Third party assessment document

Download Blank Third Party Assessment

Type: Vendor Assessment
| Short Name | Question / Description | Answer / Value |
|---|---|---|
| Name | Enter the name | |
| TPA: Project Name | Whirlpool project name requesting third party or service provider connection | * |
| TPA: Project Owner | Whirlpool project owner requesting third party or service provider connection | * |
| TPA: Business Area | Whirlpool business area or process supported by the third party or service provider | * |
| TPA: Service Provider Name | Service provider company name | * |
| TPA: Service Provider Contact | Service provider or third party contact | * |
| TPA: Target Implementation Date | Target implementation date | * |
| TPA: CISO | Vendor Chief Information Security Officer (CISO) or equivalent | * |
| TPA: User Directory | Choose the user directory used to manage security and provisioning of access on your internal network | * |
| TPA: OS and database | List the operating system and database used to manage Whirlpool data | Select any number *: Mainframe, Unix, AS400, Windows, Oracle, DB2/UDB, MS SQL, Other |
| TPA: Datacenter location | List the location of the datacenter that hosts Whirlpool data | * |
| Short Name | Question / Description | Answer / Value | Comments |
|---|---|---|---|
| WVA: Organizational Security and Privacy 1 | Has a complete and current Information Security policy been established? | Yes * | |
| WVA: Organizational Security and Privacy 2 | Are retention and destruction requirements documented and followed for different classifications of data? | Yes * | |
| WVA: Organizational Security and Privacy 3 | Are documented guidelines followed to review relevant laws and regulations, including but not limited to privacy protection, international privacy law, or data security, and their impact on the organization's IS controls? | Yes * | |
| WVA: Organizational Security and Privacy 4 | Have documented incident management procedures been established to ensure a timely, effective and orderly response to security incidents, including coordination with key partners and customers? | Yes * | |
| WVA: Organizational Security and Privacy 5 | Are documented policies followed for enforcing segregation of duties? | Yes * | |
| WVA: Organizational Security and Privacy 6 | Are audits performed to ensure compliance of systems with organizational security policies and standards? | Yes, external audits are performed on a periodic basis. * | What types of audits are performed? SAS-70, SOX audit |
| WVA: Organizational Security and Privacy 7 | How often are documented audits/reviews performed of the Third Party's security controls for compliance with service and delivery levels in the agreement? | Semi-annually * | |
| WVA: Employment Security 1 | Do employees sign a confidentiality (non-disclosure) agreement as part of the initial terms and conditions of employment? | Yes * | |
| WVA: Employment Security 2 | Are verification (background) investigations conducted on applicants for permanent employment, including third party contractors, vendors, and consultants? | Yes, for all applicants, and required by contract for any third party vendors * | |
| WVA: Employment Security 3 | Are documented guidelines followed for providing security awareness training (SAT) to all personnel? | Yes, training is required at least annually * | |
| WVA: Business Continuity 1 | Are controls in place to ensure that back-ups of business information are completed on a regular basis? | Yes, full back-ups are performed weekly * | |
| WVA: Business Continuity 2 | Are controls in place to ensure that backed-up information, records of the back-up copies, and documented restore procedures are stored in a remote location? | Yes, back-ups are retained off-site at a distance greater than 15 miles * | |
| WVA: Business Continuity 3 | Do policies and procedures exist to ensure that controls applied to media at the main site are extended to the back-up site? | Yes, controls in place are greater than at the main site * | |
| WVA: Physical Security 1 | Have controls been established to ensure that physical access to areas with confidential information and information systems is controlled and restricted to authorized persons only? | Yes, documented approval required, with physical access controlled by an electronic card key * | |
| WVA: Physical Security 2 | Are documented guidelines followed for granting access to visitors? | Yes, sign-in and data center manager approval required * | |
| WVA: Physical Security 3 | How often are reviews of access rights to secure areas conducted? | Access rights are reviewed semi-annually * | When are the audits performed? After every 6 months (December and July) |
| WVA: Physical Security 4 | Are controls in place to address the possibility of damage from fire in secure areas? | Yes, fire detection in place with automated fire suppression system * | |
| WVA: Physical Security 5 | Have controls been established to ensure uninterruptible power supplies (UPS) are in place to protect critical equipment from power failures? | Yes, equipment protected by UPS and generator back-up * | |
| WVA: Software Development 1 | Are documented guidelines followed to separate development, test and production (operational) environments? | Yes * | |
| WVA: Software Development 2 | Are all security requirements identified and justified during the requirements phase of projects? | Yes * | |
| WVA: Software Development 3 | Are formal procedures and management responsibilities defined and documented to require satisfactory control of all changes to equipment, software or procedures, including formal approval, recording, and communication of changes? | Yes * | |
| WVA: Software Development 4 | Do documented guidelines require static code testing, vulnerability scanning, and web application scanning of applications before migration to production? | N/A * | |
| WVA: Software Development 5 | Do technical compliance checks include static code tests, vulnerability scans, and web application scans for existing systems and applications? | Yes, all three types of testing are deployed at every release * | |
| WVA: Software Development 6 | Have controls been established to protect the storing of confidential data on local devices? | Yes, local encryption required * | |
| WVA: Security Operations 1 | How often are security logs reviewed? | Security logs contain user ID, failed log-ins, and other security events and are reviewed weekly * | |
