Vendor Risk Stratification Questionnaire

Ref: https://docs.google.com/forms/d/e/1FAIpQLScoEwqevT6ncHWRBa2cHCJUhFOoOflUcrFAKVkxDTjsubST1Q/viewform

General Information

Vendor Name

Roundforest

B. Please describe the service and/or product the vendor provides and the purpose of the service and/or product *

SEO enhancement

C. What type of relationship does vendor have with Oath? If other, please specify. *

  • No Partnership
  • Resellers
  • Service/Data Exchange
  • Ad Content Provider/Publisher
  • Oath Customer
  • System supplier
  • Other:

D. Which business unit will this service and/or product be provided to? *

  • Business Management
  • Communications Data and Search
  • Consumer and Global Platforms
  • Core Platforms & Services
  • Corporate Development Strategy and Consumer Ops
  • Technology
  • Media Brands and Products

E. Type of service and/or product (SaaS, IaaS, PaaS provider etc.) *

  • Data Center
  • SaaS (which offers the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser.)
  • IaaS (which offers the capability to provision processing, storage, networks and other fundamental computing resources, enabling the customer to deploy and run arbitrary software, which can include operating systems and applications.)
  • PaaS (which offers the capability to deploy onto the cloud infrastructure customer-created or -acquired applications that are created using programming languages and tools supported by the provider.)
  • Professional Service (which is an intangible product that a contractor or product vendor sells to help a customer manage a specific part of their business. Because professional service providers have specialized knowledge about niche areas of interest, such as law, advertising, marketing or accounting, they allow the customer to focus on core business concerns.)
  • Hardware (which refers to the physical components of a computer system.)
  • Commercial Off-the-Shelf software (Not SaaS) (which refers to the products that are ready-made and available for sale to the general public.)
  • Other:

F. Is the vendor the primary service provider or does it subcontract the service and/or product out to a fourth party? *

When a third-party outsources certain functions to another company, that company is considered a fourth-party vendor to Oath.

  • Subcontracted
  • Primary

F.1. If yes, who is the fourth party/subcontractor? *

G. What is the intended engagement length/duration? *

Duration in months. Ex: 2 years as 24 months

3

H. Will the vendor have physical access to Oath's facilities? *

  • Yes
  • No

Has Oath engaged with the vendor previously? *

  • Yes
  • No

Commercial Off The Shelf Software (Not SaaS)

Software products that are ready-made and available for sale to the general public (Example - Microsoft Word and Adobe Suite). COTS does NOT include software that is customized specifically for Oath as well as open source software/add-on such as Chrome extensions. SaaS: offers the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser.

If this is an open source software or Chrome extensions, this process does not apply. Please do not proceed forward with this sheet. You must reach out to Ashley Wolf or Gil Yehuda for these specific requests.

1 - Is this a commercial off the shelf software (Not SaaS )? *

  • Yes
  • No

1.1 - Please provide the name of the application and a brief description *

1.2 - Will this software be hosted in Oath's networks and/or systems? *

Example: Employee's local machine (i.e. laptop, desktop) is part of Oath's networks

  • Yes
  • No

1.2.1 - Where will the software be hosted? *

  • On Vendor premise
  • A 4th party (sub-contractor) premise

*4th party premises include Amazon Web Services, Google Cloud Platform, Microsoft Azure, or other sub-contractors, etc.

1.2.2 - Will Oath be managing the host networks and/or systems? *

  • Yes
  • No

1.3 - If the vendor provides support, what method will vendor provide support through? *

Oath Custom Software

2. Will the vendor develop custom software for Oath? *

*Custom software is software that is designed, developed, and/or implemented specifically for Oath. Custom software does NOT include customization of commercial software (COTS or SaaS).

