Family Law Software
@mrjackson

This FAQ contains consolidated responses to security questionnaires from multiple financial institutions.

Relevant security policies are linked at the bottom of this FAQ.

Table of Contents

  1. Information Security Program & Governance (52 questions)
  2. Data Protection & Encryption (55 questions)
  3. Access Control & Authentication (37 questions)
  4. Network Security & Infrastructure (21 questions)
  5. Business Continuity & Disaster Recovery (21 questions)
  6. Incident Response & Breach Management (18 questions)
  7. Vulnerability Management & Patching (20 questions)
  8. Malware & Antivirus Protection (8 questions)
  9. Third-Party & Vendor Management (25 questions)
  10. Application Security & Development (6 questions)
  11. Cloud Security & Infrastructure (1 question)
  12. Physical Security (8 questions)
  13. Logging, Monitoring & Auditing (10 questions)
  14. Asset Management & Inventory (3 questions)
  15. Change Management (3 questions)
  16. Risk Assessment & Management (5 questions)
  17. Compliance & Regulatory (5 questions)
  18. Security Awareness & Training (3 questions)
  19. Policies & Procedures (9 questions)
  20. Human Resources & Personnel (16 questions)
  21. Artificial Intelligence & Machine Learning (34 questions)
  22. Insurance & Legal (3 questions)
  23. Business Information & Operations (1 question)
  24. Data Storage & Transmission (5 questions)
  25. Integration & Communication (2 questions)
  26. Other Security Topics (121 questions)

1. Information Security Program & Governance

Q: Does your organization have a formal and documented information risk management program?

Answer: Yes

Q: Is the information risk management program approved by senior management?

Answer: Yes

Q: Is the information security program approved by senior management?

Answer: Yes

Q: Does your organization have a formal and documented information security program?

Answer: Yes

Q: Does your organization have a Chief Information Security Officer (CISO)?

Answer: Yes

Q: Does the organization's Board of Directors or equivalent receive an update on the Information Security Program?

Answer: Yes

Q: Is your information security program evaluated by an independent third party or an independent internal audit function?

Answer: Yes

Q: Does your organization have formal, documented information security policies and security standards?

Answer: Yes

Q: Are the security policies and standards approved by senior management?

Answer: Yes

Q: Are the security policies and standards reviewed at least annually?

Answer: Yes

Q: Are the security policies and standards communicated to employees and contractors at least annually?

Answer: Yes

Q: Do you have formal security configuration standards based on independent third parties (e.g., NIST or Center for Internet Security) or an internally developed, customized standard configuration document?

Answer: Yes

Q: Does your organization have a Cyber Security / Cyber Resiliency program?

Answer: Yes

Q: Is the cybersecurity program reviewed annually and updated for emerging threats (e.g. ransomware)?

Answer: Yes

Q: Is the cybersecurity program integrated with your Incident Response program?

Answer: Yes

Q: Do you subscribe to cyber security services / threat intelligence services, and do you review, evaluate and take action, including but not limited to control adjustment on that intelligence?

Answer: Yes

Q: Do you conduct cyber security tabletop exercises?

Answer: Yes

Q: When was your last cyber security tabletop exercise? (Provide the month and year it was conducted.)

Answer: December 2025.

Q: Have you performed a cyber security tabletop exercise with a ransomware cyber event theme?

Answer: Yes

Q: Is there a process to regularly monitor system configuration against security standards?

Answer: Yes

Q: Are problem or incident tickets created to fix systems which are not compliant with security standards?

Answer: Yes

Q: Does your firm have an Information Security Red Team?

Answer: Yes

Q: Do you use Encrypted SSH and/or RDP over VPN for remote administration?

Answer: Yes

Q: If an initial password for the user is set by an administrator, are the users required to change their password after the initial login?

Answer: Yes

Q: Does the program include review of third party security provider’s information security policy, standards or procedures?

Answer: Yes

Q: Do you have an AI Governance program?

Answer: Yes

Q: Are logs of all security administration activity retained for at least 3 years?

Answer: Yes

Q: If requested, could a daily log of security administration activity relevant to our financial institution be provided?

Answer: Yes

Q: Has your company undergone any independent information security assessments (SSAE16/18, SOC2 examinations) within the past 18 months?

Answer: Yes

Q: Does your company have an individual(s) identified to implement and manage the Information Security Program (e.g. Chief Information Security Officer, Director/Manager, Other)?

Answer: Yes

Q: Do Information/Cyber Security personnel maintain current certifications and/or attend regular training to stay up to date on current threats, industry standards, regulations, and technologies?

