficient detail contained in Operating System and application logs to support security incident investigations (at a minimum, successful and failed login attempts, and changes to sensitive configuration settings and files)?

Yes

Are all systems and applications patched regularly?

Yes

Are there any Operating System versions in use within the Scoped Services that no longer have patches released? If yes, please describe in the 'Additional Information' section.

No

Is Unix or Linux used as part of the Scoped Services?

Yes

Are users required to 'su' or 'sudo' into root?

Yes

Are AS/400s used as part of the Scoped Services?

No

Are Mainframes used as part of the Scoped Services?

No

Are Hypervisors used to manage systems used to transmit, process or store Scoped Data?

Yes

Are Hypervisor hardening standards applied on all Hypervisors?

Yes

Are Hypervisor Standard builds/security compliance checks required?

Yes

Are Hypervisors kept up to date with current patches?

Additional information
Yes

Are unnecessary/unused Hypervisor services turned off?

Yes

Is sufficient information in Hypervisor logs to evaluate incidents?

Yes

Are Containers (e.g., Docker, Kubernetes, OpenShift) used to process or store Scoped Data?

Yes

Is there a Data Container Security policy approved by management, communicated to constituents and an owner to maintain and review?

Yes

Are Cloud Hosting services (IaaS) provided?

Yes

Is there an Internet-accessible self-service portal available that allows clients to configure security settings and view access logs, security events and alerts?

No

Are Cloud Hosting services subcontracted?

Yes

Is there a management approved process to ensure that backup image snapshots containing Scoped Data are authorized by Outsourcer prior to being snapped?

Additional information
Yes

Are backup image snapshots containing Scoped Data stored in an environment where the security controls protecting them are commensurate with the production environment?

Yes

Are default hardened base virtual images applied to virtualized operating systems?

No

Does the Cloud Hosting Provider provide independent audit reports (e.g., Service Operational Control - SOC) for their cloud hosting services?

Additional information
Yes

Is the Cloud Service Provider certified by an independent third party for compliance with domestic or international control standards (e.g., the National Institute of Standards and Technology - NIST, the International Organization for Standardization - ISO)?

Additional information
Yes