Medigy Intelligence

Vendor Risk Assessment

Netspective Vendor Risk Assesment
Question/Request
Assessee Name Shahid N. Shah
Assessee Job Title CEO
Assessee Contact Information 2313 Falling Creek Rd, Silver Spring, MD 20904, United States, Phone: +1 202-713-5409
Names and titles/functions of individuals who contributed to this questionnaire
Date of Response 20-Jan-10
Company Profile
Name of the holding or parent company
Company/business name Citrus Informatics (India) Pvt Ltd
Publicly or privately held company Private Company
If public, what is the name of the Exchange
If public, what is the trading symbol
Type of legal entity and state of incorporation Kerala State, India
How long has the company been in business 13 Year
Are there any material claims or judgments against the company No
If yes, describe the impact it may have on the services in scope of this document
Has your company suffered a data loss or security breach within the last 3 years? No
If yes, please describe the loss or breach.
Has any of your Third Party Vendors suffered a data loss or security breach within the last 3 years? No
If yes, please describe the loss or breach.

Netspective Vendor Risk Assesment

Note: If Sr.#4 answer is yes and your organization can upload or send ISO or SOC2 report then no need to answer remaining questions. As these are covered in ISO/SOC2.

Sr.No Clause No. Details Sub Clause Question Applicable Answer Total Vendor Score Total Score achieved Legend
Management Direction, Leadership
1 A5 5.1.2 Have all information security policies and standards been reviewed in the last 12 months? Yes 1
2 5.1.1 Is there a set of information security policies that have been approved by management, published and communicated to constituents? No 0
3 5.1.2 Describe the cybersecurity deployed with the system, to include infrastructure, application (for example, encryption), and transport. Security and encryption must be FIPS 140-2 compliant Yes 1
4 5.1.2 Are you compliant with relevant cybersecurity standards (e.g., NIST, ISO 27000, NIST CSF,SOC2) No 0
Organization Responsibilities and Roles
5 A6 6.1.2 Is there a policy that defines roles, responsibilities and authorities of information security? Yes 1
6 6.1.2 Is there segregation of duties for granting access and approving access to Scoped Systems and Data? Yes 1
Human Resource
7 A7 7.1.1 Do Human Resource policies include Constituent background screening criteria? Yes 1
8 7.2.2 Does the security awareness training program include new hire and annual participation? Yes 1
9 7.2.3 Does the Human Resource policy include a disciplinary process for non-compliance? Yes 1
Asset Management
10 A8 8.1.3 Is there an acceptable use policy for information and associated assets that has been approved by management, communicated to appropriate Constituents and assigned an owner to maintain and periodically review the policy? Yes 1
11 8.1.4 Is there a process to verify return of constituent assets (computers, cell phones, access cards, tokens, smart cards, keys, etc.) upon termination? Not Applicable 0
12 8.2.1 Is there a policy or procedure for information handling (storing, processing, and communicating) consistent with its classification that has been approved by management, communicated to appropriate constituents and assigned an owner to maintain and periodically review? Yes 1
13 8.2.1 Does the policy or procedure for information handling include storage requirements including authorized use of Public Cloud storage? Yes 1
14 8.3.2 Is there a data retention/destruction requirement that includes information on live media, backup/archived media, and information managed by Employees? Yes 1
15 8.2.2 Is all Scoped Data sent or received electronically encrypted in transit while outside the network? Yes 1
Access Control
16 A9 9.2.1 Is electronic access to systems containing scoped data removed within 24 hours for terminated constituents? Yes 1
17 9.2.1 Is access on applications, operating systems, databases, and network devices provisioned according to the principle of least privilege? Yes 1
18 9.2.1 Is there a process to request and receive approval for access to systems transmitting, processing or storing Scoped Systems and Data? Yes 1
19 9.4.2 Is Multi-factor Authentication deployed? Yes 1
20 9.4.2 Does system policy require logoff from terminals, PC or servers when the session is finished? Yes 1
21 9.2.5 Are user access rights reviewed periodically? Yes 1
22 9.2.5 Are access rights reviewed when a constituent changes roles? Yes 1
23 9.2.5 Are privileged user access rights reviewed periodically? Yes 1
24 9.3.1 Is there a password policy for systems that transmit, process or store Scoped Systems and Data that has been approved by management, communicated to constituents, and enforced on all platforms and network devices? If no, please explain in the 'Additional Information' field. Yes 1
