Vendor Security Compliance Questionnaire

Company Information

Name of Company: Click here to enter text.

Company Website: Click here to enter text.

Contact Person Completing the Questionnaire: Click here to enter text.

Email Address: Click here to enter text.

Phone Number: Click here to enter text.

Date of Completed Questionnaire: Click here to enter text.

Questionnaire Completion Instructions

Select the appropriate answer in the Response section and provide additional details and supporting material to support your answers (see note 1 below).

Minnesota Judicial Branch Vendor Questionnaire

Question / Requirement / Response / Describe

1. Requirement: An individual has been designated as being responsible for security within the organization.
   Response: Yes ☐  No ☐  n/a ☐
   Describe: Click here to enter text.

2. Requirement: An information security policy, based on industry acceptable standards and frameworks, is in place, has been approved by management and has been communicated to employees, contractors and individuals working on behalf of the organization.
   Response: Yes ☐  No ☐  n/a ☐
   Describe: Click here to enter text.

3. Requirement: Security roles and responsibilities of employees, contractors and individuals working on behalf of the organization are defined and documented in accordance with the organization's information security policy.
   Response: Yes ☐  No ☐  n/a ☐
   Describe: Click here to enter text.

4. Requirement: An information security awareness and training program has been established and provides general awareness and role-specific (e.g., secure coding, CJIS, etc.) security training to all employees.
   Response: Yes ☐  No ☐  n/a ☐
   Describe: Click here to enter text.

5. Requirement: Background screenings of employees, contractors and individuals working on behalf of the organization are performed, to include criminal, credit, professional / academic and reference checks.
   Response: Yes ☐  No ☐  n/a ☐
   Describe: Click here to enter text.

6. Requirement: The organization will: (1) locate all production and disaster recovery data centers that store, process or transmit Minnesota Judicial Branch data only in the continental United States, (2) store, process and transmit Minnesota Judicial Branch data only in the continental United States, and (3) locate all monitoring and support of all the cloud computing or hosting services only in the continental U.S.
   Response: Yes ☐  No ☐  n/a ☐
   Describe: Click here to enter text.

7. Requirement: The system/solution/service provides password protection and security controls to prevent unauthorized access to or use of the system, data, and images. Proposed system solutions will ensure industry best practices for security architecture and design.
   Response: Yes ☐  No ☐  n/a ☐
   Describe: Click here to enter text.

9. Requirement: No data of any kind shall be transmitted, exchanged or otherwise passed to or accessed by other vendors or interested parties except on a case-by-case basis as specifically agreed to in writing by the Minnesota Judicial Branch.
   Response: Yes ☐  No ☐  n/a ☐
   Describe: Click here to enter text.

10. Requirement: The system/solution/service will encrypt sensitive data in transit and at rest using industry standard encryption protocols; encryption keys will be managed at least in part by the Minnesota Judicial Branch.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

11. Requirement: All data will be stored, processed, and maintained solely on designated servers, and no data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium, unless that storage medium is in use as part of the organization's designated backup and recovery processes.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

12. Requirement: All information systems will be configured to industry security best practices (e.g., CIS, NIST, etc.).
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

13. Requirement: Anti-malware software will be installed, running and maintained on all systems.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

14. Requirement: All physical access to information systems will be controlled and restricted to only those with a need to physically access these systems, and logs of access will be maintained.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

15. Requirement: The system/solution/service will be developed according to secure software development best practices (e.g., OWASP, SANS SWAT, etc.).
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

16. Requirement: All source code and object code must be made available to be scanned for vulnerabilities by the Minnesota Judicial Branch, or the results of the organization's source code and object code vulnerability testing must be made available to the Minnesota Judicial Branch. The vendor must have a process in place to address vulnerabilities in a timely manner.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

17. Requirement: The system/solution/service has the capability to integrate with a Security Incident Event Management (SIEM) system.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

18. Requirement: The system/solution/service's storage processes, backup storage processes, and security procedures being implemented ensure that there is no loss of data or unauthorized access to the data.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

