Copyright Shared Assessments 2010

Complete and accurate documents created under the Shared Assessments Program may be downloaded from the official Shared Assessments Program website at . While retaining copyrights, the Shared Assessments Program makes specific documents available to the public for the purpose of conducting self-assessments and third-party security assessments. Licenses for other uses are available from the Shared Assessments. Individuals and organizations should review the terms of use prior to downloading, copying, using or modifying Shared Assessment Program documents. This notice must be included on any copy of the Shared Assessments Program documents, excluding assessors' AUP reports.

The Shared Assessments Program is administered by The Santa Fe Group (). Questions about this document and the program should be directed to:
Michele Edson, Senior Vice President, The Santa Fe Group, 505-466-6434

Shared Assessments Program
Standardized Information Gathering (SIG) Questionnaire
Version 6.0, October 2010
Cover Page (Page 2 of 102 Page(s))

The Santa Fe Group
Standardized Information Gathering (SIG) Questionnaire
Version 6.0
Released: October 2010

Index (tab / % Comp):
- Terms of Use: N/A
- Business Information: 0%
- Documentation Request List: N/A
- SIG Lite: 0%
- A. Risk Management: 0%
- B. Security Policy: 0%
- C. Organizational Security: 0%
- D. Asset Management: 0%
- E. Human Resources Security: 0%
- F. Physical and Environmental: 0%
- G. Communications and Operations Management: 0%
- H. Access Control: 0%
- I. Information Systems Application Development and Maintenance: 0%
- J. Incident Event and Communications Management: 0%
- K. Business Continuity and Disaster Recovery: 0%
- L. Compliance: 0%
- M. Additional Questions: N/A
- P. Privacy: 0%
- Glossary: N/A
- Version History: N/A
- Formula Notes: N/A
- Full: N/A
- SIG Total: 0%

Instructions

One of the many benefits of the Shared Assessments Program is that its tools help service providers reduce the number of audits and questionnaires they must undergo. Service providers instructed to complete only the “SIG Lite” questions should go directly to the “SIG Lite” tab. This tab may also be helpful in selecting the most appropriate areas of the SIG for a given type of service provided. For additional depth of evaluation, use the “SIG Lite” tab with the full SIG.

Please note: Because customers may request varying amounts of information based on the scope or criticality of the services provided, completing the entire SIG allows service providers to supply consistent responses to all customers.

There are two parts to this questionnaire:
- SIG Lite
- Detail tabs (A through L and P).

Please follow the instructions below to complete the SIG Lite or full SIG.

Response Cell Background Color Coding (All tabs):
- Resp: Response Required (cells with a blue background are editable)
- Yes: Yes Response
- No: No Response
- N/A: N/A Response
- Top of table (no response required)

Full SIG
1) Complete the “Business Information” tab.
2) Compile all documentation requested on the “Documentation” tab.
3) Answer all questions on the “SIG Lite” tab and tabs A through L and P by selecting “Yes,” “No” or “N/A” from the drop-down menu.
4) Use the “Additional Information” field to provide any pertinent information. (An explanation is required for “N/A” responses.)
5) Answer questions on the “Additional Questions” tab (tab M) only if additional questions have been inserted there.

SIG Lite Only
1) Complete the “Business Information” tab.
2) Compile all documentation requested on the “Documentation” tab.
3) Answer all of the questions on the “SIG Lite” tab by selecting “Yes,” “No” or “N/A” from the drop-down menu.
4) Use the “Additional Information” field to provide any pertinent information. (An explanation is required for “N/A” responses.)
5) Answer questions on the “Additional Questions” tab (tab M) only if additional questions have been inserted.

SIG Management Tool (SMT)

A macros-enabled spreadsheet is included with the SIG to help with processing service provider responses and managing the transfer of responses from previous versions of the SIG. If a master SIG is created, the SMT allows for comparisons of all responses in the master SIG to the SIG offered by a service provider. The SMT will also transfer responses and the “Additional Information” field from previous versions of the SIG. For a full list of functions, please refer

Terms of Use

Agreed Upon Procedures and Standardized Information Gathering Questionnaire

The Shared Assessments Program (“Program”) maintains, promotes and facilitates the use of the Agreed Upon Procedures (“AUP”) and Standardized Information Gathering Questionnaire (“SIG”) documents. To support this purpose, the Program makes the AUP, SIG and other documents (“Program Documents”) available to the public for the purpose of conducting self assessments and third party security, business continuity and privacy control assessments. The AUP and SIG may be downloaded at /download/. Once downloaded, the documents may be copied and used for conducting security, business continuity and privacy control assessments subject to the terms and conditions set forth herein. It is recommended that the most current version(s) of the AUP and SIG in either XML or Excel format should be used to ensure maximum efficiency when sharing results with other Program participants. The Program also makes the Program Documents available to other industry organizations for the purpose of proposing additions and amendments that will make the documents more useful in other industries.

