Request For Proposal (RFP) Q&A

This article collects questions that have been answered for previous Requests for Proposal (RFP), Requests for Information (RFI), and Requests for Quote (RFQ).
Please use this article to help find the answers for your own RFPs.

TIP: You can press CTRL+F to search for keywords within this web page to find answers similar to the questions on your RFPs.

NOTE: This information is provided to you at no cost. If you are unable to find the answers to certain questions within this free resource and you need the assistance of the FRS team, please submit a Consulting Work Order (CWO) from the Help Menu in FRS and someone from our team can assist you. However, this falls under chargeable support and will incur the standard consulting charges for this assistance.

Previous Audit Questions (Possible RFPs)
1. Does the organization have a formal security program? (Yes/No)
— Yes

1a. Please describe the details of the organization’s security program:

  • The organization has formal security policies to which all systems and employees must adhere.
  • There are periodic internal audits to confirm compliance and spot checks for individual controls.
  • Systems are protected using firewalls, HIDS, and other security tools.
  • All systems and perimeter devices are continuously monitored, with events immediately mitigated.
  • All systems are scanned for vulnerabilities weekly and managed for patch compliance.

1b. How many full-time staff members are dedicated to the organization’s overall security program?
— 1 full-time, with 6 others involved on a weekly basis.

2. Does the organization conduct security vulnerability assessments? (Yes/No)
— Yes

2a. At what frequency are security vulnerability assessments conducted?
— Core systems are scanned weekly, with workstations scanned monthly.

2b. Describe what security vulnerability assessment tools are used and the name of any 3rd party used to perform vulnerability assessments:
— The organization currently uses Rapid7 Nexpose for its scanning.

3. Describe senior management’s involvement in the organization’s information security efforts.
— The VP of Operations and Technology is the champion and oversees the company information security efforts. All reporting and remediation information is coordinated with the entire senior management team.

4. Does the organization conduct security awareness training for all employees and contractors? (Yes/No)
— Yes

4a. Explain how the effectiveness of the security awareness training is measured and reported.
— The security awareness training is chosen by the senior management team. The security awareness training is administered and recorded by the HR department and attached to employee records.

5. Has the organization’s information security program been audited by a trusted and reputable 3rd party? (Yes/No)
— No

6. Does the organization utilize co-location or managed hosting data center(s)? (Yes/No)
— Yes

6a. Provide the name of the co-location provider. Describe the organization’s use of the co-location provider’s services and any other 3rd parties used to manage information systems. 
— The organization has secured cabinet space at Flexential Data Center (www.flexential.com).

7. Check all the information security policies actively used to govern the organization. (Checkbox)

  • Data Classification
  • Acceptable Use
  • Patch Management
  • Log Management
  • Email Security
  • Security Governance
  • Portable Storage Media
  • Data Destruction
  • Access Control
  • Remote Access
  • Incident Response
  • Data Retention

8. Do we have the following:
8a. Server Hardening
— The FRS team has established the minimum services that are required for each type of server and each new server is configured following those protocols. These are based on industry best practices for hardening servers.

8b. Current Security Patches for Servers
— All servers are patched regularly (shortly after Patch Tuesday) after the team has reviewed the importance and impact of the available patches.

8c. Network Time Protocol
— All servers and network devices are synchronized to NIST NTP servers.

8d. Server and Application Event Logging Policy
— All servers are configured to log system and security events. Network devices are managed by a third party and all events are logged and we are notified of events.

8e. Camera in Data Center
— The data center is configured with multiple levels of access control to the building, general data center area, specific data center, and rack. Throughout the facility and at key points there are cameras that are monitored 24×7.

8f. Raised Floor Environment
— The floors are raised for cable management and the racks are configured with hot and cold zones. Additionally, there are redundant power and CRAC systems, with full monitoring of these services.

9. Are backups of the data performed and where are backup data sets located? What access (local/remote) is provided to backup data sets?
— Backups are performed at the bare-metal level and those backups are stored on site at the secure data center. Access to those backups is restricted to specific system administrators, and direct access is only available over the point-to-point VPN from the FRS offices or from a console at the data center.
– Are the backups encrypted?
— No

10. Is the setup ‘hot’, ‘warm’, or ‘cold’? Is it used in regular operating conditions and/or DR?
— Data is in a live data center, with backups being cold. They are managed using Quest Rapid Recovery (bare-metal backups). Backups are currently done on FRS systems and eClientlink websites and reside exclusively on our secured rack space at the Flexential Data Center.

11. Is there network-layer monitoring (IDS/IPS)?
— Yes

12. Is there critical file monitoring on the servers to detect unauthorized changes to system or application files? 
— Not at this time. Users are granted limited access to systems and only system administrators have the ability to perform this activity. Elevated account activities are logged and monitored for suspicious actions.

