Download Blank Third Party Assessment
Type : Vendor Assessment
Short Name
Question / Description
Answer / Value
Name
Enter the name
TPA: Project Name
Whirlpool project name requesting third party or service provider connection
*
TPA: Project Owner
Whirlpool project owner requesting third party or service provider connection
*
TPA: Business Area
Whirlpool business area or process supported by the third party or service provider
*
TPA: Service Provider Name
Service provider company name
*
TPA: Service Provider Contact
Service provider or third party contact
*
TPA: Target Implementation Date
Target implementation date
*
TPA: CISO
Vendor Chief Information Security Officer (CISO) or equivalent
*
TPA: User Directory
Choose the user directory used to manage security and provisioning of access on your internal network
*
TPA: OS and database
List the operating system and database used to manage Whirlpool data
Select any number
*
Mainframe
Unix
AS400
Windows
Oracle
DB2/UDB
MS SQL
Other
TPA: Datacenter location
List the location of the datacenter that hosts Whirlpool data
*
Short Name
Question / Description
Answer / Value
Comments
WVA: Organizational Security and Privacy 1
Has a complete and current Information Security policy been established?
Yes
*
WVA: Organizational Security and Privacy 2
Are retention and destruction requirements documented and followed for different classifications of data?
Yes
*
WVA: Organizational Security and Privacy 3
Are documented guidelines followed to review relevant laws and regulations; including but not limited to, privacy protection, international privacy law, or data security and their impact to the organizations IS controls?
Yes
*
WVA: Organizational Security and Privacy 4
Have documented incident management procedures been established to ensure a timely, effective and orderly response to security incidents including coordination with key partners and customers?
Yes
*
WVA: Organizational Security and Privacy 5
Are documented policies followed for enforcing segregation of duties?
Yes
*
What types of audits are performed?
2
WVA: Organizational Security and Privacy 6
Are audits performed to ensure compliance of systems with organizational security policies and standards?
Yes, external audits are performed on a periodic basis.
*
SAS-70 , SOX Audit
WVA: Organizational Security and Privacy 7
How often are documented audits/reviews performed of Third Party’s security controls for compliance with service and delivery levels in the agreement?
Semi-annually
*
WVA: Employment Security 1
Do employees sign a confidentiality (non-disclosure) agreement as part of the initial terms and conditions of employment?
Yes
*
WVA: Employment Security 2
Are verification (background) investigations conducted on applicants for permanent employment, including third party contractors, vendors, and consultants?
Yes for all applicants and is required by contract by any third party vendors
*
WVA: Employment Security 3
Are documented guidelines followed for providing security awareness training (SAT) to all personnel?
Yes, training is required at least annually
*
WVA: Business Continuity 1
Are controls in place to ensure that back-ups of business information are completed on a regular basis?
Yes, full back-ups are performed weekly
*
WVA: Business Continuity 2
Are controls in place to ensure that backed-up information, records of the back-up copies, and documented restore procedures be stored in a remote location?
Yes, back-up are retained off-site at a distance greater than 15 miles
*
WVA: Business Continuity 3
Do policies and procedures exists in to ensure that controls applied to media at the main site are extended to the back-up site?
Yes, controls are in place are greater than the main site
*
WVA: Physical Security 1
Have controls been established to ensure that physical access to areas with confidential information, and information systems be controlled and restricted to authorized persons only?
Yes, documented approval required with physical access controlled by an electronic card key
*
WVA: Physical Security 2
Are documented guidelines followed for granting access to visitors?
Yes, sign in and data center manager approval required
*
When are the audits performed?
2
WVA: Physical Security 3
How often are reviews of access rights to secure areas are conducted?
Access rights are reviewed semi-annually
*
After Every 6 month(dec and july)
WVA: Physical Security 4
Are controls in place to address the possibility of damage from fire in secure areas?
Yes, fire detection in place with automated fire suppression system in place
*
WVA: Physical Security 5
Have controls been established to ensure uninterruptible power supplies (UPS) are put in place to protect critical equipment from power failures?
Yes, equipment protected by UPS and generator back-up
*
WVA: Software Development 1
Are documented guidelines followed to separate development, test and production (operational) environments?
