TPRM

The audit report indicates a marginal improvement in compliance, with a 100% observation rate categorized as medium risk. No areas were found to be compliant, partially compliant, or non-compliant, and the report emphasizes the need for the vendor to strengthen internal controls and address identified risks. The document outlines various parameters and questions related to governance, security, and compliance that the vendor must address to improve their standing.

Uploaded by Harish Mahajan
Document Version Number:

Introduction
Auditor Name:
Auditor Email / Contact:
Auditor's Recommendation:
Overall Rating: MARGINAL IMPROVEMENT

Audit Report

Compliance Percentage
Rating               Count   Percentage
Compliant            0       0.00%
Partially Compliant  0       0.00%
Non-Compliant        0       0.00%
Not-Applicable       0       0.00%
Total                0       0.00%

Observation Percentage
Rating   Count   Percentage
High     0       0.00%
Medium   3       100.00%
Low      0       0.00%
Total    3       100.00%
S.No  Parameter
1     Vendor Name
2     Vendor Location / Address
3     Vendor Contact Name & Contact
4     Vendor Interviewee Name & Contact
5     Physical Audit Date (If Applicable)
6     Vendor Audit Period
7     What information does the vendor receive from Bank?
8     What is the criticality of this information?
9     Which are the systems and applications used for storing critical information?
10    What is the basic software required to do the job function?
11    Whether the vendor stores any information on public cloud architecture? If yes, where is it stored? Describe briefly.
12    Whether the process on public cloud is fully automated or there is a requirement of manual intervention?
13    Contract Signing Date
Vendor Comment
Tick mark Legend

Control Risk Rating: High / Medium / Low
Vendor Compliance Result: Compliant / Partially Compliant / Non-Compliant / Not Applicable

Question

S.No. Domain

The domain column covers questions 1 to 117. In column order, the domains are:
Governance (from question 1)
24 Threat & Vulnerability Management
End Point Security
Logical access management
Cloud & Email Security
Application Security
Communication Security
Change Management
55 Asset Management
CERT-IN compliance evaluation
Supplier Relationship
Resilient
Data Privacy
Data Protection
Intellectual Property
Ethics, Regulatory & Compliance
Health Safety & Environment
Operational Controls
Strategic and Geographical
Financial Risk
Legal Risk
Human Resources Risk


High: Observations in this category are those that have a critical or catastrophic consequence on the confidentiality, integrity and availability of information, systems, assets and business operations / functions. The management of the 3rd party should strengthen internal controls and / or develop and implement key policies and processes to address this risk immediately.

Medium: Observations in this category are those that have a major or moderate consequence on the confidentiality, integrity and availability of information, systems, assets and business operations / functions. The management of the 3rd party should take corrective actions on the non-compliance observed in internal controls and / or key policies and processes to address this risk.

Low: Observations in this category are those that have a marginal / minor / insignificant consequence, or are areas of improvement to better align the policies, processes and controls to industry good practices. At this stage, the measure to be taken by the management of the 3rd party is to review and maintain the internal controls and / or policies and processes.

Compliant: Control designed and implemented along with defined measurable metrics and thresholds.
Partially Compliant: Control not working effectively at either the design or the effectiveness level.
Non-Compliant: Control not working effectively at both the design and the effectiveness level.
Not Applicable: Process not applicable to the vendor's scope of service(s).

Question

Sub Domain

Strategy & Operating Model
Strategy & Operating Model
Policies, Standards & Architecture
Cyber Risk Culture & Behavior
Cyber Risk Management, Metrics & Reporting
Penetration Testing & Vulnerability Scanning
Security Event Monitoring
Secure Configuration Management
Patch & Vulnerability Management
Security Platform Administration And Operations
Information Security Controls
SDLC
Source Code
Security Testing
Network Security
Information Transfer
Information Transfer
Change Management Process
Change Notification
Change Notification of major changes
Change Notification
Change Management Process
Emergency Changes
Inventory of assets
Ownership of assets
Acceptable use of assets
Return of assets
Incident Reporting Requirements
Supplier Relationship
Incident & Crisis Readiness
Incident Response
Incident Reporting
Business Continuity Management & Recovery
Management
Management
Monitoring & Enforcement
Use, Retention & Disposal
Use, Retention & Disposal
Data Protection Bill
Safeguarding IP
Registration
Code of Conduct
Criminal Practices
HR Related Acts
Labour Issues
Anti-Corruption
Policy
Inspections
Inspections
Training
SLA/KPI
Human Resource Security
Human Resource Security
Quality Conduct
Supply Chain Risk Management
Supply Chain Risk Management
Supply Chain Risk Management
Supply Chain Risk Management
Supply Chain Risk Management
Geographical Risk
Adverse Media
Revenue Trend
Financial Health
Credit Rating
Legal cases / Litigation
HR and employee fair practices compliance


Question (Control Classification shown in brackets)

Do you have a dedicated information / cyber security team, responsible for information security governance across the organization? Please provide an organization chart highlighting the information security team. (Entity Level)

Have you defined information security roles and responsibilities? (Entity Level)

Do you have a formally documented information / cyber security policy? If yes, please provide a copy. (Entity Level)

Is your information / cyber security policy document approved by management? If yes, please specify the date of approval. (Entity Level)

Does your senior leadership review the implementation of information security across the organization? If Yes, please support with necessary artefacts / MoM with senior leadership. (Entity Level)

Do you have an acceptable usage policy which is signed / agreed by all employees on an annual basis? (Entity Level)

Are all your policies and procedures reviewed once a year? (Entity Level)

Do you have a formally defined risk management program (incorporating cyber security)? If Yes, please provide a copy of the process. (Entity Level)

Do you perform periodic risk assessments? If Yes, please define the frequency and provide a copy of the risk register. (Entity Level)

Is your environment ISO 27001:2013 certified for the scope of the service being offered to Bank? If Yes, please provide the latest copy of the certification and specify the scope of implementation. (Entity Level)

Is your environment SOC 2 Type II attested or certified for the scope of the service being offered to Bank? If Yes, please provide the latest copy of the certificate / report. (Entity Level)

Is your environment PCI DSS certified for the scope of the service being offered to Bank? If Yes, please provide the latest copy of the certificate. (Applicable only if the third party stores, processes or transmits card data.) (Entity Level)

Is your environment CSA certified for the scope of the service being offered to Bank? If Yes, please provide the latest copy of the certificate. (Entity Level)

Is the third party complying with industry practices for cloud security?

Are all relevant cybersecurity requirements identified, documented and tracked? (Entity Level)

Has a cybersecurity assessment been conducted in the last one year? If Yes, please share the assessment report for the same.

Are appropriate procedures implemented to ensure compliance related to intellectual property rights and the use of proprietary software products? (Entity Level)

Have you identified all the Information Security requirements related to record management (Customer Data, Employee Data, CCTV, Email, logs of DBMS, servers, network and security devices etc.)? (Entity Level)

Have all Information Security requirements related to data encryption / cryptography been identified and complied with? (Entity Level)

Do you have a documented procedure for responding to requests for customer data from regulatory authorities, courts and law enforcement authorities? If 'Yes', please provide related evidence. (Entity Level)

Do you routinely perform penetration tests against the infrastructure? If 'Yes', please provide a copy of the latest pen test report and confirm the frequency of pen tests being performed. (Entity Level)
1. Is there a mechanism to correlate logs from identified systems?
2. Do you have a mechanism to preserve these logs?
3. What is the retention period of these logs? (Entity Level)

Are logs protected from alteration? (Entity Level)

Are the clocks of all relevant information processing systems within an organization or security domain synchronized to a single reference time source? (Entity Level)

Are network devices, servers and end user systems built according to a standard security configuration? If the answer to the above question is Yes, is the standard image hardened? (Entity Level)

If the answer to the above question is Yes, is the standard image hardened? (Entity Level)

1. Do you have a defined and established policy and process to identify and remediate technical vulnerabilities within your IT environment? E.g., vulnerability scanning, penetration testing.
2. Have you had a manual penetration test conducted by an accredited third party?
3. Does your organization currently perform vulnerability scans? (Entity Level)

Do you have a dedicated team who is responsible for managing security devices? (Entity Level)

Have you implemented cyber security controls like: (Entity Level)
1) WAF
2) DDoS
3) Firewall
4) IDS/IPS
5) Anti-virus
6) Ransomware controls
7) DLP
8) SIEM
9) Anti APT

Which zero trust tenets have you implemented in your architecture: (Entity Level)
1) Resource segregation
2) End-to-end access visibility and audit
3) Least privilege access
4) Continuous authentication, authorization
5) Entity verification (e.g. user, device, infrastructure)
6) Centralized, granular access policy

1) Are external URLs blocked?
2) Do you allow use of external email and cloud storage? (Entity Level)

Software Development Life Cycle (Entity Level)
Is the development environment segregated from the production environment? Are proper access controls implemented to ensure segregation?

Source Code: Is the source code owned by the client restricted to authorized people only? (Entity Level)

(Entity Level)
(Entity Level)
(Entity Level)

Security Testing: Do the software changes go through security testing during the software development life cycle process and periodically? (Entity Level)

Test Data: Is test data used for software development tested carefully / protected and controlled (e.g., in case production data is required for testing, the confidential data must be masked)? (Entity Level)
Network Security (Entity Level)
Network Security (Entity Level)
Security of network services (Entity Level)
Security of network services & monitoring (Entity Level)
Segregation in networks (Entity Level)
Segregation in wireless networks (Entity Level)
Information transfer policies and procedures (Entity Level)
Agreements on information transfer (Entity Level)
Electronic Messaging Control Information (Entity Level)
Confidentiality or nondisclosure agreements (Entity Level)
Controlling changes to organization, business processes and systems (Entity Level)
(Entity Level)
(Entity Level)
(Entity Level)
(Entity Level)
(Entity Level)
Responsibility of Assets (Entity Level)
(Entity Level)
(Entity Level)
(Entity Level)
Measures taken and Processes followed for compliance to the CERT-In requirements (Entity Level)
Information security policy for supplier relationships (Entity Level)
Addressing security within supplier agreements (Entity Level)
Information and communication technology supply chain (Entity Level)

Do you have a formal document for security incident management? If Yes, please provide a copy of it. (Entity Level)

Is awareness training given to your employees to identify information security events? (Entity Level)

Do you have a formal cyber crisis management plan? (Entity Level)

Does the incident management program include assignment of responsibility for preparing and executing the plan? (Entity Level)

1. Have you ever experienced a cybersecurity incident or data breach in the last 3 years? This includes network, systems, software, etc.
2. Has there been any cybersecurity incident / data breach impacting Bank in the last one year?
3. Do you have a process to notify about any security and privacy incident affecting Bank services within 2 hrs. of the incident being identified, or as per contractual obligations with the ? (Entity Level)

Please provide details if you have ever been subject to any enforcement actions, investigations or litigation related to privacy or information security. (Entity Level)

Measures taken and Processes followed for compliance to the incident reporting requirements. (Entity Level)

1. Do you have a documented BCP and DR plan for each product or service that Bank will consume or is dependent on? If Yes, please provide a copy of it.
2. Whether the has participated in BCP testing conducted by the organization providing services to the ?
3. Is the BCP / DR plan / policy tested at regular intervals to obtain the desired uptime? If yes, please describe the frequency. (Entity Level)

1. Does the program include assignment of responsibility for preparing and executing the BCP plan?
2. Is the BCP / DR site of the third party located within India?
3. Is BCP tested by shifting activities / resources between third parties' locations?
4. Whether the has participated in BCP testing at the third parties' end?
5. Is the BCP / DR plan / policy tested at regular intervals to obtain the desired uptime? If yes, please describe the frequency.
6. Documented DR plan addressing people, process and systems related to Bank operations; should be communicated to employees. (Entity Level)

Is there a requirement to conduct a business impact analysis periodically? If yes, please describe the frequency. (Entity Level)

Is there a requirement to notify affected clients in the event of a disaster? (Entity Level)

Do you have a failover site? Please describe whether it is a Hot, Warm or Cold site. (Entity Level)

Is there sufficient redundant capacity to ensure services are not impacted in multi-tenant environments during peak usage? (Entity Level)

If you store Bank data, are backups protected through turtle boxes during transit to the offsite location? (Entity Level)

If you store Bank data, are backup tapes stored at an offsite location? (Entity Level)

If you store Bank data: (Entity Level)
- is backed up data tested on a regular basis?
- is data backup encrypted?

1. Is the Privacy notice published on your website and available for external users? (Entity Level)
Note: The policy should cover the aspects of personal data collection, storage including permissible data types, retention, restriction of usage, destruction, breach handling etc. Privacy controls apply to third parties, e.g. LSPs and their associated DLAs.

1. Does the data privacy procedure elaborate and implement the following requirements: (Entity Level)
i. Prior and explicit consent to be obtained on a need basis as and when customer data are collected on behalf of the and preserved in electronic form.
ii. Providing an option to customers to grant or deny consent on use, restriction, disclosure to third parties and data retention.
iii. Disclosing the purpose of collecting 's customer information.
iv. Obtaining explicit consent for sharing 's customer data with third parties for rendering service to the 's customer.
v. Restriction on storage of 's customer PII data: except for information required for carrying out operations such as name, address and contact details of the customer, data should be stored within India. Biometric data should not be stored at all.
vi. Maintaining an inventory of your third parties [e.g., Digital lending application] allowed to collect, store and process personal information of the 's customer.
3. Are there any devices, equipment and Digital Lending applications (software) used for rendering lending services which will be used for collecting, processing and storing 's customer information? If yes, do these devices, equipment and DLAs conform / comply with the standards and specifications laid down by the RBI Guideline on Digital Lending?

1. Do you operate a process to identify and maintain awareness of relevant data privacy requirements and any subsequent modification, e.g. HIPAA, EU GDPR, CCPA, IT Act 2000 as amended in 2008 and other relevant data protection laws / regulations? If Yes, please provide a brief description of how this is being undertaken.
2. Does your organization conduct assessments of its data privacy practices?
3. Have you completed a Privacy Impact Assessment of the platform / application / solution you are using to provide services to Bank? (Entity Level)

Do you have technical controls capable of enforcing customer sensitive data retention policies? (Entity Level)

Please provide details / evidence of technical controls you have in place to prevent secondary usage of customer sensitive data you are processing on behalf of ?

Is there a data destruction / disposal mechanism in place? (Entity Level)

Process to ensure compliance with the provisions of the act. (Entity Level)

Do you have a policy and supporting procedure for safeguarding client Intellectual Property? If Yes, please provide a copy of the policy document and procedure. (Entity Level)

Please confirm that you have a valid Shops and Establishment Certificate or a service registration certificate and are complying with applicable laws such as Service Tax etc. (Entity Level)

Do you have a documented Code of Business Ethics and Conduct ("COBEC") / Anti-Bribery and Anti-Corruption ("ABAC") policy for employees? (Entity Level)

Has your organization or any of the owners / directors / shareholders / employees of your organization been the subject of any allegations, investigation, conviction and/or other relevant criminal practices relating to bribery or corruption in the last five years? (Entity Level)

Are you complying with all applicable provisions of HR-related Acts and employment laws including, but not limited to, the Contract Labor (Regulation & Abolition) Act, Minimum Wages Act, Payment of Wages Act, Maternity Benefits Act, Payment of Gratuity Act, Equal Remuneration Act, Employee's Compensation Act, Provident Fund, Professional tax, ESIC etc.? (Entity Level)

In the last three years has your organization received any local / governmental citations or fines relating to labor issues? (Entity Level)

Who is accountable for overall oversight of the Anti-Bribery and Anti-Corruption program within your organization (e.g. Compliance Officer)? (Entity Level)

Do you have a written Environmental and/or Health & Safety Policy? (Entity Level)

Do you have a process to investigate accidents and incidents? (Entity Level)

Have any environmental, health and safety inspections, citations, enforcement actions or notices of violations been directed against you in the current financial year? (Entity Level)

Do you provide safety training to the workforce and maintain documentation of the same? (Entity Level)

Do you have a defined process for tracking and ensuring compliance with SLAs / KPIs agreed with Bank? (Entity Level)

1. Do you have a written information security policy or relevant document covering security controls pertaining to the Human Resource domain? E.g., BGV, NDA, disciplinary process, on-boarding and off-boarding, security / privacy training, access, revocation. (Entity Level)
2. Are the resources working on Bank projects employed on your organization's payroll?
3. Are the resources provided with the necessary information security trainings? Provide the supporting evidence.

Do you conduct BGC of employees before deploying them on any project of Bank? (Entity Level)

Do you conduct QC of material before delivery and submit the report to Bank? (Entity Level)

Do you have a documented and approved organization-level outsourcing risk management policy / framework to govern the third parties you are dependent upon? (Entity Level)

If yes, does the outsourcing policy / framework cover the following risk domains (but not limited to)?
a. Information Security, Data privacy & Business continuity
b. Cyber Security & Governance
c. Operational Risk (Financial solvency, Background verification, Anti-bribery, Fraud, Blacklisting, Anti-money laundering)
d. Legal & contractual risks
e. Regulatory & Compliance Risk

Do you monitor whether your third parties, i.e. fourth parties in the supply chain, or any of their owners / promoters or key management personnel have been subjected to bribery / corruption / non-compliance / anti-money laundering / fraud? Please share evidence of the monitoring mechanism. (Entity Level)

Do you perform risk assessments / audits of your third parties in adherence with your outsourcing risk management policy / framework? Please describe.

Do you leverage any third party in the supply chain for provisioning / rendering services to Bank? If yes: (Entity Level)
i. Have you obtained written consent from Bank for subcontracting complete or partial activities to your third party[ies]?
ii. Have you maintained the list of your third parties involved in provisioning / rendering services to Bank?
iii. Have you performed due diligence / audit of your third party[ies] within the last 12 months in line with your organization-level outsourcing risk management policy / framework?

Does your Agreement / Contract with your third parties involved in provisioning / rendering services to Bank include the following standard clauses at a minimum (but not limited to)? (Entity Level)
a. Information / Data security / Regulatory requirements and applicable data security standards, privacy laws & data localization requirements
b. Confidentiality
c. Incident & resolution management
d. Business Continuity
e. Right to audit & seek information from the service provider:
   i. About their third parties (in the supply chain) engaged by the former
   ii. Authority of regulators to perform inspection of the service provider's third parties
f. Insurance
g. Termination / Exit
h. Indemnity
i. Anti-bribery
j. Service level agreement
k. Clauses ensuring the service provider is contractually liable to monitor the performance and risk management practices of its third parties

Do you have a process in place to monitor the operational performance of the activities rendered by the third parties involved in provisioning services to Bank? E.g., SLAs, TATs etc. (Entity Level)

Country / countries from which your organization will be providing services to Bank (enter text for country names). (Entity Level)

Has there been any adverse media published against your organization in the past 2 years (relating to Financial Reporting, AML, Human Rights, Environmental Laws, others etc.)? If Yes, please describe. (Entity Level)

Is your Net Worth / Revenue Trend positive for the last 3 financial years? (Entity Level)

Financial health dipstick check. (Entity Level)

Is the Credit Rating given by Moody's / S&P below moderate safety? (Entity Level)

Are there any legal cases / litigation against the company? (Entity Level)

Is the company compliant with respect to HR and Employee fair practices (including salary payouts on time)? (Entity Level)
Testing Procedure for Controls Mandatory
Evidence

1. Determine whether the organization chart highlighting information security team is Yes
defined and implemented.
2. Check and obtain the Organization chart updated with the current structure.
1. Check if the information security role and responsibilities have been defined and part of Yes
the Information security policy document.
2. Obtain a copy of the segregation of duty matrix demonstrating the roles and
responsibilities
1. Enquire and observe if Information / Cyber Security policy document is available and Yes
Does the policy & procedure includes the below scope at minimum (Whichever
applicable):
1. Information Asset Management Yes
2. Data Privacy
3. Acceptable usage
4. User Lifecycle & Access Management
5. Human Resource Security
6. IT Operations Security
7. Cryptography
8. Network & Communication Security
9. Application Security
10. Password Management
11. Change Management
12. Security Incident Management
13. Key Management
14. BCP/DR
15. Backup management
16. Anti-Virus Management
17. Patch Management
18. Log Management
19. Physical & Environmental Security
20. Cloud Security
21. Risk Management
22. SDLC
23. Supplier Risk Management
2. Check if the policy is non-editable and published (published in the company's intranet
or any other means of publishing to employees)
3. Check if the selected security document was reviewed and approved as per the
defined frequency by the Management. (Date of last review and approval)
4. Check if the Information policy document was classified as per the classification
guideline.

1. Obtain MOM / or any supporting documentation that proves that the information Yes
security implementation was reviewed by the management.

1. Check if the acceptable usage policy around IT is defined and available. Yes
2. Check if the policies are non-editable and published
3. Check if the policies are reviewed and approved at least once in a year / as per the Yes
defined frequency.
1. Enquire, Obtain and check the risk management process . Yes
2. Check if the Risk treatment was performed for the identified risk.
3. Check if the Risk Assessment was conducted as per the defined frequency.
4. Obtain a copy of the last reviewed and approved Risk Assessment done. ( Check for
the approval email trail to authenticate the review and approval date.), if any exception
noted, provide a copy.
5. Obtain a copy of the process that clearly defines the exception process Yes

Obtain the ISO 27001:2013 certificate along with SOA and verify the validity, the location Yes
from where services are rendered and Scope of services provided are part of ISO
27001 :2013

Obtain the SOC 2 Type II certificate and check the validity, the location from where Yes
services are rendered and Scope of services provided are part of SOC 2 Type II
certificate

Obtain the PCI-DSS certificate along with AOC and check the validity, the location from Yes
where services are rendered and Scope of services provided are part of PCI-DSS
certificate

Obtain the assurance security compliance certificate (SOC 2 Type 2 ) for the CSP and Yes
validate, the location from where services are rendered and Scope of services provided
are part of security compliance certificate (SOC 2 Type 2 ) for the CSP

1. Documented process/tracker to ensure adherence to all cybersecurity requirements. Yes


2. Obtain a copy of Cybersecurity assessment report

1. Obtain and check if there are any documented procedures around implementation of Yes
the compliance related to intellectual property rights and use of proprietary software
products?

2. Obtain supporting artefacts demonstrating compliance.


1. Obtain confirmation from the third party that they are complying with required Yes
Information security requirements related to record management (Customer Data,
Employee Data, CCTV, Email, Logs of DBMS, servers, network and security devices
etc.). Please share the relevant procedure/policy document.

2. For third parties with no existing relationship with Bank - Obtain confirmation from the
third party that will comply to all the Information security requirements related to record
management (Customer Data, Employee Data, CCTV, Email, Logs of DBMS, servers,
network and security devices etc.) will be documented and tracked in the contractual
agreement

1. Obtain confirmation from the third party that they are complying with the Information Yes
security requirements related to data encryption / cryptography. Please share the relevant
procedure/policy document.

2. For third parties with no existing relationship with Bank - Obtain confirmation from the
third party that all the relevant Information security requirements related to data
encryption / cryptography will be documented and tracked in the contractual agreement.
1. Obtain the documented procedure for responding to requests for customer data from Yes
regulatory authorities, courts and law enforcement authorities.
2. Enquire and obtain sample request received for customer data from regulatory
authorities, courts and law enforcement authorities in last one year.

1. Enquire and obtain the policy on the penetration testing and check the defined Yes
frequency
2. Recent report of the VAPT carried out as per the set frequency along with the current
status of identified gaps
1. Does the organization have an operational SIEM tool? Yes
2. Enquire about the systems from where the logs are captured
3. Enquire about how the logs are preserved. Logs should not be on same host from
where it is collected.
4. Is the backup of these logs taken. If yes at what frequency and where the backup logs
are stored.
5. Enquire about the retention period of the logs.

1. Enquire and obtain list of professional access having to logs. Yes


2. Is there an access review mechanism in place and access review performed on
periodic basis.

1. Enquire and obtain the screen shot of the Network Time Protocol configuration of the Yes
clock synchronization at the server level

1. Check if the third-party has a standard image for building servers, network devices and Yes
end user systems
2. Obtain a copy of Hardening document for systems
3. Patch management tracker of patches installed on servers and EUS
4. Sample VAPT report of network devices and servers

Check if hardening guidelines have been followed for building the standard image. Yes
1. Enquire and observe if a policy to identify and remediate technical vulnerabilities is in Yes
place.
2. Check if the policy is non-editable and published (published in the company's intranet
or any other means of publishing to employees)
3. Check if the document was reviewed and approved as per the defined frequency by
the Management. (Date of last review and approval)
4. Enquire and obtain the following details:
- name of the external party that performed the penetration test
- when the last penetration test was conducted
- Are there any open vulnerabilities? If yes, have they all been remediated?
- SLA timeline for the closure of low, medium, high and critical vulnerabilities? (Example:
30 days for low, 15 days for medium, 3 days for high and 1 day for critical)
- when they are planning to conduct the next penetration test (Expected Date)
5. Enquire and obtain the following details:
- name of the tool used to perform the vulnerability scan
- when the last vulnerability scan was conducted
- Are there any open vulnerabilities? If yes, have they all been remediated?
- SLA timeline for the closure of low, medium, high and critical vulnerabilities? (Example:
30 days for low, 15 days for medium, 3 days for high and 1 day for critical)
- when they are planning to conduct the next vulnerability scan
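The SLA check in items 4 and 5 above is the one an auditor has to repeat for every row of the vendor's VAPT tracker. The following script is an added example, not part of this checklist or any vendor's tooling: it takes the example SLA windows stated above (30/15/3/1 days) and flags tracker rows, open or closed, whose time to closure exceeds the window. The tracker rows and the assessment date are constructed sample data.

```python
from datetime import date

# SLA closure windows in days, taken from the example figures given in the checklist.
SLA_DAYS = {"critical": 1, "high": 3, "medium": 15, "low": 30}

# Constructed sample rows of a hypothetical VAPT tracker (not real findings).
# "closed" is None for findings that are still open.
SAMPLE_TRACKER = [
    {"id": "F-001", "severity": "critical", "identified": date(2024, 3, 1), "closed": date(2024, 3, 1)},
    {"id": "F-002", "severity": "high",     "identified": date(2024, 3, 1), "closed": date(2024, 3, 6)},
    {"id": "F-003", "severity": "medium",   "identified": date(2024, 3, 2), "closed": None},
    {"id": "F-004", "severity": "low",      "identified": date(2024, 2, 1), "closed": None},
    {"id": "F-005", "severity": "low",      "identified": date(2024, 3, 10), "closed": None},
]

# Constructed assessment date used for the open findings.
AS_OF = date(2024, 3, 20)


def sla_status(finding, as_of):
    """Return (days, allowed, breached) for one tracker row.

    Closed findings are measured from identification to closure; open ones from
    identification to the assessment date. An unrecognised severity label is
    treated as critical so that a mislabelled row is never silently waived.
    """
    allowed = SLA_DAYS.get(finding["severity"].lower(), SLA_DAYS["critical"])
    end = finding["closed"] or as_of
    days = (end - finding["identified"]).days
    return days, allowed, days > allowed


def audit_tracker(tracker, as_of):
    """Summarise a tracker: total rows, rows still open, and the SLA breaches."""
    breaches = []
    open_count = 0
    for f in tracker:
        days, allowed, breached = sla_status(f, as_of)
        is_open = f["closed"] is None
        if is_open:
            open_count += 1
        if breached:
            breaches.append({
                "id": f["id"],
                "severity": f["severity"],
                "days": days,
                "allowed": allowed,
                "open": is_open,
            })
    return {"total": len(tracker), "open": open_count, "breaches": breaches}


if __name__ == "__main__":
    result = audit_tracker(SAMPLE_TRACKER, AS_OF)
    print(f"{result['total']} findings, {result['open']} open, "
          f"{len(result['breaches'])} SLA breaches")
    for b in result["breaches"]:
        state = "still open" if b["open"] else "closed late"
        print(f"  {b['id']} ({b['severity']}): {b['days']} days vs {b['allowed']} allowed, {state}")
```

Running it against the constructed rows reports three breaches: a high finding closed after 5 days against a 3-day window, and two open findings (medium at 18 days, low at 48 days) that have already run past their windows. Closed-late rows are kept in the report deliberately, since a tracker where everything is eventually closed can still show that the SLA is not being met.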

No testing procedure needed. Straightforward question No

1. Screenshot of Antivirus/ anti malware software implemented on your system with No
timestamp
2. Evidence for DLP implemented in the organization with timestamp

Check for the following: Yes
1. Enquire whether a dedicated resource is deployed for providing service to or shared resources
will be utilized for providing service.
2. Documentation on Administrative Privilege. Check what admins can do and users
cannot do.
3. Documentation of access control policy. (Creation of new user account policy &
granting of access rights)
4. Review the relevant policy. Check for periodic review of user access rights for the last 12
months
5. Removal of user accounts & termination of access rights
6. Documentation on Access Rights. Check if end users have local admin rights.
1. Enquire and obtain the list of blacklisted URLs and also check firewall rules and internet Yes
gateway
2. Check Email usage policy
3. Check Cloud Security Policy
Check if there is a defined SDLC practice or any methodology followed as an approach Yes
towards the software development lifecycle process.

Check the contract for the ownership of the source code. Yes

Check who has access to the source code Yes


Check where the source code is stored on the server Yes

Check if latest version of the source code is maintained Yes

Check for evidence that shows security issues are identified in the security testing phase Yes
of software development.
Check for the acceptance criteria for security issues identified.

Check for the policy for copying production data in the test environment. Yes

Whether the network policy is adequately implemented/managed and controlled, to Yes
protect from threats, and to maintain security for the systems and applications using the
network, including the information in transit.
Whether controls were implemented to ensure the security of the information in networks, Yes
and the protection of the connected services from threats, such as unauthorized access.

Whether security features, service levels, and management requirements, of all network Yes
services, are identified and included in any network services agreement.
Whether the ability of the network service provider, to manage agreed services in a Yes
secure way, is determined and regularly monitored, and the right to audit is agreed upon.

Whether the network (where business partners and/ or third parties need access to the Yes
information system) is segregated using perimeter security mechanisms such as firewalls.

Whether consideration is made to the segregation of wireless networks from internal and Yes
private networks.
Whether formal transfer policies, procedures, and controls are in place to protect the Yes
transfer of information through the use of all types of communication facilities.
Whether agreements address the secure transfer of business information between the Yes
organization and external parties.
Whether information involved in electronic messaging is appropriately protected. Yes
Whether requirements for confidentiality or non-disclosure agreements reflecting the Yes
organization’s needs for the protection of information are identified, regularly reviewed,
and documented.
Does the vendor's change management/change control process include some of the Yes
following:
• Request, review and approval of proposed changes
• Review for potential security impact
• Security approval
• Review for potential operational impact
• Approval from client (when applicable)
• Documentation of changes
• Pre-implementation testing
• Post-implementation testing
• Rollback procedures

Has the vendor documented detailed procedure for identifying changes to be notified to Yes
the client, sending an approval request & communication process?
Are the major changes affecting the risk profile of the provider environment notified to the Yes
client?
Is there an established Point of Contact for notifying these changes and ensuring Yes
documentation?
Does the vendor have a management-approved change management process Yes
for activities of the client and related assets?
Has the service provider/vendor documented a process for handling emergency changes Yes
in client operations to ensure that these types of changes are carried out in a controlled &
timely manner?
Check whether all assets are identified and an inventory or register is maintained with all Yes
the important assets.
Check whether each asset identified has an owner, a defined and agreed-upon security Yes
classification, and access restrictions that are periodically reviewed.
Whether regulations for acceptable use of information and assets associated with an Yes
information processing facility were identified, documented, and implemented.
Check whether there is a process in place that ensures all employees, contractors and Yes
third party users surrender all of the organization’s assets in their possession upon
termination of their employment, contract, or agreement.
Check if there is a formal Incident reporting Process Yes

Verify that the vendor shares the required status reports, updates on progress in Yes
resolving any incident until it has been fully mitigated periodically.
Verify that a single point of contact has been identified to engage with respect of security Yes
incidents, and the name, title, email and phone numbers are formally communicated.

Are all information systems in sync with the NTP server - (NPL,NIC) ? Yes
Whether information is maintained on KYC and records of financial transactions for a Yes
period of 5 years.
Whether cyber incidents as per CERT-In are reported within 6 hours of noticing such Yes
incidents or being brought to notice about such incidents.
Whether action is taken and information/assistance in specified time is provided towards Yes
cyber security mitigation.
Whether a Point of contact is designated.
Whether logs are enabled for 180 days and maintained in the Indian jurisdiction. Yes
Whether records are maintained for a period of 5 years or longer as mandated by the law. Yes

Whether Information security requirements for mitigating the risks associated with Yes
supplier’s access to the organization’s assets are agreed with the supplier and
documented.
Whether all relevant information security requirements are established and agreed with Yes
each supplier that may access, process, store, communicate, or provide IT infrastructure
components for, the organization’s information.
Whether agreements with suppliers include requirements to address the information Yes
security risks associated with information and communications technology services and
product supply chain.
1. Enquire and obtain a copy of the approved security incident management policy / Yes
procedures
2. Assess if the mechanism for identifying, classifying and managing information Yes
security events is defined.
3. Enquire and assess if all information security weaknesses are being reported.
1. Enquire and obtain the approved Cyber crisis Management Plan Yes
2. Enquire and obtain a copy of the cyber insurance certificate and check the validity

1. Enquire and obtain a copy of the incident management / problem management policies Yes
/ procedures.
2. Assess if the roles and responsibilities for preparing and executing the plan were
documented. Yes
3. Also assess whether there is a process for notifying Bank within 2 hrs of incident identification.
4. Enquire and obtain the information security/ cybersecurity incident tracker
5. Does the incident tracker capture details of cybersecurity incidents/ data breaches
impacting Bank in the last one year?
6. For a sample information security incident reported, is the notification process being
followed?
7. Review the incident management procedure and see if a reference to the problem
management procedure is given and how an incident relates to a problem. If not, then
highlight this as a concern.
8. Whether the third party has been subject to any investigation or enforcement by a law
enforcement body. This is not evaluated.
9. Incidents reported in the last quarter including closure as per SLA and RCA
Yes
Check Incident reporting Process Yes
Check if there is a formal procedure for reporting incidents
Verify that the vendor shares the required status reports, updates on progress in
resolving any incident until it has been fully mitigated periodically.
Verify that a single point of contact has been identified to engage with respect of security
incidents, and the name, title, email and phone numbers are formally communicated.

1. Enquire and obtain a copy of updated and approved Business Continuity Plan Yes
capturing:
a. Name and signature of the Approver
b. Last review date
c. Version history detailing change description

2. Assess whether business continuity plan has been reviewed and approved by the
Management and Client (where applicable)
3. Enquire and obtain if the Plan has been tested in the defined frequency
4. Obtain the last drill report with documented learnings from the test
5. Obtain supporting documents around implementation of the test learnings

1. Enquire and obtain an approved BCP document Yes
2. Obtain and assess if the roles and responsibilities are defined in the BCP document
3. Enquire and obtain if the Plan has been tested in the defined frequency
4. Obtain a test report with documented learnings from the test
5. Obtain supporting documents around implementation of the test learnings

1. Enquire and assess if BIA is part of the approved Business Continuity Plan Yes
2. Enquire and check Business impact analysis was carried out as per the defined
frequency
3. Obtain a copy of the last business impact analysis done
4. Check whether there is testing done by transferring the load of 2/3 third-parties on one
third party?
1. Enquire and obtain if the need to notify clients in the event of a disaster is contractually Yes
obligated. If 'Yes':
- obtain such notifications shared in the last one year

Check if there is a failover site strategy mentioned in the BCP document. If yes, validate Yes
if the site is a Hot, Warm or Cold site.
Has the third party built in sufficient redundancies to ensure continuity of services? Yes

Self-explanatory No

Self-explanatory No

1. Check for the frequency of data backup / Business Continuity testing within the Yes
security policy
2. Check for the test report of the most recent test done / in the last one year for the backed-up
data
Check if the organization has a documented policy covering all important aspects Yes
including but not limited to personal data collection, storage including permissible data
types, retention, restriction of usage, destruction, breach handling etc.

Check if the privacy policy has been published on your website and your associated third
parties providing DLA's website.

Check if the third party e.g. LSP's website has a redirection link to Bank 's site disclosing
about the 's privacy policy, LSP's, customer care details & loan products for borrowers
1. Check the data privacy procedures of the organization for whether the following requirements Yes
are captured and implemented:
i. Prior and explicit consent to be obtained in case of customer data collection
ii. Providing option to customer to grant, deny consent on use, restrict, disclosure to third
parties, data retention
iii. Disclosing the purpose of data collation of 's customer details
iv. Obtaining explicit consent for sharing 's customer data with Third parties.
v. Restriction on storage of 's customer PII data except information required for carrying
out operations
vi. Provide the inventory of your third parties [e.g., Digital lending application] allowed to
collect, store and process personal information of the 's customer.

Or

2. Privacy assessment/compliance report conducted by an independent auditor to get
assurance on data privacy implemented at design level.

AND

3. Check whether the devices, equipment and Digital Lending application (software)
used for rendering lending services conform/comply with the standards and specifications
laid down by the RBI Guideline on Digital Lending

4. Evidences/screenshots for each point demonstrating the effectiveness of controls.

Describe and confirm if the third party organization has a mechanism in place to identify Yes
and maintain awareness of relevant data privacy requirements and perform privacy
assessments at a pre-defined periodicity. Provide a brief description as to how this is being
undertaken and a copy of the data privacy assessment performed within the third party
organization.

Alternatively, obtain Assurance Security Compliance Certificate ISO 27701:2019

Check if the organization maintains a list of:
1- Data privacy regulations they are subject to
2- List/repository of data privacy controls
3- Compliance report against data privacy controls
4- Privacy Impact Assessments conducted in the last 1 year
5- Inventory of fourth parties capturing 's customer sensitive data
Describe and confirm if the third party organization has sufficient technical controls in Yes
place which provide assurance on customer sensitive data retention and timely
deletion of customer sensitive data records once the retention period is over. Provide the
policy/procedure stating the technical controls in place.

Alternatively, obtain Assurance Security Compliance Certificate ISO 27701:2019

Check the practice being followed or tools being used to 1) prevent secondary usage of
customer sensitive data and 2) delete customer sensitive data once the data retention
period is over. Check sample entries.

Check the business justification document for the customer sensitive data elements stored by the
third party that they are processing on behalf of .

Check how data destruction is being practiced by checking a sample entry. Yes

Check if any measures or controls are in place in readiness for the bill Yes
Data at rest encryption for databases and backups
Data classification and protection procedures
Data retention policy and procedure
Contact information of Data Protection Officer
Check for Data Protection Impact Assessment and Periodic audit

1. Enquire and observe if policy and supporting procedure document for safeguarding of Yes
client Intellectual Property is available;
2. Check if the policy is non-editable and published (published in the company's intranet
or any other means of publishing to employees)
3. Check if the document was reviewed and approved as per the defined frequency by
the Management. (Date of last review and approval)
4. Check whether the Intellectual Property related clause covered in the Contract or not

1) Evidence for employer registration Yes
2) Shops and Establishment Certificate or a service registration certificate

1. Signed COBEC and ABAC policy document Yes
2. Evidence for Code of Conduct acknowledged by 5 sample employees

Internet search for news / feed on directors / shareholders/employees having been No
subject of any allegations, investigation, conviction and/or other relevant criminal
practices relating to bribery or corruption in the last five years.
1) Documented process to ensure adherence to all the applicable laws and regulations Yes
2) Salary register or declaration on letterhead confirming compliance with the Minimum
Wages Act.
3) Records of Challans for ESIC and PF filings as per regulatory guidelines for the last 3
months
4) Challans for PT filed for the last 3 months

Internet search & enquiry for news / feed for any local/government citations or fines No
relating to labor issues that the third-party has received in the last 3 years

Check for the designated SPOC and the name of the SPOC No

Documented Environmental and/ or Health & Safety Policy Yes

Check if the organization has an incident/accident resolution mechanism in place Yes

No evidence required. No

Check records of safety training provided to the employees Yes

1. Check if there is a process of tracking the progress of an ongoing project- milestones Yes
achieved, adherence to the agreed SLAs/KPIs etc.
2. Document defining SLA/KPI with Bank
3. MIS maintained and shared with Bank
1. Provide a copy of approved information security policy or any relevant document Yes
covering the Human resource security controls.
2. Employee master for staff deployed for Bank .
3. HR records for employees onboarded on vendor's payroll.
(BGV Report, Employment Contract & NDA with clause declaration employment terms
and confidentiality requirements)
4. Information Security Awareness Training module, attendance, test results etc.
5. Check for Exit Process in HR Policy, sample employees exit checklist/procedure,
access revocation records, any communication/notification to and submission of assets
allocated
6. MIS maintained and shared with Bank

Documented checklist for BGV checks conducted Yes
- Evidence for BGV conducted for all the dedicated resources deployed for providing
service to Bank
- Sample evidence of BGV conducted for a minimum of 3 resources wherever there are no
committed resources for providing service to Bank
- Evidence of reference check, academic & professional qualification, identity check, etc.

Check if there is a process in place to check the quality of the product or service before Yes
delivering the same to Bank
Obtain the copy of documented & approved Organization level outsourcing risk Yes
management policy/framework and check if it covers the following risk domains;
a. Information Security, Data privacy & Business continuity
b. Cyber Security & Governance
c. Operational Risk (Financial solvency, Background verification, Anti-bribery, Fraud,
Blacklisting, Anti-money laundering)
d. Legal & contractual risks
e. Regulatory & Compliance Risk
Check if the organization has a mechanism & process in place for monitoring their third Yes
parties i.e. fourth parties in the supply chain subjected to bribery / corruption / non-
compliance / anti-money laundering / fraud related matters.

Third party organization to confirm if it performs risk assessment/audits on their third
parties i.e. fourth parties in the supply chain.

Obtain the description of the scope of Third Party Risk Assessments/audit,
pre-onboarding/periodic, methodology, frequency & exception/deviation management
process followed.

Third party organization to confirm if it has involved any third-party[ies] for Yes
provisioning/rendering services to Bank .

Obtain & validate the following evidence:
i. Written consent from Bank for subcontracting complete or partial activities across all
the active service agreements between Bank and third party.
ii. List of third parties involved in provisioning/rendering services to Bank covering
amount of / portion of activity sub-contracted, across all the active service agreements
between Bank and third party along with portion of activity
iii. Due diligence/audit report performed by third party of their third party[ies] within the last 12
months in line with the Organization level outsourcing risk management policy/framework.
Obtain copy of agreement signed between third party and their third party i.e. fourth party Yes
in supply chain and check the validity of the agreement and existence of listed standard
clauses:
a. Information/Data security/Regulatory requirements and applicable data security
standards, privacy laws & data localization requirements
b. Confidentiality
c. Incident & resolution management
d. Business Continuity
e. Right to audit & seek information from the service provider.
i. About their third parties (in the supply chain) engaged by former
ii. Authority of regulators to perform inspection of service provider’s third parties
f. Insurance
g. Termination/Exit
h. Indemnity
i. Anti-bribery
j. Service level agreement
k. Clauses ensuring service provider is contractually liable to monitor the performance
and risk management practices of its third parties.

Obtain the description of mechanism implemented by third party organization to ensure Yes
that operational performance of activities are in adherence with agreed level of SLA and
TAT for all the activities undertaken by third party organization across all the active
service agreements with Bank .

Obtain copy of operational performance / SLA reports for last two months.

In case of multiple countries, please enter the lowest rank among the countries No
mentioned, from the latest Corruption Perception Index (CPI) tab.
Source: https://www.transparency.org/
No evidence required. No

1. Financial statements for the last 3 years Yes
or
2. Declaration from the appointed Chartered Accountant firm providing assurance, duly signed
by third-party management
a. Dipstick financial statement* review such as ratios, trends, etc. Yes
b. Credit score of the third-party vendor to identify their credit worthiness
c. Check if appearing as Willful Defaulter in any regulatory databases
d. Public domain search on the vendor and their KMPs (largely to assess any concerns
around solvency, financial liabilities/ penalties/ fines that can impair operations etc.)
e. Compliance with regulatory requirement such as GST, annual returns, etc.

1. Credit Rating accredited by financial institutions No

a. Litigations filed with Supreme court, high courts, and district courts (to the extent Yes
available)
b. Income tax disputes or litigations with CESTAT, NCLT, ITAT, SEBI
c. Cases filed with CBI and other enforcement agencies for the vendors and their KMPs
d. Cases against vendor on consumer forum

a. Number of employees enrolled in PF Yes
b. Any pending cases lodged against employers with regard to PF
c. HR practices followed by the vendor
Response columns of the checklist: Third-party Response | Comments | Evidence (please attach where applicable) | Vendor Compliance Result | Vendor Compliance Comments | Observation | Risk | Recommendation
