75 câu hỏi đánh giá nhà cung cấp phần mềm SaaS

Ngày nay, việc sử dụng sản phẩm phần mềm on cloud dưới dạng SaaS ( software as a service ) không còn là điều lạ. Tuy nhiên, việc không đánh giá đầy đủ các rủi ro về thông tin sẽ khiến doanh nghiệp gặp nhiều vấn đề lớn. Khi triển khai các dịch vụ phần mềm, doanh nghiệp cần đánh giá toàn diện năng lực của các nhà cung cấp. Danh sách 75 câu hỏi dưới đây sẽ đem đến cho bộ phận IT cái nhìn đầy đủ trong quá trình đánh giá này. Chúng tôi xin phép được giữ nguyên bản nội dung này bằng tiếng Anh, để đảm bảo chữ nghĩa được rõ ràng, vì phần lớn thuật ngữ kỹ thuật có thể được hiểu trực tiếp bằng tiếng Anh.

75 Questionairs for SaaS vendor
Q#	Question
1	Are All Web based communication (with the exception of public pages) to the SaaS solution over secure protocols TLS or SFTP (for data/file transfer), including but not limited to: A. Authentication/ Login Page. B. File transfer to databases or disk storage C. Web forms in support of our’s application and data, etc
2	Are Personnel trained on your Information Security Program? If yes, please describe how Personnel are trained.
3	Are there any browser pluggin requirements (Java, Flash, etc) and which version (minimum)?
4	Are there clear instructions in your contracts detailing what happens to the data at the end of the contract period?
5	Are you willing to provide the reuslts of any recent penetration or vulnerability scans?
6	As most SaaS solutions provide applications that can be used with a Mobile device (iPad, Android devices, etc), without proper analysis of the application’s behavior and operation, users should not be allowed to use them until a detailed assessment has been done. Does the application cache any data on the device? When the device is backed-up, where is the data stored (local storage, Cloud, etc.) If the application is removed, does it remove the data? Is data encypted when sent to a mobile device? Is data encrypted when stored on a mobile device?
7	Briefly describe what security portion of security are our responsibility and what portion is vendor’s.
8	Could you share the latest 3rd Party attestation report for the attained Security Certification?
9	Describe any additional security measures you employ to ensure the availabiity, integrity, and confidentiality of our Data (IPS/IDS, Antivirus software, UTMs, etc.)?
10	Describe your change management process and how do you communicate this to your customers?
11	Describe your schedule for reviewing and updating your policies for processing data on behalf of your data controllers.
12	Do you allow a third party Penetration Test of your application?
13	Do you assess / audit the effectiveness of the Information Security Program (e.g., vulnerability assessments, gap analysis, internal audits)? Please describe how.
14	Do you conduct regular Penetration Testing of the application? If so, could you share the latest results?
15	Do you encrypt all customer data in transmission and ‘at rest’? If not all, what, if any, information is encrypted in transmission and ‘at rest’? Please describe the level and type of encryption used.
16	Do you have a documented policy regarding management of Encryption Keys? If so, please summarize this policy.
17	Do you have a documented procedures to ensure that deleted customer information has been removed? If so, please summarize.
18	Do you have a policy to notify your customers if legal / law enforcement requests data?
19	Do you have a security program? Please describe
20	Do you offer periodic reports confirming compliance with security requirements and SLAs?
21	Do you offer SAML/SSO capabilities for authentication?. If so, is SAML required for all accounts?
22	Do you offer training for this solution?
23	Do you perform background checks on Personnel, contractors and sub-contractors? If so, describe the nature, scope (roles) and timing of such checks.
24	Do you prohibit Personnel from storing customer’s data any mobile computing devices (e.g., laptops, smartphones) or on any removable media (e.g., thumb drives, CDs, external hard drives)? Please describe how this is enforced
25	Do you require contractors and sub-contractors to maintain the same safe guards as set out in the Service Provider’s Information Security Program? If yes, please describe how.
26	Do you segregate customer’s data at rest from all other customer’s data? If yes, please explain how the data will be segregated.
27	Do you use customer’s data in any non-production environments?.. If yes, please describe how and what security process is follows to protect sensitive data.

Tải danh sách đầy đủ

Vui lòng để lại thông tin dưới đây để nhận danh sách đầy đủ 75 câu hỏi