INFORMATION SECURITY QUESTIONNAIRE – Onsite Hosted Solution

The University of Toledo Information Security Questionnaire "Onsite Hosted Solution"

Please also attach any flow diagrams, configurations, documentation, and certifications when returning this completed form.

Information Security Questionnaire – The University of Toledo Page 1 of 10 Version 1.0

A. General Information: Vendor Demographics and Product Information

1. Business Name and Address:

2. Name and Contact Info of Vendor Representative completing questionnaire:
   - Name:
   - Phone Number:
   - Email:

3. Date Completed: mm/dd/yyyy

4. URL of vendor website(s) that UT will access: www.webaddress.com

5. What is the name and version of the application/system being assessed?
   - Application Name:
   - Version Number:

6. On which hardware platform(s) and operating system(s) will this application/system reside?
   [ ] Windows, Version:
   [ ] Linux, Version:
   [ ] UNIX, Version:
   [ ] Apple, Version:
   [ ] iOS, Version:
   [ ] Other, Name:            Version:
   Optional Comments:

7. Does this application/system store and/or transmit any sensitive data? (ePHI, FERPA, financial transactions, etc.)
   [ ] Yes, stores confidential data
   [ ] Yes, transmits confidential data
   [ ] No confidential data is stored or transmitted
   Data Type:
   [ ] Patient data
   [ ] Personal Identifiable / Employee data
   [ ] Confidential business (planning, financial, etc.) data
   [ ] Credit Card (CHD), Merchant ID (MID), CVV2 or CVC2
   Optional Comments:

8. Have other UT locations deployed this application/system yet? [ ] Yes [ ] No
   If Yes, list locations:

9. Will this application/system, if purchased by UT, be supported by a UT Health analyst or by the vendor after implementation?
   [ ] This application/system will be supported by [Organization] after implementation
   [ ] This application/system will be supported by the vendor after implementation
   [ ] By both, but there will be a separation of duties. Explain:

10. Is this an FDA regulated system (if applicable)?
   [ ] This is not an FDA regulated system
   [ ] This is an FDA regulated system
   - If yes, when can you supply us a copy of the MDS2 form?

B. Onsite Resources

1. What type of UT Hosted resources will you need, and what is their purpose? (Servers, VPN, Mirth, etc.):

2. What are the requirements for the UT Hosted resources? (Server specs, etc.)

3. What access to these resources will the vendor need? (VPN, Site to Site, Dedicated Line?)

4. Are there any limitations to regularly installing the latest OS and application service packs/security patches for this system? [ ] Yes [ ] No
   If Yes, please explain:

5. Many server manufacturers (Dell, HP, IBM, etc.) provide server management software (Dell OpenManage, HP ProLiant Essentials, etc.) that is used to manage the server itself. Can we use the latest version of these tools with your system?
   [ ] Yes
   [ ] No, that will be a problem. Please explain:

6. Are there any limitations to performing hardening of the system?
   a. Turning off unused services                 [ ] Yes [ ] No
   b. Enabling host firewalls                      [ ] Yes [ ] No
   c. Disabling default accounts                   [ ] Yes [ ] No
   d. Adjusting default permissions                [ ] Yes [ ] No
   e. Changing default vendor account passwords    [ ] Yes [ ] No
   If Yes, please explain:

7. Who will be managing the OS level patching? [ ] University of Toledo [ ] Vendor
   Continue if being patched by Vendor:
   a. What is the patching frequency you will set up for this system?
      [ ] Monthly [ ] Quarterly [ ] Biannually [ ] Annually [ ] Other | Please explain:
   b. Do you apply critical "out-of-band" security updates? If so, please describe. [ ] Yes [ ] No
      Comments:
   c. Will the vendor provide a monthly list of patches that have been applied to the system? [ ] Yes [ ] No
      Comments:

C. Antivirus Protection / Workstation

1. UT Anti-virus/Anti-Malware (AV) is to be installed on all PCs and servers. Will this be a problem? [ ] Yes [ ] No
   If Yes, please explain:

2. Does your application/system require any special configuration or file exclusions for AV? If yes, UT will need a comprehensive list of the exclusions and documentation demonstrating justification for the exclusions (i.e. real-time scanning, file or folder exclusions). [ ] Yes [ ] No
   [ ] The list of AV exclusions has been provided.
   List of exclusions if not provided:

3. Please answer the following if AV exclusions are necessary:
   a. Are these exclusions for "real-time" scanning only? [ ] Yes [ ] No
   b. If "real-time" is excluded, can [Organization] still plan to do weekly scheduled full scans? [ ] Yes [ ] No
   c. Are these exclusions expected indefinitely? [ ] Permanent [ ] Temporary, until:
   d. Do your developers have plans to work on a future version that allows AV to work on the system without exclusions? [ ] Yes [ ] No
   e. If the problems that AV causes are related to performance issues (as opposed to causing data corruption), is it permissible to turn on "real-time" scanning on a temporary basis in order to assist in resolving malware incidents? [ ] Yes [ ] No

4. Who will manage AV on this system? [ ] University of Toledo [ ] Vendor
   a. If managed by the vendor, can you provide monthly reports that show infections, that the AV / malware database is current, and that AV is working? [ ] Yes [ ] No

5. UT Health deploys Microsoft System Center protection on all endpoints. Has this application been tested with SCEP? [ ] Yes [ ] No
   Optional Comments:

6. Will an application/add-on need to be installed on the workstations? [ ] Yes [ ] No
   a. If Yes, what are the supported operating systems / system specs?
   b. Does your program require clients to use a web browser? [ ] Yes [ ] No
      If Yes, list the supported browsers and versions:
   c. Will it require any additional 3rd party software? (Flash, Java, Adobe Reader) [ ] Yes [ ] No
      If Yes, please list the required 3rd party software and the most recent supported versions:
   d. Will you notify us if a recent update to a 3rd party software has known issues? [ ] Yes [ ] No

7. Are there any known issues with the workstations using encryption on them? We currently run McAfee, WinMagic and BitLocker. [ ] Yes [ ] No

D. Network Services

1. What network services are required to support this application? (e.g., SMTP, FTP, HTTP, file sharing, SNMP, etc.) PLEASE INCLUDE DATA FLOW DIAGRAMS. LIST ALL TCP, UDP AND ICMP PORTS NEEDED AND EXPLAIN THEIR PURPOSE.
   Please list all:

2. If unsecure services are used (HTTP, FTP, Telnet, SNMP v1&2, etc.), can the secure alternatives be used instead (HTTPS, SFTP, SSH, SNMP v3, etc.)? [ ] Yes [ ] No
   Comments:

3. If the more secure alternatives cannot be used at this time, are there any actual plans to move to the more secure alternatives in the near future? [ ] Yes [ ] No
   If Yes, please give an expected timeframe:

4. Are network shares required? [ ] Yes [ ] No
   If Yes, please provide share details including the file and folder permissions needed:

5. What directory services does the application require? (e.g., DNS, LDAP, etc.) List all that apply:

6. Is transmission of data between endpoints encrypted? [ ] Yes [ ] No
   If Yes, please describe the algorithms and key strengths your solution is capable of supporting:

7. If data transmission is not encrypted, can a third-party encryption solution be used to provide this layer of security? [ ] Yes [ ] No

8. UT currently uses a network load balancer called F5. Will this be utilized in any way for your application? [ ] Yes [ ] No

9. Will your application require any ports open in our outside firewall? Please list all ports and their purpose:

E. Authentication and Access Control

1. Does the application / system use hard coded passwords? [ ] Yes [ ] No
   a. If yes, are the passwords encrypted when transmitted? [ ] Yes [ ] No

2. Will there be any problems with changing ANY default or factory set passwords/passcodes?
   [ ] Yes, we have passwords/passcodes that are hard-coded
   [ ] No, all passwords/passcodes may be changed

3. How will user authentication take place for this system?
   [ ] You may use University of Toledo Active Directory to manage user authentication and authorization
   [ ] This system has its own authentication and authorization mechanism

4. If this system utilizes its own user authentication process, please describe that process and how it works:

5. If this system utilizes its own user authentication process, do controls exist to enforce secure password policies? Please check all that apply:
   [ ] Minimum Length [ ] Password Complexity [ ] Expiration [ ] Password History

6. Which methods are used to authenticate users to this application? Please check all that apply:
   [ ] Unique User ID [ ] Password [ ] Challenge Questions [ ] Hardware Token [ ] Software Token [ ] None at all [ ] Other | List others:

7. Who will be responsible for creating and managing user accounts? [ ] UT [ ] Vendor

8. If this system utilizes its own user authentication process, please describe the process by which an account can be suspended or revoked if needed.