The Shared Assessments Program attaches the following conditions to individuals and organizations downloading, copying and/or using the Program Documents:
- No modifications may be made to the Program Documents without the express written permission of the Shared Assessments Program Steering Committee and The Santa Fe Group. Organizations must notify The Santa Fe Group at of their reasons for the modifications and make the modifications available to for review and approval as additions and/or modifications to the current version of the documents.
- Copyright and all other intellectual property or proprietary rights in any modifications to the Program Documents shall belong exclusively to the Program and The Santa Fe Group.
- Persons downloading the Program Documents who wish to incorporate the AUP and/or SIG into a software product offered for license or sale must first obtain a separate license from the Shared Assessments Program.

The Program Documents have been developed as tools for information security, privacy and business continuity compliance. They are based on general information security and privacy laws, regulation, principles, frameworks, audit programs, seal programs and regulatory guidance from various jurisdictions and do not constitute legal advice or an exhaustive list of questions or procedures covering all the information security or privacy laws in the US, or rest of the world, that may apply to a service provider. Each user should consult counsel on a case-by-case basis to ensure compliance with all applicable information security and privacy laws, regulations, policies and standards.

THE SHARED ASSESSMENTS PROGRAM DOCUMENTS ARE PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE SANTA FE GROUP, OR THE PROGRAM, ITS SPONSORS OR PROGRAM MEMBERS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THE PROGRAM DOCUMENTS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The Program will make every effort to ensure that the AUP and SIG available for download from the Shared Assessments Program website are the most current version of the documents that have been reviewed and approved by the Shared Assessments Steering Committee and Working Group(s). Please note that support for the AUP and SIG will be limited to the most current version and two prior versions. By downloading and/or using the documents, you acknowledge and agree to these disclaimers, limitations, terms and conditions.
Business Information (Page 4 of 102 Page(s))

Business Information: 20 Total Questions to be Answered; 0% Percent Complete

Question/Request | Response

Responder Name
Responder Job Title
Responder Contact Information
Date of Response

Company Profile
Name of the holding or parent company
Company/business name
Publicly or privately held company
If public, what is the name of the Exchange
If public, what is the trading symbol
Type of legal entity and state of incorporation
How long has the company been in business
Are there any material claims or judgments against the company
If yes, describe the impact it may have on the services in scope of this document

Computer Equipment Details (relative to scope of services provided)
Production site physical address
Backup site physical address
Any additional locations where Scoped Systems and Data are stored
If so, provide locations (address, city, state, country).
Provide details in the following areas:
- Operating systems
- Workstations (# of devices)
- Servers (# of devices)
- List Applications in scope
- Number of employees by function (e.g., development, systems operations, information security)

Scope Question
Please provide the below responses to establish the scope of the SIG
Name and description of service (relative to scope of this questionnaire)
Type of service provided:
- Shared (provided to multiple clients)
- Dedicated (provided to one client)
- Other (explain)

Documentation (Page 6 of 102 Page(s))

Document Request | Question Ref | Type of information provided (e.g., document, summary, table of contents)

* Information Security Policies and Procedures. This should include the following (if not, provide the individual documents as necessary):
  a) Hiring policies and practices and employment application
  b) User Account administration policy and procedures for all supported platforms where Scoped Systems and Data are processed and network/LAN access.
  c) Supporting documentation to indicate completion of User Entitlement reviews
  d) Employee Non-disclosure agreement document
  e) Information Security Incident Report policy and procedures, including all contact information
  f) Copy of Visitor Policy and procedures
  g) Security Log Review Policies and Procedures
* Copy of internal or external information security audit report
Information technology and security organization charts (including where information security resides in the organization and the composition of any information security steering committees). Note: actual names of employees are not required.
* Physical Security policy and procedures (building and/or restricted access)
* Third-party security reviews/assessments/penetration tests
Legal clauses and confidentiality templates for third parties
Topics covered in the security training program
* Security incident handling and reporting process
Network configuration diagrams for internal and external networks defined in scope. Note: sanitized versions of the network diagram are acceptable.
* System and network configuration standards
* System backup policy and procedures
* Offsite storage policy and procedures
* Vulnerability and threat management scan policy and procedures
* Application security policy
* Change control policy/procedures
* Problem management policy/procedures
Certification of proprietary encryption algorithms
* Internal vulnerability assessments of systems, applications, and networks
* System development and lifecycle (SDLC) process document
* Business continuity plan (BCP) and/or Disaster recovery plan
* Most recent BCP/DR test dates and results
Most recent SAS70 / SSAE16 audit report
Privacy policies (internal, external, web)

* If your organization's policy prohibits the distribution of any of these documents, please provide the document title, the table of contents, the executive summary, revision history, and evidence of approval.

