# VENDOR SECURITY QUESTIONNAIRE

**Vendor Name:** [Vendor Company Name]  
**Service/Product Evaluated:** [Service Name]  
**Assessment Date:** [Date]  
**Assessed By:** [Name/Title]  

---

## INSTRUCTIONS FOR VENDORS
Please answer the following security questions completely. For any "No" or "In Progress" answers, provide a brief description of alternative security controls or target remediation dates in the **Comments** column.

---

## 1. INFORMATION SECURITY PROGRAM & GOVERNANCE

| ID | Evaluation Question | Answer (Y / N / NA) | Comments / Remediation Plan |
| :--- | :--- | :--- | :--- |
| 1.1 | Do you maintain a documented Information Security Program approved by leadership? | | |
| 1.2 | Do you possess a valid third-party security certification (e.g., SOC 2 Type II, ISO 27001, CMMC)? If yes, attach the latest report. | | |
| 1.3 | Do you perform annual cybersecurity training for all staff members who access customer data? | | |
| 1.4 | Do you carry active Cyber Liability Insurance? If yes, list coverage limits. | | |

---

## 2. DATA PROTECTION & PRIVACY

| ID | Evaluation Question | Answer (Y / N / NA) | Comments / Remediation Plan |
| :--- | :--- | :--- | :--- |
| 2.1 | Is customer data encrypted in transit using industry-standard protocols (e.g., TLS 1.2 or higher)? | | |
| 2.2 | Is customer data encrypted at rest inside your databases and backup repositories? | | |
| 2.3 | Do you isolate customer data inside your hosting infrastructure to prevent cross-tenant access? | | |
| 2.4 | What is your data retention policy for customer records upon contract termination? (Specify the retention and deletion timeline in Comments.) | | |

---

## 3. ACCESS CONTROL & IDENTITY MANAGEMENT

| ID | Evaluation Question | Answer (Y / N / NA) | Comments / Remediation Plan |
| :--- | :--- | :--- | :--- |
| 3.1 | Is multi-factor authentication (MFA) mandatory for all employees accessing hosting environments? | | |
| 3.2 | Do you enforce the principle of least privilege, limiting access to database environments to authorized staff? | | |
| 3.3 | Do you immediately revoke access credentials for terminated employees? | | |
| 3.4 | Do you perform quarterly access reviews of accounts with administrative privileges? | | |

---

## 4. VULNERABILITY MANAGEMENT & RESPONSIVENESS

| ID | Evaluation Question | Answer (Y / N / NA) | Comments / Remediation Plan |
| :--- | :--- | :--- | :--- |
| 4.1 | Do you perform regular vulnerability scanning of your external networks and applications? | | |
| 4.2 | Do you conduct annual external penetration testing performed by an independent third-party firm? | | |
| 4.3 | Do you have a documented Incident Response Plan? | | |
| 4.4 | What is your guaranteed notification window to customers in the event of a suspected data breach? (Specify the number of hours in Comments.) | | |

---

## VENDOR SIGN-OFF
*I represent that the answers provided above are accurate and complete reflections of our organization's current security posture.*

**Authorized Signatory:** ___________________________  
**Printed Name:** [Signatory Name]  
**Title:** [Signatory Title]  
**Date:** [Date Signed]  