| WVA: Security Operations 2 | Are documented guidelines followed to ensure access controls of mobile devices (laptops, PDAs, etc.)? | Yes, encryption required * | |
| WVA: Security Operations 3 | Have all critical systems with real-time clocks had their time set and synchronized with a common Network Time Protocol (NTP) service? | Yes * | |
| WVA: Security Operations 4 | Are cryptographic systems and techniques used for storage of information that is considered confidential? | Yes, for all confidential data * | |
| WVA: Security Operations 5 | Have controls been established to ensure the handling of compromised keys? | Yes, compromised keys are revoked * | |
| WVA: Security Operations 6 | How often are security or vulnerability patches applied? | Patches are applied more frequently than monthly * | |
| WVA: Security Operations 7 | Have controls been established to ensure installation and regular update of anti-virus software to protect computers on a precautionary or routine basis? | Yes, virus definitions are updated daily * | |
| WVA: Security Operations 8 | Do the media handling procedures ensure the safe and secure storage of media containing confidential information? | Yes * | |
| WVA: Security Operations 9 | Do the media handling procedures ensure the safe and secure disposal of electronic media containing confidential information? | Yes, media is disposed of in a way that renders the data irretrievable * | |
| WVA: Security Operations 10 | Do the media handling procedures ensure the safe and secure disposal of paper documents containing confidential information? | Yes, media is disposed of in a way that renders the document irretrievable * | |
| WVA: Security Operations 11 | Is access to modify job schedules limited to authorized personnel? | Yes * | |
| WVA: Security Operations 12 | Have mechanisms been implemented to protect electronically published information (web sites, FTP, etc.)? | Yes, PGP or other enhanced encryption * | |
| WVA: Security Operations 13 | Have mechanisms been implemented to protect information on media in transit between organizations (e.g. backup tapes)? | Yes, secure package handling controls * | |
| WVA: Security Operations 14 | Are the domains with different security needs separated by secure gateways? | Yes, DMZs exist for internal and external networks * | |
| WVA: Security Operations 15 | Are documented guidelines followed for the secure exchange of confidential information to prevent unauthorized disclosure and misuse? | Yes, documented, and encryption is always required * | |
| WVA: Security Operations 16 | Are documented guidelines followed to safeguard the confidentiality and integrity of data passing over wireless networks? | Yes, WEP encryption * | |
| WVA: Security Operations 17 | Have mechanisms been implemented to protect confidential information contained in electronic mail (e-mail) between organizations? | Yes, SSL/TLS is required * | |
| WVA: Password Controls 1 | Does the authentication method to gain access to the network utilize passwords? | Passwords are used * | |
| WVA: Password Controls 2 | What is the minimum password length available to end-users? | Requires at least 6 characters * | |
| WVA: Password Controls 3 | How often are end-users forced to change their passwords? | Quarterly * | |
| WVA: Password Controls 4 | What are the minimum password complexity requirements being enforced for end-users? | Mixed case alphabetic, numeric, plus special characters * | |
| WVA: Password Controls 5 | Are end-users restricted from using previous passwords (password history)? | No password re-use restrictions * | |
| WVA: Password Controls 6 | Are users forced to change their password during first login? | Users are forced to change passwords on first login * | |
| WVA: Password Controls 7 | Are passwords hidden during authentication? | Password characters are masked * | |
| WVA: Password Controls 8 | Is a complete and current mechanism in place to report and reset lost or compromised passwords? | Secure self-service password reset mechanism * | |
| WVA: Infrastructure Access 1 | When authentication fails, is the user informed of which portion of the authentication process failed? | Message indicates which portion of the authentication process failed * | |
| WVA: Infrastructure Access 2 | Are authentication credentials securely communicated across the network? | Authentication credentials are securely encrypted using industry standards * | |
| WVA: Infrastructure Access 3 | Are accounts locked after several failed login attempts? | Locked after 3 or more failed attempts * | |
| WVA: Infrastructure Access 4 | How long before the system automatically re-enables the account after an account lock-out? | Auto unlock after 30 minutes or more * | |
| WVA: Infrastructure Access 5 | How often are accounts reviewed for deactivation (due to inactivity, termination, etc.)? | Recurring, ≤ 6 months * | |
| WVA: Infrastructure Access 6 | Have control requirements been established for requesting, establishing, and issuing user accounts? | Yes * | |
| WVA: Infrastructure Access 7 | How often is a review of accounts and related privileges conducted? | Accounts with access to confidential data are reviewed ≤ 6 months * | |
| WVA: Infrastructure Access 8 | Are controls in place to ensure all user activities on IT systems are uniquely identifiable? | Yes, all user accounts have unique IDs and are not shared * | |
| WVA: Infrastructure Access 9 | Are access rights immediately adjusted for users who have changed jobs? | Yes, as requested by management * | |
| WVA: Infrastructure Access 10 | Is a documented termination procedure followed which includes the removal of access rights? | Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. * | |
| WVA: Application Password Controls 1 | Does the application that houses Whirlpool information conform to the exact access and password controls for your infrastructure? | Yes * | |
| WVA: Application Password Controls 2 | Does the authentication method to gain access to the application utilize passwords? | Passwords are used * | |
| WVA: Application Password Controls 3 | What is the minimum password length available to end-users? | Requires at least 6 characters * | |
| WVA: Application Password Controls 4 | How often are end-users forced to change their passwords for the application? | Quarterly * | |
| WVA: Application Password Controls 5 | What are the minimum application password complexity requirements being enforced for end-users? | Mixed case alphabetic, numeric, plus special characters * | |
