Application & Interface Security

The document contains questions from PL2 Information about Group's information security practices. It asks about 20 questions across 12 categories related to application security, business continuity, data security, encryption, governance and risk management. Group provides yes/no/N/A answers to each question and some additional comments to clarify or expand on their responses.

Uploaded by asma merz

Information Security Survey
PL2 Information

Columns: Group / sub-area, Questions, Answers (Yes / No / N/A), Comments. Where a row lists no group, it continues the group of the row above.

1. Application & Interface Security / Application Security
   Q: Do you use OWASP guidelines or another standard to build your application securely?
   Comment: How do you know the application is built securely?

2. Q: Do you review your application for security vulnerabilities and address any issues prior to deployment?
   Comment: We receive 3000+ attacks per second at our firewall. How do you know your application is secure against these attacks?

3. Q: Do you have capability to recover CSU data in the case of a failure or data loss?
   Comment: Do we need to mitigate the possible loss of service?

4. Q: Do you have the capability to restrict the storage and routing of CSU data to the United States?
   Comment: We need to ensure our students' data remains private across the network.

5. Q: Are you aligned with professional organizations or have a legal retainer to be advised of FERPA and other privacy law changes?
   Comment: How do you stay advised of changes in regulations?

6. Business Continuity Management & Operational Resilience / Environmental Risks
   Q: Is physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) anticipated in your disaster recovery plan?
   Comment: How long would it take to recover our application if you should experience total failure?

7. Business Continuity Management & Operational Resilience / Equipment Maintenance
   Q: If using virtual infrastructure, can you perform an independent hardware restore and recovery?
   Comment: Will all customers be affected if you have to do a restore from backup? This is the main protection against ransomware.

8. Q: Do you have a documented procedure for responding to requests for CSU data from governments or third parties?
   Comment: We need to be notified in order to have the opportunity to oppose.

9. Q: Do you test your backup or redundancy mechanisms at least annually?
   Comment: We need to have a level of assurance of the system restore time.

10. Change Control & Configuration Management / Quality Testing
    Q: Are there procedures in place to triage and remedy reported bugs and security vulnerabilities?
    Comment: How do you manage vulnerabilities?

June 9, 2016 Page 1 of 13


11. Change Control & Configuration Management / Quality Testing
    Q: Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?
    Comment: Are there unnecessary backdoors into the code that could be used by attackers? If yes, can you turn them on/off in the production instance?

12. Data Security & Information Lifecycle Management / Secure Disposal
    Q: Do you have a procedure for sanitizing all computing resources of CSU data, once the contract has ended and all invoices are paid?
    Comment: We need to ensure all data is removed once it is no longer needed.

13. Datacenter Security / Controlled Access Points
    Q: Are physical security perimeters (e.g., fences, walls, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols and/or alarms) implemented at the data center storing CSU data?
    Comment: How do you prevent unauthorized access to systems?

14. Datacenter Security / User Access
    Q: Do you restrict physical access to information assets and functions by users and support personnel?
    Comment: How do you limit authorized access to systems to need-to-know as required by FERPA?

15. Q: Do you maintain key management procedures?
    Comment: How are you able to access and protect encryption keys?

16. Encryption & Key Management / Encryption
    Q: Do you encrypt tenant data at rest (on disk/storage) within your environment?
    Comment: How do you prevent unauthorized access to data stored on 1) backups and 2) stolen desktops/laptops?

17. Q: Do you encrypt data and virtual machine images during transport across and between networks and hypervisor instances?
    Comment: How do you prevent unauthorized access to data as it is being transported between networks/hypervisor instances?

18. Encryption & Key Management / Storage and Access
    Q: Does your platform and data encryption meet FIPS 140 standards: http://csrc.nist.gov/groups/STM/cavp/validation.html
    Comment: How do you know that the encryption algorithm is strong?

19. Governance and Risk Management / Baseline Requirements
    Q: Do you have documented information security baselines for all components of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?
    Comment: How do you know these devices are securely built?


20. Governance and Risk Management / Management Program
    Q: Do you maintain an Information Security Management Program (ISMP)?
    Comment: How do you manage information security uniformly across your organization?

21. Q: Do you review your Information Security Management Program (ISMP) annually?
    Comment: How often do you review your ISMP?

22. Governance and Risk Management / Policy
    Q: Do your information security and privacy policies align with ISO 27001 or NIST standards?
    Comment: How do you know your ISMP is complete?

23. Q: Do you have agreements to ensure your providers adhere to your information security and privacy policies?
    Comment: How do you assess your providers' level of risk, and how it affects your offering?

24. Governance and Risk Management / Policy Enforcement
    Q: Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?
    Comment: How do you motivate employees to maintain security and discipline them when they exhibit risky behavior?

