ControlTitle,ControlName,ControlSet,ControlSources,ControlDescription,TestingInformation,ControlStatus,ControlImportantText,EvidenceExtractionDetail,RemediationText,EvidenceCollectionType,Events,TemplateName,TemplateTitle,TemplateDescription,TemplateNecessity,TemplateOverview,TemplateStatus,TemplateLogo,ComplianceStandard,VendorName,VendorContactDetails
Data Security 2.1.1 - Customer Data Ingested (Requires manual attestation),Everest Manual - DS 2.1.1,Data Security,Manual,Establish a list of data that is needed from the customer for product functionality.,,ACTIVE,,Describe all data that is ingested from the customer. Specify if sensitive and confidential data is ingested. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.2.1 - Data Storage Location (Requires manual attestation),Everest Manual - DS 2.2.1,Data Security,Manual,Specify the list of countries and regions in which data is stored. ,,ACTIVE,,Where is customer data stored? Please specify the list of countries and regions in which data is stored.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.3.1 - Access Control - Employee Access,Everest Manual - DS 2.3.1,Data Security,Manual,Do employees have access to unencrypted customer data?,,ACTIVE,,"Specify if employees have access to unencrypted customer data. If yes, explain briefly why they'll have access. If no, explain briefly how you control access.",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.3.2 - Access Control - Mobile Access,Everest Manual - DS 2.3.2,Data Security,Manual,Can customer data be accessed through mobile devices?,,ACTIVE,,"Specify if customer data can be accessed using mobile devices. If yes, explain briefly why they'll have access via mobile and if there is a mobile policy in place. If no, explain briefly how you control mobile access.",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.3.3 - Access Control - Countries Data is Transmitted to (Requires manual attestation),Everest Manual - DS 2.3.3,Data Security,Manual,Is customer data transmitted to countries outside the origin? ,,ACTIVE,,"Is customer data transmitted to countries outside the origin? If yes, specify the list of countries to which customer data will be transmitted or received",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.3.4 - Access Control - Is Data Shared with Third Party Vendors (Requires manual attestation),Everest Manual - DS 2.3.4,Data Security,Manual,Is customer data shared with third party vendors? ,,ACTIVE,,"Is customer data shared with third party vendors? If yes, specify the list of third party vendors and their countries/region that you provide customer data to",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.3.5 - Access Control - Security Policy related to Third Party Vendors,Everest Manual - DS 2.3.5,Data Security,Manual,"Do you have policies/procedures in place to ensure that third party vendors maintain the confidentiality, availability, and integrity of customer data?",,ACTIVE,,"Specify if you have policies/procedures in place to ensure that third party vendors maintain the confidentiality, availability and integrity of customer data. If yes, could you share/upload a manual evidence of it?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.4.1 - Data Encryption - Data Encryption at Rest and in Transit,Everest Manual - DS 2.4.1,Data Security,Manual,Are all data encrypted at rest and in transit?,,ACTIVE,,Specify if all data is encrypted at rest and in transit. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.4.2 - Data Encryption - Strong Algorithms (Requires manual attestation),Everest Manual - DS 2.4.2,Data Security,Manual,Do you use strong encryption algorithms?,,ACTIVE,,"Do you use strong encryption algorithms? If yes, specify what encryption algorithms (like RSA, AES 256) are used.",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.4.3 - Data Encryption - Unique Encryption Key,Everest Manual - DS 2.4.3,Data Security,Manual,Are clients provided with the ability to generate a unique encryption key?,,ACTIVE,,"Can clients provide/generate their own unique encryption keys? If yes, please provide more details/upload evidence. ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.4.4 - Data Encryption - Encryption Keys Access,Everest Manual - DS 2.4.4,Data Security,Manual,Are staff able to access client's encryption keys?,,ACTIVE,,"Please specify if your employees can access client's encryption keys. If yes, explain briefly why they'll have access to their keys. If no, explain briefly how you control access.",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.5.1 - Data Storage & Classification - Data Backup,Everest Manual - DS 2.5.1,Data Security,Manual,Do you back up customer data?,,ACTIVE,,"Specify if you back up customer data. If yes, please describe your backup policy (including details about how often backup is done, where the backup is stored, backup encryption and redundancy, etc.)",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.5.2 - Data Storage & Classification - Data Access Control Policy,Everest Manual - DS 2.5.2,Data Security,Manual,Do you implement appropriate access controls for stored customer data? Provide your access control policies.,,ACTIVE,,Specify/Establish if appropriate access controls (like RBAC) are implemented for stored customer data. Please provide more details/manual evidence on how you control access to the data. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.5.3 - Data Storage & Classification - Access Customization,Everest Manual - DS 2.5.3,Data Security,Manual,"Can customers customize access to their data including placing a ""Legal hold"" in case of incident?",,ACTIVE,,"Specify if customers can customize access to their data including placing a ""Legal hold"" in case of incident.",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.5.4 - Data Storage & Classification - Transaction Data (Requires manual attestation),Everest Manual - DS 2.5.4,Data Security,Manual,Is customer's transaction details stored in DMZ?,,ACTIVE,,"Specify if customer's transaction details will be stored in DMZ. If yes, please explain briefly why it gets stored. ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.5.5 - Data Storage & Classification - Information Classification,Everest Manual - DS 2.5.5,Data Security,Manual,"Is information classified according to legal or regulatory requirements, business value, and sensitivity to unauthorized disclosure or modification?",,ACTIVE,,"Specify/Establish if information is classified by sensitivity. If yes, could you upload manual evidence of this classification?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.5.6 - Data Storage & Classification - Data Segmentation,Everest Manual - DS 2.5.6,Data Security,Manual,Is data segmentation and separation capability between clients provided?,,ACTIVE,,Specify if different client's data is segmented.