
WMG Vendor Security Questionnaire (VSQ)

Note: Your privacy is very important to us. To better serve you, the form information you enter is recorded in real time.

As part of the Warner Music Group's (WMG) Global Risk Management Policy, all vendors to WMG are required to complete the Vendor Security Questionnaire (VSQ), regardless of the services being provided. WMG staff are not permitted to complete this form on behalf of any vendor.

Based on the answers to the Yes/No pre-assessment questions, the vendor VSQ questions will be customized for the services to be provided. This VSQ must be submitted by the vendor prior to the commencement of any engagement with WMG.

Should you have any questions please contact WMG Global Technology, Cyber Security Division at vendorsecurity@wmg.com or Phone: +1 (212) 275-1200.



WMG VSQ Pre-Assessment Questions

Key Definitions:

CONTENT: Any artistic work, whether printed, audio or visual, which is intended for an end user or audience. This includes pre-release (pre-air) content, whether owned and/or licensed.

PERSONALLY IDENTIFIABLE INFORMATION (PII):  Refers to any attributes of WMG employees, vendors, customers or end users that can be used to identify them.  This includes (but is not limited to) social security numbers, personal email addresses, names, mailing addresses, phone numbers.

SOFTWARE AS A SERVICE (SaaS): Software that is licensed on a subscription basis AND is centrally hosted; usually accessed by users via a web browser.

PLATFORM AS A SERVICE (PaaS): Cloud platform services, or Platform as a Service (PaaS), provide cloud components to certain software while being used mainly for applications. PaaS delivers a framework that developers can build upon and use to create customized applications.

INFRASTRUCTURE AS A SERVICE (IaaS):  Cloud infrastructure services, known as Infrastructure as a Service (IaaS), are made of highly scalable and automated compute resources.  IaaS is fully self-service for accessing and monitoring things like computers, networking, storage, and other services, and it allows businesses to purchase resources on-demand and as-needed instead of having to buy hardware outright.

Have you (Vendor) provided service(s) to WMG previously? *
Will the vendor be creating, viewing, collecting or processing any of WMG's pre-release content? *
Will the vendor be viewing, collecting, or processing any Personally Identifiable Information (PII)? *
Will the vendor be providing any 'Software as a Service' (SaaS) services? *
Will the vendor be providing any 'Platform as a Service' (PaaS) services? *
Will the vendor be providing any 'Infrastructure as a Service' (IaaS) services? *
Will the vendor be creating, editing, collecting, or providing any development services? *
Will the vendor be providing any administration services including deployment, maintenance, configuration, monitoring, backing up, or storing of data for any WMG related system(s), infrastructure, or data? *

WMG Vendor Security Questionnaire (VSQ)

Instructions:

* WMG staff should not complete this form on behalf of the vendor.

* The form is broken down into nine (9) sections in total.

* All nine sections are to be completed.

* All questions need to be completed.


Form Sections:

0.0   Vendor Details
1.0   Program Governance
2.0   Policies, Standards, Procedures
3.0   Facilities and Asset Management
4.0   Network Operations and Application Controls
5.0   Asset Encryption
6.0   Incident Response
7.0   Business Continuity & Disaster Recovery
8.0   Infrastructure



IMPORTANT - Don't Lose Your Data Entered

To ensure you do not lose the data entered into the form, you must follow these instructions before exiting the form each time:

  •   The form is broken down into nine (9) sections in total.
  •   There is only ONE SUBMISSION for the entire form (all 9 sections), after the signature page at the end of the form.
  •   To submit your form you must select the button marked FINAL SUBMISSION.
  •   You MUST select the "Save and Resume Later" link at the bottom of the page before you exit the form, every time, until you make your final submission.
  •   It is very important that you do not lose the email the system will send you, as the link cannot be regenerated.
  •   If you fail to select the "Save and Resume Later" link you will lose the data entered and will need to re-enter it.


Acknowledgement*

Vendor Contact Details

Name of Person Completing Form *
Alternate Contact Person

Company Profile

Publicly or Privately Held Company
Type of legal entity
Are there any material claims or judgments against the company?

Scope

Are you SOC 1 Compliant?
SOC 1 is an attestation report (under SSAE 18) on a service organization's controls that are relevant to its clients' financial reporting.
Are you SOC 2 Compliant?
SOC 2 is an attestation report on a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy (the AICPA Trust Services Criteria). A Type II report covers operating effectiveness over a review period, not only control design at a point in time.
Are you ISO27001 Compliant?
ISO 27001 (formally ISO/IEC 27001, most recently revised in 2022) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
Are servers and data hosted on-premises, in the cloud, or hybrid?
Any additional locations where Assets are stored
Address of additional location

Section 1.0 - Corporate / Program Governance

1.1 Governance Model & Structure

1.1.1 Does a security policy document exist which is approved by management, published and communicated to all employees?
1.1.2 Does executive management / owner(s) have oversight of the Information Security function?
1.1.3 Are periodic updates of the information security program and risk assessment results required?
1.1.4 Has executive management been trained to support and promote the business' responsibilities to protect content?
1.1.5 Do you have a Chief Security Officer?

1.2 Defined Objectives

1.2.1 Is there a documented risk assessment program that has been approved by management, communicated to appropriate constituents and has an owner to maintain and review the program?
1.2.2 Have you developed, and do you regularly update, a security awareness program that trains company personnel and third party workers upon hire and annually thereafter, addressing the following areas at a minimum:
  Yes No Unknown
IT security policies and procedures
Content/asset security and handling
Security incident reporting and escalation
Disciplinary measures
1.2.3 Is there a documented asset management policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
1.2.4 Do your established policies and procedures regarding asset and content security address the following topics, at a minimum:
  Yes No Unknown
1.2.4.1 - Human resources policies
1.2.4.2 - Acceptable use (e.g., Internet, phone, etc.)
1.2.4.3 - Asset classification
1.2.4.4 - Asset handling policies
1.2.4.5 - Digital recording devices (e.g., smart phones, camcorders, etc.)
1.2.4.6 - Exception policy
1.2.4.7 - Password controls (e.g., minimum length, screensavers)
1.2.4.8 - Prohibition of client asset removal from the facility
1.2.4.9 - System change management
1.2.4.10 - Whistleblower policy

1.3 Established Risk

1.3.1 Do you have a formal security risk assessment process focused on content workflows and sensitive assets that identifies and prioritizes risks of content theft and leakage that are relevant to the facility?
1.3.2 Are security risk assessments performed annually?
1.3.3 Do you have defined risk monitoring practices and an established escalation process for exception conditions?

1.4 Third Party Risk Oversight

1.4.1 Are security risks with third party contractors working onsite identified and appropriate controls implemented?
1.4.2 Are security requirements addressed in the contracts with the third party and the risk assessment updated when key workflows change?

1.5 Service Delivery Life Cycle (SDLC)

1.5.1 Do you follow a standard SDLC process?
Plan, Design, Build, Test, and Deploy
1.5.2 Are the deliverables listed below completed during the Planning Phase?
Resource Plan, Project Plan (High Level), Scope Matrix
1.5.3 Are the deliverables listed below completed during the Design Phase?
Kickoff Deck/Project Charter, Complete Project Plan, Product Requirements document, Business Rules, Wireframes, Acceptance Criteria, Technical Requirements, BC/DR Requirements, QA Plan, Security Requirements, UAT Plan
1.5.4 Are the deliverables listed below completed during the Build Phase?
Systems Build Configuration, Code (unit tested), QA Test Scripts, QA Exit Criteria, App/Dev/Sys Hardening Period
1.5.5 Are the deliverables listed below completed during the Test Phase?
Hypercare Plan, Run Book, Deployment Plan, BC/DR Testing, QA Signoff, Security Scans, Vulnerability Management, UAT Signoff

Section 2.0 Policies Standards Procedures

2.1 Risk Management Policy

2.1.1 Is high-security content identified as per client instructions?
2.1.2 Does your organization have a mitigation strategy for identified potential risks?
2.1.3 Does your organization research and review pertinent regulatory updates and/or common industry standards to ensure the program is meeting guidelines applicable to your organization?
2.1.4 Are identified risks documented and acted upon?
2.1.5 Does your organization obtain senior management approval of policy and risk levels?

2.2 Security Standards

2.2.1 Are established security standards in place for system configurations (e.g., laptops, desktops, servers)?
2.2.2 Are network infrastructure devices "hardened" based on security configuration standards?

2.3 Privacy

2.3.1 Is there a documented privacy policy or procedures to protect confidential information provided to service provider by client?
2.3.2 Are there appropriate contractual controls to ensure that personal information shared with other third parties is limited to defined parameters for access, use and disclosure?
2.3.3 Are there documented policies, procedures, and controls to limit access based on need to know or minimum necessary for your employees, agents, contractors (or others, as applicable)?

2.4 Management Procedures

2.4.1 Are background screening checks performed on all company personnel and third party workers?
2.4.2 Are security policies and procedures reviewed and updated annually?
2.4.3 Are employee roles and responsibilities for content and asset protection formally defined?
2.4.4 Is sign-off required by all company personnel (e.g., employees, temporary workers, interns) and third party workers (e.g., contractors, freelancers, temp agencies) on all security policies, procedures, and/or client requirements?
2.4.5 Are all company personnel and third party workers required to sign a confidentiality agreement (e.g., non-disclosure) upon hire and annually thereafter, that includes requirements for handling and protecting content?
2.4.5.1 Are all company personnel and third party workers required to return all content and client information in their possession upon termination of their employment or contract?
2.4.6 Do security policy updates require review and sign-off by all company personnel?

Section 3.0 Facility & Asset Management

3.1 Facilities Access and Control

3.1.1 Are all entry/exit points locked at all times?
3.1.2 Do you control access to production areas by segregating the content/production area from other facility areas (e.g., administrative offices)?
3.1.3 Are rooms used for production (e.g., ingest stations, MAM Administration workstations, etc.) access-controlled?
3.1.4 Are there security controls for third parties and for staff working in secure areas?
3.1.5 Are visitors required to be escorted by authorized employees while on-site, or in content/production areas?
3.1.6 Have you implemented a documented process to manage facility access and keep records of any changes to access rights?
3.1.7 Does the facility have a segregated access-controlled area beyond reception?
3.1.8 Is an identification badge or sticker, which must be visible at all times, assigned to each visitor, and are badges collected upon exit?
3.1.10 Do you provide company personnel and long-term third party workers (e.g., janitorial) with photo identification that is validated and required to be visible at all times?
3.1.11 Have you installed a centralized, audible alarm system that covers all entry/exit points (including emergency exits), loading docks, fire escapes, and restricted areas (e.g., vault, server/machine room)?
3.1.12 Are alarms configured to provide escalation notifications directly to:
- Personnel in charge of security
- A central security group that monitors them
- A remotely located third party
3.1.13 Have you implemented a documented process to manage facility access and keep records of any changes to access rights?
3.1.14 Is electronic key card access implemented throughout the facility to cover all entry/exit points and all areas where content is stored, transmitted, or processed?
3.1.15 Is electronic key card access to critical infrastructure for system administration restricted to appropriate personnel?
3.1.16 Have you limited the distribution of master keys to authorized personnel only (e.g., owner, facilities management)?
3.1.17 Is a CCTV system installed that records all facility entry/exit points and restricted areas?
3.1.18 Is all camera "footage" accurately dated and time-stamped?
3.1.19 Do you log and review electronic key card access to restricted areas for suspicious events?
3.1.21 Are company personnel and third party workers informed upon hire that bags and packages are subject to random searches and include a provision addressing searches in the facility policies?
3.1.22 Do you maintain a detailed visitors’ log which includes the items listed below?
- Name - Company - Time in/time out - Person/people visited - Signature of visitor - Badge number assigned

3.2 Asset Management

3.2.1 Are responsibilities for the protection of individual assets and for carrying out specific security processes clearly defined?
3.2.2 Do you restrict access to client assets to only personnel responsible for tracking and managing assets?
3.2.3 Is access to production systems restricted to appropriate personnel only?
3.2.4 Are storage devices and media containing sensitive information physically destroyed or securely over written?
3.2.5 Do you follow the Department of Defense (DoD 5220.22-M, etc.) clearing and sanitizing standards for digital shredding and wiping?
3.2.6 Are client assets stored in a restricted and secure area (e.g., vault, safe, high security server room, ...)?

4.0 NetOps & App Controls

4.1 Content Encryption

4.1.1 Is content always transmitted from your facility to distribution affiliates in a secure, encrypted form such that access, reproduction of usable copies and re-distribution is accomplished only via licensing and authorized devices?
4.1.2 Is there a process in place for AES 128-bit or 256-bit encryption implemented on hard drives and USB flash memory used to transport content?

4.2 User / Client Access

4.2.1 Do you have a process that ensures users only have access to their own digital assets (i.e., client A must not have access to client B's content)?
4.2.2 Do you use HTTPS and enforce a current protocol version and a strong cipher suite (e.g., TLS 1.2 with the suites listed in the TLS Recommended Configuration in Section 8.4) for the internal/external web portal? SSLv3 and TLS 1.0 are deprecated and must not be accepted.
4.2.3 Do you use persistent cookies or cookies that store credentials in plaintext?
4.2.4 Do you have a process to test monthly for web/client application vulnerabilities?

4.3 Network Access

4.3.1 Is your WAN(s) segmented by using stateful inspection firewalls with Access Control Lists that prevent unauthorized access to any internal network?
4.3.2 Is a process in place to review firewall Access Control Lists (ACLs) to confirm configuration settings are appropriate and as required by the business?
4.3.3 Are externally accessible servers (e.g., secure FTP server, web servers) located within a DMZ?
4.3.4 Do you monitor, alert, and protect against malicious activity such as DDoS attacks, Bot protection, brute force attacks, web scraping, or other malicious attempts to compromise a system, exfiltrate data, or attempts to exploit a web application?
4.3.5 Are network infrastructure devices (e.g., firewalls, routers, switches, etc.) "hardened" based on security configuration standards, and patched regularly?
4.3.6 Is remote access to WAN network infrastructure devices (e.g., firewall, router) that control access to content allowed?
4.3.7 Do you perform an annual vulnerability scan on servers and devices that are externally accessible and remediate issues?
4.3.8 Is Internet access disabled on systems (desktops/ servers) that process or store digital content?
4.3.9 Have you implemented web filtering software or appliances that restrict access to websites known for peer-to-peer file trading, viruses, hacking or other malicious sites on all computers with Internet access?
4.3.10 Are personnel allowed to use personal PCs, Laptops, tablets, etc. to access company networks?
4.3.12 Is remote access to the content/production network restricted to only approved personnel who require access to perform their job responsibilities while away from the facility?
4.3.13 Do you restrict internal LAN access to the content/production systems to authorized personnel?
4.3.14 Do you have security baselines and standards for system configuration (e.g., laptops, workstations, servers) that are setup internally?
4.3.15 Are all protocols denied by default on the WAN, with only specific permitted secure protocols enabled?
4.3.16 Have you implemented a network-based intrusion detection (IDS) or prevention system (IPS) on the content/production network?
4.3.17 Are users prohibited from being Administrators on their own workstations?
4.3.18 Is a next-generation antivirus + endpoint detection and response (EDR) endpoint protection solution deployed across all platforms to stop malware and non-malware attacks?
4.3.19 Has anti-virus software been installed on all workstations and servers, and definitions updated daily?
4.3.20 Do you scan file-based content for viruses prior to ingest onto the content/production network?
4.3.21 Have you implemented a documented strategy for performing virus scans such as the ones listed below:
- Enable regular full system virus scanning on all workstations - Enable full system virus scans for servers, where applicable (e.g., non-SAN systems)
4.3.22 Do you have a patch management process used to regularly update patches (e.g., system, database, application, network devices) that remediate security vulnerabilities?
4.3.23 Are all unused switch ports on the content/production network disabled to prevent packet sniffing by unauthorized devices?
4.3.24 Do you prohibit the use of non-switched devices such as hubs and repeaters on the content/production network?
4.3.25 Are dual-homed networking (network bridging) on computer systems within the content/production network prohibited?
4.3.26 Is wireless networking and the use of wireless devices on the production/content network prohibited?
4.3.27 Are specific systems dedicated solely to content input/output (I/O), i.e., ingest and distribution?
4.3.28 Do you block input/output (I/O) devices (e.g., USB, FireWire, e-SATA, SCSI, etc.) on all systems that handle or store content, with the exception of systems used for content I/O?
4.3.29 Is the installation and/or use of media burners (e.g., DVD, Blu-ray, CD burners) and other devices with output capabilities to specific I/O systems used for outputting content to physical media restricted/prohibited?
4.3.30 Is the use of digital and all types of recording devices (e.g., smart phones, digital cameras, camcorders) prohibited in areas where sensitive content is accessible electronically or over in-house QC and playback devices?
4.3.31 Where commercially available or otherwise feasible, have you implemented internal secure data channels to prevent rogue processes from intercepting data transmitted between system processes?
4.3.32 Do you install remote-kill software on all portable computing devices that handle content to allow remote wiping of hard drives and other storage devices?
4.3.33 Do you require that legitimate licenses are used for all software and other proprietary software assets?
4.3.34 Are there controls against malicious software installation and usage?
4.3.35 Are unnecessary services and applications uninstalled from content transfer servers?
4.3.36 Are dedicated systems (i.e., non-business systems) used for content transfers?
4.3.37 Are systems dedicated to transfer files segregated and segmented from systems that store or process content and from the non-production network?
4.3.38 Are transfer systems (e.g. edge servers) in a Demilitarized Zone (DMZ) and not in the production/content network?
4.3.39 Are Assets ever transferred (internally or externally) over wireless networks?
4.3.40 Are assets removed from content transfer devices (e.g. edge servers) immediately after successful transmission/receipt?
4.3.41 Have you implemented logging of content transfers that includes the following information at a minimum the items listed below:
- Username - Timestamp - File name - Source IP address - Destination IP address - Event (e.g., download, view)
4.3.42 Is security of media while being physically transported taken into account and protected from unauthorized access, misuse or corruption?
4.3.43 Is content always transmitted from your facility to distribution affiliates in a secure, encrypted form such that access, reproduction of usable copies and re-distribution is accomplished only via licensing and authorized devices?
4.3.44 Does your encryption system operate on the basis of cryptographically robust authentication methods such that a valid license, containing cryptographic keys and other information necessary to decrypt the associated content and associated usage rules, is required to access and play each specific instance of the content?
4.3.45 Are software installation privileges restricted to appropriately authorized and segregated system administrators? i.e. Corp admins do Corp - Prod Admins do Prod.
4.3.46 Are network infrastructure devices securely backed-up to a centrally secured server on the internal network?

4.4 Internal Account Management

4.4.1 Have you established and implemented an account management process for administrator, user, and service accounts for all information systems and applications that handle content?
4.4.2 Is the use of service accounts restricted to only applications that require them? (i.e. run as Admin)
4.4.3 Have you implemented two-factor authentication (e.g., username/password and hard token) for remote access (e.g., VPN) to the network?
4.4.4 Do you maintain traceable evidence of the account management activities (e.g., approval e-mails, change request forms)?
4.4.5 Do you assign unique credentials on a need-to-know basis using the principles of least privilege?
4.4.6 Have you renamed the default administrator accounts and limit the use of these accounts to special situations that require these credentials (e.g., operating system updates, patch installations, software updates)?
4.4.7 Have you segregated duties to ensure that individuals responsible for assigning access to information systems are not themselves end users of those systems (i.e., personnel should not be able to assign access to themselves)?
4.4.8 How do you monitor and audit administrator and service account activities?
4.4.9 How frequently do you review employee access for all information systems that handle assets and remove any accounts that no longer require access?
4.4.10 Do you review user access to assets on a per-project basis?
4.4.11 Are local accounts disabled or removed on systems that handle content?
4.4.12 Do you enforce the use of unique usernames and passwords for everyone who accesses information systems, including operators, system administrators, and all other staff (including technical staff)?
4.4.13 Do you have a strong password policy?
4.4.16 Is an automatic computer screen locking tool enabled? This would lock the screen when the computer is left unattended for a period of time.

Section 5.0 Asset Encryption

5.1 Data Encryption

5.1.1 Does your organization have a policy and procedure to encrypt assets and scoped data?
5.1.1.1 Can clients generate a unique encryption key?
5.1.1.2 Can clients rotate their encryption key on a scheduled basis?
5.1.2 Is encryption applied to the entirety of files?
5.1.3 Each time content is encrypted, is it encrypted using a unique cryptographic key?
5.1.4 Are two encrypted content files ever encrypted with the same unique cryptographic key?

5.2 Encryption Management

5.2.1 Are passwords, cryptographic keys or any other information that is critical to the cryptographic strength ever transmitted or stored in the clear or reused?
5.2.2 Are staff able to access client Assets & Scoped Data in an unencrypted state?
5.2.3 Is security-critical data always cryptographically protected against tampering, forging, and spoofing?
5.2.4 Are staff able to access client's encryption key?
5.2.5 Is AES 128-bit or 256-bit encryption implemented on hard drives and USB flash memory used to transport content?
5.2.6 Is security-critical data always cryptographically protected against tampering, forging, and spoofing?
5.2.7 Is standards based federated ID capability available to clients e.g. SAML, OpenID?
5.2.8 Are application self service features or an Internet accessible self-service portal available to clients?
5.2.9 Is there a management approved process to ensure that image snapshots containing Assets & Scoped Data are authorized prior to being snapped?

Section 6.0 Incident Response

6.1 Incident Response Policy

6.1.1 Does a formal Security Incident Response Plan describe the actions to be taken when a security incident is detected and reported?
6.1.2 Do you have a Security Incident Response Team?
6.1.3 Do you have a Security Incident Response Process?
6.1.4 Are incidents communicated to clients whose Assets may have been leaked, stolen or otherwise compromised (e.g., missing client assets), and a post-mortem meeting conducted with management and client?

6.2 Incident Response Reporting

6.2.1 Has your environment, such as applications, servers, data, facility, etc., ever been compromised?
6.2.2 Do you have real-time logging?
6.2.3 Does real-time logging gather the following information at a minimum: (see below)
- When (time stamp) - Where (source) - Who (user name) - What (content)
6.2.4 Do you report on unusual activity reported by the logging and reporting systems?
6.2.5 Are logging systems configured to send automatic notifications to appropriate response personnel and IT management when security events are detected in order to facilitate active response to incidents?
6.2.6 Are logs frequently reviewed?
6.2.7 Are appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators maintained to ensure that appropriate action can be quickly taken and advice obtained, in the event of a security incident?

Section 7.0 Business Continuity & Disaster Recovery

Section 7.1 Business Continuity & Disaster Recovery

7.1.1 Is there a documented policy for business continuity and disaster recovery that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the policy?
7.1.2 Is there an annual schedule of required tests?
7.1.3 Are BC/DR tests conducted at least annually?
7.1.4 Is there a Pandemic Plan?
7.1.5 Is a Business Impact Analysis conducted at least annually?

Section 8.0 Infrastructure

8.1 Cloud Infrastructure

8.1.1 Are cloud services provided?
If yes, what service model and deployment model is used (select all that apply):
8.1.1.1 Software as a Service (SaaS)
8.1.1.2 Platform as a Service (PaaS)
8.1.1.3 Infrastructure as a Service (IaaS)
8.1.1.4 Private cloud
8.1.1.5 Public cloud
8.1.1.6 Community cloud
8.1.1.7 Hybrid cloud
8.1.2 Is a Cloud API available to clients?
8.1.3 Are automated penetration tests performed?
8.1.4 Can clients run their own security services within their own cloud environment?
8.1.5 Is there a process which allows the client to specifically list who from the cloud provider will have access to their Assets and Scoped Data?
8.1.6 Are staff technically prevented from accessing the cloud environment via non-managed private devices?
8.1.7 Are staff required to use two factor authentication to remotely access the production cloud environment containing Assets?
8.1.8 Is there a cloud audit program to address client audit and assessment requirements?

8.2 Cloud Data Storage and Segmentation

8.2.1 Where is the cloud infrastructure located?
8.2.3 Can clients define the legal jurisdictions where their data can be transmitted, processed or stored?
8.2.4 Are clients provided with the ability to specify where their data will be stored?
8.2.5 Is data segmentation and separation capability between clients provided?
8.2.6 Does the ability exist to legally demonstrate sufficient data segmentation, in the event of a client subpoena or a forensics incident, so as not to impact other client's data?

8.3 System Maintenance

8.3.1 Is there a scheduled maintenance window?
8.3.2 Is there a scheduled maintenance window which results in client downtime?
8.3.3 Do third party vendors have access to Assets & Scoped Data?
Examples: backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, etc.
8.3.4 Is there a management approved process to ensure that image snapshots containing Assets & Scoped Data are authorized prior to being snapped?

8.4 Client Portal

8.4.1 Do you assign unique credentials (e.g., username and password) to portal users and distribute credentials to clients securely?
8.4.2 Does your system ensure users only have access to their own digital assets (i.e., client A must not have access to client B's content)?
The next question refers to the TLS Recommended Configuration that follows.

Security - TLS Recommended Configuration

Versions: TLSv1.1, TLSv1.2
  (TLSv1.1 is deprecated by RFC 8996; TLSv1.2 should be the minimum version the portal negotiates.)

Cipher Suites:
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  ECDHE-ECDSA-CHACHA20-POLY1305
  ECDHE-RSA-CHACHA20-POLY1305
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256

RSA Key Size: 2048

Certificate Signature: sha256WithRSAEncryption, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512

Certificate Curves: prime256v1, secp384r1, secp521r1

TLS Curves: prime256v1, secp384r1, secp521r1

Certificate Type: ECDSA

DH Parameter Size: None (disabled entirely; no DHE suites appear in the list above)

ECDH Parameter Size: 256

HSTS: max-age=15768000

Certificate Switching: None

Forward Secrecy: Client and server negotiate a session key that never crosses the wire and is destroyed at the end of the session. Enable when available. Every ECDHE suite listed above provides it.

OCSP Stapling: Allow the server to send its cached OCSP response during the TLS handshake. This saves the client a round trip to the OCSP responder.

Mandatory Discards (cipher-string aliases that must be excluded):
  aNULL - non-authenticated Diffie-Hellman key exchanges, which are subject to Man-In-The-Middle (MITM) attacks
  eNULL - null-encryption ciphers (cleartext)
  EXPORT - legacy weak ciphers that were marked as exportable by US law
  RC4 - ciphers that use the deprecated ARCFOUR algorithm
  DES - ciphers that use the deprecated Data Encryption Standard
  SSLv2 - all ciphers defined in the old, now deprecated, version 2 of the SSL standard
  MD5 - all ciphers that use the deprecated MD5 message digest as the hashing algorithm
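The configuration above is a list of settings, not a working artifact; the following is an added example (not part of the WMG form, and not WMG's own code) showing how a vendor could pin a server-side TLS context to this profile and audit it before answering question 8.4.4. It assumes CPython's ssl module on OpenSSL 1.1.1 or later. The suite names, curve names, discard aliases and HSTS value are taken from the table; the decision to floor the protocol at TLSv1.2 rather than TLSv1.1 is a deliberate deviation from the table, per RFC 8996. The function and constant names are the example's own.

```python
"""Build a TLS server context matching the recommended profile and audit it.

Added example, not part of the WMG form. Assumes CPython's ssl module on
OpenSSL 1.1.1 or later; the constants below are copied from the table above.
"""
import ssl

# Cipher suites from the recommended configuration, as OpenSSL names.
RECOMMENDED_SUITES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
]

# Mandatory discards from the table, as OpenSSL cipher-string aliases.
# "SSLv2" is omitted: OpenSSL 1.1.0+ has no SSLv2 ciphers left to exclude.
MANDATORY_DISCARDS = ["aNULL", "eNULL", "EXPORT", "RC4", "DES", "MD5"]

# TLS curves from the table (OpenSSL group names); first one is 256-bit.
TLS_CURVES = ["prime256v1", "secp384r1", "secp521r1"]

# HSTS header value from the table (about six months).
HSTS_HEADER = ("Strict-Transport-Security", "max-age=15768000")


def cipher_string() -> str:
    """OpenSSL cipher string: the allow-list followed by explicit exclusions."""
    return ":".join(RECOMMENDED_SUITES + ["!" + alias for alias in MANDATORY_DISCARDS])


def build_context() -> ssl.SSLContext:
    """Server-side context pinned to the recommended profile.

    The table lists TLSv1.1 as acceptable, but RFC 8996 deprecates it, so
    the floor here is TLSv1.2 (an assumption of this example). TLS 1.3, if
    the OpenSSL build has it, stays enabled: its suites are all AEAD and
    all forward-secret.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string())
    # Only ECDH key exchange is used ("DH Parameter Size: None"), so select
    # the 256-bit curve from the table as the ECDH parameter size. No DHE
    # suites are in the list, so no DH parameters are loaded at all.
    ctx.set_ecdh_curve(TLS_CURVES[0])
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context matches."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLSv1.2")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher.get("protocol") == "TLSv1.3":
            continue  # TLS 1.3 suites are fixed by the protocol, not the list
        if name not in RECOMMENDED_SUITES:
            findings.append("unexpected suite enabled: " + name)
        if not name.startswith("ECDHE-"):
            findings.append("no forward secrecy: " + name)
        # Substring check against the mandatory discards (EXP covers EXPORT).
        if any(bad in name for bad in ("NULL", "RC4", "DES", "MD5", "EXP")):
            findings.append("discarded algorithm present: " + name)
    return findings


if __name__ == "__main__":
    context = build_context()
    problems = audit(context)
    print("cipher string:", cipher_string())
    print("enabled suites:", [c["name"] for c in context.get_ciphers()])
    print("audit:", "OK" if not problems else problems)
```

Wrap the context around the portal's listening socket (ssl.SSLContext.wrap_socket) or hand it to the web framework's TLS settings, and send HSTS_HEADER on every HTTPS response. The audit only inspects what OpenSSL actually enabled; a suite name that this OpenSSL build does not know is silently dropped from the list, which is exactly the kind of drift the check is meant to surface.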



8.4.4 Do you use HTTPS and enforce use of a strong cipher suite, as defined in the TLS Recommended Configuration above, for the internal/external web portal?
8.4.5 Is client portal access restricted to originate from a specific IP address, range, or port?
8.4.6 Have you set access to content on internal or external portals to expire automatically at predefined intervals, where configurable?
8.4.7 Do you review access permissions and logs to the client web portal?

8.5 Application Development

8.5.1 Are applications created and released into production?
8.5.2 Do you follow a standard SDLC process?
8.5.3 Is an agile development methodology in use?
8.5.4 Is there an automated secure source code review?
8.5.5 Is source code security reviewed manually?
8.5.6 Is there a formal process to ensure clients are notified prior to changes being made which may impact their service?
8.5.7 Is there an operational change management / change control policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
8.5.8 Are all programs running on production systems subject to strict change control?
For example, any change to be made to those production programs need to be pre-authorized and audit logs maintained for any change made to the production programs?
8.5.9 Are the development and testing facilities isolated from operational facilities?
8.5.10 Are test cases documented and/or automated?
8.5.11 Do you perform code reviews in the development phase?

Signature

Name*
Date

Final Form Submission to WMG

Last Question: You are about to submit your answers for all 9 sections to WMG. Have you completed all sections and are you ready to complete your FINAL submission?

If you are not ready to submit your form to WMG just now:

Please select the "Save and Resume Later" link to save your work.

DO NOT use the submit button at the bottom of this page as you cannot undo this submission.