25. Governance and Risk Management / Policy Reviews
    Q: Would you notify CSU if you make material changes to your information security and/or privacy policies?
    Comment: We need the opportunity to remove our data and cancel the contract if the privacy standard is substandard to our requirements.

26. Governance and Risk Management / Assessments
    Q: Do you have a risk assessment process, performed at least annually, calculating the likelihood and impact of all identified risks?
    Comment: How do you know you have identified and managed risks appropriately?

27. Human Resources / Asset Returns
    Q: Are systems in place to monitor for privacy breaches and notify CSU expeditiously if our data is exposed or compromised?
    Comment: How will you notice breaches and notify us in reasonable time to minimize the harm and protect our students' data?

28. Human Resources / Background Screening
    Q: Are all employees, contractors and third parties with access to data, systems, and networks, subject to background verification?
    Comment: How do you prevent hiring a known or suspected criminal?

29. Human Resources / Employment Agreements
    Q: Do you train your employees regarding their information security roles and responsibilities?
    Comment: How do you ensure they are aware of their roles/responsibilities?

30. Q: Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?
    Comment: How do you ensure employees agree to their responsibilities for security?


31. Human Resources / Employment Agreements
    Q: Are personnel trained and provided with awareness programs at least once every 3 years?
    Comment: How do you ensure employees are kept up to date on current security issues?

32. Human Resources / Employment Termination
    Q: Are documented policies, procedures and guidelines in place to govern change in employment and/or termination?
    Comment: How are you able to ensure that termination/changes in employment are communicated to all areas?

33. Q: Do the above procedures and guidelines account for timely revocation of access and return of assets?
    Comment: How are you able to deprovision employees upon termination/employment change in a timely manner?

34. Human Resources / Acceptable Use
    Q: Do you access and share CSU data/metadata?
    Comment: We need to authorize all access to our data.

35. Q: Do you allow tenants to opt out of having their data/metadata accessed via inspection technologies?
    Comment: We need to authorize all access to our data.

36. Identity & Access Management / Audit Tools Access
    Q: Do you restrict, log and monitor access to your information security management systems? (E.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)
    Comment: We need to ensure your network is monitored for any breaches.

37. Q: Do you monitor and log privileged access (administrator level) to information security management systems?
    Comment: We need to ensure your network is monitored for any breaches.

38. Identity & Access Management / Policies and Procedures
    Q: Do you maintain a list of all personnel who have access to the IT infrastructure, including their level of access?
    Comment: We need to ensure you are reviewing the list periodically to ensure all terminated/separated/transferred employees are removed promptly.

39. Identity & Access Management / Source Code Access Restriction
    Q: Are controls in place to prevent unauthorized access to your application, program or object source code?
    Comment: Access to these items should be on a need-to-know basis.

40. Identity & Access Management / Third Party Access
    Q: Do you provide multi-failure disaster recovery capability?
    Comment: There is critical timing with use of your product and we need to know it will be available when needed.

41. Q: Do you have more than one provider for each service you depend on?
    Comment: There is critical timing with use of your product and we need to know it will be available when needed.

42. Identity & Access Management / User Access Reviews
    Q: Do you review entitlements for all employee system users and administrators at least annually?
    Comment: This is the minimum time we allow for account reviews.


43. Identity & Access Management / User Access Revocation
    Q: Do you revoke or modify access upon any change in status of employees, contractors, business partners or involved third parties (termination, transfer or contract end)?
    Comment: Access to these items should be on a need-to-know basis.

44. Identity & Access Management / User ID Credentials
    Q: Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
    Comment: We are developing an SSO.

45. Q: Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
    Comment: We support any standard that integrates with Microsoft Azure.

46. Q: Do you support password (minimum length of 10, age 1 day, history of greater than 25, complexity upper/lower/digit/symbol) and account lockout (lockout threshold 5 attempts, lockout duration 15 minutes or greater) policy enforcement?
    Comment: This is our minimum password criteria.

47. Q: Do you allow tenants/customers to define password and account lockout policies for their accounts?
    Comment: If so, we request the standard listed in question 46.

48. Q: Do you support the ability to force password changes upon first logon?
    Comment: We want to be sure our users select their own passwords immediately.

49. Q: Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
    Comment: We prefer unlock after 15 minutes automatically or self-service via challenge questions that do not contain protected information (i.e. no SSN, mother's maiden name, etc.).

50. Identity & Access Management / Utility Programs Access
    Q: Are utilities that can manage virtualized partitions (e.g., shutdown, clone, etc.) appropriately restricted and monitored?
    Comment: We need to ensure your network is monitored for any breaches.