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.5.7 - Data Storage & Classification - Legal Demonstration of Data Segmentation ,Everest Manual - DS 2.5.7,Data Security,Manual,"If data segmentation and separation capability is present, do you have means to demonstrate legally sufficient data segmentation?",,ACTIVE,,Establish if you can demonstrate sufficient data segmentation (legally) if required to do so.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.6.1 - Data Retention ,Everest Manual - DS 2.6.1,Data Security,Manual,How long do you retain data?,,ACTIVE,,"Specify the duration of data retention. If the retention period differs by data classification/sensitivity, can you provide details on each retention period? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Data Security 2.6.2 - Data Retention after Client's Unsubscribe,Everest Manual - DS 2.6.2,Data Security,Manual,How long do you retain data after buyers unsubscribe?,,ACTIVE,,Specify the duration of data retention after customers unsubscribe. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Audit & Compliance 1.1.1 - Certifications Completed (Requires manual attestation),Everest Manual - Cert 1.1.1,Audit & Compliance,Manual,Specify the list of certifications that you have. Please upload a copy of the certificate.,,ACTIVE,,Specify the list of certifications that you have. Please upload a copy of the certificate.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Audit & Compliance 1.2.1 - Procedures ensuring Compliance - Procedures ensuring Compliance (Requires manual attestation),Everest Manual - Cert 1.2.1,Audit & Compliance,Manual,"Do you have a policy/procedure to ensure compliance with applicable legislative, regulatory and contractual requirements?",,ACTIVE,,"Specify if you have a policy/procedure to ensure compliance with applicable legislative, regulatory and contractual requirements. If yes, could you share details about the procedure/upload a manual evidence?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Audit & Compliance 1.2.2 - Procedures ensuring Compliance - Internal Audits,Everest Manual - Cert 1.2.2,Audit & Compliance,Manual,Are internal audits done to track outstanding regulatory requirements?,,ACTIVE,,"Specify if internal audits are done to track outstanding requirements. If yes, how do you do it?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Audit & Compliance 1.2.3 - Procedures ensuring Compliance - Deviations and Exceptions (Requires manual attestation),Everest Manual - Cert 1.2.3,Audit & Compliance,Manual,Is there a process to handle deviations and exceptions from compliance requirements?,,ACTIVE,,"Specify/Establish if there is a process to handle exceptions/deviations from compliance requirements. If yes, please provide details on how you do it. ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Audit & Compliance 1.3.1 - Certification in Progress (Requires manual attestation),Everest Manual - Cert 1.3.1,Audit & Compliance,Manual,Do you have a roadmap to acquire additional certifications in the future?,,ACTIVE,,"Specify if there is a roadmap for additional certifications in the future. If yes, please provide the name and the approximate completion date for each of these certifications?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Security & Configuration Policy 10.1.1 - Policies for Information Security - Information Security Policy ,Everest Manual - SP 10.1.1,Security & Configuration Policy,Manual,Do you have an information security policy that is owned and maintained by a security team?,,ACTIVE,,"Specify/Establish if you have an information security policy. If yes, could you share/upload a manual evidence?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Security & Configuration Policy 10.1.2 - Policies for Information Security - Policy Review,Everest Manual - SP 10.1.2,Security & Configuration Policy,Manual,Are all security policies reviewed periodically?,,ACTIVE,,"Specify if security policies are reviewed frequently. If yes, specify the frequency of review.",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Security & Configuration Policy 10.2.1 - Policies for Security Configurations - Security Configurations,Everest Manual - SP 10.2.1,Security & Configuration Policy,Manual,Are security configuration standards maintained and documented?,,ACTIVE,,"Specify if all security configuration standards are maintained and documented. If yes, could you share/upload a manual evidence? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Security & Configuration Policy 10.2.2 - Policies for Security Configurations - Security Configurations Review,Everest Manual - SP 10.2.2,Security & Configuration Policy,Manual,Are security configurations reviewed frequently?,,ACTIVE,,"Specify if security configurations are reviewed frequently. If yes, specify the frequency of review.",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Security & Configuration Policy 10.2.3 - Policies for Security Configurations - Changes to Configurations,Everest Manual - SP 10.2.3,Security & Configuration Policy,Manual,Are changes to configurations logged?,,ACTIVE,,Specify if configuration changes are logged. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.1.1 - Secure Authentication - Password Use to Access the Production Environment,Everest Manual - AC 3.1.1,Access Management,Manual,Do you support password based authentication to access the production environment?,,ACTIVE,,Specify if password authentication is enabled to access the production environment.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.1.2 - Secure Authentication - Application Supports Password Use (Requires manual attestation),Everest Manual - AC 3.1.2,Access Management,Manual,Does the application require/support password-based authentication? ,,ACTIVE,,Specify if password authentication is enabled for the application.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.1.3 - Secure Authentication - Personal Data in UserId (Requires manual attestation),Everest Manual - AC 3.1.3,Access Management,Manual,Do you get personal data (other than name or email ID) in user ID?,,ACTIVE,,"Specify if personal data other than name or email address is used in user ID. If yes, what data will be used? What use case is it used for?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.1.4 - Secure Authentication - Single Sign-on (Requires manual attestation),Everest Manual - AC 3.1.4,Access Management,Manual,Is SSO enabled to access the production environment?,,ACTIVE,,"Specify if SSO can be used with the application. If yes, what tool is used for SSO?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.1.5 - Secure Authentication - Two Factor Authentication ,Everest Manual - AC 3.1.5,Access Management,Manual,Is two factor authentication required to access the production/hosted environment?,,ACTIVE,,"Specify if two factor authentication (2FA) is required for access to production environment. If yes, what tool is used for 2FA?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.1.6 - Secure Authentication - Application Supports Two Factor Authentication ,Everest Manual - AC 3.1.6,Access Management,Manual,Does the application support two factor authentication? ,,ACTIVE,,"Specify if two factor authentication (2FA) can be used with the application. If yes, what tools can be used for 2FA?