0 Replies Latest reply on Jul 29, 2013 12:12 PM by propopulus

    Security Questions regarding FormsCentral hosting


      Hello Adobe FormsCentral,


      We are evaluating the possibility of implementing FormsCentral into our scholarship program, our OIT (office of information technology) would like you to answer these questions so they can evaluate if we can use your Forms Central services.



      1. Is there an information security policy? Does it align with Industry Standards and/or Best Practices?
      2. Is there a risk assessment program?
      3. Is there a security awareness program?  Is there a security awareness training program?
      4. Is there a physical security program?
      5. Is there a formal operational change management / change control process?
      6. Is there an Acceptable Use Policy?
      7. Is there an Unacceptable Use Policy?
      8. Is there an Incident Management program? Is there an Incident Response Plan (formal or informal)?
      9. What are the backup procedures?
      10. Are there termination procedures?
      11. Is there a mobile device policy?
      12. Is there a process for managing the Security Controls and Security Lifecycle?



      1. Is Managed Hosting FERPA compliant?
      2. Is Managed Hosting SAS 70 compliant?
      3. Is Managed Hosting HIPPA compliant?



      1. Are environmental controls in place and monitored?  Please describe.
      2. What Operating System is used for hosting?
      3. Are  all  the  servers  supporting  the  application(s)/storage  on  a  subnet  free  from  development  and test activity?
      4. Does each subnet containing an application/file server have a firewall to control access into and out of the subnet?
      5. What steps will you take to harden the server operating systems supporting the hosted application/storage?
      6. Where are the Managed Hosting servers located?
      7. Can a client access the servers handling their data?
      8. Is it possible for a client to set up a regular ping test for their own internal monitoring purposes?
      9. Does Managed Hosting proactively monitor client’s servers 24 x 7?
      10. Please describe the external and internal firewall configuration that protects the servers supporting the System.
      11. Do all client systems reside within a data center?
      12. Are external parties granted physical or digital access to the data centers and client information?
      13. Are wireless devices in use?
      14. Is removable media allowed in the production environment?
      15. Is anti-virus deployed or are anti-virus products used?
      16. Are there alternate data centers in the event of a disaster?
      17. What does the Managed Hosting Internet Stack consist of?



      1. How is data protected?  Please describe protection measures (encryption, HTTPS, SFTP, etc.) during transit and storage.
      2. At time of hardware disposal or service discontinuation, what is the process or method for cleaning/wiping data from disks?
      3. Are vulnerability tests (internal/external) performed? Are automated tools for security testing or code review used?
      4. Is there an information security function responsible for security initiatives within the organization?
      5. Does management require the use of confidentiality or non-disclosure agreements?
      6. Existing  Vulnerability  Management  Procedures:  How  and  when  are  vulnerability  scans  conducted? 
      7. Is there insurance coverage for business interruptions or general services interruption?
      8. How and when are Managed Hosting servers patched?
      9. What are the responsibilities of a Managed Hosting client?
      10. How can a client get access to review logs?
      11. What are the existing Security Monitoring Capabilities?
      12. What  other  security  tools,  processes,  or  safeguards  are  currently  in  use  by  Managed Hosting?
      13. Is  there  any  third  party  that  routinely  assesses  Managed  Hosting  security  measures  to verify that security controls are comprehensive and operating as expected?
      14. What are the names of the 3rd party firms contracted to perform vulnerability scans, risk assessments, and penetration tests?
      15. Will all users who authenticate to the hosted application have a unique user account?
      16. Are  usernames  and  passwords  for  users  authenticating  to  the  hosted  application  encrypted  when transmitted over public networks such as the Internet?
      17. What is the Password Control Policy for users who authenticate to the hosted application/data?
      18. Are users required to change their initial password at first login?
      19. Will users have the ability to change their passwords?



      1. Do  you  perform  security  checks  or  background  checks  on  employees  or  contract  staff  that  may  be granted access to sensitive or confidential customer data?
      2. Are Social Engineering Tests conducted?
      3. Describe  the  Managed  Hosting  personnel  structure  in  terms  of  supporting  security functions and enforcement of security policies?



      1. Are audit logs enabled? What attributes are logged?
      2. For what period of time are audit trails retained?
      3. Is there an independent auditing function or responsibility within Managed Hosting?
      4. Can we (the client) review the results of the 3rd party assessments?