Ref: https://docs.google.com/forms/d/e/1FAIpQLScoEwqevT6ncHWRBa2cHCJUhFOoOflUcrFAKVkxDTjsubST1Q/viewform
Roundforest
B. Please describe the service and/or product the vendor provides and the purpose of the service and/or product *
SEO enhancement
- No Partnership
- Resellers
- Service/Data Exchange
- Ad Content Provider/Publisher
- Oath Customer
- System supplier
- Other:
- Business Management
- Communications Data and Search
- Consumer and Global Platforms
- Core Platforms & Services
- Corporate Development Strategy and Consumer Ops
- Technology
- Media Brands and Products
- Data Center
- SaaS (which offers the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser.)
- IaaS (which offers the capability to provision processing, storage, networks and other fundamental computing resources, enabling the customer to deploy and run arbitrary software, which can include operating systems and applications.)
- PaaS (which offers the capability to deploy onto the cloud infrastructure customer-created or -acquired applications that are created using programming languages and tools supported by the provider.)
- Professional Service (which is an intangible product that a contractor or product vendor sells to help a customer manage a specific part of their business. Because professional service providers have specialized knowledge about niche areas of interest, such as law, advertising, marketing or accounting, they allow the customer to focus on core business concerns.)
- Hardware (which refers to the physical components of a computer system.)
- Commercial Off-the-Shelf software (Not SaaS) (which refers to the products that are ready-made and available for sale to the general public.)
- Other:
F. Is the vendor the primary service provider or does it subcontract the service and/or product out to a fourth party? *
When a third-party outsources certain functions to another company, that company is considered a fourth-party vendor to Oath.
- Subcontracted
- Primary
Duration in months. Ex: 2 years as 24 months
3
- Yes
- No
- Yes
- No
Software products that are ready-made and available for sale to the general public (Example - Microsoft Word and Adobe Suite). COTS does NOT include software that is customized specifically for Oath, nor open source software or add-ons such as Chrome extensions. SaaS: offers the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser.
If this is open source software or a Chrome extension, this process does not apply. Please do not proceed with this sheet. You must reach out to Ashley Wolf or Gil Yehuda for these specific requests.
- Yes
- No
Example: Employee's local machine (e.g. laptop, desktop) is part of Oath's networks
- Yes
- No
*4th party premises include Amazon Web Services, Google Cloud Platform, Microsoft Azure, or other sub-contractors.
- On Vendor premise
- A 4th party (sub-contractor) premise
- Yes
- No
*Custom software is software that is designed, developed, and/or implemented specifically for Oath. Custom software does NOT include customization of commercial software (COTS or SaaS).
- Yes
- No
- Yes
- No
3 - Does Oath utilize this vendor to comply with legal and/or regulatory requirements (PCI, HIPAA, etc.)? *
- Yes
- No
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- California Consumer Privacy Act (CCPA)
- General Data Protection Regulation (GDPR)
- Federal Information Security Management Act (FISMA)
- Sarbanes-Oxley Act (SOX)
- Dodd-Frank Act
- Other:
3.2 - What is the potential impact of not complying with this legal and/or regulatory requirement? *
- Loss of license or ability to operate
- Impact to business
- Financial impact
- Reputational impact
- Annual
- Every 2 years
- Every 3 years
- More than every 3 years
4. What is the level of criticality associated with the business process that the vendor supports? *
*In the answer options, business unit refers to the same business unit as in question A (e.g., Business Management, Consumer and Global Platforms, Core Platforms & Services, etc.)
- Low (Less than 25% of the business unit is affected. Outage of service results in no or negligible impact to operations, minimal impact on ability to meet business objectives and near-term initiatives.)
- Medium (25% to 75% of the business unit is affected. Outage of service results in moderate impact to operations, minor impact on ability to meet business objectives and near-term initiatives.)
- High (75% to 90% of the business unit is affected. Outage of service results in major operational interruptions, resulting in major or long-term unavailability of critical systems and assets.)
- Critical (More than 90% of the business unit is affected. Outage of service results in extreme operational interruptions, resulting in unavailability of critical systems and modification of sensitive assets.)
- Annually / Ad-Hoc
- Monthly
- Weekly
- Daily
4.2 - What is the max financial impact this vendor would cause Oath if the vendor suffered an outage? *
Example - if a vendor is brought in and their revenue projection is $10 million for a business unit that has a revenue capability of $20 million, the critical option would be selected here since the revenue projection is 50% of the business unit's revenue capability.
- No Financial Impact / Low Financial Impact: < 5% of business unit's revenue capability
- Medium Financial Impact: 5-20% of business unit's revenue capability
- High Financial Impact: 20-50% of business unit's revenue capability
- Critical Financial Impact: > 50% of business unit's revenue capability
This is specifically in reference to which user type will be accessing the system itself and not receiving information or content from the system.
