Web Site Hosting Security Workprogram

This checklist consists of the most common questions that financial institutions ask us when performing due diligence to evaluate us as their hosting provider. You may find this checklist a useful starting point for evaluating us or other hosting providers.

Answer each question Yes, No or N/A.
1. Does the provider guarantee a minimum bandwidth for your site?
  a. Are support response times included?
  d. Does the provider perform monitoring (up time, response time, etc.) of the hosted site(s)?
    1. Are the monitoring reports available to you?
2. Does the provider have any of the following third party security reviews performed on their systems?
  a. SAS 70 Type I
  b. SAS 70 Type II
  c. External vulnerability testing
  d. External penetration testing
  e. Internal security testing
  f. Other types of testing
  g. Can any of these reports be provided for your review?
3. Does your hosting agreement include a "right to audit"?
4. Does the provider have 24/7 support available to you?
5. Are there any warranties, indemnity clauses or limitations on liability included in your hosting agreement?
6. Does the provider have policies and procedures that adequately address:
  a. Incident reporting requirements and procedures
  b. Business continuity planning and disaster recovery
  c. Software and hardware patches/updates
  d. Controls over remote access and remote administration
  e. Logging, auditing and change control processes
7. Service Continuity
  a. Does the provider have a designated disaster recovery site? (If "Yes," specify Hot, Warm or Cold site.)
  b. Does the provider have redundant Internet access via more than one vendor?
  c. Does the provider have any automatic failover capabilities to alternate hosting sites?
8. Physical Security
  a. Is all provider equipment protected by a UPS?
  b. Is all provider equipment protected by an alternate power source (generator)?
  c. Is all equipment behind locked doors with limited and controlled access?
  d. Is fire suppression equipment adequate?
  e. Are there cameras, alarms, etc. in place to monitor physical access?
  f. Are backups routinely performed and then stored at an off-site location?
  g. If tape backups are used, are they encrypted?
  h. Are adequate environmental controls in place?
9. Logical Access Controls
  a. Is/are the hosted site(s) protected by a firewall?
  b. Is/are the hosted site(s) protected by an IDS/IPS?
  c. Do modifications to hosted web pages generate security alerts?
  d. Is/are the hosted site(s) protected by antivirus software?
  e. Are password change and complexity requirements used?