SIG Lite (Page 8 of 102 Page(s))

SIG Lite: 68 Total Questions to be Answered; 0% Percent Complete

Questionnaire Instructions: For each question choose either Yes, No or N/A from the drop-down menu provided. If N/A is chosen, an explanation is mandatory. Use the “Additional Information” field to the right of the question. Click on the instruction pop-up box and drag if necessary.

Columns: Ques Num | Question/Request | Response | Additional Information | AUP Reference | ISO Ref Num | ISO Ref Text | GAPP No. | GAPP Text

A. Risk Assessment and Treatment
SL.1 | Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program? | AUP: A.1 IT & Infrastructure Risk Governance and Context | ISO: 4.1 Assessing Security Risks

B. Security Policy
SL.2 | Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? | ISO: 5.1.1 Information Security Policy Document
SL.3 | Have the policies been reviewed in the last 12 months? | AUP: B.2 Information Security Policy Maintenance | ISO: 5.1.2 Review of Information Security Policy

C. Organizational Security
SL.4 | Is there an information security function responsible for security initiatives within the organization? | ISO: 6.1.1 Management commitment to information security
SL.5 | Do external parties have access to Scoped Systems and Data or processing facilities? | ISO: 6.2 External parties

D. Asset Management
SL.6 | Is there an asset management policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? | ISO: 7.1 Responsibility For Assets
SL.7 | Are information assets classified? | ISO: 7.2.1 Classification Guidelines
SL.8 | Is there insurance coverage for business interruptions or general services interruption? | ISO: 14.1.1.d Including Information Security In The Business Continuity Management Process

E. Human Resource Security
SL.9 | Are security roles and responsibilities of constituents defined and documented in accordance with the organization's information security policy? | AUP: B.1 Information Security Policy Content | ISO: 8.1.1 Roles and responsibilities
SL.10 | Is a background screening performed prior to allowing constituent access to Scoped Systems and Data? | AUP: E.2 Background Investigation Policy Content | ISO: 8.1.2 Screening
SL.11 | Are new hires required to sign any agreements upon hire? | ISO: 8.1.3 Terms and conditions of employment
SL.12 | Is there a security awareness training program? | AUP: E.1 Security Awareness Training Attendance | ISO: 8.2.2 Information security awareness, education, and training
SL.13 | Is there a disciplinary process for non-compliance with information security policies? | ISO: 8.2.3 Disciplinary process
SL.14 | Is there a constituent termination or change of status process? | ISO: 8.3.1 Termination responsibilities

F. Physical and Environmental Security
SL.15 | Is there a physical security program? | ISO: 5.1.1 Information Security Policy Document
SL.16 | Are reasonable physical security and environmental controls present in the building/data center that contains Scoped Systems and Data? | AUP: F.2 Physical Security Controls Scoped Systems and Data | ISO: 9.1.3 Securing offices, rooms, and facilities
SL.17 | Are visitors permitted in the facility? | ISO: 9.1.2 Physical entry controls

G. Communications and Operations Management
SL.18 | Are Management approved operating procedures utilized? | ISO: 10.1.1 Documented Operating Procedure
SL.19 | Is there an operational change management / change control policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? | AUP: G.21 Change Control | ISO: 10.1.2 Change Management
SL.20 | Is application development performed? | ISO: 12.5 Security In Development And Support Processes
SL.21 | Do third party vendors have access to Scoped Systems and Data (backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, etc.)? | N/A
SL.22 | Is there an anti-virus / malware policy or program (workstations, servers, mobile devices) that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? | ISO: 10.4.1.e Controls Against Malicious Code
SL.23 | Are system backups of Scoped Systems and Data performed? | ISO: 10.5.1 Information Back-Up
SL.24 | Are there external network connections (Internet, intranet, extranet, etc.)? | N/A
SL.25 | Is wireless networking technology used? | AUP: G.15 Unapproved Wireless Networks | ISO: 10.6.1.c Network Controls
SL.26 | Is there a removable media policy or program (CDs, DVDs, tapes, disk drives) that has been approved by management, communicated to app