Vendor Risk Assessment Checklist

The document is a Vendor Risk Assessment Checklist: a structured process for assessing vendor risk across categories such as Information Security, Asset Management, Identity and Access Management, and more. Each section contains control statements to which the vendor responds, indicating whether the control is implemented, with remarks for further clarification. The checklist serves as a guideline for organizations evaluating and managing the risks associated with third-party vendors.

Uploaded by Zohaib Ansari

VENDOR RISK ASSESSMENT CHECKLIST

VENDOR RISK ASSESSMENT PROCESS FLOW

1. Understand the different types of risk
2. Establish risk criteria
3. Assess every vendor
4. Segregate vendors based on risk level
5. Develop a risk mitigation plan
6. Conduct annual assessments

VENDOR RISK ASSESSMENT CHECKLIST

Statement / Remarks
Vendor Name: <Full Name>
Application Name/Outsourced Service: <Name of the Application/Service Outsourced>
Vendor Address: <Full Address>
Size of the Company (Number of Employees): <Total number of individuals employed by the prospective vendor>
Brief Description of Services provided by the Vendor: <Provide details of the Service>
Instructions:
1. If the answer to a question is No, NA or Partial, provide a detailed explanation in the Remarks column.
2. If the answer is Yes, provide a description of the control in the Remarks column.
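As an added illustration, not part of the checklist itself, of how the two instructions above and the "segregate vendors based on risk level" step of the process flow can be mechanised: the script below validates a filled-in questionnaire (exported as CSV) and assigns a coarse risk tier. The CSV layout, the answer weighting, the list of critical sections and the tier thresholds are assumptions chosen for this example; the responses in SAMPLE_CSV are constructed.

```python
"""Validate a filled-in vendor questionnaire against the two instructions
and assign a risk tier. Added example; the data and thresholds are assumed."""
import csv
import io
from dataclasses import dataclass

ANSWERS = {"Yes", "No", "Partial", "NA"}


@dataclass(frozen=True)
class Response:
    section: str
    statement: str
    answer: str          # expected to be one of ANSWERS
    remarks: str = ""


def parse_csv(text):
    """Read rows with columns section,statement,answer,remarks (assumed layout)."""
    reader = csv.DictReader(io.StringIO(text))
    return [Response(r["section"], r["statement"], r["answer"].strip(),
                     r.get("remarks", "") or "") for r in reader]


def validate_responses(responses):
    """Findings for responses that break the instructions: an unknown answer,
    No/NA/Partial without an explanation, or Yes without a control description."""
    findings = []
    for r in responses:
        if r.answer not in ANSWERS:
            findings.append(f"{r.section}: invalid answer {r.answer!r} for {r.statement!r}")
            continue
        if not r.remarks.strip():
            need = "control description" if r.answer == "Yes" else "detailed explanation"
            findings.append(f"{r.section}: {r.answer} answer missing {need} for {r.statement!r}")
    return findings


# Assumed weighting: Partial counts as half a gap, NA is excluded from scoring.
WEIGHTS = {"Yes": 0.0, "Partial": 0.5, "No": 1.0}


def risk_score(responses):
    """Weighted share of unimplemented controls, 0.0 (all Yes) to 1.0 (all No)."""
    scored = [r for r in responses if r.answer in WEIGHTS]
    if not scored:
        return 0.0
    return sum(WEIGHTS[r.answer] for r in scored) / len(scored)


# Assumed risk criteria (the checklist leaves these to the assessing organization).
CRITICAL_SECTIONS = ("INFORMATION SECURITY", "IDENTITY AND ACCESS MANAGEMENT")


def risk_tier(responses):
    """High if any critical-section control is answered No or the score is >= 0.5,
    Medium if the score is >= 0.2, otherwise Low."""
    if any(r.answer == "No" and r.section in CRITICAL_SECTIONS for r in responses):
        return "High"
    score = risk_score(responses)
    if score >= 0.5:
        return "High"
    if score >= 0.2:
        return "Medium"
    return "Low"


# Constructed sample export; not a real vendor's answers.
SAMPLE_CSV = """section,statement,answer,remarks
INFORMATION SECURITY,Do you have a valid third-party attestation or certification?,Yes,Certificate on file; scope covers the hosted service
ASSET MANAGEMENT,Do you maintain an up-to-date inventory of hardware and software assets?,Partial,
IDENTITY AND ACCESS MANAGEMENT,Do you terminate inactive sessions after a defined period?,Yes,
BUSINESS CONTINUITY,Do you have a Test Calendar in place to test the BCP?,NA,Service is stateless; customer owns continuity
OPERATIONS SECURITY,Are users disallowed from installing software on their workstations?,No,Developers hold local admin; compensating EDR in place
"""


def assess(text):
    """Parse an export and return (findings, score, tier)."""
    responses = parse_csv(text)
    return validate_responses(responses), risk_score(responses), risk_tier(responses)


if __name__ == "__main__":
    findings, score, tier = assess(SAMPLE_CSV)
    for f in findings:
        print("FINDING:", f)
    print(f"score={score:.3f} tier={tier}")
```

The validator only enforces completeness of the questionnaire; the tiering is where the organization's own risk criteria (step 2 of the process flow) would be encoded, so treat the weights and thresholds as placeholders to be replaced.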

INFORMATION SECURITY
Control Statement / Control Implemented (Yes, No, Partial, NA) / Remarks
Do you have a valid third-party information security/cybersecurity attestation or certification?
Do you have company-wide, publicly available information security policies in place?
Is the information security policy reviewed at planned intervals, or when significant changes occur, to ensure its continuing suitability, adequacy and effectiveness?
What mechanisms are in place to ensure your policies are enforced within your supply chain?
Are the roles and responsibilities pertaining to information security defined and communicated to all employees?

ASSET MANAGEMENT
Control Statement / Control Implemented (Yes, No, Partial, NA) / Remarks
Do you have an asset management program for your IT assets that is approved by management?
What are your methods for managing IT assets on the network?
How do you manage IT hardware and software assets that are not network connected, so that all assets are covered regardless of network presence?
What are your methods of verifying acceptable use of assets, including verified asset return, for your network-connected assets?
Do you have documented policies or procedures to manage enterprise assets throughout their lifecycle?
Do you have policies or procedures to ensure your enterprise software platforms, applications and hardware assets are classified according to their criticality?
Do you have policies or procedures to ensure appropriate controls are in place for internal or third-party cloud services?
Do you maintain an up-to-date inventory of hardware and software assets to ensure their accountability and integrity?
Do you have a documented acceptable use of assets policy?
Do you have processes or procedures in place to ensure that devices and software installed by users outside your IT department are discovered, properly secured and managed?
Do you have processes or procedures for secure disposal of your assets?
Are media containing information (customer data, personal data, bank data) protected against unauthorized access, misuse or corruption during transportation beyond the organization's physical boundary?
Do you maintain information labelling and handling procedures? Is documented information flagged/labelled according to your asset classification schema?

IDENTITY AND ACCESS MANAGEMENT
Control Statement / Control Implemented (Yes, No, Partial, NA) / Remarks
Are procedures defined and followed for provisioning access (logical and physical) to information systems and information processing facilities?
Are procedures defined and followed for provisioning access to the network and network devices?
Are procedures defined and followed for the management of privileged access rights?
Do you have specific procedures established and maintained to prevent unauthorized use of generic administrative user IDs (super admin, super user IDs), within the capabilities of each system's configuration?
When provisioning access rights and privileges on information and information systems, do you determine whether the access rights and privileges are based on business needs/requirements and provide adequate segregation of duties?
Are user access provisions monitored and reviewed on an ongoing basis to ensure that additions, deletions and changes to accounts and access rights are properly tracked?
Are procedures defined and followed for removal of all access rights (logical access and physical access)?
Is all infrastructure (routers, switches, firewalls, servers, endpoints, etc.) integrated with the service provider's domain, and is a central IDAM solution or TACACS+/RADIUS implemented for managing access?
Do you have procedures defined and followed for password management (covering password strength, password history, password expiry, password reset, etc.) for accessing information and information assets?
Have you deployed password security controls within the environment at the application, OS, database and network layers?
Do you have a documented secure log-on procedure?
Are general notices/message banners displayed upon login to applications, network and database systems?
Are user accounts automatically locked out after a predetermined number of failed (unauthorized) login attempts?
Do you terminate inactive (idle) sessions after a defined period of inactivity?
Are there automated mechanisms, such as a password-protected screensaver, to protect unattended equipment?

HUMAN RESOURCE SECURITY
Control Statement / Control Implemented (Yes, No, Partial, NA) / Remarks
Do you have procedures defined and followed for onboarding personnel?
Do you have procedures defined and followed for conducting background checks of your employees, contractors and third parties, as permitted by the country in which you operate?
Are employees, contractors and third parties required to sign a non-disclosure or confidentiality agreement (NDA) and/or code of conduct?
Do you have an information security awareness program that is mandatory for all employees, contractors and third parties?
Are all staff required to take information security awareness training and sessions upon hire and periodically thereafter?
Is additional security training provided to users with elevated privileges?
Are you aware of the security training practices performed by your sub-suppliers for their personnel?
Do you have disciplinary procedures/a code of conduct defined and followed for employees who have committed a security breach?
Are employees aware that a security breach may result in disciplinary action against them?
How often is this disciplinary procedure/code of conduct updated? Please describe the frequency.
Do you have personnel designated to address questions about, or violations of, the code of conduct?
Do you have procedures defined and followed for offboarding personnel?
Does the offboarding process include a process to transfer knowledge to other personnel?
What is the process to remove access to all company documents, applications, assets, etc.?
What is the process to recover all company assets?

BUSINESS CONTINUITY
Control Statement / Control Implemented (Yes, No, Partial, NA) / Remarks
Do you maintain a formal business continuity plan necessary to maintain operations through disruptions and significant loss of staff?
Do you have a Disaster Recovery Plan in place to support recovery of key products and services?
Do you maintain a formally trained and dedicated crisis management team, including on-call staff, assigned to address catastrophic or systemic risks to your supply chain or manufacturing processes?
Do you have a test calendar in place for testing the business continuity plan?

PHYSICAL SECURITY
Control Statement / Control Implemented (Yes, No, Partial, NA) / Remarks
Do you have physical security procedures defined and followed that address the control of physical access, environmental protection, equipment maintenance, equipment siting, visitor management, etc.?
What training do all staff receive to address potential physical security threats and how to respond to emergencies (e.g., fire, weather, etc.)?
Is access to sensitive areas (server location, tape library, computer room, etc.) physically restricted to authorized personnel? If yes, does the physical access system log each access, capturing the date, time, door accessed and employee details?
Are all physical access control logs periodically reviewed and retained per retention requirements?
Are visitors signed into the building by an employee who accepts responsibility for the visitors during the course of their visit?
Are secure work areas adequately protected against environmental hazards?
Do you have fire alarm/suppression systems installed across the office (secure areas/work areas)?
Are information processing facilities separated from other facilities?
Are photographic, video, audio or other recording devices, such as cameras in mobile phones, restricted from being carried into secure areas/work areas/information processing facilities?
Are vacant secure areas physically locked and periodically reviewed?
Do you use CCTV cameras to monitor the facility 24x7? If yes, are all cameras operating and positioned properly to view activity at all entrances/exits to the facility and at sensitive areas (e.g., call center, computer room)?
Are redundant power supplies available for supplying power to critical equipment? Is there an uninterruptible power supply (UPS) or diesel generator (DG) set backup for computer systems?
Is lightning protection applied to the buildings, and are lightning protection filters fitted to all incoming power and communications lines at the premises housing work areas and information processing facilities?
Is all information systems equipment maintained in accordance with the supplier's recommended service intervals and specifications?
Are records kept of all suspected or actual faults and all maintenance activities performed on equipment?
Is maintenance carried out by authorized personnel only?
Do you have a process in place to manage the movement of assets in and out of the organization?
Do you have processes in place to prevent counterfeit parts from entering your supply chain?
Do you have a process in place to protect unattended equipment within the organization?
Do you have a clear desk and clear screen policy in force in the organization?
Do you have a documented security incident response process covering physical security incidents?

SUPPLY CHAIN SECURITY
Control Statement / Control Implemented (Yes, No, Partial, NA) / Remarks
Do you perform due diligence on vendors before onboarding?
Do you have written Supply Chain Risk Management (SCRM) requirements in your contracts with your suppliers?
Does your business take supplier diversification into account, to prevent reliance on a single source and to lessen the likelihood that suppliers face the same risks to their resilience?
Does your business take alternative delivery channels into account, such as cloud, network, communications, transportation and packaging, to offset prolonged supplier outages?
OPERATIONS SECURITY
Control Statement / Control Implemented (Yes, No, Partial, NA) / Remarks
Have you deployed encryption mechanisms to secure data at rest and in transit?
Are applications and operating system software deployed only after extensive and successful security testing?
Is a log maintained to track installation of operational software on workstations?
Do operational systems hold only approved software, and is there a periodic audit to track software compliance?
Are users prevented from installing software on their workstations?
Are removable media such as CDs and USB drives disabled on all desktops, laptops and servers containing personal data, customer data or business data?
Are audit logs maintained that record user activities, exceptions, successful and failed logons, policy changes, events and information security events, in order to assist future investigations and access control monitoring?
Are system administrator and system operator activities monitored and logged?
Can system administrator activities be traced to individual system administrators?
Do you have a policy/procedure on change management?
Are all changes to the production environment recorded, and do they follow the change management procedure?
Do you maintain a policy, operational plan and procedures for teleworking? Is teleworking authorized and controlled by management, and are suitable arrangements in place for this way of working?
Has a formal policy been developed that addresses the risks of working with mobile computing facilities, including requirements for physical protection, access controls, cryptographic techniques, back-up and virus protection?
Does your patch management process ensure all systems are installed with the latest security patches (OS layer, application layer, database layer, network layer)?
Do you have a formal vulnerability assessment and penetration testing (VAPT) process/procedure/policy/manual that is documented and operational?
Do you have security hardening standards (technical specifications / minimum baseline security standards, MBSS) for all infrastructure elements such as applications, OS, network and databases?
Have you deployed controls to protect computer systems against viruses, spyware, malware, Trojans and other malicious code?
Have you implemented data protection and privacy measures such as DLP, IRM/DRM, etc.?
Have you deployed encryption/protection mechanisms (data at rest) on databases, file servers, desktops and laptops handling business data, customer data and personal data (account numbers, employee details, bank accounts, passwords, card magnetic stripe data, etc.), in compliance with all relevant rules, laws, regulations, legal and contractual obligations, country-specific data privacy laws and sector-specific data privacy laws?
Do you agree to allow auditors or contracted third parties to conduct IS audits at your premises?
Do you agree to allow surprise audits to be conducted by auditors or contracted third parties?
Do you have documented procedures for the identification, capture, tracking, escalation and resolution of operational problems/incidents (all systems, applications or facility-related problems)?
Have firewalls, deep packet inspection, IPS/IDS, DLP, anti-APT, SIEM, anti-spoofing and other such security solutions (perimeter, endpoint, web, infrastructure) been implemented in the network infrastructure?
Are users handling organization data given access to corporate/public email? If yes, are there restrictions on the domains to which mail can be sent?
Are users handling organization data provided access to the Internet? Is there a proxy/content filtering solution in place for controlled access to the Internet?
Are proxy/content filtering solution logs monitored and reviewed?
Are the system clocks of all information processing systems within the organization or security domain synchronized with an agreed accurate time source?
Are system utility programs that could be used to override system and application controls strictly controlled and their use restricted, and are admin privileges withheld from ordinary users?

SECURE DESIGN AND ENGINEERING PRACTICES
Control Statement / Control Implemented (Yes, No, Partial, NA) / Remarks
Do you have an organization-wide strategy for managing the development, acquisition, life cycle support and disposal of systems and system components?
Do you establish explicit organizational roles and regulations that govern the application and supervision of secure engineering throughout the product development or manufacturing process?
What industry standard or security control framework is used to determine the security capabilities of the product offering?
Does your organization document and communicate security control requirements for your hardware, software or solution offering?
Does your company offer a method for confirming the integrity of software releases, including patch updates, for your software product offering?
How does your company safeguard your product or service against fraudulent and/or counterfeit IP components?
To reduce security risks, does your company define, adhere to and validate secure coding and manufacturing practices?
Does your organization verify that third-party software provides the required security requirements/controls?
Does your company have a program in place for reporting and responding to product security incidents (e.g., a product security incident response team, PSIRT)?