Third Party IT and Cyber Questionnaire
THIRD PARTY AND OUTSOURCED ATTESTATION
First Name *
Last Name *
Phone Number *
Email *
Business Name *
Data Privacy and Governance
Does the business have a governance, compliance and risk framework?
Yes
No
Partial
Are any of the activities or services provided outside of Australia?
Yes
No
If yes, please provide details.
Have you been subject to an internal / external IT audit review in the past 12 months? Have any issues from this review been remediated?
Yes
No
If yes, please specify.
Does the business have a business continuity plan (BCP)?
Yes
No
Does the business have a disaster recovery plan (DRP)?
Yes
No
When was the last time the Service Provider tested the BCP and DRP?
For the last DRP and BCP tests conducted, what were the results: passed or failed?
Do you provide Cybersecurity and Privacy Awareness training to your staff? *
Yes
No
If yes, what is the frequency?
Data Location
How is data managed by the service provider, and where is it located?
Is our data replicated to another country or state in any way?
Information and Data Security
Does the Service Provider have a Privacy Policy and IT Security Policy?
Yes
No
If yes, please specify the policy.
Please provide evidence and detail of the following, or a copy of your information and data security policy: evidence of system security, and of the reasonable steps taken to ensure that the Personal Information you hold is protected against misuse, loss, corruption, unauthorised access, modification or disclosure (e.g. network security, monitoring of employee email activity, anti-virus software, firewall infrastructure, penetration testing, access monitoring, and periodic revalidation of user access to key systems).
Copy of your information and data security policy (attach)
Do you have Cyber Insurance? If so, please provide brief details of the cover.
Physical Security Controls
Provide details of the physical security controls that have been designed and embedded to protect client information and to prevent unauthorised access to it.
Known Cyber Risk and Security Breaches
In the last 12 months, have you had any instances where the Physical Security Controls or IT Security controls were breached by an internal / external malicious user?
Yes
No
If yes, please provide further detail of the breach and the steps taken to ensure that such breaches do not recur.
International standards
What certifications are you able to provide (e.g. ISO standards)? ISO/IEC 27001 is the international standard for information security management systems; certification demonstrates that a defined set of legal, physical and technical controls is in place and has been independently audited.
How regularly are these certifications renewed? If the software provider stores, processes or transmits credit card information, it must be compliant with PCI DSS.
DETAILED QUESTIONS: IF YES TO CYBER INCIDENTS
Is my data being backed up?
Yes
No
If yes, where is it backed up and how often? What is the restore process, and how regularly is it tested?
Is my data encrypted, and what are the encryption parameters (e.g. algorithm, key length and key management) for each of the following?
At rest
Yes
No
In transit
Yes
No
Offline backup
Yes
No
What security liabilities will you accept for data and cyber issues?
What type of security training do you offer your staff?
Do you offer role-based access?
What type of audit trails do you offer?
Do you have experience working with businesses in Financial services?
Are penetration tests performed by a qualified third-party vendor? If so, how often are they performed and when was the last test performed?
Is there a formal information security program in place? If so, can we view information about it?
What due diligence is performed on your contractors and vendors before and after the contract stage? (Due diligence on your vendor's third parties (your fourth parties) is especially important if they have access to your data; you want assurance that their environment is secure enough to keep your information protected.)