
NIST 800-53 Security Standard Questionnaire (Free Template) | Cybersecurity

This post provides a template to inspire the design of your own vendor security questionnaire mapping to NIST SP 800-53. For an editable version of a vendor questionnaire mapping to NIST 800-53 revision 5, download this NIST 800-53 risk assessment template.

Vendor Questionnaire Template: NIST SP 800-53

Note: Cybersecurity offers a NIST 800-53 vendor questionnaire that automatically highlights alignment gaps based on vendor responses to support an efficient compliance strategy. For the most reliable supply chain risk management program, it is highly recommended to manage your vendor security questionnaires on a scalable solution like Cybersecurity.


Security and Privacy Programs Assessment

This section evaluates the strength of a vendor's set of policies governing their security and privacy programs.

1. Does your company have a developed security program in place?
1 (a). If you answered Yes, does this program address the entire scope of digital information being processed in the organization?

Security Control

This section evaluates the strength of a vendor's security control strategy and its ability to protect private data from compromise.

1. Do you provide a notice to your customers advising them how you handle and protect personally identifiable information (PII)?
1 (a). If you answered Yes, provide a copy of this policy, either by pasting it in the free text field below or appending it to this completed questionnaire.
1 (b). If you answered No, describe compensating controls that are in place or explain why you don't consider this to be a security risk.
1 (c). If you are in the process of implementing an external policy describing how you handle and protect personally identifiable information, advise the estimated timeframe for when this will be completed.
2. Do you have internal documentation outlining how to safely handle sensitive customer data?
2 (a). If you answered No, describe compensating controls that are in place or explain why you don't consider this to be a security risk.
3. How often are internal audits of your security and privacy program performed?
   Options: Every three months / Every six months / Annually / Free text field
4. Do you have a policy in place for mitigating the security risks posed by mobile devices?
5. Have you implemented a risk assessment program?
5 (a). If you answered Yes, how often are risk assessments completed for each vendor?
   Options: Quarterly / Bi-annually / Annually / Other (specify below) / Free text field



6. Do you have a policy for prioritizing critical vendors in risk assessment plans?
6 (a). If you answered Yes, how do you determine which vendors need to be prioritized?
7. Do you have a cybersecurity solution for continuous monitoring of attack surfaces to discover emerging risks, either internally or across your service provider network (real-time monitoring)?
7 (a). Do you have a vulnerability scanning tool in place for discovering emerging attack vectors across all internet-facing assets?
8. Do you have security policies for mitigating insider threat risks?
9. How do you ensure onboarded vendors meet your security requirements as defined by your risk appetite?
10. Do you have any vendors currently exceeding your risk appetite baseline?
11. Do you incorporate penetration testing in your strategy for maintaining a resilient control baseline?
11 (a). If you answered Yes, how often do you perform penetration tests?
   Options: Quarterly / Bi-annually / Annually / Other (specify below) / Free text field

Personnel Security

This section evaluates the likelihood of employees facilitating security incidents.

1. Do you keep an up-to-date record of all employee user accounts and their respective access control levels?
2. Do you have a policy in place ensuring sensitive data is only accessed on a need-to-know basis?
3. Do you have a policy in place ensuring only authorized users have access to sensitive resources?
4. Do you have a methodology in place for protecting privileged user accounts?
5. Do you have contingency plans in place for when privileged user accounts are compromised?
6. Are government contractors and information security assessors required to sign confidentiality agreements to ensure customer data remains protected?
7. Do you have formal management processes for system security plans protecting account authentication information, such as passwords and digital certificates?
8. Are user account access levels regularly reviewed?
8 (a). If you answered Yes, how often do these reviews occur?
   Options: Quarterly / Bi-annually / Annually / Other (specify below) / Free text field
9. Do your employees complete cyber threat awareness training regularly?
9 (a). If you answered Yes, how often does this training occur?
   Options: Quarterly / Bi-annually / Annually / Other (specify below) / Free text field
9 (b). If you answered Yes, provide an outline of what is covered in each training module.
9 (c). If you answered Yes, does your program management policy regularly update this training?
10. Does your physical and environmental security policy ensure all means of physical and digital access to your network are revoked from offboarded contractors and employees, including remote access?

Regulatory Compliance

This section will help you evaluate the level of risk your vendors pose to your regulatory compliance efforts.

1. List all of the regulations you are bound to.
2. Do you have a process in place for monitoring emerging regulatory requirements?
3. Do you have a process in place for monitoring regulatory compliance gaps, internally and across your vendor network?
4. Do you have a system for prioritizing critical regulatory compliance risk remediation tasks?

Infrastructure Security

These questions will help you uncover security risks associated with a vendor's IT infrastructure.

1. Do you have configuration management tools enabling secure configuration settings?
2. Do you facilitate remote access to your infrastructure?
2 (a). If you answered Yes, do these remote access mechanisms undergo security testing to uncover potentially exploitable vulnerabilities?
3. Do you have a patch management program for keeping your network infrastructure secured with the latest patches?
3 (a). If you answered Yes, do you automate patch updates?
4. Do you conduct security control assessments for evaluating the cybersecurity of your cloud infrastructure?
4 (a). If you answered Yes, how often do these assessments occur?
   Options: Monthly / Quarterly / Bi-annually / Annually / Other (specify below)

Server Security

This section evaluates the risk of a vendor's servers acting as attack vectors facilitating data breaches.

1. Do you follow a server hardening protocol?
1 (a). If you answered Yes, provide an overview of the hardening process.
2. How do you ensure your servers are protected with the latest security patches?
3. Which operating systems are your servers running on?
   Options: Unix (including Linux, Solaris, etc.)
4. Are servers housing sensitive data segmented and inaccessible to general access users?


5. How often is your list of privileged access users audited?
   Options: Monthly / Quarterly / Bi-annually / Annually / Other (specify below)
6. Describe how your server backups are stored (for example, on disks, removable drives, other servers, etc.).
7. List all of the geographical locations of your servers (including backup servers).
8. How often are these backups tested?
   Options: Monthly / Quarterly / Bi-annually / Annually / Other (specify below) / Free text field

Email Security

These questions will help you understand the risk of a vendor being compromised by an email-based cyberattack.

1. Describe the security controls you have in place for defending against email-based attacks.
2. Have you suffered any email-based attacks in the last 12 months?
2 (a). If you have, were any of these attacks successful? If so, describe the impact of the attack.
3. Are your emails encrypted while in transit (for example, using Transport Layer Security, TLS)?

Client Workstation Security

This section will uncover the risk of endpoints acting as attack vectors and identify potential security enhancements.

1. How do you ensure client workstations and remote endpoints are hardened against cyber threats?
2. Does your Incident Response Plan address situations where remote endpoints are compromised?
3. Select the types of devices and information system components covered by malware protection.
   Options: Mobile devices / Windows workstations / Non-Windows workstations
4. Do any remote endpoints or workstations share passwords?
5. Do any workstations use default administrative passwords?
6. Do you have a media protection policy defending against malware introduced from external devices (such as USB drives and external hard drives)?

Data Management

This section evaluates the security of the vendor's data management strategy.

1. Do you use an active directory tool to track sensitive information across technology systems?
1 (a). If you answered Yes, does this tool also track sensitive data shared with third-party services?
2. Do you have separate network segments for your own sensitive data and for sensitive data belonging to your customers?

Asset Management

This section evaluates the strength of the vendor's asset management strategy, which can reveal overlooked attack surface regions vulnerable to compromise.

1. How do you ensure your IT asset inventory remains up to date?
2. Do you have an attack surface management (ASM) program in place to protect IT assets from compromise?
2 (a). If you answered Yes, how do you track the functionality and efficacy of your ASM program?
3. Do you regularly keep stakeholders informed of your attack surface management efforts?
4. How do you ensure system and information integrity is maintained across your IT assets when a cyber threat breaches your network?
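The note at the top of the template says a questionnaire platform can highlight alignment gaps from vendor responses. The following is an added example of how such an evaluation can be expressed over this template's own question structure (Yes/No questions, follow-ups asking for compensating controls on a No, and cadence pick-lists); it is not code from the original page or from the Cybersecurity platform. Question ids are built from the section name and question number above, the NIST SP 800-53 control references are this reviewer's assumed mapping rather than the page's, and every vendor response in it is constructed.

```python
"""Alignment-gap evaluation over vendor questionnaire responses.

Added example, not code from the original page or from the Cybersecurity platform.
Question ids follow "<section> <number>" from the template above; the NIST SP 800-53
control references are this reviewer's assumed mapping, and every vendor response
below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Pick-list cadences from the template, ranked by frequency. "Other" ranks lowest so
# that an unexplained free-text cadence is surfaced for human review rather than accepted.
CADENCE_RANK = {"monthly": 4, "quarterly": 3, "bi-annually": 2, "annually": 1, "other": 0}
SEVERITY_ORDER = {"high": 0, "medium": 1, "review": 2}


@dataclass(frozen=True)
class Rule:
    qid: str                           # e.g. "Personnel Security 8 (a)"
    kind: str                          # "expect_yes", "expect_no" or "cadence"
    control: str                       # assumed NIST SP 800-53 control (reviewer's mapping)
    min_cadence: Optional[str] = None  # required cadence, only for kind == "cadence"


@dataclass(frozen=True)
class Finding:
    qid: str
    control: str
    severity: str                      # "high", "medium" or "review"
    reason: str


def evaluate(rules: List[Rule], responses: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Apply each rule to the vendor's answer and return the gaps, most severe first."""
    findings: List[Finding] = []
    for rule in rules:
        resp = responses.get(rule.qid, {})
        answer = (resp.get("answer") or "").strip().lower()
        detail = (resp.get("detail") or "").strip()

        if not answer:
            findings.append(Finding(rule.qid, rule.control, "review", "question not answered"))
        elif rule.kind == "expect_yes" and answer == "no":
            # The template asks for compensating controls on a No; when they are stated the
            # item becomes a reviewer judgement rather than an outright failure.
            if detail:
                findings.append(Finding(rule.qid, rule.control, "review",
                                        "answered No; compensating controls stated: " + detail))
            else:
                findings.append(Finding(rule.qid, rule.control, "high",
                                        "answered No with no compensating controls"))
        elif rule.kind == "expect_no" and answer == "yes":
            findings.append(Finding(rule.qid, rule.control, "high",
                                    "confirmed a control weakness"))
        elif rule.kind == "cadence":
            have = CADENCE_RANK.get(answer)
            need = CADENCE_RANK[rule.min_cadence]
            if have is None:
                findings.append(Finding(rule.qid, rule.control, "review",
                                        "unrecognised cadence %r" % answer))
            elif have < need:
                findings.append(Finding(rule.qid, rule.control, "medium",
                                        "%s is less frequent than the required %s"
                                        % (answer, rule.min_cadence)))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.qid))


# Rules for a handful of template questions (the control mapping is an assumption).
SAMPLE_RULES = [
    Rule("Security Control 2", "expect_yes", "PL-1"),
    Rule("Personnel Security 8 (a)", "cadence", "AC-2", min_cadence="quarterly"),
    Rule("Personnel Security 9 (a)", "cadence", "AT-2", min_cadence="annually"),
    Rule("Infrastructure Security 3", "expect_yes", "SI-2"),
    Rule("Server Security 8", "cadence", "CP-9", min_cadence="annually"),
    Rule("Email Security 3", "expect_yes", "SC-8"),
    Rule("Client Workstation Security 5", "expect_no", "IA-5"),
]

# Constructed vendor responses: note the unanswered backup-testing question and the
# "No" on email TLS that comes with a stated compensating control.
SAMPLE_RESPONSES = {
    "Security Control 2": {"answer": "No"},
    "Personnel Security 8 (a)": {"answer": "Annually"},
    "Personnel Security 9 (a)": {"answer": "Quarterly"},
    "Infrastructure Security 3": {"answer": "Yes"},
    "Email Security 3": {"answer": "No",
                         "detail": "customer data is exchanged over an SFTP portal, not email"},
    "Client Workstation Security 5": {"answer": "Yes"},
}


def run_sample() -> List[Finding]:
    return evaluate(SAMPLE_RULES, SAMPLE_RESPONSES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:6}] {f.qid} ({f.control}): {f.reason}")
```

Running the sample reports two high findings (a default administrative password confirmed, and missing data-handling documentation with no compensating control), one medium finding (access reviews only annually where the rule expects quarterly), and two items for human review (the email-TLS "No" with its stated compensating control, and the backup-testing question left unanswered). An unanswered question is deliberately never treated as a pass.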



Streamline NIST 800-53 Questionnaire Management with Cybersecurity

The Cybersecurity platform offers customizable security questionnaires mapping to NIST Special Publication 800-53 and many other popular regulations and standards, including DORA, NIST CSF and ISO 27001.


To start tracking vendor compliance with NIST 800-53, you can download this free NIST 800-53 risk assessment template.
