Hello Adobe FormsCentral,
We are evaluating the possibility of implementing FormsCentral into our scholarship program. Our OIT (Office of Information Technology) would like you to answer these questions so they can evaluate whether we can use your FormsCentral services.
- Is there an information security policy? Does it align with Industry Standards and/or Best Practices?
- Is there a risk assessment program?
- Is there a security awareness program? Is there a security awareness training program?
- Is there a physical security program?
- Is there a formal operational change management / change control process?
- Is there an Acceptable Use Policy?
- Is there an Unacceptable Use Policy?
- Is there an Incident Management program? Is there an Incident Response Plan (formal or informal)?
- What are the backup procedures?
- Are there termination procedures?
- Is there a mobile device policy?
- Is there a process for managing the Security Controls and Security Lifecycle?
- Is Managed Hosting FERPA compliant?
- Is Managed Hosting SAS 70 compliant?
- Is Managed Hosting HIPPA compliant?
- Are environmental controls in place and monitored? Please describe.
- What Operating System is used for hosting?
- Are all the servers supporting the application(s)/storage on a subnet free from development and test activity?
- Does each subnet containing an application/file server have a firewall to control access into and out of the subnet?
- What steps will you take to harden the server operating systems supporting the hosted application/storage?
- Where are the Managed Hosting servers located?
- Can a client access the servers handling their data?
- Is it possible for a client to set up a regular ping test for their own internal monitoring purposes?
- Does Managed Hosting proactively monitor clients' servers 24 x 7?
- Please describe the external and internal firewall configuration that protects the servers supporting the System.
- Do all client systems reside within a data center?
- Are external parties granted physical or digital access to the data centers and client information?
- Are wireless devices in use?
- Is removable media allowed in the production environment?
- Is anti-virus deployed or are anti-virus products used?
- Are there alternate data centers in the event of a disaster?
- What does the Managed Hosting Internet Stack consist of?
- How is data protected? Please describe protection measures (encryption, HTTPS, SFTP, etc.) during transit and storage.
- At time of hardware disposal or service discontinuation, what is the process or method for cleaning/wiping data from disks?
- Are vulnerability tests (internal/external) performed? Are automated tools for security testing or code review used?
- Is there an information security function responsible for security initiatives within the organization?
- Does management require the use of confidentiality or non-disclosure agreements?
- Existing Vulnerability Management Procedures: How and when are vulnerability scans conducted?
- Is there insurance coverage for business interruptions or general services interruption?
- How and when are Managed Hosting servers patched?
- What are the responsibilities of a Managed Hosting client?
- How can a client get access to review logs?
- What are the existing Security Monitoring Capabilities?
- What other security tools, processes, or safeguards are currently in use by Managed Hosting?
- Is there any third party that routinely assesses Managed Hosting security measures to verify that security controls are comprehensive and operating as expected?
- What are the names of the 3rd party firms contracted to perform vulnerability scans, risk assessments, and penetration tests?
- Will all users who authenticate to the hosted application have a unique user account?
- Are usernames and passwords for users authenticating to the hosted application encrypted when transmitted over public networks such as the Internet?
- What is the Password Control Policy for users who authenticate to the hosted application/data?
- Are users required to change their initial password at first login?
- Will users have the ability to change their passwords?
- Do you perform security checks or background checks on employees or contract staff that may be granted access to sensitive or confidential customer data?
- Are Social Engineering Tests conducted?
- Describe the Managed Hosting personnel structure in terms of supporting security functions and enforcement of security policies.
- Are audit logs enabled? What attributes are logged?
- For what period of time are audit trails retained?
- Is there an independent auditing function or responsibility within Managed Hosting?
- Can we (the client) review the results of the 3rd party assessments?