| WVA: Application Password Controls 6 | Are end-users restricted from using previous application passwords (password history)? | No password re-use restrictions * | |
| WVA: Application Password Controls 7 | Are users forced to change their application password during first login? | Users are forced to change passwords on first login * | |
| WVA: Application Password Controls 8 | Are passwords hidden during authentication? | Password characters are masked * | |
| WVA: Application Password Controls 9 | Is a complete and current mechanism in place to report and reset lost or compromised application passwords? | Secure self-service password reset mechanism * | |
| WVA: Application Access Controls 1 | When the application authentication fails, is the user informed of which portion of the authentication process failed? | Message indicates which portion of the authentication process failed * | |
| WVA: Application Access Controls 2 | Are application authentication credentials securely communicated across the network? | Authentication credentials are securely encrypted using industry standards * | |
| WVA: Application Access Controls 3 | Are application accounts locked after several failed login attempts? | Locked after 3 or more failed attempts * | |
| WVA: Application Access Controls 4 | How long before the system automatically re-enables the application account after an account lock-out? | No auto unlock, manual administrator unlock only * | |
| WVA: Application Access Controls 5 | How often are application accounts reviewed for deactivation (due to inactivity, termination, etc.)? | Recurring, ≤ 6 months * | |
| WVA: Application Access Controls 6 | Have application control requirements been established for requesting, establishing, and issuing user accounts? | Yes * | |
| WVA: Application Access Controls 7 | How often is a review of application accounts and related privileges conducted? | Accounts with access to confidential data are reviewed ≤ 6 months * | |
| WVA: Application Access Controls 8 | Are controls in place to ensure all user activities in the application are uniquely identifiable? | Yes, all user accounts have unique IDs and are not shared * | |
| WVA: Application Access Controls 9 | Are application access rights immediately adjusted for users who have changed jobs? | Yes, as requested by management * | |
| WVA: Application Access Controls 10 | Is a documented termination procedure followed which includes the removal of application access rights? | Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. * | |
| WVA: Vendor Portal Access and Password Control 1 | Do you provide access to a web based portal? | Yes * | |
| WVA: Vendor Portal Access and Password Control 2 | Do the web portal access and password controls conform to either the infrastructure or application password and access controls? | Yes * | Does it conform with Infrastructure or Application password controls? Yes |
| WVA: Vendor Portal Access and Password Control 3 | Does the authentication method to gain access to the portal utilize passwords? | Passwords are used * | |
| WVA: Vendor Portal Access and Password Control 4 | What is the minimum password length available to end-users? | Requires at least 6 characters * | |
| WVA: Vendor Portal Access and Password Control 5 | How often are end-users forced to change their passwords for the portal? | Quarterly * | |
| WVA: Vendor Portal Access and Password Control 6 | What are the minimum portal password complexity requirements being enforced for end-users? | Mixed case alphabetic, numeric, plus special characters * | |
| WVA: Vendor Portal Access and Password Control 7 | Are end-users restricted from using previous portal passwords (password history)? | No password re-use restrictions * | |
| WVA: Vendor Portal Access and Password Control 8 | Are users forced to change their portal password during first login? | Users are forced to change passwords on first login * | |
| WVA: Vendor Portal Access and Password Control 9 | Are passwords hidden during authentication? | Password characters are masked * | |
| WVA: Vendor Portal Access and Password Control 10 | Is a complete and current mechanism in place to report and reset lost or compromised portal passwords? | Secure self-service password reset mechanism * | |
| WVA: Vendor Portal Access and Password Control 11 | When the portal authentication fails, is the user informed of which portion of the authentication process failed? | Message indicates which portion of the authentication process failed * | |
| WVA: Vendor Portal Access and Password Control 12 | Are portal authentication credentials securely communicated across the network? | Authentication credentials are securely encrypted using industry standards * | |
| WVA: Vendor Portal Access and Password Control 13 | Are portal accounts locked after several failed login attempts? | Locked after 3 or more failed attempts * | |
| WVA: Vendor Portal Access and Password Control 14 | How long before the system automatically re-enables the portal account after an account lock-out? | Auto unlock after 30 minutes or more * | |
| WVA: Vendor Portal Access and Password Control 15 | How often are portal accounts reviewed for deactivation (due to inactivity, termination, etc.)? | Recurring, ≤ 6 months * | |
| WVA: Vendor Portal Access and Password Control 16 | Have portal control requirements been established for requesting, establishing, and issuing user accounts? | Yes * | |
| WVA: Vendor Portal Access and Password Control 17 | How often is a review of portal accounts and related privileges conducted? | Accounts with access to confidential data are reviewed ≤ 6 months * | |
| WVA: Vendor Portal Access and Password Control 18 | Are controls in place to ensure all user activities in the portal are uniquely identifiable? | Yes, all user accounts have unique IDs and are not shared * | |
| WVA: Vendor Portal Access and Password Control 19 | Are portal access rights immediately adjusted for users who have changed jobs? | Yes, as requested by management * | |
| WVA: Vendor Portal Access and Password Control 20 | Is a documented termination procedure followed which includes the removal of portal access rights? | Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. * | |
| Short Name | Question / Description | Answer / Value |
|---|---|---|
| Vendor Access to Whirlpool Data Types | What type of Whirlpool data does the vendor have access to? | Select at least 1 * (see checklist below) |
| Vendor Access to Whirlpool Data | What type of access does the vendor have to Whirlpool data? | Select at least 1 * (see checklist below) |