Answer: Yes

Q: Do users have the ability to make administrative changes on their workstations?

Answer: No

Q: Who (our financial institution or vendor) performs user administration for the portal?

Answer: Vendor

Q: Are advisors able to add their own disclosure to the output/reports?

Answer: Yes

Q: Does the tool allow advisors or clients to manually enter their assets (including securities)?

Answer: Yes

Q: Does the tool allow the advisor to enter data on behalf of the client?

Answer: Yes

Q: Are they able to message the advisor in the tool?

Answer: No

Q: Follow up: Does the advisor have the ability to export these documents to PDF and save them outside of the tool?

Answer: Yes

Q: Do advisors, clients, or both have ability to enter non-public personal information?

Answer: Yes

Q: Does the tool have an electronic document signing feature or an integration with DocuSign?

Answer: No

Q: Does the vendor/application view any client information?

Answer: In general, no. But advisors may email client files to technical support with questions.

Q: Does the vendor/application isolate our financial institution’s data from its other customers?

Answer: No

Q: Will this be an exclusive relationship? Will the vendor provide this product/service only to Mercer Advisors, or has Mercer chosen this specific vendor to be the exclusive provider of X services?

Answer: No

Q: Will Mercer Advisor IT resources be needed?

Answer: No

Q: Do you limit administrator level access on network and systems infrastructure?

Answer: Not answered

Q: What is the average tenure of your information security staff? (average number of years)

Answer: 5 years

Q: Is all administrative network traffic to the platform encrypted?

Answer: Yes

2. Data Protection & Encryption

Q: Do you have a baseline of the type of outbound encrypted traffic to be able to identify deviations that could be potential threat activity?

Answer: Yes

Q: Is the sign in to your systems encrypted?

Answer: Yes

Q: Are shared accounts (Firecall IDs, Service Accounts or device IDs) managed by a Privileged ID Management system to establish accountability and confidentiality?

Answer: Yes

Q: Is our financial institution data encrypted when transmitted over your internal network?

Answer: Yes

Q: Is our financial institution data encrypted over public or untrusted networks (i.e., internet, b2b, via ftp, telnet, or r-protocols, etc.)?

Answer: Yes

Q: Is our financial institution data encrypted at rest within the environment?

Answer: Yes

Q: Is our financial institution data encrypted on hard drives? (workstations, laptops etc.)

Answer: Yes

Q: Is our financial institution data encrypted on all corporate or company owned mobile devices (laptops, iPads, etc.)?

Answer: Yes

Q: Is our financial institution data encrypted on removable media (including backup tapes, USB devices)?

Answer: Yes

Q: Are encryption keys stored securely?

Answer: Yes

Q: Are the encryption keys used for encryption of stored data, backed up or escrowed?

Answer: Yes

Q: To protect against compromise, do the encryption keys expire and require renewal?

Answer: Yes

Q: If required by a regulator, for data protected by encryption (not necessarily the encryption keys themselves) are you able to provide the data in an accessible format?

Answer: Yes

Q: Is our financial institution data encrypted on employee personal devices?

Answer: Yes

Q: Do you have data loss prevention tools deployed at the network layer?

Answer: Yes

Q: Do you have data loss prevention tools deployed at the Email Gateway?

Answer: Yes

Q: Do you have data loss prevention tools deployed to all Endpoints?

Answer: Yes

Q: Are your backups encrypted?

Answer: Yes

Q: Do you comply with The European Union (EU) General Data Protection Regulation (GDPR)?

Answer: Yes

Q: Do you comply with the Payment Card Industry Data Security Standard (PCI DSS)?

Answer: Yes

Q: Does the product allow our financial institution to encrypt the payload as well (not just the transfer itself)?

Answer: Yes

Q: Does that monitoring include data loss prevention to block data exfiltration?

Answer: Yes

Q: Has your environment undergone any significant changes since the last review by our financial institution that would impact, positively or negatively, confidentiality, integrity, or availability?

Answer: No

Q: Are new employees/contractors/vendors required to sign/acknowledge a non-disclosure and confidentiality agreement?

Answer: Yes

Q: Has your company experienced any cyber-related incidents (e.g. theft or breach of data) within the past 3 years where customer confidential data was exposed to an unauthorized person (either external or internal)?

Answer: No

Q: Is our financial institution’s confidential data accessible to your organization’s employees or subcontractors operating outside the United States of America (USA)?

Answer: No

Q: Is our financial institution’s confidential data stored outside the United States of America (USA)?

Answer: No

Q: Does your company employ a method of protecting sensitive data that is communicated via e-mail?

