ATTACHMENT C: IT SECURITY QUESTIONNAIRE

Access Control

1. How is access to the website granted?
2. Does the website use multi-factor authentication?
3. What type of authentication is used to verify user identity during account set-up and/or password reset?
4. What is the mechanism for obtaining a new password (password reset)?
5. Describe password complexity requirements.
6. Are newly granted/reset passwords required to be changed upon first log-in?
7. Do passwords age out (are password resets forced after a period of time)?
8. Does the application lock users out after a number of unsuccessful log-in attempts?
9. Does the system capture unsuccessful log-in attempts, and are those logs monitored?
10. Are password histories maintained in order to prevent repetition of passwords?
11. Are passwords masked as they are entered and stored encrypted?
12. Is user access level/permissions/authority driven by role?
13. Is access level given under the principle of least privilege?
14. Is access to the site secure (SSL, VPN, etc.)?
15. Does the system limit the number of concurrent user sessions?
16. Does the user session time out after a specified period of time?
17. Does the user session automatically terminate upon moving the browser to another site?
18. Are there other interactive activities that can be performed on the site without logging in?
19. Can administrators gain access to the back-end application(s) through the website (remote access)?

Vendor Internal Controls

20. Are passwords stored encrypted?
21. Do remote sessions utilize cryptography?
22. Internally, does the organization allow wireless access to the website or back-end application(s)?
23. Is customer information entered into the site accessible through mobile devices internally?
24. Does the vendor employ principles of least privilege in regard to customer data?
25. Is access based on a role-based methodology with a clear segregation of duties?
26. Do back-end systems utilize the same access controls outlined in the previous section?
27. Does the vendor undergo third-party penetration testing on an annual basis?
28. Are penetration test results available for Citizens review?

Security Awareness Training

29. Are there security awareness elements on the site (reminders, security tips, etc.)?
30. Does the vendor conduct mandatory annual security awareness training for its workforce?

Audit and Accountability

31. Does the vendor log customer activity (login attempts, activities, changes, date, time, user, etc.)?
32. Are these logs separated by customer and available to Citizens should they be required?
33. Does the vendor have a defined list of auditable events with documented processes and procedures for handling such events?
34. Are logs maintained and stored separately from the system that they report on?
35. Does the vendor monitor open-source information for evidence of unauthorized disclosure of customer data?

Security Assessment and Authorization

36. Does the vendor use a risk-based approach to information security?
37. Does the vendor have a documented process for conducting assessments, and for prioritizing and remediating risks?
38. Can the vendor provide a copy of a SAS 70 Type 2 or an SSAE 16 Type 2 or 3 report?

Configuration Management

39. Does the vendor have a documented process for notifying CPIC of changes to the website, along with an impact analysis, in advance of the change?
40. Does the vendor follow a formalized and documented change management process?
41. Does the vendor have a formalized and documented patch management policy and process, including testing prior to implementation?
42. Does the vendor enforce physical and logical restrictions against unauthorized changes to the information system?
43. Is the workforce utilized by the vendor qualified to perform their duties, particularly around risk assessments and security functions?
44. Does the vendor have standardized, documented and mandatory configuration settings which include the principle of least functionality?

Identification and Authentication

45. Does the vendor use multi-factor authentication internally?
46. Does the vendor use bi-directional (mutual) authentication before establishing device connections to the network?
47. Does the vendor ensure that all users are uniquely identified in their systems (no generic IDs)?

Incident Response

48. Does the vendor have a documented and tested incident response policy and procedures document?
49. Are all incidents tracked and documented?
50. Will incident documentation affecting Citizens data be available for review by Citizens?

Maintenance

51. Does the vendor have documented maintenance processes and procedures?
52. Does the vendor maintain a record of all security maintenance?
53. Are all systems in use able to be supported (no antiquated systems that are not supported)?

Media Protection

54. Does the organization have a formal, documented media protection policy?
55. Does the vendor sanitize media prior to disposal, repurposing or reuse?

Risk Assessment

56. Are risk assessments performed as a normal part of the SDLC process?
57. Does the vendor perform internal vulnerability scanning on a regular basis?

System and Service Acquisition

58. Are information security personnel embedded in the application and system SDLC processes?
59. Are any parts of the services or infrastructure that Citizens will be purchasing outsourced to a third party?
60. Will the vendor allow third-party penetration testing through a reputable vendor of our choosing and at our expense?

System and Communications Protection

61. Does the information system provide mechanisms to protect the authenticity of communication sessions?
62. Does the vendor obtain public key certificates from a reputable service provider?
63. Does the system have sufficient controls to prevent or limit the effects of a denial-of-service attack?
64. Does the vendor maintain a segregation of duties between user and administrative roles?
65. Does the vendor maintain a segregation of duties between developers and production?
66. Does the information system prevent unauthorized and unintended information transfer via shared system resources?
67. Does the system monitor and control communications at the external boundary of the system and at the internal boundaries within the system?

System and Information Integrity

68. In the event of an application or system fault, are detailed error messages delivered to web users?
69. Does the site reveal error messages only to authorized personnel and prohibit the inclusion of sensitive information in error logs or administrative messages?
70. Does the site check the validity of information inputs?
71. Does the vendor employ malicious code protection mechanisms?

Program Management

72. Does the vendor develop, monitor and report on the results of information security performance?

Other

73. Does the vendor retain copies of the background reports generated?
74. Does the vendor retain input data such as SSN, etc.?
75. Is sensitive data obscured upon entry (SSN)?
76. Are all transmissions/connections encrypted?
77. Are report files encrypted or locked in any way?
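The Access Control questions 5, 6, 8, 9, 10, 11 and 16 each correspond to a concrete mechanism a reviewer can ask a vendor to demonstrate. The following is an added illustration, not part of the questionnaire and not any vendor's code, of what affirmative answers to those questions look like in a minimal form: a salted, slow password hash (PBKDF2-HMAC-SHA256, which is what "stored encrypted" in question 11 should mean in practice, since a reversibly encrypted password store fails if the key leaks), forced change on first log-in, lockout after repeated failures, an audit record of every failed attempt, a password-history check, and an idle-session timeout. The thresholds (5 attempts, 15-minute lockout, 10-entry history, 15-minute idle timeout, 12-character minimum) and the PBKDF2 iteration count are assumptions chosen for the example; a real deployment would set them by policy and ship the audit log to a host separate from the application (question 34).

```python
"""Added example: reference logic for questionnaire items 5, 6, 8, 9, 10, 11 and 16.
All parameters below are assumptions for illustration, not values from the questionnaire."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # assumption: slow enough to resist offline guessing
MIN_LENGTH = 12               # Q5 (assumed policy)
MAX_FAILED_ATTEMPTS = 5       # Q8 (assumed policy)
LOCKOUT_SECONDS = 15 * 60     # Q8 (assumed policy)
PASSWORD_HISTORY = 10         # Q10 (assumed policy)
SESSION_IDLE_SECONDS = 15 * 60  # Q16 (assumed policy)

AUDIT_LOG: List[str] = []     # Q9: in production, forwarded to a separate log host (Q34)


def audit(event: str, username: str, now: float) -> None:
    AUDIT_LOG.append(f"{int(now)} {event} user={username}")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Q11: one-way, salted, iterated hash; nothing here can be decrypted back to the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def complexity_ok(password: str) -> bool:
    """Q5: minimum length plus at least three of four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # Q10: prior (salt, digest)
    failed_attempts: int = 0
    locked_until: float = 0.0
    must_change: bool = True  # Q6: set on creation and on administrative reset


def create_account(username: str, initial_password: str, now: float) -> Account:
    if not complexity_ok(initial_password):
        raise ValueError("initial password does not meet complexity policy")
    salt, digest = hash_password(initial_password)
    audit("ACCOUNT_CREATED", username, now)
    return Account(username, salt, digest)


def set_password(acct: Account, new_password: str, now: float) -> bool:
    """Q10: reject reuse of the current or any of the last PASSWORD_HISTORY-1 passwords."""
    if not complexity_ok(new_password):
        return False
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if verify_password(new_password, salt, digest):
            audit("PASSWORD_REUSE_REJECTED", acct.username, now)
            return False
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[: PASSWORD_HISTORY - 1]
    acct.salt, acct.digest = hash_password(new_password)
    acct.must_change = False
    audit("PASSWORD_CHANGED", acct.username, now)
    return True


def login(acct: Account, password: str, now: float) -> str:
    """Q8/Q9/Q6: returns 'locked', 'failed', 'must_change' or 'ok'; every failure is logged."""
    if now < acct.locked_until:
        audit("LOGIN_REJECTED_LOCKED", acct.username, now)
        return "locked"
    if not verify_password(password, acct.salt, acct.digest):
        acct.failed_attempts += 1
        audit("LOGIN_FAILED", acct.username, now)
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            audit("ACCOUNT_LOCKED", acct.username, now)
            return "locked"
        return "failed"
    acct.failed_attempts = 0
    audit("LOGIN_OK", acct.username, now)
    return "must_change" if acct.must_change else "ok"


@dataclass
class Session:
    username: str
    last_activity: float


def session_valid(session: Session, now: float) -> bool:
    """Q16: a session idle longer than SESSION_IDLE_SECONDS is dead; activity refreshes it."""
    if now - session.last_activity > SESSION_IDLE_SECONDS:
        return False
    session.last_activity = now
    return True
```

When reviewing a vendor's answers, the useful follow-up is to ask for the equivalent of each function: which algorithm and work factor back the "encrypted" claim in questions 11 and 20, what the lockout threshold and duration are, whether the failed-attempt events actually reach a monitored log, and whether the idle timeout is enforced server-side rather than only by a browser script.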