Yes
*
WVA: Software Development 2
Are all security requirements identified and justified during the requirements phase of projects?
Yes
*
WVA: Software Development 3
Are formal procedures and management responsibilities defined and documented to require satisfactory control of all changes to equipment, software or procedures including formal approval, recording, and communication of changes?
Yes
*
WVA: Software Development 4
Do documented guidelines require static code testing, vulnerability scanning, and web application scanning of applications before migration to production
N/A
*
WVA: Software Development 5
Do technical compliance checks include static code tests, vulnerability scans, and web application scans for existing systems and applications?
Yes, all three types of testing are deployed at every release
*
WVA: Software Development 6
Have controls been established to protect the storing of confidential data on local devices ?
Yes, local encryption required
*
WVA: Security Operations 1
How often are security logs reviewed?
Security logs contain user ID, failed log-ins, and other security events and are reviewed weekly
*
WVA: Security Operations 2
Are documented guidelines followed to ensure access controls of mobile devices (Laptops, PDA’s Etc.) ?
Yes, encryption required
*
WVA: Security Operations 3
Have all critical systems with real-time clocks had their time set and synchronized with a common Network Time Protocol (NTP) service?
Yes
*
WVA: Security Operations 4
Are cryptographic systems and techniques used for storage of information that is considered confidential?
Yes, for all confidential data
*
WVA: Security Operations 5
Have controls been established to ensure the handling of compromised keys?
Yes, compromised key is revoked
*
WVA: Security Operations 6
How often are security or vulnerability patches applied?
Patches are applied more frequently than monthly
*
WVA: Security Operations 7
Have controls been established to ensure installation and regular update of anti-virus software to protect computers on a precautionary or routine basis?
Yes, virus definitions are updated daily
*
WVA: Security Operations 8
Do the media handling procedures ensure the safe and secure storage of media containing confidential information?
Yes
*
WVA: Security Operations 9
Do the media handling procedures ensure the safe and secure disposal of electronic media containing confidential information?
Yes, media is disposed in a way that renders the data irretrievable
*
WVA: Security Operations 10
Do the media handling procedures ensure the safe and secure disposal of paper documents containing confidential information?
Yes, media is disposed in a way that renders the document irretrievable
*
WVA: Security Operations 11
Is access to the modify job schedules limited to authorized personnel?
Yes
*
WVA: Security Operations 12
Have mechanisms been implemented to protect electronically published information (web sites, ftp, etc)?
Yes, PGP or other enhanced encryption
*
WVA: Security Operations 13
Have mechanisms been implemented to protect information on media in transit between organizations (i.e. backup tapes)?
Yes, secure package handling controls
*
WVA: Security Operations 14
Are the domains with different security needs separated by secure gateways?
Yes, DMZ’s exist for internal and external network
*
WVA: Security Operations 15
Are documented guidelines followed for the secure exchange of confidential information to prevent the unauthorized disclosure and misuse?
Yes, documented and encryption is always required
*
WVA: Security Operations 16
Are documented guidelines followed to safeguard the confidentiality and integrity of data passing over wireless networks?
Yes, WEP encryption
*
WVA: Security Operations 17
Have mechanisms been implemented to protect confidential information contained in electronic mail (Email) between organizations?
Yes, SSL/TLS is required
*
WVA: Password Controls 1
Does the authentication method to gain access to the network utilize passwords?
Passwords are used
*
WVA: Password Controls 2
What is the minimum password length available to end-users?
Requires at least 6 characters
*
WVA: Password Controls 3
How often are end-users forced to change their passwords?
Quarterly
*
WVA: Password Controls 4
What are the minimum password complexity requirements being enforced for end-users?
Mixed case alphabetic, numeric, and plus special characters
*
WVA: Password Controls 5
Are end-users restricted from using previous passwords (password history)?
No password re-use restrictions
*
WVA: Password Controls 6
Are users forced to change their password during first login?
Users are forced to change passwords on first login
*
WVA: Password Controls 7
Are passwords hidden during authentication?
Passwords characters are masked
*
WVA: Password Controls 8
Is a complete & current mechanism in place to report & reset lost or compromised passwords?
