SaaS Implementation - Important Security Questions


Are your data centers and security infrastructure owned or maintained by you or by a third party?

What End-Of-Life protocols do you follow for hardware and software disposal?

Do you subscribe to third-party audits of the security controls implemented on your infrastructure? Can you share those reports with us?

Can you share the Standard Operating Procedures or procedure manuals you have in place for security and related events?

How do you secure data at rest and in motion? What levels of security apply to the various environments, such as Sandbox, Test and Production?

How is data secured between tenants on a single pod / data center server? How are web services and flat files secured within and between clients?

Can you briefly describe how and when you generate, encrypt and retrieve backups? What procedures do you follow for safeguarding media containing backed-up data?

What protocols do you have in place for data access by personnel at your end? How do you determine (need-to-know, vetting, controls, etc.) who should have access to the data?

What cryptographic protocols do you use? Are they widely known in the industry and still unbroken?

What are the different channels (onsite, offsite, mobile, third party) of access to your data centers? Please describe the security controls imposed on those channels.

How do you keep the security controls (automatic, manual) of your infrastructure up to date? How often do you perform security-related patching, upgrades, etc.?

How do you keep abreast of the latest security mechanisms and threats, and how do you use that information to fashion a response?

Do you have real-time security event monitoring in place? What protocols (people informed, information shared) are associated with the detection of an event, whether ongoing or after the fact?

Can you provide activity and audit logs on demand (email, ticket), or preferably through the SaaS portal itself?

What methods of integration with Single Sign-On do you support? If the system is not SSO-enabled, how are login credentials managed?

How do you help users reset their own passwords: password challenges, user-defined questions, secure URLs, text messages, or combinations of these?

How widely is the ERD and schema-related information available? Do you share it with your customers if it is not otherwise available?

How do you integrate and / or interact with email servers (Microsoft Exchange) and / or email clients (Microsoft Outlook, Outlook Webmail)?

If your system has an email client add-in / plug-in, does it enforce the same level of security as your other components? How can we ascertain that it does what we intended it to do (i.e., that it is not eavesdropping)?

How are business-process-specific intrinsic security needs handled by the system, such as for email requesting feedback or information on a PIP?

Can your system securely segregate data according to site / group / department / hierarchy / authorization so that visibility is strictly limited based on policies, protocols and authorizations (unless delegated)?

How does your system strike a balance between SSO (if available) and login security?
