Audit Questionnaire

General Level

This document is MasterBase®'s effort to report on specific security matters. We have chosen the questionnaire format because it is the one most useful in our clients' audits.

The document version is 201908.1.

For maximum clarity, the following concepts are defined, to which reference will be made in the questionnaire:

  • Supplier: the MasterBase® company.
  • Client: the company that has contracted a service provided by MasterBase®.
  • Third party: a company that provides services related to MasterBase®.
| Id | Topic |
|---|---|
| 1 | Policies and Standards |
| 2 | Authentication, Authorization, and Access (Vendor Personnel) |
| 3 | Authentication, Authorization, and Access to the Service (Customer Users) |
| 4 | Confidentiality and Integrity |
| 5 | Incident Detection and Response |
| 6 | Personnel Security |
| 7 | Awareness and Training |
| 8 | Firewalls and Intrusion Detection Systems |
| 9 | System Development and Maintenance |
| 10 | Operational Risk |
| 11 | Physical Security |
| 12 | Business Continuity |
| 13 | Suppliers |
| 14 | Compliance / Laws and Regulations |
| 15 | Transporting Electronic Media |
| 16 | Transporting Valued/Confidential Documents |
| 17 | Internet Web Hosting |
| 18 | Accounting Financial Control Management |
| 19 | Operations and Communications Management |
| 20 | Regarding Services |
| Topic Id | Question | Answer | Comment |
|---|---|---|---|
| 1 | Has the provider created an information security policy that is reviewed periodically? | YES | |
| 2 | Are manufacturers' default accounts deleted or deactivated, or their initial passwords changed, on systems and/or devices before they are put into production? | YES | |
| 2 | Is authentication required for systems that store, process, or transport customer data? | YES | |
| 2 | Are there security rules for building passwords for vendor systems and applications? | YES | |
| 2 | Are vendor employees required to periodically change their passwords? | YES | For the critical tasks defined |
| 2 | Is a procedure in place for managing provider access profiles? | YES | |
| 2 | Is there a formal and documented procedure for granting/deleting/modifying logical access to provider systems and applications that contain or process customer information? | YES | |
| 3 | Do users have unique identifiers for application access? | YES | |
| 3 | Are new users given a randomly generated initial password? | YES | |
| 3 | Are new users forced to change their password after the first access? | YES | |
| 3 | Is resetting user passwords restricted to authorized persons and/or an automatic tool? | YES | The service offers it automatically |
| 3 | Is there a user management procedure that ensures that access is granted according to roles, functionalities and minimum privileges? | YES | The service offers the customer all the granularity it req |
| 3 | Are there security rules for building passwords to access services? | YES | |
| 4 | Are there confidentiality agreements signed between the supplier and the customer? | YES | |
| 4 | Has the provider taken measures that reasonably ensure the privacy of the information it receives from its customers and service users, in accordance with the current regulations on the matter? | YES | |
| 4 | Does the provider have an information classification scheme (Restricted/Confidential/Internal/Public) or similar? | YES | |
| 4 | Are return/regression mechanisms provided for the service and data in case of contract termination? | N/A | Your data is under customer management |
| 4 | Does the supplier have procedures for disposing of, removing, and reusing backup equipment and media, so that any device or storage medium that is decommissioned, discarded or auctioned does not contain customer information, nor can the information be recovered by third parties? | YES | |
| 4 | Does the provider encrypt all the electronic information of the customer that it transmits or transports? Describe the encryption used, or the controls that replace it if encryption is not used. | YES | HTTPS protocol |
| 4 | Is there a procedure for releasing patches and updates for vendor systems and applications? | YES | |
| 5 | Do you have a formalized security incident management policy (including a documented plan for identification, response, escalation, and resolution)? | YES | |
| 5 | Is the documentation relating to incidents and their solutions recorded and stored? | YES | |
| 5 | Are responsibilities for reviewing and monitoring security incidents clearly identified? | YES | |