Vendor Access to Whirlpool Data Types (X marks the selected item):

- [ ] Employee Compensation
- [ ] Country Specific Personal ID (e.g. social security number [US], social insurance number [Canada])
- [ ] Employee Health Information
- [ ] Employee Criminal Information
- [ ] Employee Contact Information
- [ ] Employee Benefits Information
- [ ] Employee Performance/Talent Ratings
- [ ] Employee Emergency Contact Information
- [ ] Employee Demographic Information
- [ ] Credit Card Information
- [X] Consumer Contact Information
- [ ] Customer Service Center Call History
- [ ] Prospective Customer Information
- [ ] Consumer Demographic Information
- [ ] Pre-release Financial Information
- [ ] Business Development Information
- [ ] Board and Executive Committee Materials
- [ ] Restructuring Information
- [ ] Corporate Strategy
- [ ] Regional Trade Sensitive Information
- [ ] Aggregate Corporate Forecast and Planning Information
- [ ] Historical Earnings Information
- [ ] Capital Plan and Spend Information
- [ ] Treasury Information
- [ ] Tax Information
- [ ] Internal Audit Information
- [ ] Supply Chain Cost Information
- [ ] IS Security Incident Information
- [ ] IS Vulnerability Information
- [ ] Application Code and Documentation
- [ ] System Performance Information
- [ ] Detailed System Information

Vendor Access to Whirlpool Data (X marks the selected item):

- [X] Systemic
- [ ] Ad hoc or Limited
- [ ] Read Only Access
Whirlpool Corporation | Page 1 of 1 | Confidential
Drop-down answer options carried over from the form:

- No, back-up copies are stored onsite
- Yes, DMZs exist for internal and external networks
- Users are not forced to change passwords on first login
- Users are forced to change passwords on first login
- Manual reset password process via Helpdesk with no user identification mechanism
- Manual reset password process via Helpdesk with a mechanism to positively ID user
- Ad hoc reviews and updates
- Accounts are reviewed on an ad hoc basis