Secure self service password reset mechanism
*
WVA: Infrastructure Access 1
When authentication fails, is the user informed of which portion of the authentication process failed?
Message indicates which portion of the authentication process failed
*
WVA: Infrastructure Access 2
Are authentication credentials securely communicated across the network?
Authentication credentials are securely encrypted using industry standards
*
WVA: Infrastructure Access 3
Are accounts locked after several failed login attempts?
Locked after 3 or more failed attempts
*
WVA: Infrastructure Access 4
How long before the system automatically re-enables the account after an account lock out?
Auto unlock after 30 minutes or more
*
WVA: Infrastructure Access 5
How often are accounts reviewed for deactivation (due to inactivity, termination, etc)?
Recurring =<6 months
*
WVA: Infrastructure Access 6
Have control requirements been established for requesting, establishing, and issuing user accounts?
Yes
*
WVA: Infrastructure Access 7
How often is a review of accounts and related privileges conducted?
Accounts with access to confidential data are reviewed =<6 months
*
WVA: Infrastructure Access 8
Are controls in place to ensure all user activities on IT systems are uniquely identifiable?
Yes, all user accounts have unique IDs and are not shared
*
WVA: Infrastructure Access 9
Are access rights immediately adjusted for users who have changed jobs?
Yes, as requested by management
*
WVA: Infrastructure Access 10
Is a documented termination procedure followed which includes the removal of access rights?
Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination.
*
WVA: Application Password Controls 1
Does the application that houses Whirlpool information conform to the exact access and password controls for your infrastructure?
Yes
*
WVA: Application Password Controls 2
Does the authentication method to gain access to the application utilize passwords?
Passwords are used
*
WVA: Application Password Controls 3
What is the minimum password length available to end-users?
Requires at least 6 characters
*
WVA: Application Password Controls 4
How often are end-users forced to change their passwords for the application?
Quarterly
*
WVA: Application Password Controls 5
What are the minimum application password complexity requirements being enforced for end-users?
Mixed case alphabetic, numeric, and plus special characters
*
WVA: Application Password Controls 6
Are end-users restricted from using previous application passwords (password history)?
No password re-use restrictions
*
WVA: Application Password Controls 7
Are users forced to change their application password during first login?
Users are forced to change passwords on first login
*
WVA: Application Password Controls 8
Are passwords hidden during authentication?
Passwords characters are masked
*
WVA: Application Password Controls 9
Is a complete & current mechanism in place to report & reset lost or compromised application passwords?
Secure self service password reset mechanism
*
WVA: Application Access Controls 1
When the application authentication fails, is the user informed of which portion of the authentication process failed?
Message indicates which portion of the authentication process failed
*
WVA: Application Access Controls 2
Are application authentication credentials securely communicated across the network?
Authentication credentials are securely encrypted using industry standards
*
WVA: Application Access Controls 3
Are application accounts locked after several failed login attempts?
Locked after 3 or more failed attempts
*
WVA: Application Access Controls 4
How long before the system automatically re-enables the application account after an account lock out?
No auto unlock, manual administrator unlock only
*
WVA: Application Access Controls 5
How often are application accounts reviewed for deactivation (due to inactivity, termination, etc)?
Recurring =<6 months
*
WVA: Application Access Controls 6
Have application control requirements been established for requesting, establishing, and issuing user accounts?
Yes
*
WVA: Application Access Controls 7
How often is a review of application accounts and related privileges conducted?
Accounts with access to confidential data are reviewed =<6 months
*
WVA: Application Access Controls 8
Are controls in place to ensure all user activities in the application are uniquely identifiable?
Yes, all user accounts have unique IDs and are not shared
*
WVA: Application Access Controls 9
Are application access rights immediately adjusted for users who have changed jobs?
Yes, as requested by management
*
WVA: Application Access Controls 10
Is a documented termination procedure followed which includes the removal of application access rights?
Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination.
*
WVA: Vendor Portal Access and Password Control 1
Do you provide access to a web based portal?
Yes
*
Does is conform with Infrastructure or Application password controls?