19. Requirement: Firewalls are in place at the network perimeter and between the internal network segment and any DMZ.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

20. Requirement: Systems and applications are patched in a timely manner to ensure critical security and operational patches and fixes are in place, preserving the confidentiality, integrity and availability of the information system.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

21. Requirement: Vulnerability tests (internal/external) are performed on all applications and platforms, and results are provided to the Minnesota Judicial Branch. The vendor must have a process in place to address vulnerabilities in a timely manner.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

22. Requirement: Online transactions must conform to commercial security standards and measures such as TLS, among others. Temporary files for all secure online transactions must be securely and permanently deleted when said transaction is complete.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

23. Requirement: The system/solution/service will comply with the National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems and Organizations, Special Publication 800-53 revision 4, for a (High) system in accordance with the Minnesota Judicial Branch data classification.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

24. Requirement: Independent security audits of the system/solution/service, processes and data centers used to provide the services/solution are conducted at least annually. Audits are performed in accordance with SSAE16 SOC 2 or equivalent (e.g., FedRAMP) industry security standards. The contracted vendor will provide the most recent independent physical and logical audit results to the Minnesota Judicial Branch.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

25. Requirement: The organization has the capability to coordinate disaster recovery and business continuity processes and plans with the Minnesota Judicial Branch.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

26. Requirement: The organization will provide the Minnesota Judicial Branch with an example of a detailed disaster recovery continuity of operations plan as part of their response. The plan should be for an organization similar to our size and capacity.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

27. Requirement: The proposal must provide a detailed explanation of the security features that are built into the proposed system/solution/service. Note: a diagram of the system/solution/service with the security features would be helpful as well.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

28. Requirement: The vendor and system/solution/product/service/proposal will comply with the requirements of the Minnesota Judicial Branch Rules of Public Access to Records of the Judicial Branch and applicable state and federal laws/regulations (e.g., HIPAA, FERPA, IRS Publication 1075, FBI/CJIS, and PCI DSS).
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

29. Requirement: If federal, state or industry compliance requirements pertain to the data (e.g., CJI, IRS 1075, PHI (HIPAA), SSA, PCI DSS, etc.), the system/solution/service will comply with the said security policy and industry best practice.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

30. Requirement: All data received from the Minnesota Judicial Branch or created, collected or otherwise obtained as part of this agreement will be owned solely by the Minnesota Judicial Branch, and all access, use and disclosure of the data shall be restricted to only that which is required to perform the organization's duties under this agreement.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

31. Requirement: Processes will be in place to securely destroy or delete Minnesota Judicial Branch data according to the standards enumerated in D.O.D. 5015.2 from systems or media no longer being used to fulfill the terms of this agreement, or upon request from the Minnesota Judicial Branch.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

32. Requirement: In the event of termination of the agreement, the organization shall implement an orderly return of Minnesota Judicial Branch assets and the subsequent secure disposal of Minnesota Judicial Branch assets. During any period of suspension, the organization will not take any action to intentionally erase any Minnesota Judicial Branch data.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

33. Requirement: An incident response plan is in place which includes notifying the Minnesota Judicial Branch immediately of a known or suspected security or privacy incident involving Minnesota Judicial Branch data.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

34. Requirement: Web Application Firewall(s) (WAF) are in place at the network perimeter to protect against application and code flaws.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

35. Requirement: All system/solution/product/service/proposal components will have an audit logging function; this is critical for security and audit functions at the Minnesota Judicial Branch.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

36. Requirement: Secure logging: the system should not log any sensitive data (e.g., PCI, PHI, PII, SSN) into unprotected log storage.
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

37. Requirement:
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

38. Requirement:
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

39. Requirement:
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

40. Requirement:
    Response: Yes ☐  No ☐  n/a ☐
    Describe: Click here to enter text.

Note 1: Your answers to this questionnaire, to the extent deemed relevant by the State, will become an appendix in the contract for the awarded vendor.