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.1.7 - Secure Authentication - Account Lockout (Requires manual attestation),Everest Manual - AC 3.1.7,Access Management,Manual,Is the customer's account locked if there are multiple failed logins?,,ACTIVE,,"Specify if account lockout is enabled if there are multiple failed logins. If yes, specify the number of tries after which account will be locked out.",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.1.8 - Secure Authentication - Root User,Everest Manual - AC 3.1.8,Access Management,Manual,Is root user used only by exception to access the production environment?,,ACTIVE,,"Specify that the root user is only used by exception. If yes, can you establish the cases it'll be used for?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.1.9 - Secure Authentication - Root User MFA,Everest Manual - AC 3.1.9,Access Management,Manual,Does root user require multi-factor authentication (MFA)?,,ACTIVE,,"Specify if logging in as root user requires multi factor authentication. If yes, what tool is used for MFA? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.1.10 - Secure Authentication - Remote Access,Everest Manual - AC 3.1.10,Access Management,Manual,Is remote access to the production environment permitted and is the access secure? ,,ACTIVE,,"Specify if the application permits remote access. If yes, what is remote access used for? Is the access secured (for example: will key based authentication be used and will the communication be over encrypted channels)?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.2.1 - Credential Management - Password Policy,Everest Manual - AC 3.2.1,Access Management,Manual,Does the application have a strong password policy? Does the password policy require changing it at frequent intervals?,,ACTIVE,,Specify/Establish if a strong password policy is present. Does it require password change at frequent intervals? ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.2.2 - Credential Management - Password Encryption,Everest Manual - AC 3.2.2,Access Management,Manual,Does the password policy require passwords to be encrypted in transit and to be hashed with salt when stored?,,ACTIVE,,"Specify if passwords are encrypted in transit and when stored, is the password hashed with salt. If yes, can you provide more details? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.2.3 - Credential Management - Secret Management,Everest Manual - AC 3.2.3,Access Management,Manual,Do you use secrets management service?,,ACTIVE,,"Specify/Establish if there is a secrets management in place. If yes, can you provide more details? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.2.4 - Credential Management - Credentials in Code,Everest Manual - AC 3.2.4,Access Management,Manual,Are credentials included in the code?,,ACTIVE,,"Specify if credentials are included in the code. If yes, can you provide more details? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.3.1 - Access Control Policy - Least Privilege Access ,Everest Manual - AC 3.3.1,Access Management,Manual,Do you follow least privilege access policy for users to access production environment?,,ACTIVE,,"Specify/Establish if least privileges are assigned to users. If no, how do you control access?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.3.2 - Access Control Policy - Access Policy Review,Everest Manual - AC 3.3.2,Access Management,Manual,Are all access policies in the production environment reviewed regularly?,,ACTIVE,,"Specify if all access policies are reviewed regularly. If yes, can you provide more details on how often the policies are reviewed? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.3.3 - Access Control Policy - Separate Accounts (Requires Manual Attestation),Everest Manual - AC 3.3.3,Access Management,Manual,Are there separate accounts for hosting critical and shared services?,,ACTIVE,,Specify/Establish if there are separate accounts for hosting critical and shared services. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.3.4 - Access Control Policy - Users & Security Policy Configuration (Requires manual attestation),Everest Manual - AC 3.3.4,Access Management,Manual,Can customers configure user & security policies for sign in?,,ACTIVE,,Specify if customers can configure which users (from the customer's and the vendor's end) will have access to their environment ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.3.5 - Access Control Policy - Logical Segmentation,Everest Manual - AC 3.3.5,Access Management,Manual,Is there logical segmentation of application users?,,ACTIVE,,Specify/Establish if there is logical segmentation of users. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Access Management 3.4.1 - Access Logs,Everest Manual - AC 3.4.1,Access Management,Manual,Are there logs of access attempts to production environment?,,ACTIVE,,"Specify if access attempts are logged. If yes, how long are the logs retained? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Application Security 4.1.1 - Secure Software Development Lifecycle - Separate Environment,Everest Manual - Appsec 4.1.1,Application Security,Manual,"Is development, test, and staging environment separate from the production environment?",,ACTIVE,,"Specify if development, test, and staging environment is separate from the production environment. ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Application Security 4.1.2 - Secure Software Development Lifecycle - Secure Coding Practice,Everest Manual - Appsec 4.1.2,Application Security,Manual,Do security engineers work with developers on security practices?,,ACTIVE,,Specify if developers and security engineers work together on secure coding practices. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Application Security 4.1.3 - Secure Software Development Lifecycle - Use of Customer Data in Test Environment,Everest Manual - Appsec 4.1.3,Application Security,Manual,"Is customer data ever used in the test, development, or QA environments?",,ACTIVE,,"Is customer data ever used in the test, development, or QA environments? If yes, what data is used and what is it used for? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Application Security 4.1.4 - Secure Software Development Lifecycle - Secure Connection,Everest Manual - Appsec 4.1.4,Application Security,Manual,Is SSL/TLS enabled for all web pages/communications that use customer data?,,ACTIVE,,Specify/Establish if a secure connection (like SSL/TLS) is used for all communications with customer data. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/
Application Security 4.1.5 - Secure Software Development Lifecycle - Image Backup,Everest Manual - Appsec 4.1.5,Application Security,Manual,Are application image snapshots backed up?,,ACTIVE,,"Specify if image snapshots are backed up. If yes, is there a process to ensure that image snapshots containing scoped Data are authorized prior to being snapped? Is access control implemented for the image snapshots? 
