| Question | Response (Yes/No/NA) | Comments |
|---|---|---|
This section must be completed by all prospective clients | | |
Does your company have a formalized Information Security Program? If so, how often is it reviewed? | | |
Are security and privacy policies available to all employees? | | |
Does your company provide regular information security awareness training? If so, how often? | | |
Does your company maintain a process for monitoring employee compliance? | | |
Are all employees required to sign an Acceptable Use Policy (AUP) as a condition of employment? | | |
What industry standards and/or frameworks does your information security program align to? (ISO 27001, NIST, etc.) | | |
Are third-party contractors required to sign an Acceptable Use Policy (AUP)? | | |
Does your company maintain a dedicated Information Security function/business unit/division? If so, please briefly describe reporting structure. | | |
Does your company have a formalized Data Loss Prevention program? Please briefly describe. | | |
Does your company use locked cabinets, locked doors, shredders, etc. to secure printed sensitive information? | | |
Does your company maintain policies and procedures regarding the retention and secure disposal of sensitive information, whether physical or electronic? | | |
Does your company perform background checks on employees who will have access to sensitive information? | | |
Does your company immediately disable all physical and electronic access to your environment for any employee who leaves your organization, whether the departure is voluntary or involuntary? | | |
Does your company use any third party providers to process sensitive information? | | |
Is your information security program audited regularly? Please briefly describe. | | |
Does your company maintain policies and procedures for handling data breaches, including unauthorized disclosures? What is the average turnaround time for reporting to affected partners? | | |
Does your company maintain a disciplinary process for security violations? | | |
Does your company maintain policies and procedures to ensure the privacy and security of sensitive information processed, transmitted, or shared outside the United States? | | |
Does your company allow subcontractors to process, take, transmit or share sensitive information outside of the United States? | | |
Does your company mitigate, to the extent practicable, consequences resulting from the disclosure of sensitive information? | | |
Does your company use a third party for any disposal process (electronic media, paper)? | | |
Is physical security provided on a 24x7 basis where any sensitive information is stored/processed? | | |
What is the process to obtain physical access to your facilities? This includes any hosting facilities. | | |
How long are physical security personnel logs retained? | | |
Do you employ Intrusion Prevention technologies in your datacenter environments? If so, are they network-based, host-based, or both? | | |
What application security measures (if any) do you use in your production environment (e.g., application-level firewall, database auditing)? | | |
For any application development or professional services related to your solution, do you adhere to industry-standard security frameworks (such as OWASP)? | | |
Does your solution provide built-in encryption capabilities (database, at rest, in transit, etc.)? If so, please describe the types and cipher strengths supported. | | |
What types of documentation are you able to provide auditors regarding data access? | | |
Is there a formal process available in which third parties, including government agencies, may request access to Sodexo’s data? | | |
Do you have a formalized vulnerability management program? If so, please briefly describe. | | |
Do you have a formalized security incident / data breach response program? Please briefly describe. | | |
Are you required to comply with Sarbanes-Oxley (SOX) requirements? | | |
Do you engage in regular, independent audits of both electronic and physical security infrastructure and components? Please describe. | | |
Is your solution, service or organization PCI DSS (Payment Card Industry Data Security Standard) compliant? How often is compliance audited? Can you provide verification? | | |
Is your solution, service or organization HIPAA compliant? How often is compliance audited? Can you provide verification? | | |
Are you ISO certified? If so, which certification do you possess? | | |
Does your solution, service and/or organization comply with European Union Safe Harbor rules regarding the protection of Personally Identifiable Information (PII)? If so, when were you last certified? | | |
Is Personally Identifiable Information (PII) stored outside the country of residence? | | |
Do you comply with US federal and state laws regarding the protection of Personally Identifiable Information (PII)? | | |
Do you have any other certifications that were not previously listed? | | |
If required, do you have the capability to perform forensic analyses of your solution, service or related infrastructure? | | |
How long have you been providing your specific solution and/or service? | | |