- Internal
- External
- Internal & External
- <100
- 100-500
- 500-1000
- >1000
*Oath's external users include Oath's customers, Oath's email service users, etc.
- < 250
- 250 - 1250
- 1250 - 2500
- > 2500
*Oath's external users include Oath's customers, Oath's email service users, etc.
25000 (TBD)
Recovery Time Objective (RTO) is the overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or mission/business functions.
- Yes
- No
- N/A
Network or systems access does NOT include public interfaces (API, SDK, etc.)
- Yes
- No
- Third Party connections (Third Party-managed channels, systems, or application hosting)
- Storage of Oath confidential and/or highly confidential data (local storage or hosting)
- Unescorted physical access to Oath facilities only (no systems or data access)
- Oath managed electronic access (such as cloud tools, SFTP, file-sharing)
- Staff Augmentation using Oath managed devices only
- Access to Internet Site
- Use of APIs
- Client VPN
- Site to Site VPN
*Logical access is the ability to read, write, or execute records or data contained in the information system.
- Yes
- No
*Privileged access is to have allocated powers within Oath systems/networks which are significantly greater than those available to the majority of users. *For example, local admin, domain admin, Identity & Access Management admin, database admin, service admin, system admin, root account, etc.
- Yes
- No
- <5
- 5-20
- >20
5.5 - What is the approximate number of users from vendors who will have access to Oath systems or networks? *
n/a
*Data access refers to software and activities related to storing, retrieving, or acting on data directly or indirectly from Oath.
*Data transmission refers to the process of sending data over a communication medium to one or more computing, network, communication or electronic devices.
*Data processing refers to operations on data to retrieve, transform, or classify information.
*Data storage refers to recording or archiving information in a storage medium.
- Yes
- No
Please refer to https://confluence.vzbuilders.com/pages/viewpage.action?pageId=158990842&preview=/158990842/232523911/Asset%20Management%20Standard%20v1.0%20.pdf#ParanoidsPolicy,Standards&Guidelines-DataClassificationStandard for the Verizon Media Asset Management Standard.
- Yes
- No
Please refer to https://confluence.vzbuilders.com/pages/viewpage.action?pageId=158990842&preview=/158990842/232523911/Asset%20Management%20Standard%20v1.0%20.pdf#ParanoidsPolicy,Standards&Guidelines-DataClassificationStandard for the Verizon Media Asset Management Standard.
- Yes
- No
- Direct Contact Information (DCI)
- PII (Personal Identifiable Information) and user registration information, including full name, address, phone number(s), alternate email addresses, and date of birth
- Public Profile Data
- Passwords (employee or customer)
- Affiliate Agreements/Data
- IP Address
- Data Associated with an Anonymized or Non-Anonymized Identifier (B-Cookie ID or SID)
- Collected User Behaviour Data
- Proprietary Source Code
- Other:
6.2.2 - For the Confidential data, how many records of data is the vendor accessing, processing, and/or storing? *
*Record is any form of digitally recorded material generated, transmitted, received and/or stored that is designated a record by the data owner or by law, based on content and/or subject matter. This includes but is not limited to electronic digital interchange, email, digital/text voice messages, instant messages and text messages.
- <25 records
- 25-500 records
- >500 records
6.2.3 - What is the approximate number of records of Confidential data that the vendor is accessing, processing, and/or storing? *
25000
Please refer to https://confluence.vzbuilders.com/pages/viewpage.action?pageId=158990842&preview=/158990842/232523911/Asset%20Management%20Standard%20v1.0%20.pdf#ParanoidsPolicy,Standards&Guidelines-DataClassificationStandard for the Verizon Media Asset Management Standard.
- Yes
- No
- If Question 6.1 is Confidential
- Internal Memorandum
- Employee Handbook
- Aggregated reports
- Customer Account number
- End User Meta Data
- Anonymized or aggregated Insights derived from Public Profile Data
- Anonymous/aggregated interest segments
- Other:
6.3.2 - For the Private data, how many records of data is the vendor accessing, processing, and/or storing? *
If Question 6.1 is Confidential
- <2500 records
- >2500 records
6.3.3 - What is the approximate number of records of Private data that the vendor is accessing, processing, and/or storing? *
25000 (TBD)
Please refer to https://confluence.vzbuilders.com/pages/viewpage.action?pageId=158990842&preview=/158990842/232523911/Asset%20Management%20Standard%20v1.0%20.pdf#ParanoidsPolicy,Standards&Guidelines-DataClassificationStandard for the Verizon Media Asset Management Standard.
- Yes
- No
- If Question 6.1 is Confidential
- Press releases
- Published Financial reports
- Approved Marketing brochures
- Customer’s Domain
- Ratings
- Reviews
- Other:
*According to the Ponemon 2018 Cost of Data Breach Study, the average cost per lost or stolen record is $148.
- <$74
- $74-$148
- $148-$222
- >$222
- N/A