This article can also be found in the Premium Editorial Download "Information Security magazine: CISO survival guide: 18 of the best security tips."
A sample partner trust assessment
- Has a SAS 70 audit been completed? (Provide a copy of the auditor's report; note that SAS 70 produces an audit report, not a certification)
- Are security operations, policies, procedures and standards aligned with ISO/IEC 17799 or the ISO/IEC 27000 series?
- Are security policies, procedures and standards documented? (Provide copies)
- How are background checks on employees and contractors performed prior to hiring?
- Describe security training and awareness programs
- Describe physical facility and floor area on which services for Sun will be performed
- Describe controls to address physical security of hardware, software and data communications equipment
- Describe how network servers and components are secured from unauthorized access, physically and logically
- Can an agent room, dedicated server room and network be allocated exclusively to support Sun's project requirements?
- Describe patch management processes
- Describe user identification, authentication and authorization processes
- How is application and network authentication performed between the partner's environment and its customers' environments?
- Describe the server hardening methodologies and tools used to maintain server security
- What data exchange needs to happen between Sun and partner to support this project?
- What data storage will be done at the partner location?
- How is sensitive data secured during data exchange, at rest and in the backup process?
- Is Sun's data separated from other customer data held by partner?
- Describe your data backup and archive procedure
- Describe the network topology, including external connectivity, server locations and the physical/logical network partitioning relevant to security
- Provide a topology diagram of the network architecture, including the application and database server infrastructure, with network connectivity and data flows
- Describe your incident response procedures
- Describe your virus and malware protection procedures
- Describe your system administration procedures
- Describe the encryption methods used within your network, including which data and links are encrypted and how keys are managed
This was first published in July 2007