The Unicis vendor questionnaire is based on the Minimum Viable Secure Product (MVSP) controls and provides a clear set of baseline security requirements for enterprise-ready products and services.
Please answer each question with a “yes” or “no”, and, where the answer is “yes”, provide a brief description of the process or controls in place.
Please submit all answers as a .txt or .md file, or use the export-to-PDF function.
1. Business Controls
Do you have a process in place to accept and process external reports of security issues in your products and/or services?
If yes, please describe the process.
Do you allow customers to safely and effectively perform testing against your products and/or services?
If yes, please describe the process.
Do you perform annual reviews of your application security controls for each qualifying product or service to identify corrective actions or areas of continued improvement?
If yes, please describe the process.
Do you schedule and perform regular third-party penetration testing against your products and/or services?
If yes, please describe the process.
Do you provide regular and ongoing security awareness training for your employees?
If yes, please describe the process.
Do you identify and complete relevant compliance obligations based on your industry and regulatory requirements?
If yes, please describe the process.
Do you have processes in place to ensure the smooth handling of security and privacy incidents?
If yes, please describe the process.
Do you have a process in place to handle data stored on removable or decommissioned hardware?
If yes, please describe the process.
2. Application Design Controls
Do you provide customers with the option to use single sign-on to access your product and/or service?
If yes, please describe the process.
Do you ensure sensitive data is encrypted in transit between the end-user and your product and/or service?
If yes, please describe the process.
Do you enforce appropriate browser protections within your product and/or service to protect against common web threats?
If yes, please describe the process.
Do you have a strong password policy in place to protect users who opt to use password-based authentication?
If yes, please describe the process.
Do you use standardized libraries to improve the security of your product and/or service?
If yes, please describe the process.
Do you have processes in place to identify and maintain up-to-date components within your product and/or service?
If yes, please describe the process.
Do you store appropriate logs to assist with debugging and incident response activities?
If yes, please describe the process.
Do you store sensitive data in an encrypted format?
If yes, please describe the process.
3. Application Implementation Controls
Do you have information on the type and amount of data handled by your product and/or service available for threat modeling or incident response purposes?
If yes, please describe the process.
Do you have information on the flow of data through systems available for threat modeling or incident response purposes?
If yes, please describe the process.
Do you provide training on common security issues to your development and quality assurance teams?
If yes, please describe the process.
Do you patch identified vulnerabilities within a reasonable time frame, and inform customers where appropriate?
If yes, please describe the process.
Is your build process fully scripted/automated and generating provenance?
If yes, please describe the process.
Do you have physical security controls in place to protect sensitive data stored or accessible from trusted locations?
If yes, please describe the process.
Do you have logical access controls in place to protect sensitive data and limit access to authorized users?
If yes, please describe the process.
Do you understand where you may be sharing data with third-party sub-processors, and validate their security posture?
If yes, please describe the process.
Do you have processes in place to ensure backup and recovery of your product and/or service in the event of a disaster?
If yes, please describe the process.