| | Yes | No | N/A |
|---|---|---|---|
| 1. Does the provider include a minimum bandwidth available for your site? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;a. Are support response times included? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;b. Does the provider perform monitoring (uptime, response time, etc.) of the hosted site(s)? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1. Are the monitoring reports available to you upon request? | | | |
| 2. Does the provider have any of the following third-party security reviews performed on their systems? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;a. Due diligence overview report detailing internal processes and controls | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;b. SSAE 18 audit report for the data center | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;c. External vulnerability or penetration testing | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;d. External penetration testing | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;e. Website snapshot service to provide a daily historical audit trail of website content | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;f. Other types of testing | | | |
| 3. Does your hosting agreement include a right to perform vulnerability scanning of the external network? | | | |
| 4. Does the provider have 24/7 support available to you? | | | |
| 5. Does the provider offer an annual due diligence package that addresses security & control policies? | | | |
| 6. Does the provider have policies and procedures that adequately address: | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;a. Incident reporting requirements and procedures | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;b. Business continuity planning and disaster recovery | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;c. Software and hardware patches/updates | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;d. Controls over remote access and remote administration | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;e. Logging, auditing and change control processes | | | |
| 7. Service Continuity | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;a. Does the provider have at least two data center sites capable of hosting your website or applications? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;b. Does the provider have redundant Internet access via more than one vendor? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;c. Does the provider offer any automatic failover capabilities to alternate hosting sites? | | | |
| 8. Physical Security | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;a. Is all equipment behind locked doors with limited and controlled access? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;b. Is all provider equipment protected by an alternate power source (generator)? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;c. Are adequate environmental controls in place? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;d. Is fire suppression equipment adequate? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;e. Are there cameras, alarms, etc. in place to monitor physical access? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;f. Are backups routinely performed and then stored at an off-site location? | | | |
| 9. Logical Access Controls | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;a. Does the provider offer perimeter firewall protection options for your website? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;b. Does the provider offer intrusion prevention system services for your website? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;c. Does the provider offer file modification alerting services to notify you when website files are changed? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;d. Does the provider offer anti-virus scanning services for your website? | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;e. Are password change and complexity requirements used? | | | |