",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.2.1 - Application Security Review - Secure Code Review,Everest Manual - Appsec 4.2.1,Application Security,Manual,Is secure code review done prior to each release?,,ACTIVE,,Specify if a security code review is done prior to each release.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.2.2 - Application Security Review - Penetration Test,Everest Manual - Appsec 4.2.2,Application Security,Manual,Are penetration tests performed? Can we get reports of penetration testing?,,ACTIVE,,"Specify if penetration tests are performed on the application. If yes, can you share the last 3 reports as manual evidence?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.2.3 - Application Security Review - Security Patches,Everest Manual - Appsec 4.2.3,Application Security,Manual,Are all available high-risk security patches applied and verified regularly?,,ACTIVE,,"Specify if high risk security patches are applied regularly. If yes, how often is it applied? 
",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.2.4 - Application Security Review - Vulnerability Scans on Applications,Everest Manual - Appsec 4.2.4,Application Security,Manual,Are vulnerability scans performed against all internet facing applications regularly and after significant changes?,,ACTIVE,,"Specify if vulnerability scans are performed on all internet facing applications. If yes, how often is it done? Can we get a copy of the report?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.2.5 - Application Security Review - Vulnerability Scans on Internal Networks,Everest Manual - Appsec 4.2.5,Application Security,Manual,Are vulnerability scans performed against internal networks and systems?,,ACTIVE,,"Specify if vulnerability scans are performed on internal networks and systems. If yes, how often is it done? 
",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.2.6 - Application Security Review - Third Party Alerts on Vulnerabilities,Everest Manual - Appsec 4.2.6,Application Security,Manual,Are third party alert services used to keep up to date with the latest vulnerabilities?,,ACTIVE,,"Specify if third party alert services are used to stay up to date on latest vulnerabilities. If yes, could you provide more details? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.2.7 - Application Security Review - Threats and Vulnerabilities Management,Everest Manual - Appsec 4.2.7,Application Security,Manual,Are there processes to manage threat and vulnerability assessment tools and the data they collect?,,ACTIVE,,Specify if there are processes to manage threat and vulnerability assessment tools and their findings. 
Could you provide more details on how threats and vulnerabilities are managed?,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.2.8 - Application Security Review - Configuration Modification by Buyers (Requires manual attestation),Everest Manual - Appsec 4.2.8,Application Security,Manual,Is there a self service portal where buyers can modify their application security configurations?,,ACTIVE,,Specify if there is a self service portal for buyers to modify their security configuration. Can you provide details on how this can be done? ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.2.9 - Application Security Review - Anti Malware Scans,Everest Manual - Appsec 4.2.9,Application Security,Manual,Is anti-malware scanning done against the network and systems hosting the application regularly?,,ACTIVE,,"Specify if anti-malware scanning is done against the network and systems hosting the application. If yes, how often is it done? Can you provide the report? 
",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.3.1 - Application Logs - Alerts on Application Logs,Everest Manual - Appsec 4.3.1,Application Security,Manual,Are application logs collected and reviewed? Do you have tools/alerts in place to monitor events uncover potential incidents?,,ACTIVE,,"Specify if application logs are collected and reviewed. If yes, do you have tools in place to monitor these logs for potential incidents?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.3.2 - Application Logs - Access to Logs,Everest Manual - Appsec 4.3.2,Application Security,,"Are operating system and application logs protected against modification, deletion, and/or inappropriate access?",,ACTIVE,,"Establish that operating system and application logs are protected against modification, deleted and/or inappropriate access",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.3.3 - Application Logs - Data Stored in Logs (Requires manual attestation),Everest Manual - Appsec 4.3.3,Application Security,Manual,Do you store customer's personally identifiable information (PII) in 
logs?,,ACTIVE,,What data will be stored in application logs? Do you store customer's personally identifiable information (PII)?,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.4.1 - Change Control Policy - Functional and Resiliency Testing,Everest Manual - Appsec 4.4.1,Application Security,Manual,Is functional and resiliency testing done before implementing a change?,,ACTIVE,,Specify if functional and resiliency testing is done on the application before a new release. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.4.2 - Change Control Policy - Change Control Procedures,Everest Manual - Appsec 4.4.2,Application Security,Manual,Are change control procedures required for all changes to the production environment?,,ACTIVE,,Specify if change control procedures are in place for all changes made in the production environment. 
,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.4.3 - Change Control Policy - Avoid Human Error/Risks in Production,Everest Manual - Appsec 4.4.3,Application Security,Manual,Do you have a process in place to verify that human error/risks don't get pushed into production?,,ACTIVE,,Specify/Establish that there's a process to verify that human error/risks don't get pushed into production.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.4.4 - Change Control Policy - Document and Log Changes,Everest Manual - Appsec 4.4.4,Application Security,Manual,Do you document & log changes that may impact their service?,,ACTIVE,,Specify if changes are documented & logged. 
