====== Vendor Questionnaires ====== Unicis vendor questionnaire is based on [[https://mvsp.dev/mvsp.en/|MVSP controls]] and provides a clear set of requirements for enterprise-ready products and services. Please answer each question with a //“yes”// or //“no”//, and provide a brief description of the process or controls in place if the answer is //“yes”//.\\ Please submit all the answers to as a ''%%txt%%'' or ''%%md%%'' file format or use the function to export to ''PDF''. ++++ 1. Business Controls | === 1.1 External Vulnerability Reports === Do you have a process in place to accept and process external reports of security issues in your products and/or services? //If yes, please describe the process.// === 1.2 Customer Testing === Do you allow customers to safely and effectively perform testing against your products and/or services? //If yes, please describe the process.// === 1.3 Self-Assessment === Do you perform annual reviews of your application security controls for each qualifying product or service to identify corrective actions or areas of continued improvement? //If yes, please describe the process.// === 1.4 External Testing === Do you schedule and perform regular third-party penetration testing against your products and/or services? //If yes, please describe the process.// === 1.5 Training === Do you provide regular and ongoing security awareness training for your employees? //If yes, please describe the process.// === 1.6 Compliance === Do you identify and complete relevant compliance obligations based on your industry and regulatory requirements? //If yes, please describe the process.// === 1.7 Incident Handling === Do you have processes in place to ensure the smooth handling of security and privacy incidents? //If yes, please describe the process.// === 1.8 Data Handling === Do you have a process in place to handle data stored on removable or decommissioned hardware? //If yes, please describe the process.// ++++ ++++ 2. Application Design Controls | === 2.1 Single Sign-On === Do you provide customers with the option to use single sign-on to access your product and/or service? //If yes, please describe the process.// === 2.2 HTTPS-only === Do you ensure sensitive data is encrypted in transit between the end-user and your product and/or service? //If yes, please describe the process.// === 2.3 Security Headers === Do you enforce appropriate browser protections within your product and/or service to protect against common web threats? //If yes, please describe the process.// === 2.4 Password Policy === Do you have a strong password policy in place to protect users who opt to use password-based authentication? //If yes, please describe the process.// === 2.5 Security Libraries === Do you use standardized libraries to improve the security of your product and/or service? //If yes, please describe the process.// === 2.6 Dependency Patching === Do you have processes in place to identify and maintain up-to-date components within your product and/or service? //If yes, please describe the process.// === 2.7 Logging === Do you store appropriate logs to assist with debugging and incident response activities? //If yes, please describe the process.// === 2.8 Encryption === Do you store sensitive data in an encrypted format? //If yes, please describe the process.// ++++ ++++ 3. Application Implementation Controls | === 3.1 List of Data === Do you have information on the type and amount of data handled by your product and/or service available for threat modeling or incident response purposes? //If yes, please describe the process.// === 3.2 Data Flow Diagram === Do you have information on the flow of data through systems available for threat modeling or incident response purposes? //If yes, please describe the process.// === 3.3 Vulnerability Prevention === Do you provide training on common security issues to your development and quality assurance teams? //If yes, please describe the process.// === 3.4 Time to Fix Vulnerabilities === Do you patch identified vulnerabilities within a reasonable time frame, and inform customers where appropriate? //If yes, please describe the process.// === 3.5 Build Process === Is your build process fully scripted/automated and generating provenance? //If yes, please describe the process.// ++++ ++++ 4. Operational Controls | === 4.1 Physical Access === Do you have physical security controls in place to protect sensitive data stored or accessible from trusted locations? //If yes, please describe the process.// === 4.2 Logical Access === Do you have logical access controls in place to protect sensitive data and limit access to authorized users? //If yes, please describe the process.// === 4.3 Sub-Processors === Do you understand where you may be sharing data with third-party sub-processors, and validate their security posture? //If yes, please describe the process.// === 4.4 Backup and Disaster Recovery === Do you have processes in place to ensure backup and recovery of your product and/or service in the event of a disaster? //If yes, please describe the process.// ++++