2
WVA: Vendor Portal Access and Password Control 2
Does the web portal access and password controls conform to either the infrastructure or application password and access controls?
Yes
*
Yes
WVA: Vendor Portal Access and Password Control 3
Does the authentication method to gain access to the portal utilize passwords?
Passwords are used
*
WVA: Vendor Portal Access and Password Control 4
What is the minimum password length available to end-users?
Requires at least 6 characters
*
WVA: Vendor Portal Access and Password Control 5
How often are end-users forced to change their passwords for the portal ?
Quarterly
*
WVA: Vendor Portal Access and Password Control 6
What are the minimum portal password complexity requirements being enforced for end-users?
Mixed case alphabetic, numeric, and plus special characters
*
WVA: Vendor Portal Access and Password Control 7
Are end-users restricted from using previous portal passwords (password history)?
No password re-use restrictions
*
WVA: Vendor Portal Access and Password Control 8
Are users forced to change their portal password during first login?
Users are forced to change passwords on first login
*
WVA: Vendor Portal Access and Password Control 9
Are passwords hidden during authentication?
Passwords characters are masked
*
WVA: Vendor Portal Access and Password Control 10
Is a complete & current mechanism in place to report & reset lost or compromised portal passwords?
Secure self service password reset mechanism
*
WVA: Vendor Portal Access and Password Control 11
When the portal authentication fails, is the user informed of which portion of the authentication process failed?
Message indicates which portion of the authentication process failed
*
WVA: Vendor Portal Access and Password Control 12
Are portal authentication credentials securely communicated across the network?
Authentication credentials are securely encrypted using industry standards
*
WVA: Vendor Portal Access and Password Control 13
Are portal accounts locked after several failed login attempts?
Locked after 3 or more failed attempts
*
WVA: Vendor Portal Access and Password Control 14
How long before the system automatically re-enables the portal account after an account lock out?
Auto unlock after 30 minutes or more
*
WVA: Vendor Portal Access and Password Control 15
How often are portal accounts reviewed for deactivation (due to inactivity, termination, etc)?
Recurring =<6 months
*
WVA: Vendor Portal Access and Password Control 16
Have portal control requirements been established for requesting, establishing, and issuing user accounts?
Yes
*
WVA: Vendor Portal Access and Password Control 17
How often is a review of portal accounts and related privileges conducted?
Accounts with access to confidential data are reviewed =<6 months
*
WVA: Vendor Portal Access and Password Control 18
Are controls in place to ensure all user activities in the portal are uniquely identifiable?
Yes, all user accounts have unique IDs and are not shared
*
WVA: Vendor Portal Access and Password Control 19
Are portal access rights immediately adjusted for users who have changed jobs?
Yes, as requested by management
*
WVA: Vendor Portal Access and Password Control 20
Is a documented termination procedure followed which includes the removal of portal access rights?
Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination.
*
Short Name
Question / Description
Answer / Value
Vendor Access to Whirlpool Data Types
What type of Whirlpool data does the vendor have access to?
Select at least 1
*
Employee Compensation
Country Specific Personal ID (e.g. social security number[US], social insurance number[Canada])
Employee Health Information
Employee Criminal Information
Employee Contact Information
Employee Benefits Information
Employee Performance/Talent Ratings
Employee Emergency Contact Information
Employee Demographic Information
Credit Card Information
X
Consumer Contact Information
Customer Service Center Call History
Prospective Customer Information
Consumer Demographic Information
Pre-release Financial Information
Business Development Information
Board and Executive Committee Materials
Restructuring Information
Corporate Strategy
Regional Trade Sensitive Information
Aggregate Corporate Forecast and Planning Information
Historical Earnings Information
Capital Plan and Spend Information
Treasury Information
Tax Information
Internal Audit Information
Supply Chain Cost Information
IS Security Incident Information
IS Vulnerability Information
Application Code and Documentation
System Performance Information
Detailed System Information
Vendor Access to Whirlpool Data
What type of access does the vendor have to Whirlpool data?
Select at least 1
*
X
Systemic
Adhoc or Limited
Read Only Access
Whirlpool Corporation Page 1 of 1 Confidential
No, back-up copies are stored onsite
</