Part I. Information Security Policy  
Question | Response (Yes/No/NA) | Comments
This section must be completed by all prospective clients
Does your company have a formalized Information Security Program? If so, how often is it reviewed?
Are security and privacy policies available to all employees?
Does your company provide regular information security awareness training? If so, how often?
Does your company maintain a process for monitoring employee compliance?
Are all employees required to sign an Acceptable Use Policy (AUP) as a condition of employment?
What industry standards and/or frameworks does your information security program align to? (ISO 27001, NIST, etc.)
Are third-party contractors required to sign an Acceptable Use Policy (AUP)?
Does your company maintain a dedicated Information Security function/business unit/division? If so, please briefly describe reporting structure.
Does your company have a formalized Data Loss Prevention program? Please briefly describe.
Does your company employ the use of locked cabinets, doors, shredders etc. to secure printed sensitive information?
Does your company maintain policies and procedures regarding the retention and secure disposal of sensitive information, whether physical or electronic?
Does your company provide background checks on employees that will have access to sensitive information?
Does your company immediately disable all physical and electronic access to your environment for any employee who leaves your organization, whether voluntarily or involuntarily?
Does your company use any third party providers to process sensitive information?
Is your information security program audited regularly? Please briefly describe.
Does your company maintain policies and procedures for handling data breaches, including unauthorized disclosures? What is the average turnaround time for reporting to affected partners?
Does your company maintain a disciplinary process for security violations?
Does your company maintain policies and procedures to assure the privacy and security of sensitive information processed, transmitted, or shared outside the United States?
Does your company allow subcontractors to process, take, transmit or share sensitive information outside of the United States?
Does your company mitigate, to the extent practicable, consequences resulting from the disclosure of sensitive information?
Does your company use a third party for any disposal process (electronic media, paper)?
Is physical security provided on a 24x7 basis where any sensitive information is stored/processed?
What is the process to obtain physical access to your facilities? This includes any hosting facilities.
How long are physical security personnel logs retained for?
Do you employ the use of Intrusion Prevention technologies in your datacenter environments? If so, is it network-based, host-based, or both?
What application security measures (if any) do you use in your production environment (e.g., application-level firewall, database auditing)?
For any application development or professional services related to your solution, do you adhere to industry standard security frameworks (such as OWASP)?
Does your solution provide built-in encryption capabilities (database, at rest, in transit, etc.)? If so, please describe the types and cipher strengths supported.
What types of documentation are you able to provide auditors regarding data access?
Is there a formal process available in which third parties, including government agencies, may request access to Sodexo’s data?
Do you have a formalized vulnerability management program? If so, please briefly describe.
Do you have a formalized security incident / data breach response program? Please briefly describe.
Are you required to comply with Sarbanes-Oxley (SOX) requirements?
Do you engage in regular, independent audits of both electronic and physical security infrastructure and components? Please describe.
Is your solution, service or organization PCI-DSS (Payment Card Industry Data Security Standards) Compliant? How often is compliance audited? Can you provide verification?
Is your solution, service or organization HIPAA Compliant? How often is compliance audited? Can you provide verification?
Are you ISO certified? If so, which certification do you possess?
Does your solution, service and/or organization comply with European Union Safe Harbor rules regarding the protection of Personally Identifiable Information (PII)? If so, when were you last certified?
Is Personally Identifiable Information (PII) stored outside the country of residence?
Do you comply with US Government and State Laws regarding protection of Personally Identifiable Information (PII)?
Do you have any other certifications that were not previously listed?
If required, do you have the capability to perform forensic analyses of your solution, service or related infrastructure?
How long have you been providing your specific solution and/or service?