2012-12-01

Type: Vendor Assessment

Short Name

Question / Description

Answer / Value

Name

Enter the name

TPA: Project Name

Whirlpool project name requesting third party or service provider connection

*

TPA: Project Owner

Whirlpool project owner requesting third party or service provider connection

*

TPA: Business Area

Whirlpool business area or process supported by the third party or service provider

*

TPA: Service Provider Name

Service provider company name

*

TPA: Service Provider Contact

Service provider or third party contact

*

TPA: Target Implementation Date

Target implementation date

*

TPA: CISO

Vendor Chief Information Security Officer (CISO) or equivalent

*

TPA: User Directory

Choose the user directory used to manage security and provisioning of access on your internal network

*

TPA: OS and database

List the operating system and database used to manage Whirlpool data

Select any number

*

Mainframe

Unix

AS400

Windows

Oracle

DB2/UDB

MS SQL

Other

TPA: Datacenter location

List the location of the datacenter that hosts Whirlpool data

*

Short Name

Question / Description

Answer / Value

Comments

WVA: Organizational Security and Privacy 1

Has a complete and current Information Security policy been established?

Yes

*

WVA: Organizational Security and Privacy 2

Are retention and destruction requirements documented and followed for different classifications of data?

Yes

*

WVA: Organizational Security and Privacy 3

Are documented guidelines followed to review relevant laws and regulations, including but not limited to privacy protection, international privacy law, or data security, and their impact on the organization's IS controls?

Yes

*

WVA: Organizational Security and Privacy 4

Have documented incident management procedures been established to ensure a timely, effective and orderly response to security incidents including coordination with key partners and customers?

Yes

*

WVA: Organizational Security and Privacy 5

Are documented policies followed for enforcing segregation of duties?

Yes

*

What types of audits are performed?

2

WVA: Organizational Security and Privacy 6

Are audits performed to ensure compliance of systems with organizational security policies and standards?

Yes, external audits are performed on a periodic basis.

*

SAS-70 , SOX Audit

WVA: Organizational Security and Privacy 7

How often are documented audits/reviews performed of Third Party’s security controls for compliance with service and delivery levels in the agreement?

Semi-annually

*

WVA: Employment Security 1

Do employees sign a confidentiality (non-disclosure) agreement as part of the initial terms and conditions of employment?

Yes

*

WVA: Employment Security 2

Are verification (background) investigations conducted on applicants for permanent employment, including third party contractors, vendors, and consultants?

Yes, for all applicants, and it is required by contract for any third party vendors

*

WVA: Employment Security 3

Are documented guidelines followed for providing security awareness training (SAT) to all personnel?

Yes, training is required at least annually

*

WVA: Business Continuity 1

Are controls in place to ensure that back-ups of business information are completed on a regular basis?

Yes, full back-ups are performed weekly

*

WVA: Business Continuity 2

Are controls in place to ensure that backed-up information, records of the back-up copies, and documented restore procedures are stored in a remote location?

Yes, back-ups are retained off-site at a distance greater than 15 miles

*

WVA: Business Continuity 3

Do policies and procedures exist to ensure that controls applied to media at the main site are extended to the back-up site?

Yes, the controls in place are greater than at the main site

*

WVA: Physical Security 1

Have controls been established to ensure that physical access to areas with confidential information and information systems is controlled and restricted to authorized persons only?

Yes, documented approval required with physical access controlled by an electronic card key

*

WVA: Physical Security 2

Are documented guidelines followed for granting access to visitors?

Yes, sign in and data center manager approval required

*

When are the audits performed?

2

WVA: Physical Security 3

How often are reviews of access rights to secure areas conducted?

Access rights are reviewed semi-annually

*

Every 6 months (December and July)

WVA: Physical Security 4

Are controls in place to address the possibility of damage from fire in secure areas?

Yes, fire detection with an automated fire suppression system in place

*

WVA: Physical Security 5

Have controls been established to ensure uninterruptible power supplies (UPS) are put in place to protect critical equipment from power failures?

Yes, equipment protected by UPS and generator back-up

*

WVA: Software Development 1

Are documented guidelines followed to separate development, test and production (operational) environments?

