NIST 800-53 outlines a catalog of security controls for protecting federal information systems from the cyber threats and vulnerabilities that lead to data breaches. Because third-party vendors make up a significant share of the federal attack surface, these entities also need to be monitored to ensure alignment with NIST 800-53 – Security and Privacy Controls for Information Systems and Organizations.
This post provides a template to inform the design of your own vendor security questionnaire mapped to NIST SP 800-53 requirements.
Vendor Questionnaire Template: NIST SP 800-53
Note: UpGuard offers a NIST 800-53 vendor questionnaire that automatically highlights alignment gaps based on vendor responses to support an efficient compliance strategy. For the most reliable supply chain risk management program, it's highly recommended to manage your vendor security questionnaires on a scalable solution like UpGuard.
Security and Privacy Programs Assessment
This section evaluates the strength of a vendor's set of policies governing their security and privacy programs.
1. Does your company have an established security program in place?
1 (a). If you answered Yes, does this program address the entire scope of digital information being processed within the organization?
Security Management
This section evaluates the strength of a vendor's security management strategy and its ability to protect private data from compromise.
1. Do you provide a notice to your customers advising them how you handle and protect personally identifiable information (PII)?
1 (a). If you answered Yes, provide a copy of this policy, either by pasting it in the free text field below or appending it to this completed questionnaire.
1 (b). If you answered No, describe the compensating controls that are in place or explain why you don't consider this to be a security risk.
1 (c). If you're in the process of implementing an external policy describing how you handle and protect personally identifiable information, advise the estimated timeframe for when this will be completed.
2. Do you have internal documentation outlining how to safely handle sensitive customer data?
2 (a). If you answered No, describe the compensating controls that are in place or explain why you don't consider this to be a security risk.
3. How often are internal audits of your security and privacy program conducted?
- Every three months
- Every six months
- Annually
- Free Text Field
4. Do you have a policy in place for mitigating the security risks posed by mobile devices?
5. Have you implemented a risk assessment program?
5 (a). If you answered Yes, how often are risk assessments completed for each vendor?
- Quarterly
- Bi-Annually
- Annually
- Other (specify below)
- Free Text Field
For an overview of an ideal risk assessment workflow, watch this video.
6. Do you have a policy for prioritizing critical vendors in risk assessment plans?
6 (a). If you answered Yes, how do you determine which vendors should be prioritized?
7. Do you have a cybersecurity solution for continuous monitoring of attack surfaces to discover emerging risks, either internally or across your service provider network (real-time monitoring)?
7 (a). Do you have a vulnerability scanning tool in place for discovering emerging attack vectors across all internet-facing assets?
8. Do you have security policies for mitigating insider threat risks?
9. How do you ensure onboarded vendors meet your security requirements as defined by your risk appetite?
10. Do you have any vendors currently exceeding your risk appetite baseline?
11. Do you incorporate penetration testing in your strategy for maintaining a resilient control baseline?
11 (a). If you answered Yes, how often do you perform penetration tests?
- Quarterly
- Bi-Annually
- Annually
- Other (specify below)
- Free Text Field
Personnel Security
This section evaluates the likelihood of staff facilitating security incidents.
1. Do you keep an up-to-date record of all employee user accounts and their respective access control levels?
2. Do you have a policy in place ensuring sensitive data is only accessed on a need-to-know basis?
3. Do you have a policy in place ensuring only authorized users have access to sensitive resources?
4. Do you have a strategy in place for protecting privileged user accounts?
5. Do you have contingency plans in place for when privileged user accounts are compromised?
6. Are government contractors and information security assessors required to sign confidentiality agreements to ensure customer data remains protected?
7. Do you have formal management processes for system security plans that protect account authentication information, such as passwords and digital certificates?
8. Are user account access levels regularly reviewed?
8 (a). If you answered Yes, how often do these reviews occur?
- Quarterly
- Bi-Annually
- Annually
- Other (specify below)
- Free Text Field
9. Do your employees complete cyber threat awareness training regularly?
9 (a). If you answered Yes, how often does this training occur?
- Quarterly
- Bi-Annually
- Annually
- Other (specify below)
- Free Text Field
9 (b). If you answered Yes, provide an outline of what is covered in each training module.
9 (c). If you answered Yes, does your program management policy regularly update this training?
