This questionnaire is for technology service providers to complete. Technology service providers include any vendor providing hardware, software, or a service to the college. It is highly recommended to provide these questions to the vendor in early discussions to avoid delays or possible late cancellations due to security concerns. Send this to the vendor representative you are in contact with and forward the results to informationsecurity@morainevalley.edu. The Information Security team will review the results, and if the vendor answers yes to any of the questions, the Information Security team will provide a response including a risk analysis.
- List the security practices that are in place by the service provider:
- Is the vendor processing payments? If yes:
  - PCI Compliance: Vendor must have and provide records of PCI compliance.
  - Payment types: Will credit card terminals be used on site, payments made online, or both?
  - Section two must be completed.
- Is the vendor accessing, storing, or transmitting sensitive data? If yes:
  - Security Posture: Describe how sensitive data is managed, particularly in areas where forms collect user information, and how that handling complies with data protection regulations. Include information on multi-factor authentication, firewalls, encryption (at rest and in transit), and intrusion detection systems. Include the history of cybersecurity incidents.
  - Data Privacy: Provide policies regarding the use or sale of user data, including marketing practices. Provide details on how user data is handled, and confirm that no data is sold or used for unauthorized purposes.
  - Compliance: Describe your data privacy program and how it ensures compliance with U.S. federal and state laws, as well as international laws like, particularly in relation to personal data collection, storage, and processing.
  - Confidentiality: Describe how user access and permissions are managed.
- Does the vendor use equipment or services from the following companies?
  - Huawei Technologies Company
  - ZTE Corporation
  - Hytera Communications Corporation
  - Hangzhou Hikvision Digital Technology Company
  - Dahua Technology Company
  - AO Kaspersky Lab
  - China Mobile International USA Inc.
  - China Telecom (Americas) Corp.
  - Pacific Networks Corp or ComNet (USA) LLC
  - China Unicom (Americas) Operations Limited
  - Kaspersky Lab, Inc