
EDRM Security Questionnaire 1.1

The Security Audit Questionnaire was designed primarily to help evaluate the security capabilities of cloud providers and third parties offering electronic discovery or managed services. Use the questionnaire to assess an organization’s strength in protecting data from destruction or unauthorized access, as well as compliance with data-related legislation such as:
- Gramm-Leach-Bliley Act (GLBA)
- PCI DSS (Payment Card Industry)
- Sarbanes-Oxley Act
- Security breach notification laws

Security Audit and Evaluation of E-discovery Vendor or Partner

Overview
The security audit tool provides organizations with an overview of the critical questions to ask when assessing the data security of an e-discovery vendor or partner, or when performing a self-analysis.
The evaluation allows the assessor to determine the level of risk the organization may be assuming by engaging the vendor or partner and to make suggestions to improve security practices and enhance the service provided.

The team that compiled and commented on this survey included a cross-functional team of professionals (see Acknowledgements).

Instructions
In each worksheet, complete only sections in green. For Notes, enter text. For all other sections in green, select from the dropdown menu.
For more detailed instructions, go to "How to Use".

Summary of Ranked Results
Columns: (A) Raw Rank; (B) Ave. Weight w/in Section; (C) Weighted Rank w/in Section [(A) * (B)]; (D) Weight for Each Section; (E) Raw Weighted by Section [(A) * (D)]; (F) Double Weighted [(C) * (D)].
Follow hyperlinks to go to the underlying sections.

A. General: This section is not ranked.
B. Security & Risk Management: Rank scale: 10 = unacceptable; 6 = questionable, may want to ask further questions; 4 = reasonable. Averages: 1.00
C. Asset Security: Rank scale: 10 = unacceptable; 9 or below = reasonable. Averages: 1.00
D. Communications & Network Security: Rank scale: 10 = unacceptable; 6 = questionable, may want to ask further questions; 4 = reasonable. Averages: 1.00
E. Identity & Access Management: Rank scale: 10 = unacceptable; 6 = questionable, may want to ask further questions; 4 = reasonable. Averages: 1.00
F. Security Operations: Rank scale: 10 = unacceptable; 6 = questionable, may want to ask further questions; 4 = reasonable. Averages: 1.00
G. Software Development Security: This section is not ranked.
Overall Averages (displayed only if ALL Sections B through F contain rankings)

Acknowledgements
Thanks to the team members who helped develop this survey and evaluation:

Julie Hackler, Account Executive, Avansic
Amy Sellars, Assistant General Counsel, Litigation Support Group, Walmart Legal
Andy Sokol, Director, CopyScan Technologies
Beth Downing, Chief Operating Officer, Avansic
David Thomas, Enterprise Business Development Manager
Dean Van Dyke, Vice President, iBridge Global Services
Deanna Fleener, Director of Managed Services, LDiscovery
Justin Hectus, Director of Information, Keesal, Young and Logan
Kit Bright, Sr. Coordinator Information Systems, Gibsons
Kris Kadlac, Paralegal, Richman Greer, PA
Lance Waston, Chief Information Officer, Avansic
Lilith Bat-Leah, Director of ESI Solutions, Bluestarcs
Michael Cammack, Chief Information Officer, Nightowl Discovery
Tom MacKenzie, Vice President of Data Privacy & Compliance, TCDI
Tom Gelbmann, Co-Founder, EDRM
George Socha, Co-Founder, EDRM, and Managing Director, BDO

Version 1.1
Security Audit and Evaluation of E-discovery Vendor or Partner
How to Use
• The Audit and Evaluation is comprised of seven sections:
A. General
B. Security & Risk Management
C. Asset Security
D. Communications & Network Security
E. Identity & Access Management
F. Security Operations
G. Software Development Security
• The Audit and Evaluation is color-coded:
Cells that are green: Enter information. For Notes, enter text. For all other light green cells, select from dropdown menus.
Cells that are light blue: These display the results of calculations performed based on information entered into light green cells.
Some question numbers are light yellow. For these, a score of 10 is considered unacceptable. The group determined these questions to be stopping points, and that if a vendor or partner answered no, it should be an indication to ask further questions or seek another partner.
Some question numbers are light pink. For these, 10 is considered unacceptable ONLY for health care but not for other industries.
• Each section contains a series of questions to be completed.
• Each question contains a ranking. To select the ranking of your choosing, use the dropdown menu. Rankings range
from 10 (unacceptable) to 0 (optimal).

• Each question with a numerical ranking also has a weighting option. If you want all answers in a section to have the
same weight, do not change the information in the "Weight" cell. If you determine that a certain criterion is especially
important, you can assign a "higher" weight, up to "2"; otherwise, the default weight of "1" is assigned. If you want the
answer to a specific question to be given less weight, choose an option of 0.75 or lower. Assuming a default weight of
"1" is consistently used throughout, an aggregate score of 288 or lower represents an acceptable test score (4
[acceptable] x 72 [number of weighted criteria]).
• The “General” section contains two questions that, if the answer is yes, generally cover all other questions in the survey, and no further investigation into the partner is necessary. If partners have the certifications listed, they have had to meet standards that meet or exceed the questions in this survey.
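The scoring rules above, worked through in Python as an added illustration (this is not code from the EDRM workbook): per-question weighted rank, section averages, the overall average that only appears once sections B through F all carry rankings, the aggregate threshold of 4 per weighted criterion (the instructions' 288 = 4 x 72), and the stopping-point rule for light-yellow and light-pink question numbers. The extraction does not say which question numbers are yellow or pink, so the `stopping_point` and `health_care_only` flags and the sample answers are constructed.

```python
"""Scoring model for the ranked sections (B-F) of the EDRM Security Audit.

Added illustration, not the workbook's own formulas. Rules implemented:
  * rank per question: 10 (unacceptable) .. 0 (optimal)
  * weight per question: 1.00 by default, up to 2.00, or 0.75 and lower
  * weighted rank = rank * weight; section average = mean of weighted ranks
  * aggregate = sum of weighted ranks; acceptable when <= 4 per weighted
    criterion (the instructions' 288 = 4 x 72)
  * light-yellow questions are stopping points: a 10 fails on its own;
    light-pink questions are stopping points only for health care
"""
from dataclasses import dataclass

RANKED_SECTIONS = ("B", "C", "D", "E", "F")
WEIGHT_OPTIONS = (0.0, 0.25, 0.5, 0.75, 1.0, 1.25, 1.5, 1.75, 2.0)  # the Weight pulldown
DEFAULT_WEIGHT = 1.0
ACCEPTABLE_RANK = 4          # "4 = reasonable / acceptable"
UNACCEPTABLE_RANK = 10


@dataclass(frozen=True)
class Answer:
    qid: str                        # e.g. "B.03."
    rank: int                       # 10 .. 0
    weight: float = DEFAULT_WEIGHT
    stopping_point: bool = False    # light-yellow question number (assumed flag)
    health_care_only: bool = False  # light-pink: stopping point only for health care

    @property
    def section(self) -> str:
        return self.qid.split(".")[0]

    def validate(self) -> None:
        if self.section not in RANKED_SECTIONS:
            raise ValueError(f"{self.qid}: only sections B-F are ranked")
        if not 0 <= self.rank <= UNACCEPTABLE_RANK:
            raise ValueError(f"{self.qid}: rank must be 0..10")
        if self.weight not in WEIGHT_OPTIONS:
            raise ValueError(f"{self.qid}: weight must be one of {WEIGHT_OPTIONS}")

    def weighted_rank(self) -> float:
        return self.rank * self.weight


def section_average(answers, section):
    """Average weighted rank within one section (the sheet's 'Averages' cell)."""
    ranks = [a.weighted_rank() for a in answers if a.section == section]
    return sum(ranks) / len(ranks) if ranks else None


def overall_average(answers):
    """Displayed only if ALL sections B through F contain rankings."""
    per_section = [section_average(answers, s) for s in RANKED_SECTIONS]
    if any(avg is None for avg in per_section):
        return None
    return sum(per_section) / len(per_section)


def aggregate_score(answers):
    return sum(a.weighted_rank() for a in answers)


def acceptable_threshold(answers):
    """4 per weighted criterion; with the instructions' 72 criteria this is 288."""
    return ACCEPTABLE_RANK * len(answers)


def stopping_points_hit(answers, health_care=False):
    """Question ids whose rank of 10 should trigger follow-up or another partner."""
    hits = []
    for a in answers:
        if a.rank != UNACCEPTABLE_RANK:
            continue
        if a.stopping_point or (a.health_care_only and health_care):
            hits.append(a.qid)
    return hits


def evaluate(answers, health_care=False):
    """Aggregate the answers; a stopping point overrides an otherwise passing total."""
    for a in answers:
        a.validate()
    hits = stopping_points_hit(answers, health_care)
    total = aggregate_score(answers)
    threshold = acceptable_threshold(answers)
    return {
        "aggregate": total,
        "threshold": threshold,
        "stopping_points": hits,
        "acceptable": total <= threshold and not hits,
        "overall_average": overall_average(answers),
    }


# Constructed sample responses (not a real vendor's answers; flags are assumed).
SAMPLE = (
    Answer("B.01.", 0),
    Answer("B.03.", 4, stopping_point=True),
    Answer("B.06.", 6, health_care_only=True),
    Answer("C.04.", 4, weight=2.0),          # encryption at rest weighted up
    Answer("D.01.", 0, stopping_point=True),
    Answer("D.10.", 6),
    Answer("E.05.", 4),
    Answer("F.12.", 6, weight=0.5),          # quarterly pentest weighted down
)

if __name__ == "__main__":
    print(evaluate(list(SAMPLE)))
```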

© 2017 EDRM. Licensed under a Creative Commons Attribution 3.0 Unported License.
Security Audit and Evaluation of E-discovery Vendor or Partner

A. General
Rank scale: Yes / No Response
A.01. Does your company maintain any security or other specialized certifications (ISO27001, PCA, or similar)? If so, please provide details on types and certification dates and please provide a copy of your most recent report, audit, or certification.
A.02. Do you map your processes and procedures to standards (e.g. NIST, CIS, HITRUST, ISO, etc.)? If so, please list which ones.

B. Security & Risk Management
Rank scale: 10 = unacceptable; 6 = questionable, may want to ask further questions; 4 = reasonable.
B.01. Does your organization have documented Information Security Policies?
B.02. Is our (and our clients’) data segregated from other clients’ data on your networks and computers during its life cycle on your servers (including but not limited to: processing, review hosting, production, storage, and archiving)? If so, describe how.
B.03. Do you have a management process in the event of incidents or breaches? Describe roles, responsibilities, and testing for incident response.
B.04. Does your organization have a policy for business continuity and disaster recovery? If so, how often is the policy renewed and updated?
B.05. Do you remain up to date with system and security patches? If so, please describe, including frequency, analysis, testing, and approvals.
B.06. For any data stored on your system that contains HIPAA information, Protected Health Information (PHI), Personally Identifiable Information (PII), or Payment Card Industry (PCI) information, will it be maintained in a properly protected environment (encryption, monitoring, role-based restricted access, etc.) as required by regulations? Describe all standards and systems currently in place to provide protected environments.
B.07. Do you have a protocol for handling data that falls under the EU Data Protection Directive? If so, please describe.
B.08. Do you have a client notification plan in the event of incidents or breaches? If so, describe when the plan is put into action.
B.09. Does your organization maintain compliance with relevant security and privacy regulations? Describe.
B.10. Is there a formally documented privacy policy? If yes, describe. If no, explain the reason.
B.11. Does your organization have a policy that addresses Information Classification and asset handling?
B.12. If you are a cloud provider, are you registered on the Cloud Security Alliance’s STAR listing?
B.13. Does your organization have a formal process to assess the risk of service providers? Describe the process and what area within your organization is responsible.
B.14. Will you allow (upon notification) an inspection in order to ascertain compliance with applicable law, information security requirements, and non-disclosure agreements?
B.15. Have you created remediation plans to address deficiencies in your audits? If so, please provide documentation to support them.
B.16. Do you have the ability to track and manage the investigations of incidents? If so, describe how you demonstrate you've investigated an incident.
B.17. Do your staff members have the ability to anonymously report an incident?

C. Asset Security
Rank scale: 10 = unacceptable; 9 or below = reasonable.
C.01. Do you have physical security in place to protect information assets in offices and other facilities where information assets are stored or processed? If so, please describe.
C.02. Is physical security present at all your data centers? If so, please describe.
C.03. Do you have policies or programs in place to support the ongoing management of environmental controls (i.e. HVAC, fire detection and suppression, UPS testing, fuel/generator, etc.) for your offices and facilities? If so, please describe.
C.04. Do you protect data at rest using encryption? If so, please describe, including information on each of the following: laptops, desktops, databases/applications, back-ups, removable media, portable devices (i.e. phones/handheld/tablets).
C.05. Does your company physically maintain its own data centers? Whether yes or no, please provide details about who maintains them and where they are geographically located.

D. Communications & Network Security
Rank scale: 10 = unacceptable; 6 = questionable, may want to ask further questions; 4 = reasonable.
D.01. Does your organization have encryption tools to protect confidential/personal information that is in transit over public networks? If so, describe how these tools are used.
D.02. Is there physical or logical network and server segregation between client environments? If so, describe.
D.03. Do you have network security mechanisms in place (e.g., next-generation firewalls, IDS/IPS, etc.)? If so, please describe.
D.04. Do you have monitoring (including log monitoring) regularly conducted on your network(s)? If so, describe the systems and procedures that are used to identify data breaches or security risks.
D.05. Do you have an access control policy? If so, describe how it relates to access approvals, role-based access, principle of least privilege, segregation of duties, access reviews, and role changes or terminations.
D.06. Do you have password policies and management procedures? If so, please describe.
D.07. Do you have policies and procedures for anti-malware in your corporate and client environments? If so, please describe.
D.08. Do you have wireless policies and practices as they pertain to access to corporate and client networks? If so, please describe.
D.09. If electronic PHI/SPI will be transmitted or exchanged, does your company comply with standards such as those published in NIST Special Publication 800-131A as it relates to encryption of data?
D.10. Do you perform third-party network penetration and vulnerability testing? If so, please provide a summary of results from your last third-party test.
D.11. Do partners or subcontractors access network systems? If so, please describe how.
D.12. Does your organization have the ability to support TLS for email encryption?
D.13. Is auditing enabled for all appropriate events (e.g., is a record of individuals who log into the system maintained)? If so, describe how long audit logs are archived.
D.14. For data transfer and storage (both within your company and externally), do you use cryptographic algorithms for protecting authentication credentials, remote access, data transmission, and data at rest? If so, please provide the type of algorithms.
D.15. Does your firewall have defense capabilities such as anti-malware and deep packet inspection activated?
D.16. Does your firewall have Unified Threat Management (cloud-based aggregation of threats and countermeasures)?
D.17. Do you maintain technical security around your network and server architecture? If so, please provide a high-level network and server diagram for a standard client environment.
D.18. Do you control data access by both end-users and privileged users? If so, describe.
D.19. Is there physical or logical network and server segregation between client environments and your corporate environment? If so, please describe.
D.20. Do you use secure configuration standards for network and server infrastructure?
D.21. Do you have patch-management policies and practices? If so, please describe.
D.22. Do you have change-management policies and practices? If so, please describe.
D.23. Do you have Data Loss Prevention policies (both written and technical) and practices? If so, please describe.

E. Identity & Access Management
Rank scale: 10 = unacceptable; 6 = questionable, may want to ask further questions; 4 = reasonable.
E.01. Are there protections in place for remote access connectivity, including authentication mechanisms, encryption algorithms and key lengths, and account management process? If so, please list them.
E.02. Are all employees with access to network systems and data required to undergo background checks prior to employment?
E.03. Does your organization ensure all staff, employees, and contractors are screened prior to hiring? If so, please provide screening policies or procedures.
E.04. Are access controls in place that cover permissions, changes, and terminations?
E.05. Do you use two-factor authentication?
E.06. Are individual employees with access to data/networks required to sign confidentiality and non-disclosure agreements? If so, please provide information about how the provisions of these agreements are monitored and enforced.
E.07. Are all employees with access to network systems or data direct employees of your company? If partners or subcontractors are involved, please provide their names.
E.08. Do your systems/solution log user and administrator access to the data? If so, please provide details and granularity.
E.09. Can these access logs be regularly exported?
E.10. Are options present for cryptographic negotiation (minimums and preferences)? If so, please provide descriptions.

F. Security Operations
Rank scale: 10 = unacceptable; 6 = questionable, may want to ask further questions; 4 = reasonable.
F.01. Are new hires required to sign any agreements relating to information security/information protection upon hire?
F.02. Is there a security-training awareness program? If so, are all employees with network access required to participate at least annually?
F.03. Do you have a change control/review process for software and patch updates? If so, please describe.
F.04. Does your company outsource any of its systems, services, or infrastructure outside of the US? If so, please provide the locations and percentage of the work performed outside of the US, as well as a description of how the outsourced systems, services, employees, or infrastructure are vetted.
F.05. Does your organization include security/information protection language within contracts of service providers who receive or process confidential/personal information?
F.06. Is application development performed in-house?
F.07. Does a third party host or manage your software?
F.08. Does the application support Active Directory/LDAP integrations?
F.09. Does the application support SSO with SAML v.2.0?
F.10. If a third party hosts your application, can they provide an audit report of security and network penetration tests and the methodology used for secure development?
F.11. Do you perform an annual risk assessment?
F.12. Do you perform quarterly network penetration and vulnerability testing? If so, provide a summary of your last two quarterly tests.
F.13. Do you have policies and practices regarding remediation of vulnerabilities identified in your vulnerability and penetration testing? If so, please provide them.
F.14. Do you commission third-party SOC 2 audits? If so, please describe how often and provide your most recent SOC 2 audit report.
F.15. Are you required or compelled to comply with federal laws or regulations (e.g., HIPAA, PCI, Gramm-Leach-Bliley) in the course of delivering services to your clients? If so, please list them.

G. Software Development Security
Rank scale: Yes / No Response
G.01. Do you perform code reviews of internally developed software?
G.02. (Applicable if yes to the above question) Describe your Software Development Lifecycle (SDLC) processes and how security controls are incorporated in the SDLC.

H. Aggregate Score
Pulldown values
Rank 1 (Yes / No sections): Yes, No
Rank 2 (ranked sections): 10, 9, 8, 7, 6, 5, 4, 3, 2, 1
Weight: 0.00, 0.25, 0.50, 0.75, 1.00, 1.25, 1.50, 1.75, 2.00