25 9.3.1 Does password policy include minimum password length at least eight characters? Yes 1
26 9.3.1 Are complex passwords (mix of upper case letters, lower case letters, numbers, and special characters) required on systems transmitting, processing, or storing Scoped Data? Yes 1
27 9.3.1 Does password policy prohibit a PIN or secret question as a possible stand-alone method of authentication? Yes 1
28 9.3.1/9.4.1 Does password policy require initial and temporary passwords to be changed upon next login? Yes 1
29 9.3.1/9.4.1 Does password policy require initial and temporary passwords to be random and complex? Yes 1
30 9.3.1 Does your solution have features that prevent unauthorized access to the system or system data. For example, limit user security database access to authorized system administrators only Yes 1
31 9.3.1/9.4.1 Are user IDs and passwords communicated/distributed via separate media (e.g., e-mail and phone)? Yes 1
32 9.1.1 Are mechanisms established so that access to personal information is limited to authorized personnel based upon their assigned roles and responsibilities? Yes 1
33 9.4.5 Is there a control to protect personal information stored on portable media or devices from unauthorized access? Not Applicable 0
34 9.4.5 Does your solution provide user name/login and password capabilities for all users, including those members of outside Agencies - for web-based applications/portions of the solution. Yes 1
35 9.4.5 Does your solution include role-based functional security, configurable to allow the County to restrict access to some reports, functions, screens, etc. For example, External Agency; Detention Admin; Detention View Only; System Admin. Security should be additive for a single user across the entire solution. Not Applicable 0
36 9.4.5 Does your solution have a lock-out provision that will lock-out access to an account after an organizationally-defined number (at least three) of unsuccessful logins by the user Yes 1
Cryptography
37 A10 10.1.1 Does the policy or procedure for information handling include encryption requirements? Yes 1
38 10.1.1 Are encryption keys managed and maintained for Scoped Data? Yes 1
Physical and Environmental security
39 A11 11.1.1 Are there physical security and environmental controls in the data center and office buildings? Not Applicable 0
40 11.1.1 Is there a physical security program approved by management, communicated to constituents, and has an owner been assigned to maintain and review? Not Applicable 0
41 11.1.1 Do physical access control procedures include collection of access equipment (badges, keys, change pin numbers, etc.) upon termination or status change? Not Applicable 0
42 11.1.3 Do physical access control procedures include lost or stolen access card/key reporting required? Not Applicable 0
43 11.1.4 Do the physical security and environmental controls include electronic controlled access system (key card, token, fob, biometric reader, etc.)? Not Applicable 0
Operations Management
44 A12 12.2.1 Does Scoped Data sent or received electronically include protection against malicious code by network virus inspection or virus scan at the endpoint? Yes 1
45 12.2.1 Do scans performed on incoming and outgoing email include phishing prevention? Yes 1
46 12.7.1 Are locking screensavers on unattended system displays or locks on consoles required within the data center? Not Applicable 0
47 12.7.1 Does your solution have features that prevent computer viruses, hidden logic bombs, back doors, or any such code that could be activated inadvertently or otherwise at a later date or time Not Applicable 0
48 Is your solution able to automatically generate an application log file for application error messages identifying hardware/software problems, security violations, and attempted breaches Yes 1
49 12.1.2 Do changes to the production environment including network, systems, application updates, and code changes subject to the change control process? Yes 1
50 12.1.1/12.1.2 Is there an operational change management/Change Control policy or program that has been documented, approved by management, communicated to appropriate Constituents and assigned an owner to maintain and review the policy? Yes 1
51 12.1.2 Does the change control process include a formal process to ensure clients are notified prior to changes being made which may impact their service? Yes 1
52 12.5.1 Does the change control process include a scheduled maintenance window? Yes 1
53 12.1.2 Does the change control process include a scheduled maintenance window which results in client downtime? Yes 1
54 12.3.1 Are backups of Scoped Systems and Data performed? Yes 1
