
Confidential

The World Bank Group


Information Security Compliance Questionnaire
for External Service Providers

1. The following questions must be answered satisfactorily by the Prospective Service Provider prior to
signing a contract for external service provision. Satisfactory answers are those that comply with the
Bank Group’s Information Security Policies.

2. The sponsoring Business Unit Manager is responsible for ensuring that this questionnaire is
completed and verified. The Office of Information Security will provide advice as requested by the
Business Unit Manager.

Serial # | Question | Yes | No | Comments
1. | Do you have documented information security policies and procedures? If yes, what national or international standards are they based on? | | |
2. | Have you been assessed under SAS 70 (Type 1 or 2) or otherwise been independently audited? Please provide details. | | |
3. | Do you conduct thorough security background checks including but not limited to personal reference checks, employment record verification, and criminal background checks for your employees? | | |
4. | Do you have documented Business Continuity Plans? Please provide details on the plan and your backup processes. | | |
5. | If yes to above, are your Business Continuity Plans based on any national or international standards? Please provide details of the standard. | | |
6. | Do you agree to return all World Bank Group information in your possession upon termination of the contract? | | |
7. | Do you have documented change management procedures? | | |
8. | Do you have documented configuration management procedures? | | |

Information Security Compliance Questionnaire 1 8 December 2010


Serial # | Question | Yes | No | Comments
9. | Do you employ user access management tools? Please provide details. | | |
10. | Do you use malicious code and/or virus protection systems? Please provide details. | | | Kaspersky
11. | Do you have documented patch management procedures? Please provide details. | | |
12. | Do you have systems to monitor the availability, usage and response time for applications? | | |
13. | Do you employ filtering technologies to isolate each customer’s network connectivity from others? | | |
14. | Do you employ physical access controls for your data center? Please provide details. | | | Username and password
15. | Do you use environmental protection controls and infrastructure to adequately protect systems holding Bank data? Please provide details. | | | by Backup
16. | Will you collect, maintain and make available to the World Bank relevant security and access logs including server and security device logs (firewall/WAF)? | | | Firewall
17. | In order to assess the security of World Bank websites, we plan to perform vulnerability scanning at the application and infrastructure layer using automated tools before the site goes live and regularly after the site is in production. Do we have your permission to perform these scans? If not, please provide a reason. | | |
18. | Are there any specific days of the week and times of the day that we should NOT scan? If so, please list those days and times in the comments. | | | the web portal has a 24 * 7 availability

I, the undersigned, certify that I am a duly authorized officer or representative of ____________________________ (Company Name), and that all of the answers and statements made on this form are true and complete in every respect to the best of my knowledge and belief.


________________________________________ _______________________________
Signature of Authorized Officer Title

________________________________________ _______________________________
Printed Name Date
