Vendor Checklist

Answer each question by checking either the Yes or the No answer.

The Attack Surface Security Metric is calculated after you click the Submit button.

To recalculate after making changes, click the Submit button again.

Questions for Security Metrics

1. Does the vendor provide a private identification code for administrative requests, service change requests, billing contact, or support, whether by phone, in person, or online?
2. Does the vendor maintain a list of pre-selected persons on your staff with whom they will allow contact for administrative requests, service change requests, billing contact, or support?
3. Does the vendor require a secure key, password, or secret code for administrative requests, billing contact, or support?
4. Does the vendor provide reasonable, strong authentication to connect with, access, or interact with data, and an equally strong means for new account creation and password recovery?
5. Does the vendor meet the required legal or regulatory requirements for the product or service (HIPAA, PCI, BASEL2, SOX, SAS70, OSSTMM, etc.)?
6. Does the vendor agree to protect and defend customer legal rights and to provide reasonable and timely support (such as connection logs, communication logs, etc.) to defend against legal claims from third parties?
7. Does the vendor provide monetary compensation for losses involving their product or service, regardless of whether the fault is theirs or a subsequent third party's (clawback provision)?
8. Is the vendor insured for up to the cost of replacing the product or service infrastructure in case of accident or malicious attack (disaster recovery)?
9. Does the vendor require that all data from the product or service, both off-site and within the application, is automatically transported and stored by sufficiently protected means (such as strong encryption)?
10. Does the vendor disallow the change or removal of any of the protection mechanisms placed upon the data or service, whether local or remote?
11. Does the vendor provide a fallback service for business continuity, or a timely, alternate means of connecting back to the data of the product or service (disaster recovery)?
12. Does the vendor maintain regular and timely back-ups, and a restoration process, for all collected data and configurations?
13. Does the vendor maintain a record of all interactions with the data or service, with time, date, and type, and ready access to recover said records?
14. Does the vendor provide advance maintenance and operational schedules of changes to, or administration of, systems, and of the personnel responsible?
15. Does the vendor provide acceptable protection for the transport and interaction of data or service requests, whether over the network (with valid encryption certificates for networks and secure protocols) or physically (using secure courier services and encrypted media)?
16. Does the vendor provide assurance of complete and total destruction of all records not related to billing or other regulatory or legal requirements upon request at contract or service termination, including legal cessation of operations (vendor or client)?
17. Does the vendor maintain low visibility of operations by not sharing or disclosing specific operational information about its services, such as location, maintenance processes, core operations personnel, network maps and information, security processes, or lists of customers?
18. Does the vendor restrict all customer data and services to within the borders of the country of origin?
19. Does the vendor run regular and timely checks on the authenticity and integrity of stored data and information, with a recovery process in place for corruption, whether accidental or malicious?
20. Does the vendor have a process to provide legal entities access for eDiscovery and forensics in the case of criminal or regulatory proceedings?
21. Does the vendor provide a reasonable process for immediate notification of damages, threats, or any incident response action taken due to issues surrounding the safety or security of customer services and data, whether digital or physical?
22. Does the vendor provide immediate notification, through an alternate channel from the one the request was made on, of any support, administrative, or operational changes (including a change in the company's owners)?
23. Does the vendor restrict physical access to server rooms, or on-site access for services, to vetted, contracted personnel only?
24. Does the vendor maintain all of their services in-house (no subcontracting) with respect to the transport, management, configuration, support, or administration of customer services or data?
25. Does the vendor require and enforce non-disclosure agreements for employees and partners?

Results for Security Metrics

The answers above are combined into the following results.

Attack Surface Security Metrics
RAV version 3.0 - OSSTMM version 3.0

Fill in the number fields for OPSEC, Controls, and Limitations with the results of the security test. Refer to OSSTMM 3 for more information.

OPSEC
  Visibility            0
  Access                1
  Trust                 1
  Total (Porosity)      2          OPSEC    5.304712

CONTROLS                   Count   Missing
  Class A
    Authentication           0       2
    Indemnification          0       2
    Resilience               0       2
    Subjugation              0       2
    Continuity               0       2
    Total Class A            0      10
  Class B
    Non-Repudiation          0       2
    Confidentiality          0       2
    Privacy                  0       2
    Integrity                0       2
    Alarm                    0       2
    Total Class B            0      10
  All Controls Total         0      20

  True Controls          0.000000
  Full Controls          0.000000
  True Coverage A        0.00%
  True Coverage B        0.00%
  Total True Coverage    0.00%
  Whole Coverage         0.00%
  True Missing           100.00%

LIMITATIONS                Count   Item Value   Total Value
  Vulnerabilities            0     11.000000    0.000000
  Weaknesses                 0      6.000000    0.000000
  Concerns                   0      6.000000    0.000000
  Exposures                  0      0.500000    0.000000
  Anomalies                  0      0.500000    0.000000
  Total # Limitations        0                  0.000000

  Limitations            0.000000
  Δ                     -5.304712
  True Protection        94.70

Report Score: 8.9

Actual Security: 94.70
OSSTMM RAV - Creative Commons 3.0 Attribution-NonCommercial-NoDerivs 2009, ISECOM