55 12.3.1 Is there a policy or process for the backup of production data? Yes 1
56 12.3.1 Are backup media and restoration procedures tested at least annually? Yes 1
57 12.3.1 Are backup and replication errors reviewed and resolved as required? Yes 1
58 12.3.1 Is backup media stored offsite? Not Applicable 0
59 12.3.1 Are backups containing Scoped Data stored in an environment where the security controls protecting them are equivalent to the production environment? Yes 1
60 12.2.1 Is there an anti-malware policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Yes 1
61 12.2.1 Does the anti-malware policy or program include defined operating systems that require antivirus? Yes 1
62 12.2.1 Does the approved anti-malware policy or program mandate an interval between the availability of a new anti-malware signature update and its deployment no longer than 24 hours? Yes 1
63 12.2.1 Is there a vulnerability management policy or program that has been approved by management, communicated to appropriate constituent and an owner assigned to maintain and review the policy? Yes 1
64 12.4.1 Is sufficient detail contained in Operating System and application logs to support security incident investigations (at a minimum, successful and failed login attempts, and changes to sensitive configuration settings and files)? Yes 1
65 12.1.1 Are all systems and applications patched regularly? Yes 1
66 12.1.1 Are there any Operating System versions in use within the Scoped Services that no longer have patches released? If yes, please describe in the 'Additional Information' section. No 0
67 12.1.1 Does the Cloud Hosting Provider provide independent audit reports (e.g., Service Operational Control - SOC) for their cloud hosting services? Yes 1
Network Security
68 A13 13.1.1 Do you have logical or Physical segregation between web, application and database components? i.e., Internet, DMZ, Database? Yes 1
69 13.1.2 Is HTTPS enabled for all web pages? Yes 1
70 13.1.3 Are non-company managed PCs used to connect to the company network? Yes 1
71 13.1.1 Are there security and hardening standards for network devices, including Firewalls, Switches, Routers and Wireless Access Points (baseline configuration, patching, passwords, Access control)? Yes 1
72 13.2.1 Is there an approval process prior to installing a network device? Yes 1
73 13.2.1 Is every connection to an external network terminated at a firewall? Not Applicable 0
74 13.1.2 Do network devices deny all access by default? Yes 1
75 13.1.2 Do the firewalls have any rules that permit 'any' network, sub network, host, protocol or port on any of the firewalls (internal or external)? Yes 1
76 13.1.2 Are default passwords changed or disabled prior to placing the device into production? Yes 1
77 13.1.2 Is there a remote access policy for systems transmitting, processing and storing Scoped Systems and Data that has been approved by management and communicated to constituents? Yes 1
78 13.2.2 Are encrypted communications required for all remote connections? Yes 1
79 13.3.3 Is remote terminal technology (e.g., RDP, Citrix) used to access Scoped Systems and Data remotely? Yes 1
80 13.2.1 Are all available high-risk security patches applied and verified on network devices? Yes 1
81 13.1.1 Is there sufficient detail contained in network device logs to support incident investigation? Yes 1
82 13.1.1 Are Network Intrusion Detection capabilities employed? Yes 1
83 13.1.1 Is there a wireless policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Not Applicable 0
84 13.1.1 Does the Wireless Security Policy require wireless connections to be secured with WPA2, and encrypted using AES or CCMP? Not Applicable 0
85 13.1.3 Are wireless networking devices connected to networks containing Scoped Systems and Data? Not Applicable 0
86 13.1.1 Is there a documented privacy policy or procedures maintained for the protection of information collected, transmitted, processed, or maintained on behalf of the client? Yes 1
87 13.1.1 Are privacy risks identified and associated mitigation plans documented in a formal data protection or privacy program plan that is reviewed by management? Yes 1
88 13.1.1 Is conspicuous notice provided in clear and plain language about privacy policies and procedures related to client scoped data? Yes 1
89 13.2.1 Do privacy notices identify the purposes for which personal information is collected, used, processed, retained, maintained, and disclosed? Yes 1
90 13.1.1 Is there an ongoing process to regularly review and update privacy policies and notices on a periodic basis? Yes 1
91 13.1.1 Are notices communicated to inform individuals regarding awareness of privacy obligations, retention periods of data collected, and opt-out choices applicable to the services? Yes 1
