Q# | Question |
---|----------|
1 | Is all web-based communication with the SaaS solution (with the exception of public pages) carried over secure protocols, i.e. TLS, or SFTP for data/file transfer, including but not limited to: A. the authentication/login page; B. file transfer to databases or disk storage; C. web forms in support of Avery’s application and data, etc.? |
2 | Are Personnel trained on your Information Security Program? If yes, please describe how Personnel are trained. |
3 | Are there any browser plugin requirements (Java, Flash, etc.), and which minimum version is required? |
4 | Are there clear instructions in your contracts detailing what happens to the data at the end of the contract period? |
5 | Are you willing to provide the results of any recent penetration tests or vulnerability scans? |
6 | As most SaaS solutions provide applications that can be used on a mobile device (iPad, Android devices, etc.), users should not be allowed to use them until a detailed assessment of the application’s behavior and operation has been done. Does the application cache any data on the device? When the device is backed up, where is the data stored (local storage, cloud, etc.)? If the application is removed, does it remove the data? Is data encrypted when sent to a mobile device? Is data encrypted when stored on a mobile device? |
7 | Briefly describe which portion of security is Avery Dennison’s responsibility and which portion is the vendor’s. |
8 | Could you share the latest 3rd Party attestation report for the attained Security Certification? |
9 | Describe any additional security measures you employ to ensure the availability, integrity, and confidentiality of our data (IPS/IDS, antivirus software, UTMs, etc.). |
10 | Describe your change management process and how you communicate changes to your customers. |
11 | Describe your schedule for reviewing and updating your policies for processing data on behalf of your data controllers. |
12 | Do you allow a third party Penetration Test of your application? |
13 | Do you assess / audit the effectiveness of the Information Security Program (e.g., vulnerability assessments, gap analysis, internal audits)? Please describe how. |
14 | Do you conduct regular Penetration Testing of the application? If so, could you share the latest results? |
15 | Do you encrypt all customer data in transmission and ‘at rest’? If not all, what, if any, information is encrypted in transmission and ‘at rest’? Please describe the level and type of encryption used. |
16 | Do you have a documented policy regarding management of Encryption Keys? If so, please summarize this policy. |
17 | Do you have documented procedures to ensure that deleted customer information has been removed? If so, please summarize. |
18 | Do you have a policy to notify your customers if legal / law enforcement requests data? |
19 | Do you have a security program? Please describe |
20 | Do you offer periodic reports confirming compliance with security requirements and SLAs? |
21 | Do you offer SAML/SSO capabilities for authentication? If so, is SAML required for all accounts? |
22 | Do you offer training for this solution? |
23 | Do you perform background checks on Personnel, contractors and sub-contractors? If so, describe the nature, scope (roles) and timing of such checks. |
24 | Do you prohibit Personnel from storing customer data on any mobile computing devices (e.g., laptops, smartphones) or on any removable media (e.g., thumb drives, CDs, external hard drives)? Please describe how this is enforced. |
25 | Do you require contractors and sub-contractors to maintain the same safeguards as set out in the Service Provider’s Information Security Program? If yes, please describe how. |
26 | Do you segregate each customer’s data at rest from all other customers’ data? If yes, please explain how the data is segregated. |
27 | Do you use customer data in any non-production environments? If yes, please describe how, and what security process is followed to protect sensitive data. |
28 | Does any staff member have access to unencrypted customer data? If so, which roles have access, and what systems/constraints are in place to restrict access to those roles? |
29 | During those potential events, do you provide company-owned equipment to allow for remote work, or do you allow employees to use their own equipment? |
30 | Explain the data privacy and security training employees in your organization receive, and on what schedule. |
31 | Has your company been involved or customers been involved in a breach as a result of the use of your service? |
32 | How do you dispose of end-of-life hardware? |
33 | How do you dispose of failed data storage devices? |
34 | How do you guarantee operational functionality/support in the event of globally disruptive events (pandemics, war, floods, etc.)? |
35 | How do you guarantee the proper level of security/data protection during that period of time? |
36 | How do you respond to legal / law enforcement requests for data related to other customers without disclosing Avery Dennison’s data? |
37 | How long did it take to restore services? |
38 | How many copies of our data are stored, and where are they stored? |
39 | How many dedicated IT Security Professionals do you have? |
40 | How much control does Avery Dennison retain over our data? |
41 | How reliable is your network infrastructure and what certifications do you currently hold for your data centers? Could you share the latest report? |
42 | How soon do you inform your customers of any security breaches, especially data breaches? |
43 | In the event of a breach, how quickly can you disable access to our data? |
44 | In the event SAML (SSO) is not supported, what settings can we leverage for user credentials and password policies? |
45 | In which country (or countries) is our data stored, both on your infrastructure and for backups? |
46 | Is your solution based on dedicated instances/infrastructure (single-tenant) or shared instances/infrastructure (multi-tenant)? |
47 | Please describe status of CCPA readiness/compliance. |
48 | Please describe your processes for detecting and communicating data breaches. |
49 | Please identify your appointed Data Protection Officer and their specific responsibilities. |
50 | Should Avery Dennison decide to terminate the contract with your company or the term of the contract reaches an end, what is your policy and procedures around data extraction and move (potentially to another vendor)? |
51 | What actions do you have in place to prevent unauthorized viewing of customer information? |
52 | What are the available RTO/RPO options for recovery? |
53 | What are your disaster recovery processes? |
54 | What are your methods for backing up our data? |
55 | What auditing capabilities are provided? (e.g., Admin/MGMT, Billing, System Information, etc.). |
56 | What certifications for data protection have you achieved (ISO 27001, SSAE 16/18 SOC 2, or FedRAMP certification)? |
57 | What happens in the event of data corruption? |
58 | What is your data retention policy concerning customers’ data when they are no longer your customers? For how long is the data retained before being purged? |
59 | What is your data retention policy concerning logs, audit trails, and historical transactions? Do we need to provide information for regulatory compliance? |
60 | What is your process for responding to a legal hold request? |
61 | What is your system availability (up time) and SLA? |
62 | What mechanisms are in place to detect a data breach? |
63 | What offerings are available to back up data? |
64 | What process or method do you use to assess your Information Security Program? |
65 | What processes and methods are you using to properly anonymize and encrypt personal data? |
66 | What tools are in place to manage the identification, tracking, and destruction of personal data associated with an individual? |
67 | What type of data is consumed/used for your services (e.g., marketing, pricing, PII, etc.)? Which GDPR- or CCPA-related fields/data are stored (first name, last name, e-mail address, etc.)? |
68 | What types of multifactor authentication do you support? |
69 | When was the last time your system failed, preventing customers from accessing their data/information? |
70 | Where does your organization store the digital personal information you are managing on our behalf? If stored with a third-party subprocessor, please identify them and where data is stored. |
71 | Where is your data center, and what physical security measures are in place? |
72 | Which security framework do you use to implement the security controls necessary to protect customers’ data assets (NIST, ISO, CSF, COBIT, etc.)? |
73 | Which Web browsers (minimum version) are required for proper application functionality? |
74 | Who can see or have access to our information? |
75 | Will our internal and external incident response resources be able to access your infrastructure in the event of an incident? If not, how will you perform the investigation on our behalf? |