51. Q: Do you have a capability to detect and respond to attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, Hyper jumping, etc.)?
    Comment: We need to ensure your network is monitored for any breaches.

52. Infrastructure & Virtualization Security / Audit Logging / Intrusion Detection
    Q: Are file integrity (host) and network intrusion detection (IDS) tools implemented?
    Comment: We need to ensure you will notice and respond to a breach in a timely manner.


53. Infrastructure & Virtualization Security / Audit Logging / Intrusion Detection
    Q: Is physical and logical user access to audit logs restricted to authorized personnel?
    Comment: We need to ensure hackers cannot delete their trail after a breach.

54. Q: Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?
    Comment: We need to ensure you will notice and respond to a breach in a timely manner.

55. Infrastructure & Virtualization Security / Change Detection
    Q: Do you log and alert any changes made to virtual machine images regardless of their running state (e.g. dormant, off or running)?
    Comment: We need to ensure you will notice and respond to a breach in a timely manner.

56. Infrastructure & Virtualization Security / Clock Synchronization
    Q: Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?
    Comment: In order to have your logs and ours align in case of an incident.

59. Q: Do your system capacity requirements take into account current, projected and anticipated capacity needs for all systems?
    Comment: There is critical timing with use of your product and we need to know it will be available when needed.

60. Infrastructure & Virtualization Security / Management - Vulnerability Management
    Q: Are security vulnerability assessment tools or services virtualization aware?
    Comment: We need to ensure that you can detect vulnerabilities and mitigate them on the VM systems.

63. Q: Do you regularly review allowed access/connectivity (e.g., firewall rules) between security domains/zones within the network?
    Comment: We need to ensure that only access currently needed is active on the firewalls.

64. Infrastructure & Virtualization Security / OS Hardening and Base Controls
    Q: Are operating systems hardened to provide only the necessary ports, protocols and services to meet business needs?
    Comment: We need to ensure your systems are hardened against attacks.

66. Q: Do you logically and physically segregate production and non-production environments?
    Comment: To ensure the production environment is never overloaded by test or development.

67. Q: Are wireless security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings? (e.g., encryption keys, passwords, SNMP community strings)
    Comment: To ensure network security if your wireless connects to your private network.


68. Infrastructure & Virtualization Security / Wireless Security
    Q: Can you detect the presence of unauthorized (rogue) network devices and immediately disconnect them from the network?
    Comment: To ensure network security if your wireless connects to your private network.

69. Infrastructure & Virtualization Security / Network Architecture
    Q: Do your network architecture diagrams clearly identify high-risk environments and data flows that may have legal compliance impacts?
    Comment: To ensure risks are identified and managed properly.

70. Q: Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks?
    Comment: To prevent or detect network breaches.

71. Mobile Security / Anti-Malware
    Q: Do you allow mobile devices (such as smartphones and tablets) to access your private networks?
    Comment: If yes for more than checking email and yes for connecting to the company network, then additional 28 questions a-bb apply. Otherwise, skip to question 72.

71a. Mobile Security / Application Stores
     Q: Do you document and make available lists of approved application stores for mobile devices accessing or storing company data and/or company systems?

71b. Mobile Security / Approved Applications
     Q: Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores be loaded onto a mobile device?

71c. Mobile Security / Approved Software for BYOD
     Q: Does your BYOD policy and training clearly state which applications and application stores are approved for use on BYOD devices?

71d. Mobile Security / Awareness and Training
     Q: Do you have a documented mobile device policy in your employee training that clearly defines mobile devices and the accepted usage and requirements for mobile devices?


71e. Mobile Security / Cloud Based Services
     Q: Do you have a documented list of pre-approved cloud based services that are allowed to be used for use and storage of company business data via a mobile device?

71f. Mobile Security / Compatibility testing
     Q: Do you have a documented application validation process for device, operating system and application compatibility issues?

71g. Mobile Security / Device Eligibility
     Q: Do you have a BYOD policy that defines the device(s) and eligibility requirements allowed for BYOD usage?

71h. Mobile Security / Device Inventory
     Q: Do you maintain an inventory of all mobile devices storing and accessing company data which includes device status (os system and patch levels, lost or decommissioned, device assignee)?

71i. Mobile Security / Device Management
     Q: Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process company data?

71j. Mobile Security / Encryption
     Q: Does your mobile device policy require the use of encryption for either the entire device or for data identified as sensitive enforceable through technology controls for all mobile devices?

71k. Mobile Security / Jailbreaking and Rooting
     Q: Does your mobile device policy prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting)?

71l. Q: Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls?

71m. Mobile Security / Legal
     Q: Does your BYOD policy clearly define the expectation of privacy, requirements for litigation, e-discovery and legal holds?


71n. Mobile Security / Legal
     Q: Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls?