10. Does your physical and environmental protection policy ensure all means of physical and digital access to your network are revoked from offboarded contractors and employees, including remote access?
Regulatory Compliance
This section will help you evaluate the level of risk your vendors pose to your regulatory compliance efforts.
1. List all of the regulations you are bound to.
2. Do you have a process in place for tracking emerging regulatory requirements?
3. Do you have a process in place for tracking regulatory compliance gaps, internally and across your vendor network?
4. Do you have a system for prioritizing critical regulatory compliance risk remediation tasks?
Infrastructure Security
These questions will help you uncover security risks associated with a vendor's IT infrastructure.
1. Do you have configuration management tools that enforce secure configuration settings?
2. Do you facilitate remote access to your infrastructure?
2 (a). If you answered Yes, do these remote access mechanisms undergo security testing to uncover potentially exploitable vulnerabilities?
3. Do you have a patch management program for keeping your network infrastructure secured with the latest patches?
3 (a). If you answered Yes, do you automate patch updates?
4. Do you conduct security control assessments to evaluate the cybersecurity of your cloud infrastructure?
4 (a). If you answered Yes, how often do these assessments occur?
- Monthly
- Quarterly
- Bi-annually
- Annually
- Other (specify below)
Server Security
This section evaluates the likelihood of a vendor's servers acting as attack vectors that facilitate data breaches.
1. Do you follow a server hardening protocol?
1 (a). If you answered Yes, provide an overview of the hardening process.
2. How do you ensure your servers are protected with the latest security patches?
3. Which operating systems are your servers running on?
- Unix (including Linux, Solaris, etc.)
4. Are servers housing sensitive data segmented and inaccessible to general access users?
5. How often is your list of privileged access users audited?
- Monthly
- Quarterly
- Bi-annually
- Annually
- Other (specify below)
6. Describe how your server backups are stored.
For example, on disks, removable drives, other servers, etc.
7. List all of the geographical locations of your servers (including backup servers).
8. How often are these backups tested?
- Monthly
- Quarterly
- Bi-annually
- Annually
- Other (specify below)
- Free Text Field
Email Security
These questions will help you understand the likelihood of a vendor being compromised through an email-based cyberattack.
1. Describe the security controls you have in place for defending against email-based attacks.
For example, phishing, email spoofing, etc.
2. Have you suffered any email-based attacks in the last 12 months?
2 (a). If you have, were any of these attacks successful?
If so, describe the impact of the attack.
3. Are your emails encrypted while in transit?
For example, using Transport Layer Security (TLS).
Client Workstation Security
This section will uncover the likelihood of endpoints acting as attack vectors and identify opportunities for security improvement.
1. How do you ensure client workstations and remote endpoints are hardened against cyber threats?
2. Does your Incident Response Plan address situations where remote endpoints are compromised?
3. Select the types of devices and information system components covered by malware protection.
- Mobile Devices
- Windows workstations
- Non-Windows workstations
4. Do any remote endpoints or workstations share passwords?
5. Do any workstations use default administrative passwords?
6. Do you have a media protection policy defending against malware introduced from external devices (such as USB drives and external hard drives)?
Data Management
This section evaluates the security of the vendor's data management strategy.
1. Do you use an active directory tool to track sensitive information across technology systems?
1 (a). If you answered Yes, does this active directory tool also track sensitive data shared with third-party services?
2. Do you have separate network segments for your own sensitive data and sensitive data belonging to your customers?
Asset Management
This section evaluates the strength of the vendor's asset management strategy, which could reveal overlooked attack surface areas vulnerable to compromise.
1. How do you ensure your IT asset inventory remains up to date?
2. Do you have an attack surface management program in place to protect IT assets from compromise?
2 (a). If you answered Yes, how do you track the functionality and efficacy of your ASM program?
3. Do you regularly keep stakeholders informed of your attack surface management efforts?
4. How do you ensure system and information integrity is maintained across your IT assets when a cyber threat breaches your network?
For an overview of how an Attack Surface Management strategy could reduce your risk of suffering a data breach, watch this video.
Streamline NIST 800-53 Questionnaire Management with UpGuard
The UpGuard platform includes a customizable questionnaire mapped to NIST Special Publication 800-53 and many other popular regulations and standards.
Watch this video to learn how UpGuard tracks alignment with the National Institute of Standards and Technology cybersecurity framework, a feature that will ease the effort of NIST 800-53 compliance.