Uploaded by David Spitzer

Third-party audit question pool

1. Risk identification
   1. What services will you provide to Amwins?
   2. Do you collect, store, or transmit personally identifiable information (PII) or Protected Health Information (PHI)?
      1. Where do you store PII or PHI, and on what type of devices?
   3. Who provides IT support for your systems and organization?
      1. Internal
      2. External
         1. (If external) Are any external IT support functions fully vetted to comply with minimal security and compliance requirements?
2. Technical controls
   1. Summary of anti-virus and anti-spam protections for the network, servers, and
   2. Provide details of any policies governing the management of passwords, including password length, format, expiry, use of unique user IDs, user lockout, and multifactor authentication.
3. Process controls
   1. Do you have a documented Business Continuity Plan?
      1. How often is it updated?
      2. How often is it tested?
   2. Do you have a Disaster Recovery Plan?
      1. How often is it updated?
      2. How often is it tested?
   3. Please provide details of any IT security vulnerability testing undertaken (including frequency), e.g., penetration testing.
   4. How often are system back-ups performed?
   5. If required, can you assist us with eDiscovery and forensics in the case of a security event that involves our data?
   6. Has the company ever undergone a security audit of its control environment in line with recognized auditing guidelines (e.g., ISO 27001, SSAE 16, SOC) conducted by an independent third party?
4. User training and access
   1. Do you perform security training for your employees?
      1. If yes, what kind and how frequently?
5. Industry questions
   1. Has the company been subject to any enforcement actions, investigations, or litigation related to privacy or information security over the past 5 years?