13. Is there an in-house or third-party security monitoring 24×7?
— Yes

14. Is there a security incident response plan? 
— Yes

15. Is there a breach notification policy and procedure? 
— Yes, this is included in the CSIRT plan and Security Policy.

16. Is the sensitive customer data allowed on mobile devices, including laptops? If yes, how is this controlled, and are all the mobile devices encrypted? 
— No, all data is retained within the data center environment and is only accessible via locked-down RDP sessions. Reports can be generated containing subject information, but that is redacted by default.

17. Are there any third-party security audits and/or penetration tests done of managed server and corporate environment at least annually? If yes, can we have copies or summaries of the reports? 
— Yes. The data center undergoes SOC audits on a regular basis and is ISO 27001 certified. These reports and the certificate are available upon written request.

18. Are the server and network admin accounts separate from the employee user accounts?
— Yes

19. Are there any location restrictions implemented for admin access (e.g. only from the corporate offices)?
— No

20. For each data center utilized for the systems this client uses or to house this client’s data:
Flexential – South Charlotte Data Center
8910 Lenox Pointe Drive, Suite A
Charlotte, NC 28273

21. Who manages the data center (if an outside company) 
— Flexential

22. Which certifications are maintained for the data center? (e.g. SOC2, ISO 27001, etc.). 
Please list all certifications/audits conducted 

— The data center undergoes SOC 1, SOC 2, and ISO 27001 audits on a regular basis. These reports are available upon written request.

23. Have you suffered any outages in this data center? Please explain circumstances, how clients were impacted, and changes since.
— There was a network outage at the data center in April 2015. The outage was caused by an attack on a specific URL and resulted in several short periods in which access to client data was impacted. No other impact was incurred as a result of the outage. Additional controls have been put in place to mitigate such outages, and there has been no impact from any subsequent efforts by malicious actors to date.

24. Please explain any issues or concerns that your team had about this data center during Hurricane Sandy and/or Hurricane Irene, or other major natural disasters:
— None.

25. Describe exactly what data and information is being stored in support of Background Investigations to include assessment of sensitivity and format of data.

  • Background Screening Vendor contact information
  • Position descriptions
  • Notices and consent forms
  • Subject information (some subset of the following)
      ◦ Name
      ◦ Address
      ◦ DOB
      ◦ SSN
      ◦ Employment History
      ◦ Education History
      ◦ Conviction information (publicly available), including possibly disposition
      ◦ MVR information
      ◦ Drug screening results

26. Describe where the information is stored and how it is protected at rest.
— The live and archive information from the FRS systems is stored in a combination of MS Visual FoxPro and MS SQL databases. Database access is restricted to System Administrators and to access through the application. Users have no browsing capability to the database locations.

27. Is any of the data listed above stored outside of the United States?
— No

28. How is the information protected while in transit?
— Systems are accessed in one of two ways:

  • Through an RDP session into the server, in which the user accesses the data directly on the server, or
  • Through a web interface that uses HTTPS for secure transmission of information. Note: this is only available for lower-level access and provides restricted access to the system. This is implemented with AES-256 encryption.

29. Describe any remote access to information systems where Website data is stored and/or processed.

  • Remote administrative access to the production environment that houses eClientlink website data is only available through the point-to-point VPN.
  • User access is as described above via RDP (role-based and limited access) and the HTTPS portal.

30. Multi-Factor Authentication: 
Describe where and how any instances of multi-factor authentication are in use within the information systems discussed above. 
Is the use of a physical token required for the authentication of all privileged and non-privileged user accounts?

— At this point the only MFA “in use” is that the RDP session login and the application login are different.
It is not truly an MFA model at this point. There are no other MFA solutions in place at this time. We are evaluating the feasibility of employing them in various areas of the organization.

31. How does the organization ensure that all application layer firewalls and IDPS protection services are properly configured and continuously monitored for unauthorized access?
— Security is managed by BAE Systems. We also review the firewall configurations (which are under change control) and IDS rules monthly.

32. Does the organization continuously monitor the information systems for security-relevant artifacts and events? What events are monitored?
— Yes. In addition to continuous perimeter event monitoring, which is provided by BAE Systems, FRS monitors system and application level events. Events monitored include both system level (system, security, IIS, and application logs) and application level artifacts and events.
FRS also has employed an AlienVault system to provide alerts for various higher profile events.

33. Who conducts this monitoring function and how are the results communicated to management?

  • BAE Systems monitors the perimeter events and reports them both by phone call and email to management and support staff.
  • The Client Services team at FRS monitors the other events and provides immediate alerting to management on important events, while remediating lower-level events.

