SIG responses

ID Question Response Expected Vendor Comments Analyst Notes Risk? Add to report? Section Save Notes
A.1 Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program? if yes, does it include: Si Yes A. Risk Management
A.1.1 A risk assessment, conducted within the last 12 months? Si Yes A. Risk Management
A.1.2 Risk Governance? Si Yes A. Risk Management
A.1.3 Range of assets to include: people, processes, data and technology? Si Yes A. Risk Management
A.1.4 Range of threats to include: malicious, natural, accidental, cyber, business changes (transaction volume)? Si Yes A. Risk Management
A.1.5 Risk scoping? Si Yes A. Risk Management
A.1.6 Risk context? Si Yes A. Risk Management
A.1.7 Risk training plan? Si Yes A. Risk Management
A.1.8 Risk evaluation criteria? Si Yes A. Risk Management
A.1.9 Risk scenarios? If yes: Si Yes A. Risk Management
A.1.9.1 Have scenarios been created for a variety of events with a range of possible threats that could impact the range of assets? Si Yes A. Risk Management
A.1.9.2 Do the scenarios include threat types impacting all assets resulting in business impact? Si Yes A. Risk Management
A.1.10 Ownership, action plan, response plan, management update? Si Yes A. Risk Management
A.2 Are controls identified for each risk classified as: preventive, detective, corrective, predictive (technical or administrative controls)? Si Yes A. Risk Management
B.1 Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? If yes, does the policy contain: Si Yes B. Security Policy
B.1.1 Risk assessment? Si Yes B. Security Policy
B.1.2 Risk management? Si Yes B. Security Policy
B.1.3 Security awareness training/education? Si Yes B. Security Policy
B.1.4 Business continuity? Si Yes B. Security Policy
B.1.5 Consequences for non-compliance with corporate policies? Si Yes B. Security Policy
B.1.6 Responsibilities for information security management? Si Yes B. Security Policy
B.1.7 Acceptable use? Si Yes B. Security Policy
B.1.8 Access control? Si Yes B. Security Policy
B.1.9 Application security? Si Yes B. Security Policy
B.1.10 Change control? Si Yes B. Security Policy
B.1.11 Clean desk? Si Yes B. Security Policy
B.1.12 Computer and communication systems access and use? Si Yes B. Security Policy
B.1.13 Data handling? Si Yes B. Security Policy
B.1.14 Desktop computing? Si Yes B. Security Policy
B.1.15 Disaster recovery? Si Yes B. Security Policy
B.1.16 Email? Si Yes B. Security Policy
B.1.17 Constituent accountability? Si Yes B. Security Policy
B.1.18 Encryption? Si Yes B. Security Policy
B.1.19 Exception process? Si Yes B. Security Policy
B.1.20 Information classification? Si Yes B. Security Policy
B.1.21 Internet/Intranet access and use? Si Yes B. Security Policy
B.1.22 Mobile computing? Si Yes B. Security Policy
B.1.23 Network security? Si Yes B. Security Policy
B.1.24 Operating system security? Si Yes B. Security Policy
B.1.25 Personnel security and termination? Si Yes B. Security Policy
B.1.26 Physical access? Si Yes B. Security Policy
B.1.27 Policy maintenance? Si Yes B. Security Policy
B.1.28 Remote access? Si Yes B. Security Policy
B.1.29 Security incident and privacy event management? Si Yes B. Security Policy
B.1.30 Secure disposal? Si Yes B. Security Policy
B.1.31 Social media, social networking? Si Yes B. Security Policy
B.1.32 Vulnerability management? Si Yes B. Security Policy
B.1.33 Terms of Use for Mobile Devices? Si Yes B. Security Policy
B.1.34 Have the policies been reviewed in the last 12 months? If yes, did the review include: Si Yes B. Security Policy
B.1.34.1 Feedback from interested parties? Si Yes B. Security Policy
B.1.34.2 Results of independent reviews? Si Yes B. Security Policy
B.1.34.3 Policy compliance? Si Yes B. Security Policy
B.1.34.4 Changes that could affect the approach to managing information security? Si Yes B. Security Policy
B.1.34.5 Reported information security incidents? Si Yes B. Security Policy
B.1.34.6 Recommendations provided by relevant authorities? Si Yes B. Security Policy
B.1.34.7 Records management? Si Yes B. Security Policy
B.1.35 Is there a process to approve exceptions to the policy? Si Yes B. Security Policy
B.1.35.1 Does security own the approval process? Si Yes B. Security Policy
B.1.36 Is the information security policy communicated? If yes, is it communicated to: Si Yes B. Security Policy
B.1.36.1 Full time constituents? Si Yes B. Security Policy
B.1.36.2 Part time constituents? Si Yes B. Security Policy
B.1.36.3 Contractors? Si Yes B. Security Policy
B.2 Is there a vendor management program? Si Yes B. Security Policy
B.2.1 Does the vendor management program include an individual or group responsible for capturing, maintaining and tracking subcontractor information security issues? If yes, is there: Si Yes B. Security Policy
B.2.1.1 Risk rating of the issue (e.g., H/M/L, 1-5, etc.)? Si Yes B. Security Policy
B.2.1.2 Documented corrective action or remediation plan? Si Yes B. Security Policy
B.2.1.3 Target remediation date? Si Yes B. Security Policy
B.2.1.4 On-going communication with subcontractor to discuss status of remediation? Si Yes B. Security Policy
B.2.1.5 Escalation procedure if the remediation date is not met? Si Yes B. Security Policy
B.2.1.6 Sign-off when remediation is fully implemented? Si Yes B. Security Policy
B.2.1.7 Reporting on remediation? If yes, does it include: Si Yes B. Security Policy
B.2.1.7.1 Identification of stakeholders? Si Yes B. Security Policy
B.2.1.7.2 Reporting frequency? Si Yes B. Security Policy
C.1 Is there a respondent information security function responsible for security initiatives? If yes, does it include: Si Yes C. Organizational Security
C.1.1 Creation, review and approve of information security policies? Si Yes C. Organizational Security
C.1.2 Review the effectiveness of information security policy implementation? Si Yes C. Organizational Security
C.1.3 Manage assignment of specific roles and responsibilities for information security? Si Yes C. Organizational Security
C.1.4 Develop and maintain an overall strategic security plan? Si Yes C. Organizational Security
C.1.5 Consistent implementation of information security across different parts of the respondent's organization? Si Yes C. Organizational Security
C.1.6 Review and monitor information security / privacy incidents or events? Si Yes C. Organizational Security
C.1.7 Monitor significant changes in the exposure of information assets? Si Yes C. Organizational Security
C.1.8 Contacts with information security special interest groups, specialist security forums, or professional associations? Si Yes C. Organizational Security
C.1.9 Identify and document instances of non-compliance with security policies? Si Yes C. Organizational Security
C.1.10 Identify key Information Technology roles? Si Yes C. Organizational Security
C.2 Do external parties have access to Scoped Systems and Data or processing facilities? If yes, is: Si No C. Organizational Security
C.2.1 Access prohibited prior to a risk assessment being conducted? Si Yes C. Organizational Security
C.2.2 A risk assessment performed on third parties? No Yes C. Organizational Security
C.2.3 A controls assessment performed on third parties? Si Yes C. Organizational Security
C.2.4 Agreements in place when customers access Scoped Systems and Data? Si Yes C. Organizational Security
C.2.5 Does management require the use of confidentiality or non-disclosure agreements for all third parties? If yes, do they contain: Si Yes C. Organizational Security
C.2.5.1 Ownership of information, trade secrets and intellectual property? Si Yes C. Organizational Security
C.2.5.2 Permitted use of confidential information, and granting of rights to the signatory to use information? Si Yes C. Organizational Security
C.2.5.3 Process for notification and reporting of unauthorized disclosure or confidential information breaches? Si Yes C. Organizational Security
C.2.5.4 Expected actions to be taken in case of a breach of this agreement? Si Yes C. Organizational Security
C.2.6 Are there contracts with third party service providers who have access to Scoped Systems and Data ? If yes, do they include: Si Yes C. Organizational Security
C.2.6.1 Non-Disclosure Agreement? Si Yes C. Organizational Security
C.2.6.2 Confidentiality Agreement? Si Yes C. Organizational Security
C.2.6.3 Media handling? Si Yes C. Organizational Security
C.2.6.4 Requirement of an awareness program to communicate security standards and expectations? Si Yes C. Organizational Security
C.2.6.5 Responsibilities regarding hardware and software installation and maintenance? Si Yes C. Organizational Security
C.2.6.6 Clear reporting structure and agreed reporting formats? Si Yes C. Organizational Security
C.2.6.7 Clear and specified process of change management? Si Yes C. Organizational Security
C.2.6.8 Notification of change? Si Yes C. Organizational Security
C.2.6.9 Process to address any identified issues? Si Yes C. Organizational Security
C.2.6.10 Access control policy? Si Yes C. Organizational Security
C.2.6.11 Breach notification? Si Yes C. Organizational Security
C.2.6.12 Description of the product or service to be provided? Si Yes C. Organizational Security
C.2.6.13 Description of the information to be made available along with its security classification? Si Yes C. Organizational Security
C.2.6.14 SLAs? Si Yes C. Organizational Security
C.2.6.15 Audit reporting? Si Yes C. Organizational Security
C.2.6.16 Ongoing monitoring? Si Yes C. Organizational Security
C.2.6.17 A process to regularly monitor to ensure compliance with security standards? Si Yes C. Organizational Security
C.2.6.18 Onsite review? Si Yes C. Organizational Security
C.2.6.19 Right to audit? Si Yes C. Organizational Security
C.2.6.20 Right to inspect? Si Yes C. Organizational Security
C.2.6.21 Problem reporting and escalation procedures? Si Yes C. Organizational Security
C.2.6.22 Business resumption responsibilities? Yes C. Organizational Security
C.2.6.23 Indemnification/liability? Si Yes C. Organizational Security
C.2.6.24 Privacy requirements? Si Yes C. Organizational Security
C.2.6.25 Dispute resolution? Yes C. Organizational Security
C.2.6.26 Choice of venue? Si Yes C. Organizational Security
C.2.6.27 Data ownership? Si Yes C. Organizational Security
C.2.6.28 Ownership of intellectual property? Si Yes C. Organizational Security
C.2.6.29 Involvement of the third party with subcontractors? Si Yes C. Organizational Security
C.2.6.30 Security controls these subcontractors need to implement? Si Yes C. Organizational Security
C.2.6.31 Termination/exit clause? Si Yes C. Organizational Security
C.2.6.32 Contingency plan in case either party wishes to terminate the relationship before the end of the agreements? Si Yes C. Organizational Security
C.2.6.33 Renegotiation of agreements if the security requirements of the respondent change? Si Yes C. Organizational Security
C.2.6.34 Current documentation of asset lists, licenses, agreements or rights relating to them? Si Yes C. Organizational Security
D.1 Is there an asset management program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Si Yes D. Asset Management
D.1.1 Is there an inventory system for hardware and software assets? If yes, does it include: Si Yes D. Asset Management
D.1.1.1 Asset control tag? Si Yes D. Asset Management
D.1.1.2 Operating system? Si Yes D. Asset Management
D.1.1.3 Physical location? Si Yes D. Asset Management
D.1.1.4 Serial number? Si Yes D. Asset Management
D.1.1.5 Business function supported? Si Yes D. Asset Management
D.1.1.6 Environment (dev, test, etc.)? Si Yes D. Asset Management
D.1.1.7 IP address? Si Yes D. Asset Management
D.1.2 Is there a detailed description of software licenses (number of seats, concurrent users, etc.) ? Si Yes D. Asset Management
D.1.3 Is ownership assigned for information and assets? If yes, is the owner responsible to: Si Yes D. Asset Management
D.1.3.1 Appropriately classify information and assets? Si Yes D. Asset Management
D.1.3.2 Review and approve access to those information and assets? Si Yes D. Asset Management
D.1.3.3 Establish, document and implement rules for the acceptable use of information and assets? Si Yes D. Asset Management
D.2 Are information and assets classified? Si Yes D. Asset Management
D.2.1 Is there an information asset classification policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Si Yes D. Asset Management
D.2.2 Is there a procedure for handling of information and assets? If yes, does it include: Si Yes D. Asset Management
D.2.2.1 Data ownership? Si Yes D. Asset Management
D.2.2.2 Data access controls including authorization? Si Yes D. Asset Management
D.2.2.3 Data labeling? Si Yes D. Asset Management
D.2.2.4 Data on removable media? Si Yes D. Asset Management
D.2.2.5 Data in transit? Si Yes D. Asset Management
D.2.2.6 Data encryption? Si Yes D. Asset Management
D.2.2.7 Data in storage? Si Yes D. Asset Management
D.2.2.8 Data reclassification? Si Yes D. Asset Management
D.2.2.9 Data retention? Si Yes D. Asset Management
D.2.2.10 Data destruction? Si Yes D. Asset Management
D.2.2.11 Data disposal? Si Yes D. Asset Management
D.2.2.12 Reviewed at least annually? Si Yes D. Asset Management
D.2.2.13 Data handling based on classification? Si Yes D. Asset Management
D.2.2.14 Physical media destruction? Si Yes D. Asset Management
D.2.2.15 Reuse of physical media (tapes, disk drives, etc.)? Si Yes D. Asset Management
E.1 Are security roles and responsibilities of constituents defined and documented in accordance with the respondent?s information security policy? Si Yes E. Human Resource Security
E.2 Is a background screening performed prior to allowing constituent access to Scoped Systems and Data? If yes, does it include: Si Yes E. Human Resource Security
E.2.1 Criminal? Si Yes E. Human Resource Security
E.2.2 Credit? Yes E. Human Resource Security
E.2.3 Academic? Si Yes E. Human Resource Security
E.2.4 Reference? Si Yes E. Human Resource Security
E.2.5 Resume or curriculum vitae? Si Yes E. Human Resource Security
E.2.6 Drug Screening? Si Yes E. Human Resource Security
E.3 Are periodic background checks conducted? If yes, do they include the following individuals: Si Yes E. Human Resource Security
E.3.1 Senior Management? Si Yes E. Human Resource Security
E.3.2 Subcontractors? Si Yes E. Human Resource Security
E.3.3 All other employees? Si Yes E. Human Resource Security
E.4 Are new hires required to sign any agreements upon hire? If yes, does it include: Si Yes E. Human Resource Security
E.4.1 Acceptable Use? Si Yes E. Human Resource Security
E.4.2 Code of Conduct / Ethics? Si Yes E. Human Resource Security
E.4.3 Non-Disclosure Agreement? Si Yes E. Human Resource Security
E.4.4 Confidentiality Agreement? Si Yes E. Human Resource Security
E.4.5 Terms of Use for Mobile Devices? Si Yes E. Human Resource Security
E.4.6 Are constituents required to sign annual acknowledgements? If yes, do they include: Si Yes E. Human Resource Security
E.4.6.1 Acceptable Use? Si Yes E. Human Resource Security
E.4.6.2 Code of Conduct / Ethics? Si Yes E. Human Resource Security
E.4.6.3 Non-Disclosure Agreement? Si Yes E. Human Resource Security
E.4.6.4 Confidentiality Agreement? Si Yes E. Human Resource Security
E.5 Is there a security awareness training program? If yes, does it include: Si Yes E. Human Resource Security
E.5.1 Security policies, procedures and processes? Si Yes E. Human Resource Security
E.5.2 Scored test to evaluate successful completion? Si Yes E. Human Resource Security
E.5.3 New Hire and annual participation? Si Yes E. Human Resource Security
E.5.4 Training commensurate with levels of responsibilities and access? Si Yes E. Human Resource Security
E.5.5 Additional training for those responsible for information security? Si Yes E. Human Resource Security
E.5.6 Mobile Device security awareness? Si Yes E. Human Resource Security
E.6 Do information security personnel have professional security certifications? Si Yes E. Human Resource Security
E.7 Is there a disciplinary process for non-compliance with information security policies? Si Yes E. Human Resource Security
E.8 Is there a constituent termination or change of status process? Si Yes E. Human Resource Security
E.8.1 Is there a documented termination or change of status policy or process that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Si Yes E. Human Resource Security
E.8.2 Does HR notify security / access administration of constituent termination for access rights removal? If yes, is notification provided: Si Yes E. Human Resource Security
E.8.2.1 On the actual date? Si Yes E. Human Resource Security
E.8.2.2 Two to seven days after termination? No Yes E. Human Resource Security
E.8.2.3 Greater than seven days after termination? No Yes E. Human Resource Security
E.8.3 Does HR notify security / access administration of a constituent change of status for access rights removal? If yes, is notification provided: Si Yes E. Human Resource Security
E.8.3.1 On the actual date of the change of status? Si Yes E. Human Resource Security
E.8.3.2 Two to seven days after the change of status? No Yes E. Human Resource Security
E.8.3.3 Greater than seven days after the change of status? No Yes E. Human Resource Security
E.8.4 Are constituents required to return assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon: E. Human Resource Security
E.8.4.1 Termination? Si Yes E. Human Resource Security
E.9 Is there a succession and redundancy planning for key management and support personnel? If yes, does it include: Si Yes E. Human Resource Security
E.9.1 Senior Management? Si Yes E. Human Resource Security
E.9.2 Key support, operations and development areas? Si Yes E. Human Resource Security
F.1 Is there a physical security program? Si Yes F. Physical and Environmental
F.1.1 Is there a documented physical security policy approved by management, communicated to constituents and an owner assigned to maintain and review the policy? Si Yes F. Physical and Environmental
F.1.2 Are reasonable physical security and environmental controls present in the building/data center that contains Scoped Systems and Data? If yes, does it include: Si Yes F. Physical and Environmental
F.1.2.1 Signage to identify the operations of the facility (data center)? Si No F. Physical and Environmental
F.1.2.2 Other tenants using the building? Si No F. Physical and Environmental
F.1.2.3 Access restricted and logs kept of all access? Si Yes F. Physical and Environmental
F.1.2.4 Electronic system (key card, token, fob, biometric reader etc.) to control access? Si Yes F. Physical and Environmental
F.1.2.5 Cipher locks (electronic or mechanical) to control access within or to the facility? If yes, is there a process to: Si Yes F. Physical and Environmental
F.1.2.5.1 Change the code(s) at least every 90 days? Si Yes F. Physical and Environmental
F.1.2.5.2 Change the code(s) when an authorized individual is terminated or transferred to another role? Si Yes F. Physical and Environmental
F.1.2.6 Security guards that provide onsite security services? Si Yes F. Physical and Environmental
F.1.2.7 Perimeter physical barrier (such as fence or walls)? Si Yes F. Physical and Environmental
F.1.2.8 Entry and exit doors alarmed (forced entry, propped open) and/or monitored by security guards? Si Yes F. Physical and Environmental
F.1.2.9 A mechanism to prevent tailgating / piggybacking? Si Yes F. Physical and Environmental
F.1.2.10 External lighting? Si Yes F. Physical and Environmental
F.1.2.11 Lighting on all doors? Si Yes F. Physical and Environmental
F.1.2.12 Exterior doors with external hinge pins? N/A Yes No aplica puesto que todas las puertas se encuentran automatizadas y vigiladas por el ?rea del COS. F. Physical and Environmental
F.1.2.13 Windows with contact or break alarms on all windows? Si Yes F. Physical and Environmental
F.1.2.14 CCTV with video stored at least 90 days? No Yes Se almacenan solo 30 d?as F. Physical and Environmental
F.1.2.15 Fluid or water sensor? Si Yes F. Physical and Environmental
F.1.2.16 Air conditioning and humidity controls? Si Yes F. Physical and Environmental
F.1.2.17 Heat detection? Si Yes F. Physical and Environmental
F.1.2.18 Smoke detection? Si Yes F. Physical and Environmental
F.1.2.19 Fire suppression? Si Yes F. Physical and Environmental
F.1.2.20 Multiple power feeds? Si Yes F. Physical and Environmental
F.1.2.21 Multiple communication feeds? Si Yes F. Physical and Environmental
F.1.2.22 Physical access control procedures? If yes, is there: Si Yes F. Physical and Environmental
F.1.2.22.1 Segregation of duties for issuing and approving access to the facility (keys, badge, etc.)? Si Yes F. Physical and Environmental
F.1.2.22.2 Access reviews at least every six months? Si Yes F. Physical and Environmental
F.1.2.22.3 Collection of access equipment (badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer require access? Si Yes F. Physical and Environmental
F.1.2.22.4 A process to report lost or stolen access cards / keys? Si Yes F. Physical and Environmental
F.1.3 Are visitors permitted in the facility? If yes, are they required to: Si Yes F. Physical and Environmental
F.1.3.1 Sign in and out? Si Yes F. Physical and Environmental
F.1.3.2 Provide a government issued ID? Si Yes F. Physical and Environmental
F.1.3.3 Be escorted through secure areas? Si Yes F. Physical and Environmental
F.1.3.4 Wear badge distinguishing them from employees? Si Yes F. Physical and Environmental
F.1.3.5 Are visitor logs maintained for at least 90 days? Si Yes F. Physical and Environmental
F.1.4 Is there a loading dock at the facility? If yes, is there: Si Yes F. Physical and Environmental
F.1.4.1 Any other tenants using the loading dock? No Yes F. Physical and Environmental
F.1.4.2 A security guards at each point of entry? Si Yes F. Physical and Environmental
F.1.4.3 Smoke detector? Si Yes F. Physical and Environmental
F.1.4.4 Fire alarm? Si Yes F. Physical and Environmental
F.1.4.5 Fire suppression? Si Yes F. Physical and Environmental
F.1.4.6 CCTV and the video stored for at least 90 days? No Yes Se almacenan solo 30 d?as F. Physical and Environmental
F.1.4.7 Restricted access and logs kept of all access? Si Yes F. Physical and Environmental
F.1.5 Is there a battery/UPS room? If yes, does it contain: Si Yes F. Physical and Environmental
F.1.5.1 Hydrogen sensors? No Yes F. Physical and Environmental
F.1.5.2 Monitored fire alarm? Si Yes F. Physical and Environmental
F.1.5.3 Fire suppression system? Si Yes F. Physical and Environmental
F.1.5.4 CCTV and the video stored for at least 90 days? No Yes Se almacenan solo 30 d?as F. Physical and Environmental
F.1.5.5 Restricted access and logs kept of all access? Si Yes F. Physical and Environmental
F.1.5.6 Does UPS support N+1? Si Yes F. Physical and Environmental
F.1.6 Is there a generator or generator area? If yes, is there: Si Yes F. Physical and Environmental
F.1.6.1 A fuel supply readily available to ensure uninterrupted service? Si Yes F. Physical and Environmental
F.1.6.2 Adequate capacity to supply power for at least 48 hours? Si Yes F. Physical and Environmental
F.1.6.3 Restricted access and logs kept of all access? Si Yes F. Physical and Environmental
F.1.6.4 CCTV and the video stored for at least 90 days? No Yes Se almacenan solo 30 d?as F. Physical and Environmental
F.1.7 Is there a mailroom that handles Scoped Data? If yes, is access: Si Yes F. Physical and Environmental
F.1.7.1 Restricted access and logs kept of all access? Si Yes F. Physical and Environmental
F.1.7.2 CCTV and the video stored for at least 90 days? No Yes Se almacenan solo 30 d?as F. Physical and Environmental
F.1.8 Is there a media library to store Scoped Data? If yes, is access: Si Yes F. Physical and Environmental
F.1.8.1 Restricted and logs kept of all access? Si Yes F. Physical and Environmental
F.1.8.2 CCTV and the video stored for at least 90 days? No Yes Se almacenan solo 30 d?as F. Physical and Environmental
F.1.9 Is there a separate room for telecom equipment? If yes, is access: Si Yes F. Physical and Environmental
F.1.9.1 Monitored with CCTV and the video stored for 90 days? No Yes Se almacenan solo 30 d?as F. Physical and Environmental
F.1.9.2 Restricted and logs kept of all access? Si Yes F. Physical and Environmental
F.2 Do the Scoped Systems and Data reside in a data center? If yes, is there: Yes Viene de manera muy general. F. Physical and Environmental
F.2.1 Fluid or water sensor? Si Yes F. Physical and Environmental
F.2.2 Air conditioning? Si Yes F. Physical and Environmental
F.2.3 Heat detection? Si Yes F. Physical and Environmental
F.2.4 Smoke detection? Si Yes F. Physical and Environmental
F.2.5 Vibration alarm / sensor? Si Yes F. Physical and Environmental
F.2.6 Monitored fire alarm? Si Yes F. Physical and Environmental
F.2.7 Fire suppression (e.g., dry, chemical, wet pipe)? Si Yes F. Physical and Environmental
F.2.8 Multiple power feeds? Si Yes F. Physical and Environmental
F.2.9 Multiple communication feeds? Si Yes F. Physical and Environmental
F.2.10 Are there generator(s)? Si Yes F. Physical and Environmental
F.2.11 Is access to the data center restricted and logs kept of all access? Si Yes F. Physical and Environmental
F.2.11.1 Badge readers at points of entry? Si Yes F. Physical and Environmental
F.2.11.2 Locked doors requiring a key or PIN at points of entry? N/A Yes F. Physical and Environmental
F.2.11.3 Access request procedures? Si Yes F. Physical and Environmental
F.2.11.3.1 Segregation of duties for issuing and approving access? Si Yes F. Physical and Environmental
F.2.11.3.2 Access reviews conducted at least every six months? Si Yes F. Physical and Environmental
F.2.11.4 Is there a mechanism to thwart tailgating / piggybacking into the data center? Si Yes F. Physical and Environmental
F.2.12 Are there security guards at points of entry? Si Yes F. Physical and Environmental
F.2.12.1 Do the security guards monitor security systems and alarms? Si Yes F. Physical and Environmental
F.2.13 Are visitors permitted in the data center? Si Yes F. Physical and Environmental
F.2.13.1 Are they required to sign in and out of the data center? Si Yes F. Physical and Environmental
F.2.13.2 Are they escorted within the data center? Si Yes F. Physical and Environmental
F.2.14 Are all entry and exit points to the data center alarmed? Si Yes F. Physical and Environmental
F.2.14.1 Are there alarm motion sensors monitoring the data center? Si Yes F. Physical and Environmental
F.2.15 Is access to the Data center monitored with CCTV and the video stored for at least 90 days? No Yes Se almacenan solo 30 d?as F. Physical and Environmental
F.2.16 Walls extending from true floor to true ceiling? Si Yes F. Physical and Environmental
F.2.17 Windows or glass walls along the perimeter? No Yes F. Physical and Environmental
F.2.18 Do the Scoped Systems and Data reside in a caged environment within a data center? If yes, is there a: Si Yes F. Physical and Environmental
F.2.18.1 Lock requiring a key or PIN used at points of entry? Si Yes F. Physical and Environmental
F.2.18.2 Process for requesting access? Si Yes F. Physical and Environmental
F.2.18.2.1 Segregation of duties for granting and storage of access devices (badges, keys, etc.)? Si Yes F. Physical and Environmental
F.2.18.3 List maintained of personnel with cards / keys to the caged environment? Si Yes F. Physical and Environmental
F.2.18.4 Process to report lost access cards / keys? Si Yes F. Physical and Environmental
F.2.18.5 Process to review access to the cage at least every six months? Si Yes F. Physical and Environmental
F.2.18.6 Process to collect access equipment (badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer requires access? Si Yes F. Physical and Environmental
F.2.18.7 Are visitors permitted in the caged environment? If yes, are they: Si Yes F. Physical and Environmental
F.2.18.7.1 Required to sign in and out? Si Yes F. Physical and Environmental
F.2.18.7.2 Escorted? Si Yes F. Physical and Environmental
F.2.18.8 Monitored with CCTV and the video stored for at least 90 days? No Yes Se almacenan solo 30 d?as F. Physical and Environmental
F.2.19 Do the Scoped Systems and Data reside in a locked cabinet? If yes, is there: Si Yes F. Physical and Environmental
F.2.19.1 Shared cabinets? No Yes Todos son individuales F. Physical and Environmental
F.2.19.2 Restricted access and logs kept of all access? Si Yes F. Physical and Environmental
F.2.19.3 Access request procedures? Si Yes F. Physical and Environmental
F.2.19.4 Segregation of duties for issuing, approving access and storing devices (badges, keys, etc.)? Si Yes F. Physical and Environmental
F.2.19.5 A list of personnel with cards / keys to the cabinet? Si Yes F. Physical and Environmental
F.2.19.6 A process to report lost access cards / keys? No Yes F. Physical and Environmental
F.2.19.7 Collection access equipment (badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer requires access? No Yes F. Physical and Environmental
F.2.19.8 Cabinets monitored with CCTV and the video stored for at least 90 days? Si Yes F. Physical and Environmental
F.2.20 Is there a policy on using locking screensavers on unattended system displays or locks on consoles within the data center? Si Yes F. Physical and Environmental
F.2.21 Is there a procedure for equipment removal from the data center? Si Yes F. Physical and Environmental
F.2.22 Is there a preventive maintenance or current maintenance contracts for: F. Physical and Environmental
F.2.22.1 UPS system? Si Yes F. Physical and Environmental
F.2.22.2 Security system? Si Yes F. Physical and Environmental
F.2.22.3 Generator? Si Yes F. Physical and Environmental
F.2.22.4 Batteries? Si Yes F. Physical and Environmental
F.2.22.5 Monitored fire alarm? Si Yes F. Physical and Environmental
F.2.22.6 Fire suppression systems? Si Yes F. Physical and Environmental
F.2.22.7 HVAC? Si Yes F. Physical and Environmental
F.2.23 Are the following tested: F. Physical and Environmental
F.2.23.1 UPS system - annually? Si Yes F. Physical and Environmental
F.2.23.2 Security alarm system - annually? Si Yes F. Physical and Environmental
F.2.23.3 Fire alarms - annually? Si Yes F. Physical and Environmental
F.2.23.4 Fire suppression system - annually? Si Yes F. Physical and Environmental
F.2.23.5 Generators - monthly? No Yes Se tienen agendados los mantenimientos de acuerdo al calendario anual. F. Physical and Environmental
F.2.23.6 Generators full load tested - monthly? No Yes Se tienen agendados los mantenimientos de acuerdo al calendario anual. F. Physical and Environmental
G.1 Are management approved operating procedures utilized? If yes, are they: Si Yes G. Communications and Ops Mgmt
G.1.1 Documented, maintained, and made available to all users? Yes G. Communications and Ops Mgmt
G.2 Is there an operational change management/change control policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the polic Si Yes G. Communications and Ops Mgmt
G.2.1 Documentation of changes? Yes G. Communications and Ops Mgmt
G.2.2 Request, review and approval of proposed changes? Yes G. Communications and Ops Mgmt
G.2.3 Pre-implementation testing? Yes G. Communications and Ops Mgmt
G.2.4 Post-implementation testing? Yes G. Communications and Ops Mgmt
G.2.5 Review for potential security impact? Yes G. Communications and Ops Mgmt
G.2.6 Review for potential operational impact? Yes G. Communications and Ops Mgmt
G.2.7 Communication of changes to all relevant constituents? Yes G. Communications and Ops Mgmt
G.2.8 Rollback procedures? Yes G. Communications and Ops Mgmt
G.2.9 Maintenance of change control logs? Yes G. Communications and Ops Mgmt
G.2.10 Code reviewed by information security prior to the implementation of internally developed applications and / or application updates? Yes G. Communications and Ops Mgmt
G.2.11 Is information security's approval required prior to implementing changes? Yes G. Communications and Ops Mgmt
G.2.12 Are the following changes to the production environment subject to the change control process: G. Communications and Ops Mgmt
G.2.12.1 Network? Yes G. Communications and Ops Mgmt
G.2.12.2 Systems? Yes G. Communications and Ops Mgmt
G.2.12.3 Application updates? Yes G. Communications and Ops Mgmt
G.2.12.4 Code changes? Yes G. Communications and Ops Mgmt
G.2.13 Is there a segregation of duties between those requesting, approving and implementing a change? Yes G. Communications and Ops Mgmt
G.3 Do subcontractors have access to Scoped Systems and Data (backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, etc.)? If yes, is the No No G. Communications and Ops Mgmt
G.3.1 Is there a documented subcontractor management process in place for the selection and oversight of third party vendors? If yes, does it include: Yes G. Communications and Ops Mgmt
G.3.1.1 Approval by management? Yes G. Communications and Ops Mgmt
G.3.1.2 Annual review? Yes G. Communications and Ops Mgmt
G.3.1.3 Review of the subcontractor's vendor management policy and procedures? Yes G. Communications and Ops Mgmt
G.3.2 Is there a process to identify and log subcontractor information security, privacy and/or data breach issues? Yes G. Communications and Ops Mgmt
G.3.3 Do subcontractors, as part of their vendor risk management program, include the following: G. Communications and Ops Mgmt
G.3.3.1 Comprehensive financial analysis? Yes G. Communications and Ops Mgmt
G.3.3.2 Vendor reputational review? Yes G. Communications and Ops Mgmt
G.3.3.3 Compliance checks (e.g., Office of Foreign Assets Controls (OFAC), etc.)? Yes G. Communications and Ops Mgmt
G.3.3.4 Defined risk assessment and classification method for vendors? Yes G. Communications and Ops Mgmt
G.3.3.5 Management of subcontractor risk, compliance and performance? Yes G. Communications and Ops Mgmt
G.3.3.6 Ability and right to audit controls? Yes G. Communications and Ops Mgmt
G.3.3.7 Notification of new or change in subcontractors? Yes G. Communications and Ops Mgmt
G.3.3.8 Defined procedures for subcontractor management? Yes G. Communications and Ops Mgmt
G.3.3.9 Oversight and Governance of program adherence? Yes G. Communications and Ops Mgmt
G.3.3.10 Security review prior to engaging their services (logical, physical, other controls)? Yes G. Communications and Ops Mgmt
G.3.3.11 Security review at least annually? Yes G. Communications and Ops Mgmt
G.3.3.12 Risk assessments or review? Yes G. Communications and Ops Mgmt
G.3.3.13 Confidentiality and/or Non Disclosure Agreement requirements? Yes G. Communications and Ops Mgmt
G.3.3.14 Notification of changes affecting services rendered? Yes G. Communications and Ops Mgmt
G.4 Is there an anti-virus/malware policy or program (workstations, servers, mobile devices) that has been approved by management, communicated to appropriate constituents and an owner to maintain and re Yes Yes G. Communications and Ops Mgmt
G.4.1 What is the interval between the availability of a new signature update and its deployment: G. Communications and Ops Mgmt
G.4.1.1 Hourly? Yes G. Communications and Ops Mgmt
G.4.1.2 Daily? Yes G. Communications and Ops Mgmt
G.4.1.3 Weekly? Yes G. Communications and Ops Mgmt
G.4.1.4 Monthly? Yes G. Communications and Ops Mgmt
G.5 Are system backups of Scoped Systems and Data performed? Yes Yes G. Communications and Ops Mgmt
G.5.1 Is there a policy or process for the backup of production data? If yes, does it include a requirement to: Yes G. Communications and Ops Mgmt
G.5.1.1 Store backups to avoid any damage from a disaster at the main site? Yes G. Communications and Ops Mgmt
G.5.1.2 Test backup media and restoration procedures at least annually? Yes G. Communications and Ops Mgmt
G.5.2 Is backup media stored offsite? If yes, is there: Yes G. Communications and Ops Mgmt
G.5.2.1 Secure transport? Yes G. Communications and Ops Mgmt
G.5.2.2 Tracking shipments? Yes G. Communications and Ops Mgmt
G.5.2.3 Verification of receipt? Yes G. Communications and Ops Mgmt
G.6 Are firewalls in use for both internal and external network connections? Yes Yes G. Communications and Ops Mgmt
G.6.1 Is every connection to an external network terminated at a firewall? Yes G. Communications and Ops Mgmt
G.6.2 Are firewalls used to segment internal networks? Yes G. Communications and Ops Mgmt
G.6.3 Do the firewalls have any rules that permit 'any' network, sub network, host, protocol or port on any of the firewalls (internal or external)? Yes G. Communications and Ops Mgmt
G.6.4 Are all firewall rules reviewed and updated at least quarterly to identify and remove any networks, sub networks, hosts, protocols or ports no longer in use? Yes G. Communications and Ops Mgmt
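G.6.3 and G.6.4 ask whether any firewall rule permits 'any' network, host, protocol or port, and whether the rule base is reviewed at least quarterly. The following is an added illustrative check, not part of the SIG questionnaire or of the vendor's response: it parses a constructed, simplified five-column rule listing (action, source, destination, protocol, port; this format is an assumption, not the syntax of any real firewall product) and reports every permit rule that wildcards at least one field. Deny rules with 'any' fields are the desired default-deny posture (G.8.3) and are not reported.

```python
"""Flag firewall rules that permit 'any' network, host, protocol or port.

Added illustrative check; not part of the SIG questionnaire or the vendor's
response. The rule format is a constructed, simplified text format
(action source destination protocol port), not any real product's syntax.
"""
from dataclasses import dataclass

# Tokens that mean "match everything" in the constructed format.
ANY_TOKENS = {"any", "0.0.0.0/0", "::/0", "*"}


@dataclass(frozen=True)
class Rule:
    line_no: int
    action: str
    src: str
    dst: str
    proto: str
    port: str

    def any_fields(self) -> list[str]:
        """Return the names of the fields that are wildcarded."""
        return [name for name, value in (("source", self.src),
                                         ("destination", self.dst),
                                         ("protocol", self.proto),
                                         ("port", self.port))
                if value.lower() in ANY_TOKENS]


def parse_rules(text: str) -> list[Rule]:
    """Parse the five-column listing; '#' starts a comment, blank lines are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(parts)}")
        rules.append(Rule(n, *parts))
    return rules


def find_permissive_rules(rules: list[Rule]) -> list[tuple[Rule, list[str]]]:
    """Return permit rules that wildcard at least one field, with those field names.

    Deny rules are skipped: an any/any/any/any deny is the default-deny we want.
    """
    findings = []
    for r in rules:
        if r.action.lower() != "permit":
            continue
        fields = r.any_fields()
        if fields:
            findings.append((r, fields))
    return findings


# Constructed sample rule base, not taken from any real environment.
SAMPLE_RULESET = """\
# action  source          destination     proto  port
permit    10.0.1.0/24     10.0.2.10/32    tcp    443
permit    any             10.0.2.20/32    tcp    80     # wildcard source
permit    10.0.1.0/24     any             any    any    # wildcard dst/proto/port
permit    10.0.3.0/24     0.0.0.0/0       udp    53     # 0.0.0.0/0 is 'any'
deny      any             any             any    any    # default deny, not reported
"""


def audit(text: str = SAMPLE_RULESET) -> list[str]:
    """One human-readable finding per offending rule, suitable for a quarterly review log."""
    return [f"line {r.line_no}: permit rule wildcards {', '.join(fields)}"
            for r, fields in find_permissive_rules(parse_rules(text))]


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Running the script against the sample prints three findings (lines 3, 4 and 5); in a real review the listing would be exported from the firewall and the findings tracked to removal or documented exception, which is the evidence G.6.4 asks for.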
G.7 Are vulnerability assessments, scans or penetration tests on internal or external network connections performed at least annually? If yes, are they: No Yes G. Communications and Ops Mgmt
G.7.1 Performed by trained and experienced personnel? Yes G. Communications and Ops Mgmt
G.7.2 For internal network connections: G. Communications and Ops Mgmt
G.7.2.1 Are vulnerability assessments or scans performed? If yes, are issues: Yes G. Communications and Ops Mgmt
G.7.2.1.1 Risk ranked for importance to the system and the vulnerability identified? Yes G. Communications and Ops Mgmt
G.7.2.1.2 Documented and tracked to remediation? Yes G. Communications and Ops Mgmt
G.7.2.2 Are penetration tests performed? If yes, are issues: Yes G. Communications and Ops Mgmt
G.7.2.2.1 Risk ranked for importance to the system and the vulnerability identified? Yes G. Communications and Ops Mgmt
G.7.2.2.2 Documented and tracked to remediation? Yes G. Communications and Ops Mgmt
G.7.3 For external network connections: G. Communications and Ops Mgmt
G.7.3.1 Are vulnerability assessments or scans performed? If yes, are issues: Yes G. Communications and Ops Mgmt
G.7.3.1.1 Risk ranked for importance to the system and the vulnerability identified? Yes G. Communications and Ops Mgmt
G.7.3.1.2 Documented and tracked to remediation? Yes G. Communications and Ops Mgmt
G.7.3.2 Are penetration tests performed on external networks? If yes, are issues: Yes G. Communications and Ops Mgmt
G.7.3.2.1 Risk ranked for importance to the system and the vulnerability identified? Yes G. Communications and Ops Mgmt
G.7.3.2.2 Documented and tracked to remediation? Yes G. Communications and Ops Mgmt
G.8 Are there external network connections (Internet, extranet, etc.)? If yes, is there: Yes Yes G. Communications and Ops Mgmt
G.8.1 Security and hardening standards for network devices (baseline configuration, patching, passwords, access control)? Yes G. Communications and Ops Mgmt
G.8.1.1 Regular review and/or monitoring of network devices for continued compliance to security requirements? Yes G. Communications and Ops Mgmt
G.8.2 Are network devices configured to prevent communications from unapproved networks? Yes G. Communications and Ops Mgmt
G.8.3 Do network devices deny all access by default? Yes G. Communications and Ops Mgmt
G.8.4 A process to request, approve, log, and review access to networks across network devices? Yes G. Communications and Ops Mgmt