Noticed the attached document was rejected due to technical issues, so I have listed the questions below:
Provide a brief description of the third-party solution and how it integrates with our existing environment (if applicable).
What types of our data will be stored, processed or accessed by the third-party solution? Please list the specific fields if the data includes PII, payment card (PCI) data, proprietary information, or other confidential/sensitive information.
What platform and programming language(s) were used to develop the application?
a. How do you assess the application and its underlying technology stack for security vulnerabilities (code review, dependency/component scanning, vulnerability scanning)?
b. What is the application's patch management and release methodology, especially for security fixes, and what are the target remediation timelines by severity?
Do you support SSO? Which authentication protocols and technologies are supported (e.g. SAML 2.0, OpenID Connect), and is multi-factor authentication available?
Does the solution provide role-based access permissions to users?
a. Can the roles be customized according to our business needs?
How is data at rest protected?
a. Which encryption algorithm and key length are used?
b. How are the encryption keys managed (generation, storage, rotation, and whether customer-managed keys are supported)?
How is data in transit protected (minimum TLS version and permitted cipher suites)?
a. What are the minimum supported browser versions?
How are our tenant and our data segregated from other tenants/customers (if the solution is offered in a multi-tenant model)?
What controls prevent the vendor's solution administrators or system administrators from accessing the underlying customer data, and how is any such access logged and made visible to us?
Can digital rights management be enabled to control what users can do with documents after they download them (if document management is applicable)?
Do you maintain detailed audit logs of user and admin activities?
a. How long are the logs retained, and can they be provided to customers on request?
b. Can these logs be integrated with or forwarded to the customer's log monitoring infrastructure (e.g. a SIEM)?
c. Can system administrators or power users modify or remove audit log entries, or is the log tamper-evident?
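As an added illustration of what a satisfactory answer to (c) looks like, and of how a customer can check an export obtained under (a), here is a hash-chained audit log in Python. This is example code written for this page, not code from the original questionnaire or from any vendor's product; the field names (`seq`, `prev_hash`, `hash`) and the sample events are constructed assumptions. Each record commits to the hash of its predecessor, so deleting, editing or reordering an entry breaks the chain and is detected by `verify_log`.

```python
import hashlib
import json

# Chain starts from a fixed genesis value (assumption for this example).
GENESIS = "0" * 64

# Constructed sample events, as a vendor might export them (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01Z", "actor": "alice", "action": "login", "result": "success"},
    {"ts": "2024-05-01T09:05:12Z", "actor": "admin01", "action": "role.update",
     "target": "bob", "detail": "viewer->editor"},
    {"ts": "2024-05-01T09:07:40Z", "actor": "admin01", "action": "document.download",
     "target": "contract-2024.pdf"},
    {"ts": "2024-05-01T09:08:02Z", "actor": "admin01", "action": "auditlog.delete",
     "target": "seq=3", "result": "denied"},
]


def canonical(record):
    """Deterministic serialization of a record, excluding its own hash field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record):
    """SHA-256 over the canonical form; covers seq and prev_hash, so position is bound too."""
    return hashlib.sha256(canonical(record)).hexdigest()


def build_log(events):
    """Append-only chaining as the log service would do it: each record carries
    the hash of the previous record and its own hash over everything else."""
    log, prev = [], GENESIS
    for seq, event in enumerate(events, start=1):
        record = dict(event, seq=seq, prev_hash=prev)
        record["hash"] = record_hash(record)
        log.append(record)
        prev = record["hash"]
    return log


def verify_log(log):
    """Walk an exported log and return (ok, problems).
    Detects altered content (hash mismatch), deleted or reordered entries
    (prev_hash mismatch) and sequence gaps."""
    problems, prev, expected_seq = [], GENESIS, 1
    for record in log:
        seq = record["seq"]
        if seq != expected_seq:
            problems.append(f"gap: expected seq {expected_seq}, got {seq}")
        if record["prev_hash"] != prev:
            problems.append(f"seq {seq}: prev_hash does not match previous record")
        if record_hash(record) != record["hash"]:
            problems.append(f"seq {seq}: record hash mismatch (content altered)")
        prev = record["hash"]
        expected_seq = seq + 1
    return (not problems, problems)


def demo():
    """Intact log verifies; an admin deleting entry 3 or rewriting its actor does not."""
    log = build_log(SAMPLE_EVENTS)
    intact_ok, _ = verify_log(log)

    deleted = [r for r in log if r["seq"] != 3]          # entry removed by an admin
    deleted_ok, _ = verify_log(deleted)

    edited = [dict(r) for r in log]
    edited[2]["actor"] = "bob"                           # actor rewritten in place
    edited_ok, _ = verify_log(edited)
    return intact_ok, deleted_ok, edited_ok


if __name__ == "__main__":
    print(demo())
```

The caveat to keep in mind when reading a vendor's answer: a hash chain only proves integrity relative to a chain head that the attacker does not control. If the vendor's administrators can rewrite the whole store, they can rebuild the chain, so the control is only meaningful when the log is forwarded to the customer in near real time (question b) or the head hash is anchored somewhere outside the administrators' reach.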
Explain the solution's disaster recovery (DR) capability, including the recovery point and recovery time objectives (RPO/RTO).
Explain the secure backup and archival options, including backup encryption, retention period, and restore testing.
Applicable only when the document management feature is available:
a. Can the solution integrate with an anti-malware solution to scan documents for malicious content before they are stored? Please name the security products used for such scans.
b. Are there any other restrictions on files/documents stored within the solution (permitted file types, size limits)?
What device- and location-based access control options are available?
a. Can access to the application be restricted to our specific public IP gateway(s)?
b. Do you perform user behaviour analysis to identify malicious activity?
Please provide details on how security monitoring is performed for the solution.
How often do you perform penetration testing, and can a summary of the latest report (scope, findings, remediation status) be shared with customers?
What is your security incident management process? Please provide the timelines for breach notification to customers.