34. Continuous Monitoring: Does the organization maintain a Continuous Monitoring Plan?
At a minimum, the CMP should identify all operational visibility points (i.e. information security monitoring points) and delineate all security-relevant artifacts to be monitored on a continuous basis and after any significant changes. 
This plan should identify and provide timely system health reports in accordance with the following guidelines:

34a. Ongoing Continuously Monitored Events
— On site, managed by FRS
34b. Weekly Monitoring Reports
— Weekly Vulnerability management reports
34c. Monthly Monitoring Reports
— Vulnerability and IDS reports
34d. Other reports greater than Monthly periodicity
— Not at this time.

35. Secure Software, Flaw Remediation and Change Control:

Does the organization implement procedures for hardening / patching / maintenance of all OSs and applications?

Does this Flaw Remediation Plan also cover software that is developed in-house?

Does the organization maintain a change control process for "Security-Significant" configurations?

Does the organization employ a standard secure software development methodology or framework such as BSIMM (Build Security In Maturity Model) or OWASP (Open Web Application Security Project)?
Is software development conducted in a separate environment from production systems?

— FRS has procedures for monitoring, patching, and the maintenance of all systems in their environment.

— Flaw remediation also includes systems supporting MITLL and is managed through the CWO, TESS (bug tracking), and issue management tools.
— FRS records security significant changes into the issue management tool prior to deployment
— Other general patching of systems is tracked by our system administrator outside of any tool at this point
— Software development has historically not been under any framework. All development is performed in adherence to the following steps:

1) Requirements Analysis
2) Design and Specifications
3) Development
4) Code Review (peer)
5) Unit, Regression, and Integration Testing
6) QA
7) Beta Testing / Client Acceptance Testing
8) Documentation / Release Management

The development team has received orientation and is beginning to create processes following the OWASP and BSIMM frameworks and methodologies.
This includes the deployment of strict version control and release management tools, test-based design and development, and automated testing at all levels. The company is currently evaluating penetration testing options.

All development and QA are conducted outside of the production environment.

36. Incident Response, Data Preservation, and Reporting: 
Does the organization maintain a set of procedures that specifically pertain to data breaches, where a “breach” includes the loss of control, compromise, unauthorized acquisition, unauthorized access, or any similar term referring to situations where any unauthorized person has access or potential access to FRS client data, whether in electronic or non-electronic form, for any unauthorized purpose? Does the Incident Response Plan (IRP) contain the following?

36a. Identify steps to be taken in order to mitigate or remedy the breach, including time periods for taking such steps.
— FRS has a CSIRM (Cyber Security Incident Response Manual) that includes procedures related to intrusions, data breaches, the management of the event, communication, and root cause analysis.

36b. What procedures are in place to notify parties of a security incident?
— The CSIRM includes procedures for notifying appropriate personnel in the event of any identified security incident. At this time, the notification would be to our client, who would then engage directly with their clients.

36c. Does the organization provide local operational direction and support for CND within their infrastructure and service offerings? 
— FRS maintains local operational direction and support for the management of security events, with participation of our clients' authorized agents through all stages of any security event.

Information Security Management Plan (ISMP): 
Does the organization maintain an Information Security Management Plan that ensures all security controls associated with the information systems described above are assessed, operationally tested, and implemented on a regular basis?

Please note some of the areas of focus listed below can be straightforward. For example, intrusion detection may be performed through the development of a list of Indicators of Compromise (IOCs) that are maintained within an Intrusion Detection and Prevention System (IDPS). This plan should cover the following areas of focus: 

Application Development and Interface Security – Data Security / Data Integrity
— Data Security Plan, Web Application Policy, Database Credentials Policy, Server Security Policy

Audit Planning / Audit Assurance and Compliance – Change Control and Configuration
— Risk Assessment Policy

Datacenter Security / Asset Physical Security – Encryption and Key Management
— Access Control Policy, Server Security Policy, Remote Access, Remote Access Tools Policy

Business Continuity and Operational Resilience – Human Resources/Personnel Security
— DR Plan, Pandemic Response Policy

Virtualization Security and Hypervisor Hardening – Identity and Access Management
— Acceptable Use Policy, Data Security Policy, Password Protection Policy, Database Credentials Policy, Access Control Policy

Governance and Risk Management Policy – Audit Logging / Intrusion Detection
— Risk Assessment Policy, Logging Policy

Mobile Device Management and Security – OS Hardening and Base Controls
— Workstation Security Policy, Removable Media Policy, Wireless Communication Policy, Acceptable Use Policy

Network Security and Network Segmentation – Threat and Vulnerability Management
— Risk Assessment Policy, Router and Switch Security Policy

Security Incident Management – Vulnerability Scanning
— Risk Assessment Policy, Security Response Plan

Cyber Forensics and Incident Reporting – Penetration Testing
— Risk Assessment Policy, Logging Policy, Security Response Plan, Software Installation, Web Application Security Policy

Information Lifecycle Management (Data Inventory / Information Flows)
— Data Security Policy, Email Retention Policy, Acceptable Use Policy, Employee Internet Use Monitoring and Filtering Policy, Access Control, Password Protection Policy