Information Security IT Security Assessment Questionnaire

Information Security Assessment Questionnaire

Please complete the entire form and do not leave any information blank. Incomplete information will delay the assessment. Our SLA requires a minimum of 10 business days to review. If you have any questions regarding this form, you can email them to [email protected].

A. General Information

1. Is this a funded project? Yes / No
2. Has this project been reviewed by the Governance Committee? Yes / No
3. Has this project been reviewed by the purchasing department? Yes / No. If yes, by whom?
4. Date Form Completed:
5. Brief Description of the project, grant, or purchase:
6. Purpose of the project, grant, or purchase:
7. UT Customer Contact:
8. UT IT Project Manager:
9. UT IT Support Contact:

B. Vendor Information

10. Business or Legal Entity Name and Address:
    Name and contact information of vendor representative completing questionnaire:
    Vendor Contact Name:    Vendor Telephone Number:
    Vendor Email Address:   Vendor Website (URL):

C. Project Information

11. What is the name of the product?
12. What is the version of the product?
13. Is this an upgrade, a new install, or has the software been purchased?
14. Have other UT locations deployed this application or system? Yes / No. If yes, list locations:
15. Is this product a regulated medical device? Yes / No. Attach MDS2 form.
    Optional Comments:

D. UT Resources

16. Describe the technical resources required for this project:
17. Describe remote access needed by the vendor for this project. UT currently supports VDI, client VPNs, and branch VPN.
18. Is wired or wireless access required to the internet? Yes / No

Information Security Questionnaire - Page 1 of 5

19. The University of Toledo defines data as any data that the University has an obligation to provide for confidentiality, availability, or integrity, along with security terms or other cyber security legal, regulatory, or industry standard requirements defined in the project agreements or grant terms. Check all that apply below:
    General Data Protection Regulation (GDPR)
    DFARS 252.204-7012
    Federal Information Security Management Act of 2002 (FISMA)
    FTC "Red Flags" Rule
    Gramm-Leach-Bliley Act (GLBA)
    Health Insurance Portability and Accountability Act (HIPAA/HITECH)
    Ohio HB-104
    Payment Card Industry Data Security Standard (PCI-DSS)
    Service Organization Controls (SSAE-16, SOC-1, SOC-2, SOC-3, etc.)
    Industry Standards (NIST, ISO 27000, etc.)
    Right to Audit
    Student Data (FERPA)
    Personally Identifiable Information (Social Security Number, Driver's License Number, etc.)
    Intellectual Property
    Credit Card or Financial Account Data
    Other (Please Describe)
    Please Describe:
20. Will this project involve the creation, processing, storage, transmission, receipt, or disposal of sensitive data? Yes / No
21. UT staff responsible for compliance:    Title:    Department:
22. Will sensitive data be exposed, transmitted, or shared with any outside organization? Yes / No. If yes, please provide information on how this will occur.
23. UT contact responsible for data access approvals:

E. Antivirus Compatibility

24. Does your application or system require any special configuration or file exclusions for antivirus? Yes / No. If yes, UT will need a comprehensive list of the exclusions and documentation demonstrating justification for the exclusions (i.e. real-time scanning, file, or folder exclusions).
    Describe limitations or exclusions for special configuration of anti-virus software used with the product:
25. Has this product been tested and confirmed to operate with Microsoft System Center Endpoint Protection (SCEP)? Yes / No

F. Workstation Components

26. Will the product be installed on UT workstations? Yes / No
    Provide the minimum and recommended workstation specifications:
27. Are any third party applications or software components required to use the product? Yes / No. If yes, please explain (for example: Oracle, Java, Microsoft .NET runtime components, Adobe Flash, Adobe Reader).
28. Is this product or solution tested with other third party software for compatibility? Yes / No. If yes, how are update compatibility notices communicated to the university?
29. Does your product require the use of a web browser? Yes / No. If yes, list supported browsers and versions:
30. What OS platforms are supported? Windows / Mac / iOS / Linux / Other
31. How often are patches applied, and who is responsible for applying the patches, UT or the vendor?
32. Is wired or wireless access to the UT network required? Yes / No. Please describe:

G. Server Components

33. What server platforms are used? Windows (version) / Linux/Unix (version) / Other (versions)
34. How often are patches applied, and who is responsible for applying the patches, UT or the vendor?
35. Hardware Platform: Cloud Based / Hybrid / On-premise / Other. If cloud or hybrid, please explain in full detail:

H. Network Services

36. List the network services required to support this application (i.e. SMTP, FTP, HTTP, file sharing, SNMP, etc.). Please include data flow diagrams. List all TCP, UDP, and ICMP ports needed and explain their purpose.
    If unsecure services are used (HTTP, FTP, Telnet, SNMP v1&2, etc.), can the secure alternatives be used instead (HTTPS, SFTP, SSH, SNMP v3, etc.)? Yes / No. If no, please explain:
    Does the product require LDAP or other directory service integration? Yes / No. List all that apply:
37. Does your application require internet access for server components of the proposed system? Yes / No
38. Does your product include a web server, or are web services required? Yes / No
39. Will your application require any ports open in our outside firewall? Yes / No. List all ports and their purpose.
40. Does this application utilize a mobile device component? Yes / No

I. Authentication and Access Control

41. Does the application or system use hard coded passwords? Yes / No. If yes, are the passwords encrypted when transmitted? Yes / No
42. Will there be any problems with changing any default or factory set passwords or pass codes?
    Yes, we have passwords or passcodes that are hard-coded.
    No, all passwords and passcodes may be changed.
43. How will user authentication take place for this system (ADFS, LDAP, SAML, etc.)?
    UT Active Directory to manage user authentication and authorization
    This system has its own authentication and authorization mechanism
44. If this system utilizes its own user authentication process, describe that process and how it works:
45. If the system utilizes its own user authentication process, do controls exist to enforce secure password policies? Check all that apply: Minimum Length / Password Complexity / Expiration / Password History
46. Which methods are used to authenticate users to this application? Check all that apply: Unique User ID / Password / Hardware Token / Software Token / Challenge Questions / MFA / Other
47. Who will be responsible for creating and managing user accounts? UT / Vendor
48. If this system utilizes its own user authentication process, describe the process of how an account can be suspended or revoked if needed:
49. Does your application support single sign-on? Yes / No
50. For the authorization aspect of this system, list the various account types native to this system and what their capabilities are (i.e. admin, user, super user, etc.):
    Does this application allow role based access? Yes / No. If yes, provide documentation on each role and their rights; include it in the email submission.

J. Data Security and Encryption

51. Are there any known issues with workstations that use encryption? The University of Toledo currently uses McAfee, WinMagic, BitLocker, and FileVault. Yes / No
52. Is transmission of data between endpoints encrypted? Yes / No. If yes, describe the algorithms and key strengths your solution is capable of supporting:
53. If data transmission is not encrypted, can a third-party encryption solution be used to provide this layer of security? Yes / No
54. Does your solution provide any validation techniques to ensure integrity when processing or storing data in the system? Yes / No. Please describe if applicable:
55. Do any mechanisms exist to ensure the integrity of historically stored data? Yes / No. Please describe if applicable:
56. Is disk or file/folder encryption natively used within your system for stored data? Yes / No. If yes, please describe which algorithms and key strengths the system is capable of:
57. If sensitive data is stored within this application or system, has the application been audited for compliance with federal or industry regulations and standards (HIPAA, PCI, etc.)? Yes / No. If yes, include the PCI addendum.

K. System Logging

58. What activity can be audited through the system logs? Check all that apply:
    Date and time of login
    Date and time of logout
    User account that logged on
    Specific activities performed by users (reading, modifying, and deleting)
    Other, please describe:
59. Which data types are stored in the system logs?
    Patient Data
    Personal Identifiable/Employee Data
    Confidential business (planning, financial, etc.) data
    IP Addresses
    Credit Card (CHD, Merchant ID (MID), CVV2 or CVC2) data
60. Is sensitive data stored in the log files (for example, passwords, Social Security Numbers, etc.)? Yes / No
61. Does the application or system have the capability of utilizing a centralized logging mechanism? Yes / No
62. Are the log files archived for protection and future needs? Yes / No
63. Is encryption used to protect the confidentiality and integrity of the stored logs? Yes / No. If yes, what are the algorithms and key strengths?
64. Can UT access the user activity/audit logs without vendor intervention? Yes / No. If yes, explain the process:

L. Web Security (skip if product has no web service functionality)

65. Does your system utilize web based access for users or administrators, as opposed to installing specialized client software for access?
    Yes
    No, client software must be installed. Web pages are not used in this system.
    If no, skip the remaining questions in this section.
66. If a web server is part of this system setup, which web server(s) are used? Apache / IIS / Other
67. Will the latest version of this web server be used? Yes / No, the version we use is:
68. Which web protocol will be used with this system? HTTP / HTTPS / Both, depending on what part of the site is accessed.
69. Can the HTTP settings be set to redirect all traffic from port 80 to port 443 and use HTTPS exclusively? Yes / No
70. What version(s) of SSL/TLS does this web server/application support? Select all that apply: SSL v1 / SSL v2 / SSL v3 / TLS v1 / TLS v1.1 & Above / None
71. Can earlier versions of SSL that have been identified as vulnerable be disabled? Yes / No
72. Will the webpage for this system be available through the internet for users, employees, and patients, or is this an internal use only system? Internal Only / The system will have an internet facing presence

M. Compliance and Privacy

73. Do you use deidentified data from our users? Yes / No. If yes, describe:
74. Provide the end of life date for this product:
75. When the product or service is no longer required, how will UT data be returned?

MANDATORY ASSESSMENT DOCUMENTATION: Forward any flow diagrams, documentation, and certifications to [email protected].
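Questions 69 to 71 in section L ask whether plain HTTP can be redirected to HTTPS and whether SSL/TLS versions identified as vulnerable can be disabled. The Apache httpd configuration below is an added illustration written for this page; it is not part of the questionnaire and not any vendor's product configuration. It shows a weak virtual-host pair (commented out) beside the corrected form that a reviewer would expect a "Yes" answer to those questions to look like. The hostname app.example.edu, the document root, and the certificate paths are placeholders.

```apache
# Added example, not from the questionnaire: weak vs corrected Apache httpd
# virtual hosts for questions 69-71. Hostname, DocumentRoot and certificate
# paths are placeholders. Requires mod_ssl and mod_headers.

# --- Weak (kept only for comparison): the application is served over plain
# --- HTTP, and the TLS host accepts every protocol the build supports,
# --- which on older builds includes SSLv3, TLS 1.0 and TLS 1.1.
# <VirtualHost *:80>
#     ServerName app.example.edu
#     DocumentRoot /var/www/app
# </VirtualHost>
# <VirtualHost *:443>
#     ServerName app.example.edu
#     DocumentRoot /var/www/app
#     SSLEngine on
#     SSLCertificateFile    /etc/ssl/certs/app.example.edu.crt
#     SSLCertificateKeyFile /etc/ssl/private/app.example.edu.key
#     SSLProtocol all
# </VirtualHost>

# --- Corrected: port 80 only redirects (Q69); port 443 allows TLS 1.2 and
# --- later only (Q70, Q71) and tells browsers to use HTTPS exclusively.
<VirtualHost *:80>
    ServerName app.example.edu
    # Q69: permanent redirect of every HTTP request to the HTTPS site
    Redirect permanent / https://app.example.edu/
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.edu
    DocumentRoot /var/www/app
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.edu.key
    # Q70/Q71: remove SSLv2, SSLv3, TLS 1.0 and TLS 1.1; keep TLS 1.2 and 1.3
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    # Q69: HTTP Strict Transport Security so clients stay on HTTPS for a year
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Run `apachectl configtest` before reloading. `+TLSv1.3` is accepted only by httpd 2.4.36 or later built against OpenSSL 1.1.1 or newer; on an older build drop that token and keep `+TLSv1.2`. A reviewer can confirm the answer to question 71 by attempting an `openssl s_client -connect app.example.edu:443 -tls1` handshake against the host, which should fail once the corrected host is active.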