,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Application Security 4.4.5 - Change Control Policy - Change Notification for Buyers (Requires manual attestation),Everest Manual - Appsec 4.4.5,Application Security,Manual,Is there a formal process to ensure clients are notified prior to changes being made which may impact their service?,,ACTIVE,,Specify if clients will be notified prior to making changes that may impact their service. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.1.1 - Risk Assessment - Address and Identify Risks,Everest Manual - IR 5.1.1,Risk Management/Incident Response,Manual,Is there a formal process focused on identifying and addressing risks of disruptive incidents to the organization?,,ACTIVE,,Specify if there is a process to identify and address risks that cause disruptive incidents for the organization. 
,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.1.2 - Risk Assessment - Risk Management Process,Everest Manual - IR 5.1.2,Risk Management/Incident Response,Manual,Is there a program/process to manage the treatment of risks identified during assessments?,,ACTIVE,,"Specify if there is a program/process to manage risks and their mitigations. If yes, can you provide more details about the risk management process?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.1.3 - Risk Assessment - Risk Assessments,Everest Manual - IR 5.1.3,Risk Management/Incident Response,Manual,Are risk assessments done frequently?,,ACTIVE,,"Are risk assessments done frequently? If yes, specify the frequency of risk assessments. ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.1.4 - Risk Assessment - Third Party Vendors Risk Assessment,Everest Manual - IR 5.1.4,Risk Management/Incident Response,Manual,Is risk assessment done for third party vendors?,,ACTIVE,,"Specify if risk assessments are done for all third party vendors. If yes, how often is it done? 
",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.1.5 - Risk Assessment - Risk Reassessment when Contract Changes,Everest Manual - IR 5.1.5,Risk Management/Incident Response,Manual,Is risk reassessment done when service delivery or contract changes?,,ACTIVE,,Will risk assessments be done everytime a service delivery or contract changes? ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.1.6 - Risk Assessment - Accept Risks,Everest Manual - IR 5.1.6,Risk Management/Incident Response,Manual,Is there a process for management to knowingly and objectively accept risks and approving action plans?,,ACTIVE,,"Specify if there is a process for management to understand and accept risks, and to approve action plans and timelines to fix it. 
Does the process include providing details of the metrics behind each risk to the management?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.1.7 - Risk Assessment - Risk Metrics,Everest Manual - IR 5.1.7,Risk Management/Incident Response,Manual,"Do you have measures in place to define, monitor and report risk metrics?",,ACTIVE,,"Specify if there is a process to define, monitor and report risk metrics. ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.2.1 - Incident Management - Incident Response Plan,Everest Manual - IR 5.2.1,Risk Management/Incident Response,Manual,Is there a formal incident response plan?,,ACTIVE,,Specify if there is a formal incident response plan. 
,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.2.2 - Incident Management - Contact to Report Security Incidents,Everest Manual - IR 5.2.2,Risk Management/Incident Response,Manual,Is there a 24x7x365 staffed phone number available to clients to report security incidents?,,ACTIVE,,Is there a 24x7x365 staffed phone number/portal available to clients to report security incidents? Can you share the contact details? ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.2.3 - Incident Management - Report Incidents/Key Activities,Everest Manual - IR 5.2.3,Risk Management/Incident Response,Manual,Do you report key activities?,,ACTIVE,,Do you report key activities? What is the SLA for reporting key activities?,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.2.4 - Incident Management - Incident Recovery,Everest Manual - IR 5.2.4,Risk Management/Incident Response,Manual,Do you have disaster recovery plans?,,ACTIVE,,"Specify if you have plans for recovery after an incident occurs. 
If yes, can you share details about the recovery plans?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.2.5 - Incident Management - Logs Available to Buyers in case of an Attack,Everest Manual - IR 5.2.5,Risk Management/Incident Response,Manual,"In case of an attack, will relevant logs be available to customers?",,ACTIVE,,Will logs related to their use be available to customers in case an attack/incident occurs? ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.2.6 - Incident Management - Security Bulletin (Requires manual attestation),Everest Manual - IR 5.2.6,Risk Management/Incident Response,Manual,Do you have a security bulletin that outlines latest attacks and vulnerabilities affecting your applications?,,ACTIVE,,"Specify if you have a security bulletin that outlines latest attacks and vulnerabilities affecting your applications. 
If yes, can you provide the details?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.3.1 - Incident Detection - Comprehensive Logging,Everest Manual - IR 5.3.1,Risk Management/Incident Response,Manual,Is there comprehensive logging to support the identification and mitigation of incidents?,,ACTIVE,,Specify if there is comprehensive logging enabled. Identify the types of events that the system is capable of logging. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.3.2 - Incident Detection - Log Monitoring,Everest Manual - IR 5.3.2,Risk Management/Incident Response,Manual,Are logs monitored for unusual/suspicious behavior? Is there regular security monitoring done?,,ACTIVE,,"Specify if regular security monitoring is done. If yes, does it include log monitoring for unusual/suspicious behavior? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.3.3 - Incident Detection - Alerts on Suspicious Activities,Everest Manual - IR 5.3.3,Risk Management/Incident Response,Manual,Do you have detection mechanisms in place? 
