Partner Assessment

Your name:

Your email

Is this a new application, service, or tool, or a modification to an existing one?

Name of company offering application, service, or tool:

Company website:

Provide all industry security related certifications the company holds (Ex. ISO27001 Certification, PCI DSS (with an AOC or SAQ).)

Application, service, or tool brand name:

Has an application security or vulnerability assessment been completed on this application, by a qualified 3rd party, in the last 12 months?

If so, please provide a copy of the security or vulnerability report.

Are any known vulnerabilities in your application still unresolved?

Did the application security assessment include SQL injection testing, buffer overflow vulnerability testing, cross-site scripting vulnerability testing and back-door access to the application or authentication by-pass "feature" testing?

Do developers have access to the production network?

Does the application log provide details on the activity and data accessed by the user and the date and time of the logon?

Is a user assigned application privileges using role-based access controls?

Are application functions segregated on to separate systems and networks based on function, role or sensitivity? (e.g. web and database servers should be on separate servers and network segments)

Is access to program source code restricted?

Are architectural diagrams with trust boundaries explicitly defined?

Are system vulnerability scans performed at least quarterly?

Provide an Application and Data Flow diagram. This document should identify which ports are open between the devices and the methods used to collect and transmit data from each system. The key elements being evaluated are where confidential information is located, how this information may be accessed, how data is protected during transmission and storage and to understand the authentication process. This information may be added to or included on the Architecture diagram.

Description of the application, service, or tool, what it will be used for, and the overall scope of use/implementation:

Is this a cloud-based application, service, or tool (in its entirety or fractional)?

Scope of the application, service, or tool (Where will this application be used?)

Describe the data to be collected, transmitted, processed, or stored.

If "Other" was selected above, explain:

Is data being provided only limited to what is required for execution of services?

If No, explain:

Contractional Agreements planned or already in place (Ex. Partner Agreement, DRA)?

If No, explain:

What kind of information is transferred, processed, or stored?

Will any third-party entity outside of the BCD Group access this data?

If Yes, explain:

Data type accessed from (Which regions the user originates from who may read, write, or change the information?)

Are there any data feeds/data transfer into or out of this application, service, or tool?

If yes, please list them

Provide any additional information on the data feed/transfer and how it is being secured:

Where is the application, service, or tool hosted?

If "Other", please explain:

How will the application, service, or tool be accessed? Please describe how access is managed (E.g.: Via browser or locally installed application; Are credentials required, etc.)

Describe impact to BCD Travel if the service, application, or tool becomes unavailable.

Describe impact to BCD Travel if the service, application, or tool is compromised.