eXpress badging Vendor Security Questionnaire

Purpose: To assess the security posture of vendors who may access or process customer Personally Identifiable Information (PII). To assess additional risks associated with vendors involved in AWS infrastructure and software development.

Vendor Security Questionnaire

Submission Instructions:

Please fill out all relevant sections of this questionnaire and return it to the eXpress Badging Security Team at info@expressbadging.com. Please add any hyperlinks, attachments, or relevant content you wish to include.

If you have any questions or need any help, please feel free to contact the same email address.

TABLE OF  CONTENTS

Section 1: General Vendor Security Questionnaire

• General Vendor Information
• Organizational Security Governance
• Data Protection and Privacy
• Logical Access Control
• Incident Response
• Vendor Management
• Compliance and Certifications

Section 2: AWS Tech Stack & Code Development Supplement

• AWS Infrastructure
• Software Development Practices
• Personnel and Access
• Development and Deployment

Section 1: General Vendor Security Questionnaire

1. General Vendor Information

   1. Company Name:

1. 1. Primary Contact

      1. Name:

      2. Title:

   2. Contact Information

      1. Email:

      2. Phone:

   3. Company Website:

   4. Physical Address:

      1. Line 1:
      2. Line 2:
      3. CSZ:

   5. Type of Services Provided:

      1. Services:

   6. Duration of Business Operations:

      1. From:
      2. To:

   7. Number of Employees:

   8. Geographical Locations of Operations:

   9. Do you subcontract any services?

      1. Yes

      2. No

      3. If yes, please provide details.

2. Organizational Security Governance

   1. Does your organization have a documented cybersecurity policy?
      1. Yes
      2. No
      3. If yes, please provide a summary or a copy
   2. Who is responsible for cybersecurity within your organization?
      1. Name
      2. Title
      3. Email
   3. Do you have a dedicated Information Security team?
      1. Yes
      2. No
   4. Has your organization adopted any cybersecurity frameworks or standards (e.g., NIST CSF, ISO 27001)?
      1. Yes
      2. No
      3. If yes, please specify.

3. Data Protection and Privacy

   1. Does your organization have policies and procedures in place to protect customer PII

      1. Yes

      2. No

   2. How is customer PII stored and transmitted? Please describe the encryption methods used.

      1. At Rest
         1. Yes
         2. No
         3. If yes, state the method
      2. In Transit
         1. Yes
         2. No
         3. If yes, state the method
   3. Do you conduct regular data privacy training for employees?
      1. Yes
      2. No
   4. Have you experienced any data breaches in the past 24 months?
      1. Yes
      2. No
      3. If yes, please provide details.

4. Logical Access Control

   1. How do you manage user access to systems containing customer PII?
      Outline processes for user activation, monitoring, inactivation, granting full access when necessary, and providing limited access for general use by the same user.

      1. Process: 

   2. Do you implement multi-factor authentication (MFA) for system access?

      1. Yes

      2. No

   3. Are contracted non-employee workers given access to customer or end-user provided PII data?
      
      1. Yes
      2. No
      3. If yes, provide your vetting and compliance process

5. Incident Response

   1. Do you have an incident response plan in place?
      1. Yes
      2. No
   2. How quickly are customers notified in the event of a data breach involving their PII?
      1. Process:
   3. Please describe your process for incident detection and response.
      1. Process:

6. Vendor Management

   1. Do you use third-party vendors to process or store customer PII?
      1. Yes
      2. No
      3. Not Applicable
      4. If yes, how do you assess and monitor their security practices?
   2. Have contracts with third-party vendors been reviewed for data protection clauses?
      1. Yes
      2. No
      3. Not Applicable

7. Compliance and Certifications

   1. Is your organization compliant with any of the following regulations? (Check all that apply)
      1. GDPR
      2. HIPAA
      3. CCPA
      4. Other (please specify): ____________
   2. Do you hold any security certifications? (e.g., ISO 27001, SOC 2)
      1. Yes
      2. No
      3. If yes, please provide details.

Section 2: AWS Tech Stack & Code Development Supplement

1. AWS Infrastructure

   1. Do you manage or have access to any AWS environments related to eXpress badging?
      1. Yes
      2. No
   2. Are AWS environments configured following the principle of least privilege?
      1. Yes
      2. No
   3. How do you monitor and log activities within AWS environments?
      1. Process:
   4. Are AWS environments regularly audited for security compliance?
      1. Yes
      2. No

2. Software Development Practices

   1. Do you follow secure coding practices and guidelines?
      1. Yes
      2. No
   2. Are code reviews conducted regularly?
      1. Yes
      2. No
   3. Is static and dynamic code analysis performed?
      1. Yes
      2. No
   4. How are vulnerabilities in code identified and remediated?
      1. Process:

3. Personnel and Access

   1. Do any of your developers or contractors have access to production environments?

      1. Yes

      2. No

      3. If yes, please describe the access controls that are in place.

   2. Are background checks conducted for employees and contractors with access to sensitive systems?

      1. Yes

      2. No

   3. Do you employ any foreign nationals in roles that have access to customer PII or sensitive codebases?

      1. Yes

      2. No

      3. If yes, please specify countries and any additional safeguards in place.

4. Development and Deployment

   1. Do you use any third-party code libraries or frameworks?

      1. Yes

      2. No

      3. If yes, how do you assess their security?

   2. Describe your process for deploying code to production environments.

   3. Is there a rollback plan in case of deployment failures?

      1. Yes

      2. No