Yes

*

WVA: Software Development 2

Are all security requirements identified and justified during the requirements phase of projects?

Yes

*

WVA: Software Development 3

Are formal procedures and management responsibilities defined and documented to require satisfactory control of all changes to equipment, software or procedures including formal approval, recording, and communication of changes?

Yes

*

WVA: Software Development 4

Do documented guidelines require static code testing, vulnerability scanning, and web application scanning of applications before migration to production?

N/A

*

WVA: Software Development 5

Do technical compliance checks include static code tests, vulnerability scans, and web application scans for existing systems and applications?

Yes, all three types of testing are deployed at every release

*

WVA: Software Development 6

Have controls been established to protect the storing of confidential data on local devices?

Yes, local encryption required

*

WVA: Security Operations 1

How often are security logs reviewed?

Security logs contain user ID, failed log-ins, and other security events and are reviewed weekly

*

WVA: Security Operations 2

Are documented guidelines followed to ensure access controls of mobile devices (laptops, PDAs, etc.)?

Yes, encryption required

*

WVA: Security Operations 3

Have all critical systems with real-time clocks had their time set and synchronized with a common Network Time Protocol (NTP) service?

Yes

*

WVA: Security Operations 4

Are cryptographic systems and techniques used for storage of information that is considered confidential?

Yes, for all confidential data

*

WVA: Security Operations 5

Have controls been established to ensure the handling of compromised keys?

Yes, compromised key is revoked

*

WVA: Security Operations 6

How often are security or vulnerability patches applied?

Patches are applied more frequently than monthly

*

WVA: Security Operations 7

Have controls been established to ensure installation and regular update of anti-virus  software to protect computers on a precautionary or routine basis?

Yes, virus definitions are updated daily

*

WVA: Security Operations 8

Do the media handling procedures ensure the safe and secure storage of media containing confidential information?

Yes

*

WVA: Security Operations 9

Do the media handling procedures ensure the safe and secure disposal of electronic media containing confidential information?

Yes, media is disposed in a way that renders the data irretrievable

*

WVA: Security Operations 10

Do the media handling procedures ensure the safe and secure disposal of paper documents containing confidential information?

Yes, media is disposed in a way that renders the document irretrievable

*

WVA: Security Operations 11

Is access to modify job schedules limited to authorized personnel?

Yes

*

WVA: Security Operations 12

Have mechanisms been implemented to protect electronically published information (web sites, FTP, etc.)?

Yes, PGP or other enhanced encryption

*

WVA: Security Operations 13

Have mechanisms been implemented to protect information on media in transit between organizations (e.g. backup tapes)?

Yes, secure package handling controls

*

WVA: Security Operations 14

Are the domains with different security needs separated by secure gateways?

Yes, DMZs exist for internal and external networks

*

WVA: Security Operations 15

Are documented guidelines followed for the secure exchange of confidential information to prevent unauthorized disclosure and misuse?

Yes, documented and encryption is always required

*

WVA: Security Operations 16

Are documented guidelines followed to safeguard the confidentiality and integrity of data passing over wireless networks?

Yes, WEP encryption

*

WVA: Security Operations 17

Have mechanisms been implemented to protect confidential information contained in electronic mail (Email) between organizations?

Yes, SSL/TLS is required

*

WVA: Password Controls 1

Does the authentication method to gain access to the network utilize passwords?

Passwords are used

*

WVA: Password Controls 2

What is the minimum password length available to end-users?

Requires at least 6 characters

*

WVA: Password Controls 3

How often are end-users forced to change their passwords?

Quarterly

*

WVA: Password Controls 4

What are the minimum password complexity requirements being enforced for end-users?

Mixed case alphabetic, numeric, and special characters

*

WVA: Password Controls 5

Are end-users restricted from using previous passwords (password history)?

No password re-use restrictions

*

WVA: Password Controls 6

Are users forced to change their password during first login?

Users are forced to change passwords on first login

*

WVA: Password Controls 7

Are passwords hidden during authentication?

Password characters are masked

*

WVA: Password Controls 8

Is a complete & current mechanism in place to report & reset lost or compromised passwords?

