Vendor / Partner Security Self Rate Check Sheet

Security Controls

Columns for each control:
  - Enterprise Operations Rating
  - Production Operations Rating
  - Implementation Details from Company Security/Management Representative

Rating drop-down selections (used for both rating columns): Not Applicable / Unknown Usage / Some Usage / Extensive Usage / Not in Use

Note: Choose from the drop-down selections for the two rating columns. In the Implementation Details column, please elaborate on details around use and implementation specific to each line item.

1. Security Operations Are Owned/Managed by a Dedicated Security Manager/Executive
2. Network Perimeter Ingress & Egress Control of Ports & Services
3. Measures to Combat Denial of Service Attacks On Perimeter Services
4. Periodic Review/Audit of Firewall Rule Sets
5. Dedicated Security Patching Operations For Servers and DBMS
6. Dedicated Security Patching Operations For Layer 2 and 3 Network Devices
7. Two-Factor Authentication used for Any Remote Administration Allowed
8. TACACS+/Radius Authentication/Authorization For Admin of Layer 2/3 Network Devices
9. Logging and Periodic Audit of All Remote Access
10. Centralized Jump Servers or Security Gateways for ALL System Administration Access
11. Periodic Vulnerability Scanning/Assessment of ALL Servers
12. Periodic Vulnerability Scanning/Assessment of ALL Layer 2/3 Devices
13. Periodic Host Security Configuration Assessment of Servers & Layer 2/3 Devices
14. Periodic Internal & External Perimeter Penetration Testing of Systems and Services
15. Periodic Security Reviews/Assessments Performed by Independent Party
16. Security Reviews Conducted/Overseen by Dedicated Internal Security Org
17. IT Operations Are Periodically Reviewed by an Internal Audit Org
18. Network-Based Intrusion or Anomaly Detection/Prevention Systems
19. Network Level Content Control Systems (spam, virus, malware, etc.)
20. Incident Response Process & Procedures Established & Periodically Reviewed
21. Systems & Services are Logically Compartmentalized/Segregated in the Network
Copyright 2010 Mike Horton - All Rights reserved - Creative Commons BY-NC 3.0

22. External Web, Application, and Database Services Run on Separate Systems
23. Server Security Baseline Configuration Sets Are Used & Maintained
24. Layer 2/3 Device Security Baseline Configuration Sets Are Used & Maintained
25. Host-Based IDS/IPS or OS Integrity Checking Tools
26. Dedicated Change and Configuration Management Systems and Operations
27. System Physical Backup Media is Handled According to Documented Security Procedures
28. Firewall & Router Configurations Under Change/Configuration Management
29. Communications Encryption for All Systems Administration/Management
30. Periodic Review/Audit of Server & Network Device Accounts & Privilege Levels
31. Strict Two-Factor Authentication For All Physical Access to Network Operations Facilities
32. Testing and Monitoring for Unauthorized Wireless Access Points
33. Secondary, Centralized Logging of Real-time or Near Real-time System Event Logging
34. Subsidiary or Offshore Vendor Operations Adhere to Corporate Security Standards
35. All Partner Network Connections Are Logically Segregated In/From Production
36. Web Application Layer Security Tools For External Facing Services
37. Secure SDLC Practices Systematically Utilized for Production Applications/Services

Vendor / Partner Secure SDLC Processes Questionnaire


1. To what extent has a formalized, secure software development lifecycle process been implemented for your product development cycles?

2. To what extent is a threat modeling process conducted as part of the SDL on new or modified software code and/or hardware components created for customer use?

3. Which static code analysis tools are utilized, and to what extent, for security in the development cycle for customer or production oriented software code?

4. To what extent is any manual secure code review conducted, and on what basis, on customer or production oriented software code by either internal members or external parties?

5. If static, dynamic, or manual secure code analysis is being conducted on customer or production oriented software code, to what extent is the effort performed in conjunction with formalized threat modeling of design architecture?

6. To what extent have developers working on customer or production oriented software code received formalized training on secure coding practices?

7. To what extent are any open source code and third party modules utilized in customer products or production services reviewed with static, dynamic, or manual secure code analysis tools and techniques for security purposes?

8. To what extent and when is any penetration/vulnerability testing conducted on pre-release products/services by internal staff or external parties as part of an established process?

9. To what extent is there a visible communication channel for outside researchers and customers/consumers to submit product/service security vulnerability specific issues to your company?

10. To what extent is a product security representative in place to coordinate and/or work with the security lifecycle of product development releases as part of their primary job duties?

11. To what extent is customer or production oriented software code that is created by outsourced development resources put through the same or similar secure software development process identified?

12. How are any offshore development teams utilized for the development of customer or production oriented software code effectively integrated into the company's own secure SDLC activities?

The purpose of this questionnaire is to help provide The Company with needed information toward understanding the current maturity level of security practices used in your software/product development lifecycle. Please answer and describe in as much detail as necessary.