Are there alerts on unusual/suspicious activities?,,ACTIVE,,"Specify if tools/mechanisms are in place for detecting suspicious behavior. If yes, will alerts be raised if a suspicious behavior was detected?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.3.4 - Incident Detection - Third Party Data Breach,Everest Manual - IR 5.3.4,Risk Management/Incident Response,Manual,"Is there a process to identify/detect and log subcontractor information security, privacy and/or data breach issues?",,ACTIVE,,Specify if there is a process in place to identify/monitor third party vendors/subcontractors for data breach or security issues.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Risk Management/Incident Response 5.4.1 - SLA for Incident Notification,Everest Manual - IR 5.4.1,Risk Management/Incident Response,Manual,What is the SLA for sending notification about incidents/breaches?,,ACTIVE,,What is the SLA for sending notification about incidents/breaches?,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.1.1 - Business Resiliency - Review of Business Resiliency 
Program,Everest Manual - BC 6.1.1,Business Resiliency & Continuity,Manual,Is there a periodic review of your business resiliency program?,,ACTIVE,,"Specify if the business resiliency program is reviewed periodically. If yes, how often is the program reviewed?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.1.2 - Business Resiliency - Failover Tests,Everest Manual - BC 6.1.2,Business Resiliency & Continuity,Manual,Are site failover tests performed at least annually?,,ACTIVE,,"Specify if failover tests are performed annually. If no, how often are they performed? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.1.3 - Business Resiliency - Business Impact Analysis ,Everest Manual - BC 6.1.3,Business Resiliency & Continuity,Manual,Has a business impact analysis been conducted?,,ACTIVE,,"Specify if a business impact analysis was done. If yes, when was it done last? Please provide more details on the analysis conducted. 
",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.1.4 - Business Resiliency - Dependencies on Third Party Vendors,Everest Manual - BC 6.1.4,Business Resiliency & Continuity,Manual,Are there any dependencies on critical third party service providers?,,ACTIVE,,"Specify if there is any dependency on third party vendors. If yes, can you provide more details on the vendors? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.1.5 - Business Resiliency - Third Party Continuity and Recovery Tests,Everest Manual - BC 6.1.5,Business Resiliency & Continuity,Manual,Are all third party providers for the application involved in annual continuity and recovery tests?,,ACTIVE,,Specify if continuity and recovery tests will be performed on all third party vendors that provide critical services. 
,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.1.6 - Business Resiliency - Third Party Vendors Breach of Contract,Everest Manual - BC 6.1.6,Business Resiliency & Continuity,Manual,Do contracts with critical service providers include a penalty or remediation clause for breach of availability and continuity SLAs?,,ACTIVE,,Is penalty or remediation steps for breach of availability and continuity included in contracts with third party vendors? ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.1.7 - Business Resiliency - Health of the System,Everest Manual - BC 6.1.7,Business Resiliency & Continuity,Manual,Do you have monitors/alerts to understand the health of the system?,,ACTIVE,,Specify if monitors/alerts are in place to understand the health of the system. 
,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.2.1 - Business Continuity - Business Continuity Policies/Procedures,Everest Manual - BC 6.2.1,Business Resiliency & Continuity,Manual,Are formal business continuity procedures developed and documented?,,ACTIVE,,"Specify if formal business procedures are developed and maintained for business continuity. If yes, provide more details on the procedures. ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.2.2 - Business Continuity - Response and Recovery Strategies,Everest Manual - BC 6.2.2,Business Resiliency & Continuity,Manual,Are specific response and recovery strategies defined for the prioritized activities?,,ACTIVE,,Specify if recovery and response strategies are developed for customer facing activities/services,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.2.3 - Business Continuity - Systems to Assure Business Continuity,Everest Manual - BC 6.2.3,Business Resiliency & Continuity,Manual,Do you have a system in place to assure business continuity in case of a 
failure?,,ACTIVE,,"Specify if you have a system in place to assure business continuity in case of a failure. If yes, within how long will this system be activated? Could you provide more details?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.2.4 - Business Continuity - Availability Impact in Multi-Tenancy Environments (Requires manual attestation),Everest Manual - BC 6.2.4,Business Resiliency & Continuity,Manual,Do you limit a buyer's ability to impose load that may impact availability for other users of your system?,,ACTIVE,,"Specify if one buyer's load can impact availability for another buyer. If yes, what is the threshold until which there will be no impact? If no, can you provide more details on how you ensure services are not impacted during peak usage and above? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.3.1 - Application Availability - Availability Record (Requires manual attestation),Everest Manual - BC 6.3.1,Business Resiliency & Continuity,Manual,Have there been any issues related to reliability/availability in the last 90 days? Could you provide an availability record?,,ACTIVE,,Specify if there have been any issues related to reliability/availability in the past. Could you provide an availability record? 
,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.3.2 - Application Availability - Scheduled Maintenance Window,Everest Manual - BC 6.3.2,Business Resiliency & Continuity,Manual,"Is there a scheduled maintenance window which results in client downtime? If yes, what is the downtime?",,ACTIVE,,"Specify if there is a scheduled maintenance window during which services might be down. If yes, how long is the downtime? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.3.3 - Application Availability - Online Incident Portal (Requires manual attestation),Everest Manual - BC 6.3.3,Business Resiliency & Continuity,Manual,"Is there an online incident response status portal, which outlines planned and unplanned outages?",,ACTIVE,,"Specify if there is an incident status portal that outlines planned and unplanned outages. If yes, provide details on how a customer can access it? How long after the outage will the portal be updated? 
",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Business Resiliency & Continuity 6.3.4 - Application Availability - Recovery Time Objective,Everest Manual - BC 6.3.4,Business Resiliency & Continuity,Manual,Is there a specific recovery time objective (RTO)?,,ACTIVE,,"Is there a specific recovery time objective (RTO)? If yes, can you provide the recovery time objective (RTO)?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.1.1 - Asset/Software Inventory - Asset Inventory,Everest Manual - ES 7.1.1,End User Device Security,Manual,Is the asset inventory list updated periodically?,,ACTIVE,,"Specify if an asset inventory is maintained. If yes, how often is it updated? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.1.2 - Asset/Software Inventory - Software and Applications Inventory,Everest Manual - ES 7.1.2,End User Device Security,Manual,Are all installed software platforms and applications on scoped systems inventoried?,,ACTIVE,,"Specify if inventory of all installed softwares and applications is maintained. 