92 13.1.3 Is a website, mobile, or digital service privacy policy developed, maintained, published, and communicated to users on devices or applications that have access to client-scoped privacy data? Yes 1
93 13.1.1 Are network Vulnerability Scans performed against internal networks and systems? Yes 1
94 13.1.1 Are network vulnerability scans performed against internet-facing networks and systems? Yes 1
95 13.1.1 Do network Vulnerability Scans occur at least Monthly? Yes 1
96 13.1.1 Are Servers used for transmitting, processing or storing Scoped Data? Yes 1
97 13.1.1 Are server security configuration standards documented and based on external industry or vendor guidance? Yes 1
98 13.1.1 Are server security configuration reviews performed regularly to validate compliance with documented standards? Yes 1
99 13.1.3 Are all servers configured according to security standards as part of the build process? Yes 1
100 13.1.3 Are all unnecessary/unused services uninstalled or disabled on all servers? Yes 1
101 13.1.3 Are vendor default passwords removed, disabled or changed prior to placing any device or system into production? Yes 1
Software Development
102 A14 14.2.1 Do all projects involving Scoped Systems and Data go through some form of information security assessment? Yes 1
103 14.2.6 Are Constituents able to view client's unencrypted Data? No 0
104 14.2.6 Is there a formal Software Development Life Cycle (SDLC) process? Yes 1
105 14.2.4 Is there a documented change management/change control process for applications with Scoped Data? Yes 1
106 14.2.8 Are applications evaluated from a security perspective prior to promotion to production? Yes 1
107 14.2.1 Is open source software or libraries used to transmit, process or store Scoped Data? Yes 1
108 14.2.8/14.2.9 Is a Secure Code Review performed regularly? Yes 1
109 14.2.8/14.2.9 Do secure code reviews include regular analysis of vulnerability to recent attacks? Yes 1
110 14.2.8/14.2.9 Are identified security vulnerabilities remediated prior to promotion to production? Yes 1
111 14.2.8/14.2.9 Is a web site supported, hosted or maintained that has access to Scoped Systems and Data? Yes 1
Supplier Management
112 A15 15.1.1 Are there any dependencies on critical third party service providers? Not Applicable 0
113 15.1.2 Do agreements with third parties who have access to or potential access to client Scoped Data address confidentiality, audit, security, and privacy, including but not limited to incident response, ongoing monitoring limitations on data use, limitations on data sharing, return of data, and secure disposal of privacy data? Not Applicable 0
114 16.1.1 Is there an established incident management program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program? Not Applicable 0
115 16.1.1 Is there a formal Incident Response Plan? Yes 1
116 16.1.1 Does the Incident Response Plan include guidance for escalation procedure? Yes 1
117 16.1.2 Does the Incident Response Plan include actions to be taken in the event of an information security event? Yes 1
Business Continuity
118 A17 17.1.1 Is there an established business resiliency program that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the program? No 0
119 17.2.1 Does the business resiliency program include a formal annual (or more frequent) executive management review of business continuity key performance indicators, accomplishments, and issues? No 0
120 17.1.3 Is there a periodic (at least annual) review of your Business Resiliency procedures? No 0
121 17.1.3 Is communication in the event of a disruption that impacts the delivery of key service provider products and services required? Yes 1
Compliance Management
122 A18 18.1.4 Are there documented privacy policies and procedures that address choice and consent based on the statutory, regulatory, or contractual obligations to provide privacy protection for client-scoped privacy data? Yes 1
123 18.1.4 For client-scoped Data, is personal data collected directly from an individual on behalf of the client or provided to the organization directly by the client? Yes 1
124 18.1.4 Is there a documented records retention policy and process with defined schedules that ensure that Personal Information is retained for no longer than necessary? Yes 1
99

Medigy Innovation Network

Connecting innovation decision makers to authoritative information, institutions, people and insights.

Medigy Logo

The latest News, Insights & Events

Medigy accurately delivers healthcare and technology information, news and insight from around the world.

The best products, services & solutions

Medigy surfaces the world’s best crowdsourced health tech offerings with social interactions and peer reviews.


© 2022 Netspective Media LLC. All Rights Reserved.