Answer: No

Q: Is there an automated process in place to ensure data is securely deleted from your SFTP service after it has been transferred to a longer-term storage location?

Answer: Yes

Q: Do you allow TLS 1.0 and TLS 1.1?

Answer: No

Q: Is there a client portal?

Answer: Yes

Q: Does the tool collect and store PII/non-public personal information?

Answer: Yes

Q: What types of non-public personal information data is maintained?

Answer: Income, expenses, assets, liabilities.

Q: Does the vendor/application process any client information?

Answer: Yes

Q: Does the vendor/application store any client information?

Answer: Yes

Q: Does the vendor/application transmit any client information?

Answer: Yes

Q: Describe their compliance process with respect to international (Europe in particular) data privacy. Are they Safe Harbor certified? (Answer “NA” if data is not stored or processed outside of the US.)

Answer: NA

Q: Can client data be accessed from the portable devices allowed in your company? (Mobile phone, tablet, etc.)

Answer: No

Q: Do you use AI to process any sensitive data, including but not limited to personally identifiable data or non-public data?

Answer: No

Q: Do you have measures in place to ensure that sensitive data provided by your organization to the AI model does not leave your enterprise network for supervised or unsupervised learning?

Answer: NA

3. Access Control & Authentication

Q: Are users provided local Admin access to their workstation?

Answer: Yes

Q: Do all systems, applications and data access require users to authenticate minimally with an ID and password?

Answer: Yes

Q: Are Privileged IDs (including Firecall ID or Service Accounts) associated with an individual owner?

Answer: Yes

Q: Does your organization perform access reviews of rights to systems, applications, databases, and network devices, including Privileged access?

Answer: Yes

Q: Are access reviews performed to identify toxic combinations of privileges and / or roles, to confirm proper separation of duties (SOD)?

Answer: Yes

Q: Do all remote access processes (access to your internal network from an external network) require at least two-factor authentication?

Answer: Yes

Q: If or when user credentials are communicated in email, are the credentials communicated in 2 steps to ensure the user name or ID is not included in the same communication as the password?

Answer: Yes

Q: Are passwords only stored in encrypted/hashed form?

Answer: Yes

Q: Is password expiration enforced?

Answer: Yes

Q: Are complex passwords that include at least 3 of 4 characteristics (alpha, numeric, case or special characters) required?

Answer: Yes

Q: Is password reuse/history enforced?

Answer: Yes

Q: In a user self service password change process, is the user first authenticated prior to permitting a password change?

Answer: Yes

Q: In a Help or Service Desk password change process, is there validation of the user prior to performing a password reset?

Answer: NA, help desk personnel do not reset users’ passwords.

Q: Does your company have a formal termination of employment process to ensure proper and timely removal of logical and physical access privileges from employees/contractors/vendors?

Answer: Yes

Q: Are Data Center physical access restrictions in-place which log all physical access (limited access privileges, visitor logs and escort, CCTV cameras in and outside of the data center, proximity card/biometric readers, security guards)?

Answer: Yes

Q: Are employees/contractors/vendors provided access only to the systems, physical areas and information that they need to perform their job based on a “least privileges” or “need-to-know” basis?

Answer: Yes

Q: Is multi-factor authentication (e.g. code via text message, etc.) used for customers to access the application/API(s)?

Answer: At customers’ option.

Q: Are all application/API passwords salted and hashed?

Answer: Yes

Q: Are default passwords changed at first login?

Answer: We do not issue default passwords.

Q: What is the process for users to access the application/API(s), if they forget their username, password, or multi-factor information?

Answer: Password reset.

Q: How are usernames and passwords provided to users? (e.g. username and password distributed via separate emails, username and passwords distributed in the same email…)

Answer: Separate emails.

Q: Are customer passwords encrypted when sent over electronic networks or stored in memory?

Answer: Yes

Q: If this is a vendor-managed implementation, does our financial institution have the ability to define the following configurations? (A) logging configuration; (B) password configuration (complexity, length, maximum lifetime, re-use, lockout); (C) timeout

Answer: No

Q: For all workstations which access systems or applications, are password-protected screen savers enabled after a minimum of 15 minutes of inactivity?

Answer: NA

Q: Is Single Sign On (SSO) being used?

Answer: No

Q: Do you have formal processes for granting, modifying, revoking, and reviewing user access rights to system resources?

Answer: Yes

Q: Do you require multi-factor authentication for all key third-party platforms?

Answer: Yes

Q: If requested, could a daily log of activity related to material financial transactions relevant to our financial institution be provided?