Secure self service password reset mechanism

*

WVA: Infrastructure Access 1

When authentication fails, is the user informed of which portion of the authentication process failed?

Message indicates which portion of the authentication process failed

*

WVA: Infrastructure Access 2

Are authentication credentials securely communicated across the network?

Authentication credentials are securely encrypted using industry standards

*

WVA: Infrastructure Access 3

Are accounts locked after several failed login attempts?

Locked after 3 or more failed attempts

*

WVA: Infrastructure Access 4

How long before the system automatically re-enables the account after an account lock out?

Auto unlock after 30 minutes or more

*

WVA: Infrastructure Access 5

How often are accounts reviewed for deactivation (due to inactivity, termination, etc)?

Recurring, <= 6 months

*

WVA: Infrastructure Access 6

Have control requirements been established for requesting, establishing, and issuing user accounts?

Yes

*

WVA: Infrastructure Access 7

How often is a review of accounts and related privileges conducted?

Accounts with access to confidential data are reviewed at intervals of <= 6 months

*

WVA: Infrastructure Access 8

Are controls in place to ensure all user activities on IT systems are uniquely identifiable?

Yes, all user accounts have unique IDs and are not shared

*

WVA: Infrastructure Access 9

Are access rights immediately adjusted for users who have changed jobs?

Yes, as requested by management

*

WVA: Infrastructure Access 10

Is a documented termination procedure followed which includes the removal of access rights?

Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination.

*

WVA: Application Password Controls 1

Does the application that houses Whirlpool information conform to the exact access and password controls for your infrastructure?

Yes

*

WVA: Application Password Controls 2

Does the authentication method to gain access to the application utilize passwords?

Passwords are used

*

WVA: Application Password Controls 3

What is the minimum password length available to end-users?

Requires at least 6 characters

*

WVA: Application Password Controls 4

How often are end-users forced to change their passwords for the application?

Quarterly

*

WVA: Application Password Controls 5

What are the minimum application password complexity requirements being enforced for end-users?

Mixed case alphabetic, numeric, and special characters

*

WVA: Application Password Controls 6

Are end-users restricted from using previous application passwords (password history)?

No password re-use restrictions

*

WVA: Application Password Controls 7

Are users forced to change their application password during first login?

Users are forced to change passwords on first login

*

WVA: Application Password Controls 8

Are passwords hidden during authentication?

Password characters are masked

*

WVA: Application Password Controls 9

Is a complete & current mechanism in place to report & reset lost or compromised application passwords?

Secure self service password reset mechanism

*

WVA: Application Access Controls 1

When the application authentication fails, is the user informed of which portion of the authentication process failed?

Message indicates which portion of the authentication process failed

*

WVA: Application Access Controls 2

Are application authentication credentials securely communicated across the network?

Authentication credentials are securely encrypted using industry standards

*

WVA: Application Access Controls 3

Are application accounts locked after several failed login attempts?

Locked after 3 or more failed attempts

*

WVA: Application Access Controls 4

How long before the system automatically re-enables the application account after an account lock out?

No auto unlock, manual administrator unlock only

*

WVA: Application Access Controls 5

How often are application accounts reviewed for deactivation (due to inactivity, termination, etc)?

Recurring, <= 6 months

*

WVA: Application Access Controls 6

Have application control requirements been established for requesting, establishing, and issuing user accounts?

Yes

*

WVA: Application Access Controls 7

How often is a review of application accounts and related privileges conducted?

Accounts with access to confidential data are reviewed at intervals of <= 6 months

*

WVA: Application Access Controls 8

Are controls in place to ensure all user activities in the application are uniquely identifiable?

Yes, all user accounts have unique IDs and are not shared

*

WVA: Application Access Controls 9

Are application access rights immediately adjusted for users who have changed jobs?

Yes, as requested by management

*

WVA: Application Access Controls 10

Is a documented termination procedure followed which includes the removal of application access rights?

Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination.

*

WVA: Vendor Portal Access and Password Control 1

Do you provide access to a web based portal?

Yes

*

Does it conform with the infrastructure or application password controls?