If yes, how often is it updated?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.2.1 - Asset Security - Security Patches,Everest Manual - ES 7.2.1,End User Device Security,Manual,Are all available high-risk security patches applied and verified at least monthly on all end user devices?,,ACTIVE,,"Specify if all high risk security patches are applied at least monthly. If no, how often is it applied? Can you provide more details on how you manage patching? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.2.2 - Asset Security - Endpoint Security,Everest Manual - ES 7.2.2,End User Device Security,Manual,Do you have endpoint security?,,ACTIVE,,"Specify if endpoint security is installed on all devices. If yes, can you provide more details on the tool and how it is maintained? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.2.3 - Asset Security - Maintenance and Repair of Assets,Everest Manual - ES 7.2.3,End User Device Security,Manual,"Is maintenance and repair of organizational assets performed and logged, with approved and controlled tools? 
Could the maintenance window lead to downtime?",,ACTIVE,,"Is maintenance and repair of all assets performed and logged with controlled tools? If yes, could you provide more details on how it is managed? Will the maintenance lead to downtime for customers?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.2.4 - Asset Security - Access Scoped Data from End User Devices (Requires manual attestation),Everest Manual - ES 7.2.4,End User Device Security,Manual,"Are end user devices (desktops, laptops, tablets, smartphones) used for transmitting, processing or storing scoped data?",,ACTIVE,,"Will end user devices be used to transmit, process or store scoped data? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.2.5 - Asset Security - Employee Access of Production Devices from Private Devices,Everest Manual - ES 7.2.5,End User Device Security,Manual,Are employees prevented from accessing production environment via private unmanaged devices?,,ACTIVE,,Specify if stringent access control is enabled for access to production environment (for example: are employees prevented from accessing production environment via private unmanaged devices?). 
,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.2.6 - Asset Security - Access Control for Devices,Everest Manual - ES 7.2.6,End User Device Security,Manual,Do the devices have access control enabled?,,ACTIVE,,Specify if devices have access controls (like RBAC) enabled. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.3.1 - Device Logs - Sufficient Details in Logs,Everest Manual - ES 7.3.1,End User Device Security,Manual,Are sufficient details logged in operating system and device logs to support incident investigation?,,ACTIVE,,"Specify if sufficient details (like successful and failed login attempts and changes to sensitive configuration settings and files) are included in the logs to support incident investigation. If no, can you provide more details on how you handle incident investigation? 
",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.3.2 - Device Logs - Access to Device Logs,Everest Manual - ES 7.3.2,End User Device Security,Manual,"Are device logs protected against modification, deletion and/or inappropriate access?",,ACTIVE,,"Establish that device logs are protected against modification, deleted and/or inappropriate access. If yes, can you provide more details on how you enforce it? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.3.3 - Device Logs - Log Retention,Everest Manual - ES 7.3.3,End User Device Security,Manual,Are logs retained for sufficient time to investigate an attack?,,ACTIVE,,How long will the logs be retained?,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.4.1 - Mobile Device Management - Mobile Device Management Program ,Everest Manual - ES 7.4.1,End User Device Security,Manual,Is there a mobile device management program?,,ACTIVE,,"Specify if there is a mobile device management program. 
If yes, please specify what tool is used for mobile device management.",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.4.2 - Mobile Device Management - Access Production Environment from Private Mobile Devices,Everest Manual - ES 7.4.2,End User Device Security,Manual,Are staff technically prevented from accessing production environment via non-managed private mobile devices?,,ACTIVE,,"Specify if employees are prevented from accessing production environment via unmanaged private mobile devices. If no, how do you enforce this control? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.4.3 - Mobile Device Management - Access Customer Data from Mobile Devices,Everest Manual - ES 7.4.3,End User Device Security,Manual,Are employees allowed to use mobile devices to view or process customer data?,,ACTIVE,,"Specify if employees are allowed to access scoped data via their mobile phones. If yes, what is the use case for allowing access via mobile phones? How do you control/monitor access? 
",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ End User Device Security 7.4.4 - Mobile Device Management - Offboard Mobile Devices upon Employee Termination,Everest Manual - ES 7.4.4,End User Device Security,Manual,"Is there an approved process for IT to off-board mobile devices upon employee termination, or when an employee requests to on-board a new mobile device?",,ACTIVE,,"Is there an approved process for IT to off-board mobile devices upon termination, or when an employee requests to on-board a new mobile device? If yes, specify/establish that this process includes secure disposal of data on these devices. ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.1.1 - Physical Security - Physical Access to Facilities,Everest Manual - IS 8.1.1,Infrastructure Security,Manual,"Are all individuals that need to access a facility, property, vehicle, or other asset in-person required to provide photo ID and credentials?",,ACTIVE,,"Are all individuals that need to access a facility, property, vehicle, or other asset in-person required to provide photo ID and credentials?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk 
Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.1.2 - Physical Security - Physical Security and Environmental Controls in Place,Everest Manual - IS 8.1.2,Infrastructure Security,Manual,Are physical security and environmental controls in place in the data center and office buildings?,,ACTIVE,,Specify if physical security and environment controls are in place for all the facilities,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.1.3 - Physical Security - Visitor Access,Everest Manual - IS 8.1.3,Infrastructure Security,Manual,Are visitors permitted in the facility? Are you recording visitor access?,,ACTIVE,,"Specify if visitors are permitted in the facility. If yes, are logs maintained? How long will it be maintained?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.2.1 - Network Security - Production Environment Open to External Network Connections,Everest Manual - IS 8.2.1,Infrastructure Security,Manual,Is the production environment/systems open to external network connections?,,ACTIVE,,"Specify if the production environment is open to external network connections. 