Answer: Yes

Q: Does your company have a data/records retention schedule that is maintained and practiced?

Answer: Yes

Q: If there is a native mobile application component, would users be able to use rooted or “jailbroken” devices?

Answer: There is no native mobile application component.

Q: If a SOC report is not available, how will controls be tested?

Answer: A SOC 2 report is available.

Q: What is the process for our financial institution personnel to engage your technical support if the portal is down or user credentials are not working?

Answer: Email to support

Q: Are user activities logged?

Answer: Yes

Q: Are alerts generated by security devices?

Answer: Yes

Q: How long are security logs kept?

Answer: Yes

Q: Are servers, databases, middleware, and networking equipment scanned and hardened to ensure they are securely configured?

Answer: Yes

Q: Are Critical Findings remediated within a defined timeline?

Answer: Yes

Q: Are High Findings remediated within a defined timeline?

Answer: Yes

Q: Are Medium Findings remediated within a defined timeline?

Answer: Yes

Q: Do all users have unique user identifiers (user id’s)?

Answer: Yes

Q: Before any access is granted, is the requested access approved by the appropriate manager?

Answer: Yes

Q: Is access to data and systems limited to minimum necessary?

Answer: Yes

Q: What is the timeline to delete or disable access of a terminated user?

Answer: Immediate

Q: With the exception of Firecall or Service Accounts, are users permitted to share accounts?

Answer: No

Q: Are shared accounts (Firecall, Service Account, etc.) reviewed and approved by Leadership?

Answer: Yes

Q: What is the defined time limit (checkout time) to use the Firecall ID or Service Account?

Answer: 1 day

Q: Are locked accounts auto unlocked after a specified period of time?

Answer: Yes

Q: Are account lockouts monitored and investigated?

Answer: Yes

Q: Is access to critical systems deactivated after a defined period of non-use / inactivity?

Answer: Yes

Q: Is access to private keys restricted on a need to know basis?

Answer: Yes

Q: What is the timeout period for the application?

Answer: 60 minutes

4. Network Security & Infrastructure

Q: Do you have network intrusion prevention or detection systems at all entry or exit points on your network?

Answer: Yes

Q: Do you have a Host Based Intrusion Detection System installed on workstations, servers, etc. to detect any malicious activities?

Answer: Yes

Q: Do you restrict split tunneling while performing VPN connections?

Answer: Yes

Q: Are firewalls protecting all entry and exit points in your network?

Answer: Yes

Q: How frequently is a review of firewall configuration and rules performed?

Answer: Quarterly.

Q: Since the last review performed by our financial institution, have there been any significant changes to your network infrastructure or to the third-parties that provide services to you? If so, please describe.

Answer: No

Q: Does your company utilize remote access capabilities allowing access to internal systems or applications?

Answer: Yes

Q: Does your company allow 3rd/4th Party direct and/or remote access to your network and/or systems (Auditors, developers, other preferred partners, etc.)?

Answer: No

Q: Are you using stateful firewalls internally and externally to support network segregation?

Answer: Yes

Q: Do you blacklist IPs/domains/addresses based on Threat Intelligence?

Answer: Yes

Q: Do you use firewalls or other filtering technologies inside your network?

Answer: Yes

Q: Are there specific company regulations regarding IP VPN for work-from-home employees?

Answer: Yes

Q: Do you use an email filtering solution which blocks known malicious attachments and suspicious files, including executables?

Answer: Yes

Q: Do you use an email filtering solution which blocks suspicious messages based on their content or attributes of the sender?

Answer: Yes

Q: Do you use an email filtering solution that has the capability to run suspicious attachments in a sandbox?

Answer: Yes

Q: Do you block uncategorized and newly registered domains using web proxies or DNS filters?

Answer: Yes

Q: Do you employ a multi-layer or defense in depth model to your anti-malware protection program across your environment? (Anti-malware protection technology at the perimeter, email gateway, end point etc.)

Answer: Yes

Q: Are your email systems protected from malware for inbound and outbound email?

Answer: Yes

Q: Pursuant to the UK’s Modern Slavery Act 2015, are you ensuring that slavery and human trafficking are not taking place within your existing business and supply chains?

Answer: Yes

5. Business Continuity & Disaster Recovery

Q: Are pre-employment background checks completed for all employees of the firm, contractors, sub-contractors or other vendor personnel? These should include, but are not limited to: prior employment, criminal, credit, professional, academic, references and drug screening (unless prohibited by law).

Answer: Yes

Q: Do you perform backups of all data that is required to ensure continuity of services to our financial institution?

Answer: Yes

Q: What is the frequency of your system/data backups?

Answer: Daily

Q: What backup type do you utilize?

Answer: Off-internet backup.

Q: How often do you test backup recovery?

Answer: Monthly

Q: Are your backups air gapped to avoid compromise from malware, ransomware or accidental deletion? (e.g. WORM/SEC 17a-4(f)(2)(ii))

Answer: Yes

Q: Do you have documented Business Continuity and Disaster Recovery Plans that cover loss of data, hardware failure, and loss of your premises?

Answer: Yes

Q: Does your BC/DR plan ensure continuity of services to our financial institution?

Answer: Yes

Q: How often do you test your Business Continuity and Disaster Recovery plans?

Answer: Quarterly

Q: If yes to D5, are backups protected from malicious tampering or deletion (e.g. Ransomware, offline backups, WORM media, etc.)?

Answer: Yes

Q: Is key / critical third party security provider failure impact analysis performed? (An analysis to identify key third party security providers and to understand the impact to the business if that third party security provider fails.)

Answer: Yes

Q: Are data flows for mission critical data documented?

Answer: Yes

Q: How frequently are the data flows refreshed?

Answer: Quarterly

6. Incident Response & Breach Management

Q: Do you use Breach and Attack Simulation (BAS) software to verify the effectiveness of security controls?

Answer: Yes

Q: Do you define various cyber incident types in your Incident Response (IR) playbook?

Answer: Yes

Q: Have you experienced a cybersecurity breach or significant cybersecurity incident in the past year?

Answer: No

Q: If yes, what measures were taken to prevent a data breach in the future?

Answer: NA

Q: Do you have a defined incident management process?

Answer: Yes

Q: Does the Incident Response Plan include internal escalation to a Crisis Response Team and notification to external parties (e.g. law enforcement) regarding the incident in case it is affecting their data or application?

Answer: Yes

Q: Does the incident management process include a contact at our financial institution to be notified in case of an incident affecting our financial institution data and/or systems?

Answer: Yes

Q: Do you have a third party security provider that is part of the services you provide to our financial institution that had a security breach?

Answer: No

Q: Does your company have an Incident Management process for both information and physical incidents?

Answer: Yes

Q: Does your Incident Management process include a communication plan to notify customers/clients in a timely manner of unauthorized activity related to our data?

Answer: Yes

Q: Will a report for any breach of our financial institution data be available for review within 72 hours of determination of event?

Answer: Yes

Q: Does your Incident Management process include the following: Incident Classification, Incident Severity, Roles and Responsibilities, Communication Plan, and Legal/Counsel Input?

Answer: Yes

Q: Who would perform forensic analysis of a breach if one were to occur?

Answer: Our developers.

Q: Have your Third Party Vendors suffered a security breach or issues in the past 36 months? If so, please elaborate in the additional information section.

Answer: NA

7. Vulnerability Management & Patching

Q: How often do you perform infrastructure security scans/vulnerability assessment on systems housing our financial institution data?

Answer: Quarterly.

Q: Is there a formal process to monitor for new patches and security vulnerabilities?

Answer: Yes

Q: Are Security patches applied to technology assets? (e.g. applications, servers, databases, middleware, and networking equipment)

Answer: Yes

Q: Are Critical severity Patches applied within a defined timeline?

Answer: Yes

Q: Are High severity Patches applied within a defined timeline?

Answer: Yes

Q: Are Medium severity Patches applied within a defined timeline?

Answer: Yes

Q: Does the program include review of an independent network penetration test (or executive summary) of third party security providers?

Answer: Yes

Q: Does the program include review of third party security providers' application vulnerability assessments?

Answer: Yes

Q: Does the program include tracking and remediation of deficiencies identified in the third party security provider review?

Answer: Yes

Q: How frequently are patches applied to the file transfer system and product?

Answer: The file transfer system is rarely touched. The product is updated regularly.

Q: Is your AI tool or application included in your vulnerability management program?

Answer: Yes

Q: Do you leverage the same development, end of life, and vulnerability scanning processes and procedures for mobile application security that you do for non-mobile application security?

Answer: We do not have a mobile application.

Q: Have you or a key vendor experienced a breach or cyber incident in the last 3 years? This includes, but is not limited to, attacks such as:
  – SolarWinds Orion
  – Cisco ASA & Firepower Threat Defense Vulnerability
  – Kaseya Ransomware
  – Mimecast
  – Microsoft Exchange (on prem)
  – Microsoft Azure, Microsoft 365
  – Pulse Connect Secure appliances
  – Other

Answer: No

8. Malware & Antivirus Protection

Q: Do you employ advanced malware protection?

Answer: Yes

Q: DDoS protection?

Answer: Yes

Q: Do you restrict the commonly exploited services used by Ransomware i.e. SMB (TCP/445, TCP/135, TCP/139), Remote Desktop Protocol (TCP/3389), Windows Remote Management / Remote PowerShell (TCP/80, TCP/5985, TCP/5986), WMI (dynamic port range assigned through DCOM) via Group Policy?

Answer: Yes

Q: Is there malware protection on all systems that support/process our financial institution data?

Answer: Yes

Q: Are all servers required to have Anti-Virus?

Answer: Yes

Q: Are all workstations required to have Anti-Virus?

Answer: Yes

Q: What Antivirus product do you use?

Answer: Malwarebytes

Q: Do you employ Antivirus software on servers and/or staff computers?

Answer: Yes

9. Third-Party & Vendor Management

Q: Is our financial institution’s data removed from devices, workstations, servers, and storage media prior to disposal, reuse, vendor separation, etc.?

Answer: Yes

Q: Do you use any third party service providers (third party security providers) that store, process or otherwise interact with our financial institution’s data as part of services you provide to our financial institution? (This question applies to third party security providers directly or indirectly involved, including outsourced data centers, subcontractors, SaaS providers, etc.)

Answer: Yes

Q: As a part of the engagement with our financial institution, does your firm provide or sell to us any third party-created software, applications, hardware, or equipment (i.e., applications or hardware not created or developed by your firm)?

Answer: No

Q: What third party service provider do you use for secure data transfer of our financial institution’s data?

Answer: AWS

Q: Is this vendor only providing secure file transfer services or do they also provide storage or hosting of our financial institution’s data?

Answer: They also store customer data.

Q: Which entity (you or your third party) monitors to identify unauthorized activity?

Answer: AWS

Q: Are all employees/contractors/vendors required to sign/acknowledge acceptable use and code of conduct agreement annually?

Answer: Yes

Q: Are visitor/vendor/contractor access restrictions in-place (sign-in, ID badge, escorted)?

Answer: Yes

Q: Does your company have a Third-Party Management process which includes a risk assessment process, due diligence practices, contract structuring and review routines, and on-going monitoring oversight?

Answer: Yes

Q: Does your software/application require additional third-party software or data processing to function (including dependency libraries)?

Answer: Yes

Q: Are users able to screen-share directly in the tool with their client or would this need to be done via a third-party tool such as Zoom?

Answer: They need Zoom.

Q: Does the tool utilize any sort of data entry service (third-party) to assist clients with the setup and maintenance of the tool/data?

Answer: No.

Q: Does this vendor/application require any integration with our financial institution? (i.e., Outlook Exchange environment to send/receive emails through your designated email account)

Answer: No

Q: Do you host at a third-party? If so, please describe the facility’s security systems.

Answer: Yes

Q: What is the vendor’s process for managing critical events after hours?

Answer: Alarms alert personnel who are available at all times.

Q: Is the vendor able to collect evidence using proper chain-of-custody procedures?

Answer: Yes.

Q: Have you or your critical vendors found evidence of network compromise? Please explain.

Answer: No

Q: Were Indications of Compromise (“IOC”) found on your or your critical vendor’s systems?

Answer: No

10. Application Security & Development

Q: Is your AI tool or application included in your development lifecycle?

Answer: Yes

Q: Do you have a documented Software Development Life Cycle (SDLC)?

Answer: Yes

Q: Are developers required to take additional secure coding training?

Answer: Yes

Q: For web applications and any web based APIs, is data input scrubbed for injections?

Answer: Yes

Q: If there is a native mobile application component, is the application secured according to OWASP's Mobile Application Security Verification Standard (MASVS)?

Answer: There is no native mobile application component.

Q: Do you use a WAF or other web application security device that operates at layer 7 of the OSI model?

Answer: No

11. Cloud Security & Infrastructure

Q: If the solution does generate email, what is the sending address domain and is it configurable?

Answer: centerbase.com, not user configurable

Q: Are our financial institution’s documents stored exclusively on a stateside cloud server?

Answer: Yes

Q: How and where is the data being backed up?

Answer: Stored on AWS servers in Ohio.

Q: Where do you store backup archives?

Answer: Oregon and New York.

Q: Do you have policies to address remote work?

Answer: Yes

Q: At the end of the contractual relationship, how is our financial institution data destroyed, including backups?

Answer: Resolved case-by-case.

12. Physical Security

Q: Are building physical access restrictions in-place (door locks, proximity card readers, glass breaks, motion detectors, security alarms, CCTV cameras, guards)?

Answer: Yes

Q: Is all physical access logged?

Answer: Yes

Q: Are environmental measures (e.g. HVAC, fire detection/suppression systems, water detection, raised floor) in place within the Data Center?

Answer: Yes

Q: Does your facility and Data Center have, and regularly test, back-up power (e.g. generator, UPS, battery) in the event of an outage?

Answer: Yes

Q: Where are your primary and secondary (if applicable) Data Center location(s)?

Answer: AWS

Q: Are visitors escorted while at your company?

Answer: Yes

Q: Are logs kept of visitors?

Answer: Yes

13. Logging, Monitoring & Auditing

Q: Is logging enabled on security devices, servers, and applications?

Answer: Yes

Q: Do you use a Security Information and Event Management tool (SIEM) to correlate events gathered from different logs or security sources in order to identify unauthorized access and threats in your environment?

Answer: Yes

Q: Is access to Firecall accounts granted only temporarily and revoked after a standard window, with logging of account checkout enabled?

Answer: Yes

Q: How long are network logs retained?

Answer: 3 months.

Q: Do you have DDoS (distributed denial-of-service) or other monitoring services to ensure resource availability?

Answer: Yes

Q: Do you employ a Security Information and Event Management (“SIEM”) system?

Answer: Yes

Q: Do you employ a File Integrity Monitoring (“FIM”) system?

Answer: Yes

14. Asset Management & Inventory

Q: Does your company have an Asset Management program/process in place which includes maintaining an inventory of all company-related hardware and software (e.g. laptops, desktops, tablets, printers, copiers, cell phones, and other computer peripherals)?

Answer: Yes

Q: Are you actively using a Configuration Management Database (CMDB)?

Answer: No

Q: Does your asset management program ensure that all hardware and software are supported and that appropriate actions are taken before a device or software becomes End-of-Life?

Answer: Yes

Q: Are physical devices and systems inventoried? Physical devices include workstations, laptops, servers, infrastructure components, etc. If the answer is not “All physical devices are inventoried”, please describe what is not inventoried in the comments section.

Answer: Yes

Q: Are software platforms and applications inventoried?

Answer: Yes

Q: Within the inventories, are the critical items identified?

Answer: Yes

15. Change Management

Q: Do you follow a defined change control process for any changes related to IT Infrastructure or applications and does the process include approvals, test plans and backout plans?

Answer: Yes

Q: Since the last review performed by our financial institution, have there been any significant changes to your enterprise (mergers, acquisitions, major sales, expansion, globalization, etc.)? If so, please describe.

Answer: No

16. Risk Assessment & Management

Q: Does your company perform threat analytics?

Answer: Yes

Q: Does your company track on-going threat intelligence?

Answer: Yes

Q: Do you perform cyber threat intelligence activities?

Answer: Yes

Q: Do you perform Risk Assessments annually and prior to launching new services?

Answer: Yes

17. Compliance & Regulatory

Q: Is compliance with the policies and standards monitored?

Answer: Yes

Q: How often do you perform security configuration scans to validate compliance on systems housing our financial institution’s data (nCircle/TripWire CCM)?

Answer: NA

Q: Are you required to comply with any legal, regulatory, or industry requirements (GLBA, PCI-DSS, SOX, HIPAA, FFIEC, NYS DFS 23 NYCRR500, NY GBL 899aa, etc.)? If so, please identify.

Answer: No

Q: Is there an internal audit department or similar oversight unit with responsibility for assessing, identifying and tracking resolution of outstanding regulatory issues?

Answer: Yes

Q: Are the consequences of non-compliance with the policies clearly documented?

Answer: Yes

18. Security Awareness & Training

Q: Are all employees and contractors required to undergo annual security training?

Answer: Yes

Q: Does the program include validation that third-party security provider employees and contractors are required to undergo annual security training?

Answer: Yes

Q: Have your employees and contractors been instructed in security awareness, including how to identify, handle and protect sensitive and/or confidential information, on at least an annual basis?

Answer: Yes

19. Policies & Procedures

Q: Does your organization have an end user computing policy covering topics such as acceptable use of electronic resources and social media?

Answer: Yes

Q: Are policies reviewed and updated, as necessary, at least annually?

Answer: Yes

Q: What level of management is responsible for reviewing and approving policies?

Answer: CEO

Q: Are procedures in place to review access permissions to systems and applications on a regular basis (at least annually)?

