Good third-party risk management is required by the EU DORA Act (Digital Operational Resilience Act); third-party risk management is one of the pillars of DORA.
How does Toqio manage the risk posed by third parties?
- ONE-OFF: Before integration work starts, Toqio evaluates the security measures you have implemented as an integrator. This is done by asking you a series of questions about your security measures (technical, procedural and compliance) and, depending on the answers, assessing a risk level. You must answer the questions in writing and provide evidence of compliance; the questions and the evidence to be provided are defined by Toqio. The more questions answered with “Yes”, the lower the risk of your integration with Toqio. Below is an example of the questionnaire you will be asked to fill in:

Code | Question | Yes/No | Procedure | Evidence |
---|---|---|---|---|
1 | Does the system integrator have an information security policy (ISP)? | | Developing and reviewing an information security policy outlining information security guidelines. | The system integrator must provide a clear ISP that does not violate any existing confidentiality agreements or policies. |
2 | Does the system integrator have an incident management plan/procedure (IMP)? | | Developing an incident management plan to define incident types, roles and responsibilities; implementing tools and processes to detect and identify security incidents; taking steps to isolate and contain incidents; eliminating the cause of incidents; and analyzing incidents to identify lessons learned. | The system integrator should provide a clear IMP that does not violate any existing confidentiality agreements or policies. |
3 | Is the system integrator PCI-DSS compliant? | | PCI-DSS compliance is required to manage cardholder data. | PCI-DSS compliance certificate. |
4 | Is the system integrator ISO 27001 certified? | | Establishing effective policies and controls required by the ISO 27001 standard and implementing an ISMS to protect information and assets from cyber threats, data breaches, and other security risks. | ISO 27001 certificate. |
5 | Is the system integrator EU DORA Act compliant? | | Following DORA requirements for protection, detection, containment, recovery, and repair capabilities in light of ICT-related incidents. | The system integrator must clearly demonstrate compliance with DORA regulations. |
6 | Is the system integrator GDPR compliant? | | Implementing data protection policies and procedures and ensuring the security of personal data through technical and organizational measures. | The system integrator must explain how GDPR compliance is achieved. |
7 | Does the system integrator manage personal information? | | If the system integrator manages personal information, it must be GDPR-compliant and there should be security measures in place to protect it. | The system integrator must disclose what kind of personal information is managed, without disclosing any personal information itself. |
8 | Does the system integrator have servers within the EU? | | To be GDPR-compliant, system integrator servers must be within the EU. | The system integrator must disclose the location(s) of its servers. |
9 | Are the system integrator's communications encrypted? | | Ensuring application connections are encrypted by implementing HTTPS with SSL/TLS certificates, using strong encryption protocols for data transmission and storage, and regularly updating security measures to protect against vulnerabilities. | The system integrator must provide encryption policy documentation and evidence of compliance. |
10 | Is the system integrator's data at rest encrypted? | | Implementing strong encryption standards and secure key management practices according to established policies and procedures. Encryption at rest helps maintain the confidentiality and integrity of the information. | The system integrator must demonstrate its use of encryption on data at rest by providing encryption policy documentation, information on technical configurations utilizing strong encryption methods, evidence of compliance with relevant standards, audit reports, and secure encryption key management practices. |
11 | Does the system integrator have a user management policy (UMP)? | | Implementing user authentication mechanisms that verify and manage individual user identities securely. A good user management policy is essential because successful attacks are often due to credential theft. | The system integrator must provide documentation and offer information on practices related to user access, permissions, and data handling within its systems. |
12 | Does the system integrator have a business continuity plan (BCP) and a disaster recovery plan (DRP)? | | Ensuring these plans are regularly tested and updated. | The system integrator must show up-to-date documentation of both a BCP and a DRP. Details on policies and procedures should also be included. |
13 | Does the system integrator have a security training programme for employees? | | Ensuring regular training and updates on security best practices. | The system integrator should provide training policy documents to demonstrate the company's security training. Training completion records should also be up to date. |
14 | Does the system integrator perform regular penetration testing on software? | | Identifying and mitigating security weaknesses. | The system integrator must provide penetration testing reports including dates, scope of the penetration test(s), methodology, identified vulnerabilities, and a remediation plan. |
15 | How does the system integrator manage other integrators and subcontractors? | | Ensuring continual and excellent third-party practices. | The system integrator must provide integrator contracts, integrator risk assessments, and integrator performance monitoring. |
16 | Does the system integrator perform data backups, and are these securely stored? | | Ensuring data backups are carried out regularly. | The system integrator must show backup policy documentation, backup logs and reports, backup verification procedures, and details on offsite backup storage if applicable. |
17 | Does the system integrator ensure secure coding practices? | | Implementing a secure coding policy, providing developers with training on secure coding, and using code analysis tools. | The system integrator must provide a clear secure coding policy, as well as records demonstrating that developers have received training on secure best practices and the use of code analysis tools to identify potential vulnerabilities. |
18 | Is the system integrator using firewalls and intrusion detection/prevention systems (IDS and IPS)? | | Implementing robust security policies, configuring systems to monitor and block unauthorized access and threats, and regularly updating defenses against evolving cyber threats. | The system integrator must provide documentation outlining which firewalls and IDS/IPS systems are being used, as well as configuration policies, log files, and reports. |
19 | Is the system integrator ensuring regular vulnerability scanning? | | Developing a vulnerability scanning policy, using scanning tools, scheduling regular scans, analyzing scan results, remediating identified vulnerabilities, and maintaining records of vulnerability scans and remediation actions taken. | The system integrator must demonstrate a clear vulnerability scanning policy, as well as vulnerability scanning reports and vulnerability remediation records. |
20 | Is the system integrator ensuring appropriate application of security patches and updates? | | Creating a patch management policy, using patch management tools, conducting regular vulnerability scans, deploying approved patches and monitoring them, and maintaining records of patch deployments. | The system integrator must provide a patch management policy, patch management records, and vulnerability scanning records, and demonstrate that its IT team has the knowledge and resources to manage the patch management process effectively. |
21 | Does the system integrator implement network segmentation? | | Assessing network assets, defining security zones, designing a segmentation strategy using VLANs and firewalls, implementing the configuration, testing for proper isolation and access controls, monitoring for anomalies, and maintaining documentation and policies. | The system integrator must provide documentation detailing segmented VLAN configurations, access control policies, and monitoring reports validating effective isolation and security measures. |
22 | Is the system integrator performing an annual risk assessment? | | A risk assessment is required to be PCI-DSS and DORA compliant. | The system integrator must provide risk assessment documentation. |
23 | Does the system integrator have a risk management framework? | | A risk management framework is required to be DORA compliant. | The system integrator must provide risk management framework documentation. |
- YEARLY: Once you are integrated with Toqio, the same or a similar security questionnaire will be sent annually, and you will have to update the answers and evidence. In addition, depending on the integration and the legal requirements, a formal annual risk assessment may be required in order to accurately evaluate the risk of your integration with Toqio. This formal risk assessment should be performed under a standard framework (Magerit, Octave, NIST, etc.); it should be carried out by you and the results shared with Toqio, as we have to perform a formal risk assessment every year and show it to, for example, the PCI auditor. In fact, some of the questions in the questionnaire will be of the type “Have you performed a formal risk assessment of your company?” and “Is the risk assessment performed annually?”, with the risk assessment document as evidence.
- Toqio will keep a history of all these documents, as evidence to be shown in audits if needed.