If yes, how do you control access?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.2.2 - Network Security - Use of Firewalls,Everest Manual - IS 8.2.2,Infrastructure Security,Manual,Are firewalls used to isolate critical and sensitive systems into network segments separate from network segments with less sensitive systems?,,ACTIVE,,Specify if firewalls are used to isolate critical and sensitive segments from segments with less sensitive systems,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.2.3 - Network Security - Firewall Rules Review,Everest Manual - IS 8.2.3,Infrastructure Security,Manual,Are all firewall rules reviewed and updated regularly?,,ACTIVE,,How often are firewall rules reviewed and updated?,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.2.4 - Network Security - Intrusion Detection/Prevention Systems,Everest Manual - IS 8.2.4,Infrastructure Security,Manual,Are intrusion detection/prevention systems employed in all sensitive network zones and wherever firewalls are enabled?,,ACTIVE,,Specify if intrusion detection/prevention systems are 
enabled in all sensitive network zones. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.2.5 - Network Security - Security and Hardening Standards,Everest Manual - IS 8.2.5,Infrastructure Security,Manual,Do you have security and hardening standards in place for network devices?,,ACTIVE,,"Specify if you have security and hardening standards in place for network devices. If yes, can you provide more details (including details about how often these standards are implemented/updated)",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.3.1 - Cloud Services - Platforms Used to Host Application (Requires manual attestation),Everest Manual - IS 8.3.1,Infrastructure Security,Manual,List the cloud platforms you use for hosting your application.,,ACTIVE,,List the cloud platforms you use for hosting your application.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.3.2 - Cloud Services - Client Account Management Portal (Requires manual attestation),Everest Manual - IS 8.3.2,Infrastructure Security,Manual,Is there a client management portal which allows distributed 
business accounts to be managed under a single central corporate account?,,ACTIVE,,"Specify if there is a client management portal which allows distributed business accounts to be managed under a single central corporate account. If yes, can you provide details on how this portal can be accessed? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.3.3 - Cloud Services - Self Service Portal for Clients (Requires manual attestation),Everest Manual - IS 8.3.3,Infrastructure Security,Manual,Are application self service features or an Internet accessible self-service portal available to clients? ,,ACTIVE,,"Are application self service features or an Internet accessible self-service portal available to clients? If yes, what use cases can this portal be used for?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.3.4 - Cloud Services - Client's Security Service for the Application (Requires manual attestation),Everest Manual - IS 8.3.4,Infrastructure Security,Manual,Can clients run their own security services within their own cloud environment? ,,ACTIVE,,"Can clients run their own security services within their own cloud environment? 
If yes, are there any exceptions to the kind of services they can run?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Infrastructure Security 8.3.5 - Cloud Services - Client's Data Isolation (Requires manual attestation),Everest Manual - IS 8.3.5,Infrastructure Security,Manual,Are there controls in place to prevent clients from accessing the data of others in a multi-tenant environment?,,ACTIVE,,"Specify if there are controls in place to prevent one client from accessing the data of another client in a multi-tenant environment. If yes, can you provide more details about these controls?",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Human Resources 9.1.1 - Human Resources Policy - Background Screening for Employees,Everest Manual - HR 9.1.1,Human Resources,Manual,Is background screening done before employment?,,ACTIVE,,Specify if background screening is done for all employees before employment.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Human Resources 9.1.2 - Human Resources Policy - Employee Agreement,Everest Manual - HR 9.1.2,Human Resources,Manual,Is an employment agreement signed before employment?,,ACTIVE,,Specify 
if an employment agreement is signed before employment.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Human Resources 9.1.3 - Human Resources Policy - Security Training for Employees,Everest Manual - HR 9.1.3,Human Resources,Manual,Do all employees undergo security awareness training regularly?,,ACTIVE,,"Specify if employees undergo security training regularly. If yes, how often do they undergo security training? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Human Resources 9.1.4 - Human Resources Policy - Disciplinary Process for Non Compliance of Policies,Everest Manual - HR 9.1.4,Human Resources,Manual,Is there a disciplinary process for non compliance of human resource policies?,,ACTIVE,,Specify if there is a disciplinary process for non compliance of human resource policies.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Human Resources 9.1.5 - Human Resources Policy - Background Checks for Contractors/Subcontractors,Everest Manual - HR 9.1.5,Human Resources,Manual,Are background checks performed for service provider contractors and subcontractors?,,ACTIVE,,"Specify if background checks are done for third party 
vendors and contractors/subcontractors. If yes, is the background check done regularly? ",,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Human Resources 9.1.6 - Human Resources Policy - Security Certifications,Everest Manual - HR 9.1.6,Human Resources,Manual,Do information security personnel have professional security certifications?,,ACTIVE,,Specify if all critical security personnel have security certifications.,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/ Human Resources 9.1.7 - Human Resources Policy - Return of Assets upon Termination,Everest Manual - HR 9.1.7,Human Resources,Manual,Is there a process to verify return of constituent assets upon termination?,,ACTIVE,,Specify if there is a process to verify return of constituent assets upon employee termination. ,,MANUAL,"{""events"": []}",Third Party Software Risk Assessment Template,Third Party Software Risk Assessment,Third Party Software Risk Assessment is used for gathering information required to assess risks and threats in a third party softwares,,,ACTIVE,buyer.svg,AWS Custom Risk Asssessment,AWS,https://aws.amazon.com/marketplace/