9. For the authorization aspect of this system, please list the various account types native to this system and what their capabilities are (e.g., admin, user, super user, etc.):

10. Does this application allow role based access? [ ] Yes [ ] No
   If Yes, please provide documentation on each role and its rights, or list below:

F. Data Security

1. Does your solution provide any validation techniques to ensure integrity when processing/storing data into the system? [ ] Yes [ ] No
   Please describe if applicable:

2. Do any mechanisms exist to ensure the integrity of historically stored data? [ ] Yes [ ] No
   Please describe if applicable:

3. Is disk or file/folder encryption natively used within your system for stored data? [ ] Yes [ ] No
   If yes, please describe which algorithms and key strengths the system is capable of:

4. If sensitive data is stored within this application/system, has the application been audited for compliance with federal or industry regulations and standards (HIPAA, PCI, etc.)? [ ] Yes [ ] No
   IF YES – FILL OUT PCI AND CONTROL ADDENDUM

G. System Logging

1. What activity can be audited through the system logs? (Check all that apply)
   [ ] Date and time of login
   [ ] Date and time of logout
   [ ] User account that logged on
   [ ] Specific activities performed by users (Reading, Modifying, Deleting)
   [ ] Other (please describe)

2. Which data types are stored in the system logs?
   [ ] Patient data
   [ ] Personal Identifiable / Employee data
   [ ] Credit Card (CHD), Merchant ID (MID), CVV2 or CVC2 data
   [ ] Confidential business (planning, financial, etc.) data

3. Are sensitive data stored in the log files? (e.g., passwords, SSNs, etc.) [ ] Yes [ ] No

4. Does the application/system have the capability of utilizing a centralized logging mechanism? [ ] Yes [ ] No

5. Are the log files archived for protection and future needs? [ ] Yes [ ] No

6. Is encryption used to protect the confidentiality and integrity of the stored logs? If yes, what algorithms and key strengths?
   [ ] Yes, and the algorithms and key strengths are:
   [ ] No

7. Can UT access the user activity / audit logs without vendor intervention? [ ] Yes [ ] No
   If Yes, please explain the process:

H. Webpage Security (Skip if application has no website functionality)

1. Does your system utilize webpage based access for users or administrators as opposed to installing specialized client software for access?
   [ ] Yes
   [ ] No, client software must be installed. Webpages are not used in this system.
   If No, skip the remaining questions in this section.

2. If a web server is part of this system setup, which web server(s) are used? [ ] Apache [ ] IIS [ ] Other | Specify:

3. Will the latest version of this web server be used?
   [ ] Yes, the latest will be used
   [ ] No, the version we use is:

4. Which web protocol will be used with this system?
   [ ] HTTP [ ] HTTPS [ ] Both, depending on what part of the site is accessed

5. Can the HTTP settings be set to redirect all traffic from port 80 to port 443 and use HTTPS exclusively? [ ] Yes [ ] No

6. What version(s) of SSL/TLS does this web server/application support? Select all that apply:
   [ ] None [ ] SSL v1 [ ] SSL v2 [ ] SSL v3 [ ] TLS v1 [ ] TLS v1.1 and above

7. Can earlier versions of SSL that have been identified as vulnerable be disabled? [ ] Yes [ ] No

8. Will the webpage of this system be available through the Internet, or is this an internal use only system?
   [ ] Internal only
   [ ] This system will have an Internet facing presence

I. Compliance and Privacy

1. Are you willing to sign a BAA with our language? [ ] Yes [ ] No
   Comments:

2. Do you use depersonalized data from our users? [ ] Yes [ ] No
   a. If Yes, can you please share for what purpose and how this is done.

3. Our policy mandates that once the system is built and configured, a vulnerability scan will be performed against each server in the implementation. We will need the vendor team available to assist in addressing the results of this scan as quickly as possible. Will this be a problem? [ ] Yes [ ] No
   Comments:

J. End of Life

1. Is there an end of life for this current version? [ ] Yes [ ] No
   a. If so, when is it predicted? Date or time frame:
   b. Is there a known cost for upgrades? [ ] Yes [ ] No
      Comments: