Part II. Infrastructure and Cloud security  
This section must be completed by all prospective clients
Question | Response (Yes/No/NA) | Comments
Please provide the City, State (Province) and Country locations of your datacenters / hosting servers.
Is Single Sign-On (SSO) provided, and if so, what types are available (SAML, OAuth, etc.)?
Is the infrastructure hosting your solution located in a physically secure facility which minimally requires badge access?
Are the systems that support your solution secured within a physical cage / location from the other tenants at the hosting facility?
Are the geographic locations of the data center infrastructure selectable?
May customers select where their data, applications, and systems are to be housed and/or data replicated, and to what granularity?
How are client environments segmented from other clients?
Do you support multi-tenancy and if so, how is privacy assured between tenants?
What tools do you use to ensure that Goode Cyber Security’s data is removed from your cloud platform after the system is turned off and/or decommissioned?
What type of identity management solution and options are provided? For example, LDAP, two-factor authentication, RADIUS.
Can the Cloud service be integrated with an existing Identity Management system? For example, Active Directory.
Does your platform offer differentiated security policies between public and private cloud? If so, list differentiating features.
Does your solution support developer self-service to add/modify/delete user and user rights, with linkage to per-customer LDAP or LDAP schema namespaces?
Does your solution support cloud service management (i.e., change management) including lifecycle management that integrates with your customers?
How long have you been providing cloud services?
What real-time data migration methods does your service support?
What "batch" data migration methods does your service support?
What data transformation is needed to allow migration to your service offering?
What facilities are available to export data for migration to another vendor service provider?
In the event of service agreement termination, what is the process involved to permanently migrate data from the vendor service to a different processing environment?
What operating systems do you currently support, or is your platform based upon?
What additional support mechanisms or future state architecture do you expect to move towards?
Does the platform provide the capability to customize the operating system image to host a service? Provide a list of customized features by operating system.
Which management solutions are used to manage OS, middleware, system etc.?
Do you implement any type of middleware solution? If so, briefly explain.
What event-based capabilities do you have as part of your environment?
What database platforms, including version, do you implement and/or are you willing to support?
What types of tools and utilities are available for activities such as application deployment, job scheduling, etc.?
Are you interoperable with other cloud services and/or on premise infrastructures? Do you support hybrid models?
Are there pre-built integration methods or APIs to allow industry standard integration with other Cloud systems or our on-premise systems? For example: SAP, Enterprise, Service Bus, WebSphere, etc.
Describe how you monitor system utilization, what items are monitored and how you can proactively adjust system resources to ensure performance and uptime SLAs.
Does your solution support planning, trending and forecasting of infrastructure and platform resources? If so, please provide details.
How do you define your SaaS or Cloud model? Are you single tenant, multi-tenant or hybrid? What future state architecture do you expect to move towards in your medium range plans (12 to 18 months)?
Describe in detail your systems architecture methodology, including specifically how systems are sized and designed for security, performance, availability and scalability.
Are backups made of all in-store systems?
Are daily backups executed for all associate and schedule files?
What environments are supported in the SaaS model? (Production, QA, Training, Development?)
Are version upgrades mandatory? That is, are customers forced into upgrades or allowed to continue with current?
Does your colocation provide for the capability to review personnel who enter the locked area where the communications architecture is housed?
Do you have the ability to compartmentalize your environment in the event of a security compromise? If so, please briefly explain the mechanisms in place to achieve this functionality.
What kind of authentication and access control procedures are in place regarding data access?
If the primary environment is down, how quickly can the DR environment be made active either in the primary or the DR data center?
What type of infrastructure exists to replicate and synchronize data between the primary and DR data centers? Is this available in real-time, daily?
Are the primary and secondary datacenter locations located in different geographical regions? (e.g. at least 500 miles)
Please describe your access control methodology/procedures. This includes but is not limited to administrative/root, developer, end user, as applicable to the offering and environment.
Describe the approach for change management of your platform and software as service offerings. Specifically address key details such as version life cycle management and patch management approaches.
Is there a URL monitoring solution available? If so, where is it located in your network topology (internal, external, etc.)?
May Goode Cyber Security conduct an external vulnerability assessment on your network, and if so, to what extent?
What security technologies/protocols do you support for inter-company data transmission (SFTP, SSL/TLS, etc.)? Please provide versions and cipher strengths as appropriate.
Can you provide an SOC1 or SOC2 Report?