75 questions for assessing a SaaS software vendor

Today, using cloud-hosted software products delivered as SaaS (software as a service) is nothing unusual. However, failing to assess the information risks thoroughly can leave a business facing serious problems. When adopting software services, a business needs to evaluate the vendor's capabilities comprehensively. The list of 75 questions below gives the IT department a complete view for carrying out that assessment. We have kept the content in its original English so that the wording stays clear, since most of the technical terms are best understood directly in English.

75 Questions for SaaS vendors
1. Are all web-based communications (with the exception of public pages) to the SaaS solution over secure protocols, TLS or SFTP (for data/file transfer), including but not limited to:
A. Authentication/login page
B. File transfer to databases or disk storage
C. Web forms in support of our application and data, etc.
2. Are personnel trained on your Information Security Program? If yes, please describe how personnel are trained.
3. Are there any browser plugin requirements (Java, Flash, etc.), and which version (minimum)?
4. Are there clear instructions in your contracts detailing what happens to the data at the end of the contract period?
5. Are you willing to provide the results of any recent penetration tests or vulnerability scans?

6. As most SaaS solutions provide applications that can be used on a mobile device (iPad, Android devices, etc.), users should not be allowed to use them until a detailed assessment of the application's behavior and operation has been done.

A. Does the application cache any data on the device?
B. When the device is backed up, where is the data stored (local storage, cloud, etc.)?
C. If the application is removed, does it remove the data?
D. Is data encrypted when sent to a mobile device?
E. Is data encrypted when stored on a mobile device?

7. Briefly describe what portion of security is our responsibility and what portion is the vendor's.
8. Could you share the latest third-party attestation report for the Security Certification you have attained?
9. Describe any additional security measures you employ to ensure the availability, integrity, and confidentiality of our data (IPS/IDS, antivirus software, UTMs, etc.).
10. Describe your change management process and how you communicate it to your customers.
11. Describe your schedule for reviewing and updating your policies for processing data on behalf of your data controllers.
12. Do you allow a third-party penetration test of your application?
13. Do you assess/audit the effectiveness of the Information Security Program (e.g., vulnerability assessments, gap analysis, internal audits)? Please describe how.
14. Do you conduct regular penetration testing of the application? If so, could you share the latest results?
15. Do you encrypt all customer data in transmission and at rest? If not all, what information, if any, is encrypted in transmission and at rest? Please describe the level and type of encryption used.
16. Do you have a documented policy regarding management of encryption keys? If so, please summarize this policy.
17. Do you have documented procedures to ensure that deleted customer information has been removed? If so, please summarize.
18. Do you have a policy to notify your customers if legal/law enforcement requests data?
19. Do you have a security program? Please describe.
20. Do you offer periodic reports confirming compliance with security requirements and SLAs?
21. Do you offer SAML/SSO capabilities for authentication? If so, is SAML required for all accounts?
22. Do you offer training for this solution?
23. Do you perform background checks on personnel, contractors and sub-contractors? If so, describe the nature, scope (roles) and timing of such checks.
24. Do you prohibit personnel from storing customer data on any mobile computing devices (e.g., laptops, smartphones) or on any removable media (e.g., thumb drives, CDs, external hard drives)? Please describe how this is enforced.
25. Do you require contractors and sub-contractors to maintain the same safeguards as set out in the Service Provider's Information Security Program? If yes, please describe how.
26. Do you segregate each customer's data at rest from all other customers' data? If yes, please explain how the data is segregated.
27. Do you use customer data in any non-production environments? If yes, please describe how and what security process is followed to protect sensitive data.
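Question 1 asks the vendor whether every non-public endpoint (login page, file transfer, web forms) is served over TLS or SFTP. A vendor's "yes" is easy to verify from your side. The script below is an added example written for this page, not code from the original questionnaire or from any vendor: it flags inventory entries whose URL scheme is plain HTTP/FTP, and, for HTTPS hosts, negotiates TLS with certificate validation to report the version and cipher actually used and checks whether port 80 redirects to HTTPS instead of serving content in the clear. All hostnames in `ENDPOINTS` are constructed placeholders; replace them with the vendor's real endpoints from their documentation.

```python
"""Added example: verify a SaaS vendor's endpoints enforce TLS/SFTP (Q1).
Hostnames below are constructed placeholders, not real vendor endpoints."""
import http.client
import socket
import ssl
from urllib.parse import urlparse

# Protocol floor to accept when the vendor says "everything is over TLS".
MIN_TLS = ssl.TLSVersion.TLSv1_2
_TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed inventory covering the endpoint types Q1 lists.
ENDPOINTS = [
    "https://vendor.example/login",          # authentication page
    "sftp://files.vendor.example/upload",    # file transfer
    "http://forms.vendor.example/support",   # web form on plain HTTP: fails
    "ftp://files.vendor.example/export",     # plain FTP: fails
]


def classify_scheme(url):
    """Return 'ok', 'insecure' or 'unknown' based only on the URL scheme."""
    scheme = urlparse(url).scheme.lower()
    if scheme in ("https", "sftp", "ftps"):
        return "ok"
    if scheme in ("http", "ftp"):
        return "insecure"
    return "unknown"


def insecure_endpoints(urls):
    """URLs that fail Q1 on scheme alone (unknown schemes are flagged too)."""
    return [u for u in urls if classify_scheme(u) != "ok"]


def tls_version_ok(version_name, minimum="TLSv1.2"):
    """True when a negotiated version string (as ssl.SSLSocket.version()
    reports it) meets the floor; unrecognised strings count as failing."""
    if version_name not in _TLS_ORDER or minimum not in _TLS_ORDER:
        return False
    return _TLS_ORDER.index(version_name) >= _TLS_ORDER.index(minimum)


def probe_tls(host, port=443, timeout=5):
    """Live check (needs network): negotiate TLS with certificate validation
    and report the version and cipher the server actually chose."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0]}


def http_redirects_to_https(host, path="/", timeout=5):
    """Live check (needs network): does port 80 answer with a redirect to an
    https:// URL? A 200 here means the page is also served in the clear."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        location = (resp.getheader("Location") or "").lower()
        return resp.status in (301, 302, 307, 308) and location.startswith("https://")
    finally:
        conn.close()


if __name__ == "__main__":
    for url in insecure_endpoints(ENDPOINTS):
        print("FAIL (scheme):", url)
    https_hosts = sorted({urlparse(u).hostname for u in ENDPOINTS
                          if urlparse(u).scheme == "https"})
    for host in https_hosts:
        try:
            info = probe_tls(host)
            verdict = "ok" if tls_version_ok(info["version"]) else "FAIL (old TLS)"
            print(host, info["version"], info["cipher"], verdict)
            print(host, "http->https redirect:", http_redirects_to_https(host))
        except (OSError, ssl.SSLError) as exc:  # placeholders will not resolve
            print(host, "probe failed:", exc)
```

The scheme check runs offline against the inventory; the two live probes only tell you something when pointed at real hosts. A certificate the default context rejects (expired, wrong name, untrusted CA) raises `ssl.SSLError`, which is itself a finding worth recording alongside the vendor's written answer.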

Download the full list

Please leave your details below to receive the full list of 75 questions.