IT Security Questionnaire


ATTACHMENT C IT SECURITY QUESTIONNAIRE

Access Control

1. How is access to the website granted?

2. Does the website use multi-factor authentication?

3. What type of authentication is used to verify user identity during account set up and/or password reset?

4. What is the mechanism for obtaining a new password (Password reset)?

5. Describe password complexity requirements.

6. Are newly granted/reset passwords required to be changed upon first log-in?

7. Do passwords age out (are password resets forced after a period of time)?

8. Does the application lock users out after a number of unsuccessful log-in attempts?

9. Does the system capture unsuccessful log-in attempts and are those logs monitored?

10. Are password histories maintained in order to prevent repetition of passwords?

11. Are passwords masked as they are entered and stored encrypted?

12. Is user access level/permissions/authority driven by role?

13. Is access level given under the principle of least privilege?

14. Is access to the site secure (SSL, VPN etc.)?

15. Does the system limit the number of concurrent user sessions?

16. Does the user session time-out after a specified period of time?

17. Does the user session automatically terminate upon moving the browser to another site?

18. Are there other interactive activities that can be performed on the site without logging in?

19. Can Administrators gain access to the back end application(s) through the website? (Remote Access)

Vendor Internal Controls

20. Are passwords stored encrypted?

21. Do remote sessions utilize cryptography?

22. Internally, does the organization allow wireless access to the web site or back end application(s)?

23. Is customer information entered into the site accessible through mobile devices internally?

24. Does the vendor employ principles of least privilege in regard to customer data?

25. Is access based on a role-based methodology with a clear segregation of duties?

26. Do back-end systems utilize the same access controls outlined in the previous section?

27. Does the vendor undergo third party penetration testing on an annual basis?

28. Are penetration tests available for Citizens review?

Security Awareness Training

29. Are there security awareness elements on the site (reminders, security points, etc.)?

30. Does the vendor conduct mandatory annual security awareness training for its workforce?

Audit and Accountability

31. Does the vendor log customer activity (login attempts, activities, changes, date, time, user, etc.)?

32. Are these logs separated by customer and available to Citizens should they be required?

33. Does the vendor have a defined list of auditable events with documented processes and procedures for handling such events?

34. Are logs maintained and stored separate from the system that they report on?

35. Does the vendor monitor open source information for evidence of unauthorized disclosure of customer data?

Security Assessment and Authorization

36. Does the vendor use a risk based approach to information security?

37. Does the vendor have a documented process for conducting assessments, prioritizing and remediating risks?

38. Can the vendor provide a copy of a SAS 70 Type 2 or an SSAE 16 Type 2 or 3?

Configuration Management

39. Does the vendor have a documented process for notifying CPIC of changes to the website along with an impact analysis in advance of the change?

40. Does the vendor follow a formalized and documented change management process?

41. Does the vendor have a formalized and documented patch management policy and process, including testing prior to implementation?

42. Does the vendor enforce physical and logical restrictions against unauthorized changes to the information system?

43. Is the workforce utilized by the vendor qualified to perform their duties, particularly around risk assessments and security functions?

44. Does the vendor have standardized, documented and mandatory configuration settings which include the principles of least functionality?

Identification and Authentication

45. Does the vendor use multi-factor authentication internally?

46. Does the vendor use bi-directional authentication before establishing device connections to the network?

47. Does the vendor ensure that all users are uniquely identified in their systems (No generic IDs)?

Incident Response

48. Does the vendor have a documented and tested incident response policy and procedures document?

49. Are all incidents tracked and documented?

50. Will incident documentation affecting Citizens data be available for review by Citizens?

Maintenance

51. Does the vendor have documented processes and procedures?

52. Does the vendor maintain a record of all security maintenance?

53. Are all systems in use able to be supported (no antiquated systems that are not supported)?

Media Protection

54. Does the organization have a formal, documented media protection policy?

55. Does the vendor sanitize media prior to disposal, repurposing or reuse?

Risk Assessment

56. Are risk assessments performed as a normal part of the SDLC process?

57. Does the vendor perform internal vulnerability scanning on a regular basis?

System and Service Acquisition

58. Are Information Security personnel embedded in the application and system SDLC processes?

59. Are any parts of the services or infrastructure that Citizens will be purchasing outsourced to a third party?

60. Will the vendor allow third party penetration testing through a reputable vendor of our choosing and at our expense?

System and Communications Protection

61. Does the information system provide mechanisms to protect the authenticity of communication sessions?

62. Does the vendor obtain public key certificates from a reputable service provider?

63. Does the system have sufficient controls to prevent or limit the effects of a denial of service attack?

64. Does the vendor maintain a segregation of duties between user and administrative roles?

65. Does the vendor maintain a segregation of duties between developers and production?

66. Does the information system prevent unauthorized and unintended information transfer via shared system resources?

67. Does the system monitor and control communications at the external boundary of the system and at the internal boundaries within the system?

System and Information Integrity

68. In the event of an application or system fault are detailed error messages delivered to web users?

69. Does the site reveal error messages only to authorized personnel and prohibit the inclusion of sensitive information in error logs or administrative messages?

70. Does the site check the validity of information inputs?

71. Does the vendor employ malicious code protection mechanisms?

Program Management

72. Does the vendor develop, monitor and report on the result of information security performance?

Other

73. Does the vendor retain copies of the background reports generated?

74. Does the vendor retain input data such as SSN, etc.?

75. Is sensitive data obscured upon entry (SSN)?

76. Are all transmission/connections encrypted?

77. Are report files encrypted or locked in any way?