  • Yes
  • No

2.1 - Please provide the name of the application and a brief description *

2.2 - Will this software be hosted in Oath's networks and/or systems? *

  • Yes
  • No

3 - Does Oath utilize this vendor to comply with legal and/or regulatory requirements (PCI, HIPAA, etc.)? *

  • Yes
  • No

Legal & Regulatory Compliance

3.1 - Which legal and/or regulatory requirement is this for? (PCI, HIPAA, etc.) *

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • California Consumer Privacy Act (CCPA)
  • General Data Protection Regulation (GDPR)
  • Federal Information Security Management Act (FISMA)
  • Sarbanes-Oxley Act (SOX)
  • Dodd-Frank Act
  • Other:

3.2 - What is the potential impact of not complying with this legal and/or regulatory requirement? *

  • Loss of license or ability to operate
  • Impact to business
  • Financial impact
  • Reputational impact

3.3 - How often does Oath have to recertify with this legal and/or regulatory requirement? *

  • Annual
  • Every 2 years
  • Every 3 years
  • More than every 3 years

Oath Business Process Criticality

4. What is the level of criticality associated with the business process that the vendor supports? *

*In the answer options, business unit refers to the same business unit as in question A (e.g., Business Management, Consumer and Global Platforms, Core Platforms & Services, etc.)

  • Low (Less than 25% of the business unit is affected. Outage of service results in no or negligible impact to operations, minimal impact on ability to meet business objectives and near-term initiatives.)
  • Medium (25% to 75% of the business unit is affected. Outage of service results in moderate impact to operations, minor impact on ability to meet business objectives and near-term initiatives.)
  • High (75% to 90% of the business unit is affected. Outage of Service results in major operational interruptions, resulting in major or long term unavailability of critical systems and assets.)
  • Critical (More than 90% of the business unit is affected. Outage of service results in extreme operational interruptions, resulting in unavailability of critical systems and modification of sensitive assets.)

4.1 - How often is the service used? (daily, weekly, monthly, annually, ad-hoc) *

  • Annually / Ad-Hoc
  • Monthly
  • Weekly
  • Daily

4.2 - What is the max financial impact this vendor would cause Oath if the vendor suffered an outage? *

Example - if a vendor is brought in and their revenue projection is $10 million for a business unit that has a revenue capability of $20 million, the critical option would be selected here, since the revenue projection is 50% of the business unit's revenue capability.

  • No Financial Impact / Low Financial Impact: < 5% of business unit's revenue capability
  • Medium Financial Impact: 5-20% of business unit's revenue capability
  • High Financial Impact: 20-50% of business unit's revenue capability
  • Critical Financial Impact: > 50% of business unit's revenue capability

4.3 - Who is the target user base of the vendor's service? *

This is specifically in reference to which user type will be accessing the system itself and not receiving information or content from the system.

  • Internal
  • External
  • Internal & External

4.4 - How many Oath internal users will use the vendor's service? *

  • <100
  • 100-500
  • 500-1000
  • >1000

4.5 - What is the approximate number of Oath internal users who will use the vendor's service? *

4.6 - How many Oath's external users will use the vendor's service? *

*Oath's external users include Oath's customers, Oath's email service users, etc.

  • < 250
  • 250 - 1250
  • 1250 - 2500
  • > 2500

4.7 - What is the approximate number of Oath's external users who will use the vendor's service? *

*Oath's external users include Oath's customers, Oath's email service users, etc.

25000 (TBD)

4.8 - Has a Recovery Time Objective (RTO) requirement been defined? *

Recovery Time Objective (RTO) is the overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or mission/business functions.

  • Yes
  • No
  • N/A

Oath's Networks & Systems Logical Access

Network or systems access does NOT include public interfaces (API, SDK, etc.)

5. Will the vendor have logical access to Oath's Networks & Systems? *

  • Yes
  • No

5.1 - Please select the option(s) that best describes the connection type. *

  • Third Party connections (Third Party-managed channels, systems, or application hosting)
  • Storage of Oath confidential and/or highly confidential data (local storage or hosting)
  • Unescorted physical access to Oath facilities only (no systems or data access)
  • Oath managed electronic access (such as cloud tools, SFTP, file-sharing)
  • Staff Augmentation using Oath managed devices only
  • Access to Internet Site
  • Use of APIs
  • Client VPN
  • Site to Site VPN

5.2 - Will the vendor have continuous logical access to Oath's business networks & systems? *

*Logical access is the ability to read, write, or execute records or data contained in the information system.

  • Yes
  • No

5.3 - Is the system and/or network access privileged? *

*Privileged access is to have allocated powers within Oath systems/networks which are significantly greater than those available to the majority of users. For example, local admin, domain admin, Identity & Access Management admin, database admin, service admin, system admin, root account, etc.

