Differences

This shows you the differences between two versions of the page.

--- pub:trust_center:vendor_questionnaires [07.10.2025 10:33] – Predrag Tasevski
+++ pub:trust_center:vendor_questionnaires [07.10.2025 12:44] (current) – Predrag Tasevski
@@ Line 175: / Line 175: @@
 === Submit Form ===
+ FIXME
-<questionnaire>
-# --- Vendor Information ---
-vendor_name:
-    q: Vendor Name
-    t: text
-contact_person:
-    q: Contact Person
-    t: text
-contact_email:
-    q: Contact Email
-    t: text
-contact_phone:
-    q: Contact Phone
-    t: text
-contact_website:
-    q: Vendor Website
-    t: text
-# =========================================================
-# 1. Business Controls
-# =========================================================
-external_vuln_reports:
-    q: Do you have a process in place to accept and process external reports of security issues in your products and/or services?
-    t: single
-    a:
-      - Yes
-      - No
-external_vuln_reports_desc:
-    q: If yes, please describe the process.
-    t: text
-customer_testing:
-    q: Do you allow customers to safely and effectively perform testing against your products and/or services?
-    t: single
-    a:
-      - Yes
-      - No
-customer_testing_desc:
-    q: If yes, please describe the process.
-    t: text
-self_assessment:
-    q: Do you perform annual reviews of your application security controls for each qualifying product or service to identify corrective actions or areas of continued improvement?
-    t: single
-    a:
-      - Yes
-      - No
-self_assessment_desc:
-    q: If yes, please describe the process.
-    t: text
-external_testing:
-    q: Do you schedule and perform regular third-party penetration testing against your products and/or services?
-    t: single
-    a:
-      - Yes
-      - No
-external_testing_desc:
-    q: If yes, please describe the process.
-    t: text
-training:
-    q: Do you provide regular and ongoing security awareness training for your employees?
-    t: single
-    a:
-      - Yes
-      - No
-training_desc:
-    q: If yes, please describe the process.
-    t: text
-compliance:
-    q: Do you identify and complete relevant compliance obligations based on your industry and regulatory requirements?
-    t: single
-    a:
-      - Yes
-      - No
-compliance_desc:
-    q: If yes, please describe the process.
-    t: text
-incident_handling:
-    q: Do you have processes in place to ensure the smooth handling of security and privacy incidents?
-    t: single
-    a:
-      - Yes
-      - No
-incident_handling_desc:
-    q: If yes, please describe the process.
-    t: text
-data_handling:
-    q: Do you have a process in place to handle data stored on removable or decommissioned hardware?
-    t: single
-    a:
-      - Yes
-      - No
-data_handling_desc:
-    q: If yes, please describe the process.
-    t: text
-# =========================================================
-# 2. Application Design Controls
-# =========================================================
-single_sign_on:
-    q: Do you provide customers with the option to use single sign-on to access your product and/or service?
-    t: single
-    a:
-      - Yes
-      - No
-single_sign_on_desc:
-    q: If yes, please describe the process.
-    t: text
-https_only:
-    q: Do you ensure sensitive data is encrypted in transit between the end-user and your product and/or service?
-    t: single
-    a:
-      - Yes
-      - No
-https_only_desc:
-    q: If yes, please describe the process.
-    t: text
-security_headers:
-    q: Do you enforce appropriate browser protections within your product and/or service to protect against common web threats?
-    t: single
-    a:
-      - Yes
-      - No
-security_headers_desc:
-    q: If yes, please describe the process.
-    t: text
-password_policy:
-    q: Do you have a strong password policy in place to protect users who opt to use password-based authentication?
-    t: single
-    a:
-      - Yes
-      - No
-password_policy_desc:
-    q: If yes, please describe the process.
-    t: text
-security_libraries:
-    q: Do you use standardized libraries to improve the security of your product and/or service?
-    t: single
-    a:
-      - Yes
-      - No
-security_libraries_desc:
-    q: If yes, please describe the process.
-    t: text
-dependency_patching:
-    q: Do you have processes in place to identify and maintain up-to-date components within your product and/or service?
-    t: single
-    a:
-      - Yes
-      - No
-dependency_patching_desc:
-    q: If yes, please describe the process.
-    t: text
-logging:
-    q: Do you store appropriate logs to assist with debugging and incident response activities?
-    t: single
-    a:
-      - Yes
-      - No
-logging_desc:
-    q: If yes, please describe the process.
-    t: text
-encryption:
-    q: Do you store sensitive data in an encrypted format?
-    t: single
-    a:
-      - Yes
-      - No
-encryption_desc:
-    q: If yes, please describe the process.
-    t: text
-# =========================================================
-# 3. Application Implementation Controls
-# =========================================================
-list_of_data:
-    q: Do you have information on the type and amount of data handled by your product and/or service available for threat modeling or incident response purposes?
-    t: single
-    a:
-      - Yes
-      - No
-list_of_data_desc:
-    q: If yes, please describe the process.
-    t: text
-data_flow_diagram:
-    q: Do you have information on the flow of data through systems available for threat modeling or incident response purposes?
-    t: single
-    a:
-      - Yes
-      - No
-data_flow_diagram_desc:
-    q: If yes, please describe the process.
-    t: text
-vulnerability_prevention:
-    q: Do you provide training on common security issues to your development and quality assurance teams?
-    t: single
-    a:
-      - Yes
-      - No
-vulnerability_prevention_desc:
-    q: If yes, please describe the process.
-    t: text
-time_to_fix_vulnerabilities:
-    q: Do you patch identified vulnerabilities within a reasonable time frame, and inform customers where appropriate?
-    t: single
-    a:
-      - Yes
-      - No
-time_to_fix_vulnerabilities_desc:
-    q: If yes, please describe the process.
-    t: text
-build_process:
-    q: Is your build process fully scripted/automated and generating provenance?
-    t: single
-    a:
-      - Yes
-      - No
-build_process_desc:
-    q: If yes, please describe the process.
-    t: text
-# =========================================================
-# 4. Operational Controls
-# =========================================================
-physical_access:
-    q: Do you have physical security controls in place to protect sensitive data stored or accessible from trusted locations?
-    t: single
-    a:
-      - Yes
-      - No
-physical_access_desc:
-    q: If yes, please describe the process.
-    t: text
-logical_access:
-    q: Do you have logical access controls in place to protect sensitive data and limit access to authorized users?
-    t: single
-    a:
-      - Yes
-      - No
-logical_access_desc:
-    q: If yes, please describe the process.
-    t: text
-sub_processors:
-    q: Do you understand where you may be sharing data with third-party sub-processors, and validate their security posture?
-    t: single
-    a:
-      - Yes
-      - No
-sub_processors_desc:
-    q: If yes, please describe the process.
-    t: text
-backup_disaster_recovery:
-    q: Do you have processes in place to ensure backup and recovery of your product and/or service in the event of a disaster?
-    t: single
-    a:
-      - Yes
-      - No
-backup_disaster_recovery_desc:
-    q: If yes, please describe the process.
-    t: text
-</questionnaire>