Answer: Yes

Q: Do you have a whistleblower policy?

Answer: No

Q: Are documented procedures in place for the secure disposal/destruction of electronic data?

Answer: Yes

Q: Is your default access policy deny-all with appropriate traffic whitelisted?

Answer: Yes

Q: If any third-parties have access to our data or your systems, how do you ensure that such third parties adhere to your policies?

Answer: Yes

Q: How often are these policies reviewed?

Answer: Quarterly

20. Human Resources & Personnel

Q: Are all employees required to sign non-disclosures and/or ethics agreements?

Answer: Yes

Q: Do you use a web filtering solution which stops employees from visiting known malicious or suspicious web pages?

Answer: Yes

Q: Do you perform Threat Hunting to proactively identify Indicators of Compromise (IOC), collecting known-bad indicators from a broad variety of sources and searching for those indicators in your environment?

Answer: Yes

Q: Is the team staffed 24/7?

Answer: Yes

Q: Are system access accounts of transferred personnel approved based on new job responsibilities and previous access accounts or entitlements removed or deactivated on a timely basis?

Answer: Yes

Q: Are employees permitted to access our financial institution’s data from their personal devices (home PCs, personal laptops, mobile phones, etc.)?

Answer: No

Q: Is the use of network analyzers restricted to authorized employees or contractors?

Answer: Yes

Q: Have you implemented secure standard configurations for hardware and software?

Answer: Yes

Q: Can employees transfer our data from databases, applications, or other internal programs to their local machines?

Answer: Yes

Q: How many staff have access to our data?

Answer: 5

Q: Do you provide a call center for our financial institution to request support? If so, list the locations of these call centers and support teams.

Answer: Yes. Email to support@familylawsoftware.com.

Q: Do you use a ticketing system for request tracking, management, and development?

Answer: Yes

21. Artificial Intelligence & Machine Learning

Q: Do you use AI?

Answer: Yes, in development. Not at runtime.

Q: Do you restrict access to open source AI in your environment to the minimum necessary or to specific groups/roles?

Answer: Yes

Q: Do you check if there is use of open source AI in the development of your applications?

Answer: Yes

Q: Is your AI tool or application included in your patch management program?

Answer: Yes

Q: How frequently do you review your AI tool, application, or model to ensure it is working as intended and does not introduce bias?

Answer: Monthly

Q: Does the tool utilize any generative AI features?

Answer: No

Q: Are there any interactive/communication features of this tool?

Answer: NA

Q: Are there any integrations available with this tool?

Answer: NA

Q: Does your organization ingest any data into Artificial Intelligence/Machine Learning models? (If Yes, complete the “AI Questionnaire” tab below)

Answer: No

22. Insurance & Legal

Q: Does your organization have Privacy/Cybersecurity Insurance?

Answer: Yes

Q: Has your company been subject to litigation or investigation in the last 5 years?

Answer: No

23. Business Information & Operations

Q: How long has the company been in business?

Answer: Founded 1996.

24. Data Storage & Transmission

Q: How often are security logs reviewed on systems storing/accessing/processing our financial institution’s data?

Answer: Weekly

Q: What method or methods do you use to transfer data between your company and our financial institution?

Answer: We do not transfer data to any financial institutions.

Q: Do you utilize an SFTP server/service to send and/or transmit our financial institution data between yourself, our financial institution, and/or other 3rd parties?

Answer: No

_________________________________________________________________________________

Security Policies

Access Control Policy
Authentication Information Management Policy
Business Continuity Plan
Centerbase Holding LLC – Cybersecurity Insurance Certificate
Centerbase LLC – SOC 2 Report
Change Management Process
Client Confidential Information Policy
Configuration Management Plan
Data Archive Policy
Data Backup Policy
Data Breach and Management Response Policy
Data Encryption Policy
Family Law Software Acceptable Use Policy
Human Resources Security Policy and Procedures
Identity Management Policy
Incident management plan
Incident Recovery Plan
Information Handling and Classification Policy
Information Security Awareness and Training Program
Information Security Policy
Information Transfer Policy
Insurance Certificate for Centerbase
Legal and Regulatory Requirements
Legal and regulatory requirements concerning information security and privacy
Operating System and Infrastructure Hardening Policy
Password Policy
Patch Management Process
Physical Security Program
Privacy Program
Records Management Process
Remote Work Policy
Risk Assessment Policy
Secure Software Development Lifecycle Policy
Securing Access on Public Networks
Security Assessment Plan
Security Configuration Standard Web Server Software
Supply Chain Risk Management Plan
User Endpoint Device Policy