  • Yes
  • No

5.4 - How many users from the vendor will have access to Oath systems or networks? *

  • <5
  • 5-20
  • >20

5.5 - What is the approximate number of users from vendors who will have access to Oath systems or networks? *

n/a

6. Will the vendor access, transmit, process and/or store Oath data? *

*Data access refers to software and activities related to storing, retrieving, or acting on data directly or indirectly from Oath.
*Data transmission refers to the process of sending data over a communication medium to one or more computing, network, communication or electronic devices.
*Data processing refers to operations on data to retrieve, transform, or classify information.
*Data storage refers to recording or archiving information in a storage medium.

  • Yes
  • No

6.1 - Does the vendor access, transmit, process, and/or store Oath Highly Confidential Data? *

Please refer to https://confluence.vzbuilders.com/pages/viewpage.action?pageId=158990842&preview=/158990842/232523911/Asset%20Management%20Standard%20v1.0%20.pdf#ParanoidsPolicy,Standards&Guidelines-DataClassificationStandard for the Verizon Media Asset Management Standard.

  • Yes
  • No

6.2 - Does the vendor access, transmit, process, and/or store Oath Confidential Data? *

Please refer to https://confluence.vzbuilders.com/pages/viewpage.action?pageId=158990842&preview=/158990842/232523911/Asset%20Management%20Standard%20v1.0%20.pdf#ParanoidsPolicy,Standards&Guidelines-DataClassificationStandard for the Verizon Media Asset Management Standard.

  • Yes
  • No

6.2.1 - What are the Oath confidential data types? Please select all that apply *

  • Direct Contact Information (DCI)
  • PII (Personally Identifiable Information) and user registration information, including full name, address, phone number(s), alternate email addresses, and date of birth
  • Public Profile Data
  • Passwords (employee or customer)
  • Affiliate Agreements/Data
  • IP Address
  • Data Associated with an Anonymized or Non-Anonymized Identifier (B-Cookie ID or SID)
  • Collected User Behaviour Data
  • Proprietary Source Code
  • Other:

6.2.2 - For the Confidential data, how many records of data is the vendor accessing, processing, and/or storing? *

*Record is any form of digitally recorded material generated, transmitted, received and/or stored that is designated a record by the data owner or by law, based on content and/or subject matter. This includes but is not limited to electronic data interchange, email, digital/text voice messages, instant messages and text messages.

  • <25 records
  • 25-500 records
  • >500 records

6.2.3 - What is the approximate number of records of Confidential data that the vendor is accessing, processing, and/or storing? *

25000

6.3 - Does the vendor access, transmit, process, and/or store Oath Private Data? *

Please refer to https://confluence.vzbuilders.com/pages/viewpage.action?pageId=158990842&preview=/158990842/232523911/Asset%20Management%20Standard%20v1.0%20.pdf#ParanoidsPolicy,Standards&Guidelines-DataClassificationStandard for the Verizon Media Asset Management Standard.

  • Yes
  • No

6.3.1 - What are the Oath private data types? Please select all that apply. *

  • If Question 6.1 is Confidential
  • Internal Memorandum
  • Employee Handbook
  • Aggregated reports
  • Customer Account number
  • End User Meta Data
  • Anonymized or aggregated Insights derived from Public Profile Data
  • Anonymous/aggregated interest segments
  • Other:

6.3.2 - For the Private data, how many records of data is the vendor accessing, processing, and/or storing? *

If Question 6.1 is Confidential

  • <2500 records
  • >2500 records

6.3.3 - What is the approximate number of records of Private data that the vendor is accessing, processing, and/or storing? *

25000 (TBD)

6.4 - Does the vendor access, transmit, process, and/or store Oath Public Data? *

Please refer to https://confluence.vzbuilders.com/pages/viewpage.action?pageId=158990842&preview=/158990842/232523911/Asset%20Management%20Standard%20v1.0%20.pdf#ParanoidsPolicy,Standards&Guidelines-DataClassificationStandard for the Verizon Media Asset Management Standard.

  • Yes
  • No

6.4.1 - What are the Oath public data types? Please select all that apply. *

  • If Question 6.1 is Confidential
  • Press releases
  • Published Financial reports
  • Approved Marketing brochures
  • Customer’s Domain
  • Ratings
  • Reviews
  • Other:

6.5 - What is the cost per record / impact of data loss?

*According to the Ponemon 2018 Cost of a Data Breach Study, the average cost per lost or stolen record is $148.

  • <$74
  • $74-$148
  • $148-$222
  • >$222
  • N/A