2

WVA: Vendor Portal Access and Password Control 2

Does the web portal access and password controls conform to either the infrastructure or application password and access controls?

Yes

*

Yes

WVA: Vendor Portal Access and Password Control 3

Does the authentication method to gain access to the portal utilize passwords?

Passwords are used

*

WVA: Vendor Portal Access and Password Control 4

What is the minimum password length available to end-users?

Requires at least 6 characters

*

WVA: Vendor Portal Access and Password Control 5

How often are end-users forced to change their passwords for the portal?

Quarterly

*

WVA: Vendor Portal Access and Password Control 6

What are the minimum portal password complexity requirements being enforced for end-users?

Mixed case alphabetic, numeric, and special characters

*

WVA: Vendor Portal Access and Password Control 7

Are end-users restricted from using previous portal passwords (password history)?

No password re-use restrictions

*

WVA: Vendor Portal Access and Password Control 8

Are users forced to change their portal password during first login?

Users are forced to change passwords on first login

*

WVA: Vendor Portal Access and Password Control 9

Are passwords hidden during authentication?

Password characters are masked

*

WVA: Vendor Portal Access and Password Control 10

Is a complete & current mechanism in place to report & reset lost or compromised portal passwords?

Secure self service password reset mechanism

*

WVA: Vendor Portal Access and Password Control 11

When the portal authentication fails, is the user informed of which portion of the authentication process failed?

Message indicates which portion of the authentication process failed

*

WVA: Vendor Portal Access and Password Control 12

Are portal authentication credentials securely communicated across the network?

Authentication credentials are securely encrypted using industry standards

*

WVA: Vendor Portal Access and Password Control 13

Are portal accounts locked after several failed login attempts?

Locked after 3 or more failed attempts

*

WVA: Vendor Portal Access and Password Control 14

How long before the system automatically re-enables the portal account after an account lock out?

Auto unlock after 30 minutes or more

*

WVA: Vendor Portal Access and Password Control 15

How often are portal accounts reviewed for deactivation (due to inactivity, termination, etc)?

Recurring, <= 6 months

*

WVA: Vendor Portal Access and Password Control 16

Have portal control requirements been established for requesting, establishing, and issuing user accounts?

Yes

*

WVA: Vendor Portal Access and Password Control 17

How often is a review of portal accounts and related privileges conducted?

Accounts with access to confidential data are reviewed at intervals of <= 6 months

*

WVA: Vendor Portal Access and Password Control 18

Are controls in place to ensure all user activities in the portal are uniquely identifiable?

Yes, all user accounts have unique IDs and are not shared

*

WVA: Vendor Portal Access and Password Control 19

Are portal access rights immediately adjusted for users who have changed jobs?

Yes, as requested by management

*

WVA: Vendor Portal Access and Password Control 20

Is a documented termination procedure followed which includes the removal of portal access rights?

Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination.

*

Short Name

Question / Description

Answer / Value

Vendor Access to Whirlpool Data Types

What type of Whirlpool data does the vendor have access to?

Select at least 1

*

Employee Compensation

Country Specific Personal ID (e.g. social security number[US], social insurance number[Canada])

Employee Health Information

Employee Criminal Information

Employee Contact Information

Employee Benefits Information

Employee Performance/Talent Ratings

Employee Emergency Contact Information

Employee Demographic Information

Credit Card Information

X

Consumer Contact Information

Customer Service Center Call History

Prospective Customer Information

Consumer Demographic Information

Pre-release Financial Information

Business Development Information

Board and Executive Committee Materials

Restructuring Information

Corporate Strategy

Regional Trade Sensitive Information

Aggregate Corporate Forecast and Planning Information

Historical Earnings Information

Capital Plan and Spend Information

Treasury Information

Tax Information

Internal Audit Information

Supply Chain Cost Information

IS Security Incident Information

IS Vulnerability Information

Application Code and Documentation

System Performance Information

Detailed System Information

Vendor Access to Whirlpool Data

What type of access does the vendor have to Whirlpool data?

Select at least 1

*

X

Systemic

Adhoc or Limited

Read Only Access

Whirlpool Corporation    Page 1 of 1    Confidential
