Is this a new application, service, or tool, or a modification to an existing one? (New / Modification)
Name of company offering application, service, or tool:
Provide all industry security-related certifications the company holds (e.g. ISO 27001 certification, PCI DSS with an AOC or SAQ).
Application, service, or tool brand name:
Has an application security or vulnerability assessment been completed on this application, by a qualified third party, in the last 12 months? (Yes / No / N/A)
If so, please provide a copy of the security or vulnerability report.
Are any known vulnerabilities in your application still unresolved? (Yes / No / N/A)
Did the application security assessment include testing for SQL injection, buffer overflows, cross-site scripting, back-door access to the application, and authentication bypass "features"? (Yes / No / N/A)
Do developers have access to the production network? (Yes / No / N/A)
If yes, please provide additional detail. How is the segregation of duties controlled?
Does the application log record the activity and data accessed by each user, together with the date and time of logon? (Yes / No / N/A)
Are application privileges assigned to users using role-based access controls? (Yes / No / N/A)
Are application functions segregated onto separate systems and networks based on function, role, or sensitivity? (e.g. web and database servers should be on separate servers and network segments) (Yes / No / N/A)
Is access to program source code restricted? (Yes / No / N/A)
Are there architectural diagrams with trust boundaries explicitly defined? (Yes / No / N/A)
Are system vulnerability scans performed at least quarterly? (Yes / No / N/A)
Provide an Application and Data Flow diagram. This document should identify which ports are open between the devices and the methods used to collect and transmit data from each system. The key elements being evaluated are where confidential information is located, how this information may be accessed, how data is protected during transmission and storage, and how administrative and general user authentication works. This information may be added to or included on the Architecture diagram.
Description of the application, service, or tool, what it will be used for, and the overall scope of use/implementation:
Is this a cloud-based application, service, or tool (in its entirety or in part)? (Yes / No)
If you answered "Yes" to the above, please answer the following questions:
Will the service provider require access to the BCD environment? (Yes / No)
What security measures does the service provider possess or have implemented to demonstrate that information/systems entrusted to them will be adequately protected?
How does Supplier handle and address security related events/incidents?
What controls are in place to detect security breaches?
Do you log transactions and network activity? (Yes / No)
If Yes: How long do you retain these audit logs?
Does the Supplier complete technical security assessments of their service offering(s)? (Yes / No)
If Yes: please provide them (Add attachment)
What services do you expose to the internet? (Examples: Web, Database, FTP, SSH, etc.)
What type of authentication mechanism(s) do you use?
Provide security certifications the service provider has obtained to demonstrate that adequate security controls are implemented to access, process, and store information (e.g. ISO, SOC, SSAE, PCI, etc.). (Add attachment)
Scope of the application, service, or tool (Where will this application be used?) (NASA / EMEA / UK/IE / APAC / Global)
Describe the data to be collected, transmitted, processed, or stored.
Choose all data types that apply: (Personal Data/PII / Payment/Credit Card Data / Business Data / No Data / Other)
If "Other" was selected above, explain:
Is the data provided limited to only what is required for execution of the services? (Yes / No)
If No, explain:
Contractual agreements planned or already in place (e.g. Partner Agreement, DRA)? (Yes / No)
What kind of information is transferred, processed, or stored?
Will any third-party entity outside of the BCD Group access this data? (Yes / No)
If Yes, explain:
Regions the data is accessed from (From which regions do the users who may read, write, or change the information originate?) (Globally / EEA (EU) / NORAM / LATAM / APAC)
Are there any data feeds/data transfers into or out of this application, service, or tool? (Yes / No / I don't know)
If yes, please list them
Provide any additional information on the data feed/transfer and how it is being secured:
Where is the application, service, or tool hosted? (EEA (EU) / NORAM / LATAM / APAC / Other)
If "Other", please explain:
How will the application, service, or tool be accessed? Please describe how access is managed (e.g. via browser or locally installed application; whether credentials are required, etc.).
Describe impact to BCD Travel if the service, application, or tool becomes unavailable.
Describe impact to BCD Travel if the service, application, or tool is compromised.