| 5 | Has the provider established a formal procedure for handling security incidents, which also considers resolution plans according to the criticality of the event/problem detected? | YES | |
| 6 | Does the supplier have policies, rules and/or procedures for staff selection? | YES | |
| 6 | Have the provider's roles and responsibilities in information security been clearly defined? | YES | |
| 7 | Does staff regularly receive appropriate training and updates on Information Security policies? | YES | |
| 8 | Has the provider protected its internal networks from external connections through firewalls? | YES | |
| 8 | Are there measures to ensure the level of service against denial-of-service (DoS/DDoS) attacks? | YES | |
| 9 | Are developers restricted from accessing the production environment? | YES | |
| 9 | If the provider develops systems or applications that are used to deliver the customer service: is there a methodology for development and testing (Quality Assurance), e.g. authorization for the step to production, etc.? | YES | |
| 9 | Is the use of a database containing customer information for development or testing prohibited within the provider organization? | YES | |
| 10 | Does the supplier have internal and/or external fraud prevention controls to avoid possible economic damage to the customer? | YES | |
| 10 | Can the provider conduct fraud investigations, either internal or external, to support customer investigations? | YES | |
| 11 | Does the supplier have formal physical security control procedures for its facilities? | YES | |
| 11 | Does the provider have formal physical security control procedures for its Datacenter(s)? | YES | |
| 11 | Does the supplier maintain physical controls for its Datacenter(s) and environmental controls according to equipment specifications (e.g. humidity, temperature, electrical, etc.)? | YES | |
| 11 | Does the provider keep a record of entries to its Datacenter(s)? | YES | |
| 11 | Does the provider have controls to prevent asset loss, damage or theft, including protecting equipment from physical and environmental threats? | YES | |
| 11 | Does the provider have internal/external CCTV with an image storage system at its Datacenter(s)? | YES | |
| 11 | Are the provider's facilities protected by intruder detection alarms? | YES | |
| 12 | Does the vendor have a formal business continuity policy, model and management implemented and updated? | YES | Partially |
| 12 | Have you experienced any security incidents that required the activation of the Disaster Recovery Plan in the last 3 years? | NO | |
| 12 | Is there an annual Disaster Recovery test schedule? | NO | Developing |
| 12 | Does the vendor's Business Continuity Plan include all the core processes that support customer processing? | YES | |
| 13 | Does the supplier have controls that ensure that contracts with its suppliers include confidentiality, auditability, business continuity, service levels, fines, and other industry compliance clauses? | YES | |
| 14 | Is the supplier governed by regulatory or supervisory bodies in the field of compliance (e.g. SOX, OSFI, etc.)? | NO | We are governed by best practices in terms of personal |
| 14 | Does the company have a defined Information Security area? | YES | |
| 15 | Does the provider have a procedure for the transportation of electronic media (tapes, CDs, DVDs, etc.) that contain customer information? | N/A | No customer information is transported |
| 16 | Does the supplier have a procedure for the transportation of customer-rated or confidential documents? | N/A | No customer information is transported |
| 17 | Does the provider have procedures for identifying and resolving network environment failures (routers, switches, firewalls, DNS, servers, etc.)? | YES | |
| 17 | For its web hosting applications and Internet infrastructure, does the provider perform quality assurance before going into production? | YES | |
| 19 | Does the provider have documented procedures for the use of specific platforms that have an impact on the services provided to the customer? | YES | |
| 19 | Are the supplier's sub-contractors aligned on security issues and according to its standards? | YES | |
| 19 | Has the provider established a policy for the proper use of equipment, including e-mail? | YES | |
| 19 | Does the vendor have an antivirus system with centralized management and the latest signatures? | YES | By definition, central administration is not used |
| 20 | Are the systems where customer data is processed or stored monitored to ensure service availability? | YES | |
| 20 | Does the service require a connection to customer infrastructure? | NO | |
