View Page

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
pub:trust_center:vendor_questionnaires [25.09.2024 12:29] – removed - external edit (Unknown date) 127.0.0.1pub:trust_center:vendor_questionnaires [25.09.2024 12:29] (current) – ↷ Page moved from vendor_questionnaires to pub:trust_center:vendor_questionnaires Predrag Tasevski
Line 1: Line 1:
 +====== Vendor Questionnaires ======
  
 +Unicis vendor questionnaire is based on [[https://mvsp.dev/mvsp.en/|MVSP controls]] and provides a clear set of requirements for enterprise-ready products and services.
 +
 +<WRAP info> Please answer each question with a //“yes”// or //“no”//, and provide a brief description of the process or controls in place if the answer is //“yes”//.\\
 +
 +Please submit all the answers to as a ''%%txt%%'' or ''%%md%%'' file format or use the function to export to ''PDF''.</WRAP>
 +
 +
 +++++ 1. Business Controls |
 +
 +=== 1.1 External Vulnerability Reports ===
 +
 +Do you have a process in place to accept and process external reports of security issues in your products and/or services?
 +
 +//If yes, please describe the process.//
 +
 +=== 1.2 Customer Testing ===
 +
 +Do you allow customers to safely and effectively perform testing against your products and/or services?
 +
 +//If yes, please describe the process.//
 +
 +=== 1.3 Self-Assessment ===
 +
 +Do you perform annual reviews of your application security controls for each qualifying product or service to identify corrective actions or areas of continued improvement?
 +
 +//If yes, please describe the process.//
 +
 +=== 1.4 External Testing ===
 +
 +Do you schedule and perform regular third-party penetration testing against your products and/or services?
 +
 +//If yes, please describe the process.//
 +
 +=== 1.5 Training ===
 +
 +Do you provide regular and ongoing security awareness training for your employees?
 +
 +//If yes, please describe the process.//
 +
 +=== 1.6 Compliance ===
 +
 +Do you identify and complete relevant compliance obligations based on your industry and regulatory requirements?
 +
 +//If yes, please describe the process.//
 +
 +=== 1.7 Incident Handling ===
 +
 +Do you have processes in place to ensure the smooth handling of security and privacy incidents?
 +
 +//If yes, please describe the process.//
 +
 +=== 1.8 Data Handling ===
 +
 +Do you have a process in place to handle data stored on removable or decommissioned hardware?
 +
 +//If yes, please describe the process.// ++++
 +
 +++++ 2. Application Design Controls |
 +
 +=== 2.1 Single Sign-On ===
 +
 +Do you provide customers with the option to use single sign-on to access your product and/or service?
 +
 +//If yes, please describe the process.//
 +
 +=== 2.2 HTTPS-only ===
 +
 +Do you ensure sensitive data is encrypted in transit between the end-user and your product and/or service?
 +
 +//If yes, please describe the process.//
 +
 +=== 2.3 Security Headers ===
 +
 +Do you enforce appropriate browser protections within your product and/or service to protect against common web threats?
 +
 +//If yes, please describe the process.//
 +
 +=== 2.4 Password Policy ===
 +
 +Do you have a strong password policy in place to protect users who opt to use password-based authentication?
 +
 +//If yes, please describe the process.//
 +
 +=== 2.5 Security Libraries ===
 +
 +Do you use standardized libraries to improve the security of your product and/or service?
 +
 +//If yes, please describe the process.//
 +
 +=== 2.6 Dependency Patching ===
 +
 +Do you have processes in place to identify and maintain up-to-date components within your product and/or service?
 +
 +//If yes, please describe the process.//
 +
 +=== 2.7 Logging ===
 +
 +Do you store appropriate logs to assist with debugging and incident response activities?
 +
 +//If yes, please describe the process.//
 +
 +=== 2.8 Encryption ===
 +
 +Do you store sensitive data in an encrypted format?
 +
 +//If yes, please describe the process.//
 +
 +++++
 +
 +++++ 3. Application Implementation Controls |
 +
 +=== 3.1 List of Data ===
 +
 +Do you have information on the type and amount of data handled by your product and/or service available for threat modeling or incident response purposes?
 +
 +//If yes, please describe the process.//
 +
 +=== 3.2 Data Flow Diagram ===
 +
 +Do you have information on the flow of data through systems available for threat modeling or incident response purposes?
 +
 +//If yes, please describe the process.//
 +
 +=== 3.3 Vulnerability Prevention ===
 +
 +Do you provide training on common security issues to your development and quality assurance teams?
 +
 +//If yes, please describe the process.//
 +
 +=== 3.4 Time to Fix Vulnerabilities ===
 +
 +Do you patch identified vulnerabilities within a reasonable time frame, and inform customers where appropriate?
 +
 +//If yes, please describe the process.//
 +
 +=== 3.5 Build Process ===
 +
 +Is your build process fully scripted/automated and generating provenance?
 +
 +//If yes, please describe the process.//
 +
 +++++
 +
 +++++ 4. Operational Controls |
 +
 +=== 4.1 Physical Access ===
 +
 +Do you have physical security controls in place to protect sensitive data stored or accessible from trusted locations?
 +
 +//If yes, please describe the process.//
 +
 +=== 4.2 Logical Access ===
 +
 +Do you have logical access controls in place to protect sensitive data and limit access to authorized users?
 +
 +//If yes, please describe the process.//
 +
 +=== 4.3 Sub-Processors ===
 +
 +Do you understand where you may be sharing data with third-party sub-processors, and validate their security posture?
 +
 +//If yes, please describe the process.//
 +
 +=== 4.4 Backup and Disaster Recovery ===
 +
 +Do you have processes in place to ensure backup and recovery of your product and/or service in the event of a disaster?
 +
 +//If yes, please describe the process.//
 +
 +++++