Vendor Security Review Resources


12 Questions to Ask Existing and Prospective Vendors About Their Security:


  1. Compliance - Do they have certified compliance for the standard(s) you are required to follow (HIPAA, PCI DSS, etc.)? Require documentation for any claimed compliance, and ensure that it is current.

  2. Audits - Do any external audits, such as SSAE 16 or ISO 27001, exist?  If so, do they apply to the vendor or to their upstream provider?  Such an audit is of limited value if it applies only to the upstream provider.

  3. Testing - Does the vendor have regular vulnerability and penetration testing completed?  If so, ask to review the results.

  4. Prior Incident - Has the vendor experienced a recent breach or security incident?  If so, request details of the incident and of the remediation efforts.

  5. CSO - Does the organization have a dedicated Chief Security Officer?

  6. Background Checks - Are background checks performed pre-employment and periodically thereafter?

  7. Third Party Reviews - Does the vendor have a formal third party review process for their vendors, conducted at least yearly?

  8. Access - Is vendor employee access limited to only the resources required to do their jobs?  If so, ask for details.

  9. Incident Response - Does a formal incident response process exist?  If so, is it tested at least yearly?

  10. Data Segregation - Is your data segregated from data belonging to other customers of the vendor?

  11. Encryption - Is data encrypted at rest and in transit, using strong cryptography?  If so, request details about the cryptography in use.  Ensure that it is consistent with NIST 800-111.

  12. Test Environment - Does a separate test environment exist for testing changes prior to deployment?  If so, is there a formal, documented change management process?


Vulnerability Scanning Resources:



Third Party Review Program Resources:





LET'S TALK: 678-341-3630

© 2016. togoCIO, LLC