71o. Mobile Security / Lockout Screen
     Q: Do you require and enforce via technical controls an automatic lockout screen for BYOD and company owned devices?

71p. Mobile Security / Operating Systems
     Q: Do you manage all changes to mobile device operating systems, patch levels and applications via your company's change management processes?

71q. Mobile Security / Passwords
     Q: Do you have password policies for enterprise issued mobile devices and/or BYOD mobile devices?

71r. Q: Are your password policies enforced through technical controls (i.e. MDM)?

71s. Q: Do your password policies prohibit the changing of authentication requirements (i.e. password/PIN length) via a mobile device?

71t. Mobile Security / Policy
     Q: Do you have a policy that requires BYOD users to perform backups of specified corporate data?

71u. Q: Do you have a policy that requires BYOD users to prohibit the usage of unapproved application stores?

71v. Q: Do you have a policy that requires BYOD users to use anti-malware software (where supported)?

71w. Mobile Security / Remote Wipe
     Q: Does your IT provide remote wipe or corporate data wipe for all company-accepted BYOD devices?

71x. Q: Does your IT provide remote wipe or corporate data wipe for all company-assigned mobile devices?

71y. Mobile Security / Security Patches
     Q: Do your mobile devices have the latest available security-related patches installed upon general release by the device manufacturer or carrier?


71z. Mobile Security / Security Patches
     Q: Do your mobile devices allow for remote validation to download the latest security patches by company IT personnel?

71aa. Mobile Security / Users
      Q: Does your BYOD policy clarify the systems and servers allowed for use or access on the BYOD-enabled device?

71bb. Q: Does your BYOD policy specify the user roles that are allowed access via a BYOD-enabled device?

72. Security Incident Management, E-Discovery & Cloud Forensics / Contact / Authority Maintenance
    Q: Do you maintain liaisons and points of contact with local authorities to contact immediately in the case of a serious attack or incident (e.g. DDoS or Ransomware)?
    Comment: We need to ensure that you can contact authorities immediately if an incident should occur.

73. Security Incident Management, E-Discovery & Cloud Forensics / Incident Management
    Q: Do you have a documented security incident response plan?
    Comment: We need to ensure that you have a well thought out plan to respond to incidents in order to scope, contain, maintain chain of evidence, and restore effectively.

74. Supply Chain Management, Transparency and Accountability / Data Quality and Integrity
    Q: Do you have cloud supply chain providers (i.e. company SaaS sits on top of a PaaS or IaaS provided by a 3rd party)?
    Comment: If yes for additional subcontractors, then additional 10 questions a-j apply. Otherwise skip to item 75.

74a. Q: Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?

74b. Supply Chain Management, Transparency and Accountability / Network / Infrastructure Services
     Q: Do you collect capacity and use data for all relevant components of your cloud service offering?

74c. Q: Do you provide tenants with capacity planning and use reports?

74d. Supply Chain Management, Transparency and Accountability / Provider Internal Assessments
     Q: Do you perform annual internal assessments of conformance and effectiveness of your policies, procedures, and supporting measures and metrics?


74e. Supply Chain Management, Transparency and Accountability / Third Party Agreements
     Q: Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored and transmitted?

74f. Q: Do you select and monitor outsourced providers in compliance with laws in the country where the data originates?

74g. Q: Does legal counsel review all third-party agreements?

74h. Q: Do third-party agreements include provision for the security and protection of information and assets?

74i. Supply Chain Management, Transparency and Accountability / Supply Chain Governance Reviews
     Q: Do you review the risk management and governance processes of partners to account for risks inherited from other members of that partner's supply chain?

74j. Supply Chain Management, Transparency and Accountability / Third Party Assessment
     Q: Do you assure reasonable information security across your information supply chain by performing an annual review?
     Comment: In particular, please provide an assessment of their SSL certificates from https://www.ssllabs.com/ssltest/.

75. Threat and Vulnerability Management / Antivirus / Malicious Software
    Q: Do you have anti-malware programs installed on all of your systems, with at least daily updates?
    Comment: We need to ensure you have current protections against malware.

76. Threat and Vulnerability Management / Vulnerability / Patch Management
    Q: Do you conduct vulnerability scans at least monthly?
    Comment: We need to ensure that you can identify and mitigate vulnerabilities to prevent breaches.

77. Q: Do you conduct application-layer vulnerability scans at least semi-annually?
    Comment: We need to ensure that you can identify and mitigate vulnerabilities to prevent breaches.

78. Q: Can you rapidly deploy patches across all of your computing devices, applications and systems?
    Comment: We need to ensure that you can prevent zero-day incidents from occurring.

Derived from the 2014 Cloud Security Alliance

