Form R.5
Vendor Risk Questionnaire
Vendor Name: ______
Business Continuity Questions:
- Do you have Business Continuity or Disaster Recovery Plans in place to recover your critical business functions and systems?
- What are the Recovery Time Objectives for the critical business functions and systems that would support Customer?
- Date of the last Business Impact Analysis performed?
- Which of the following 'exercises' does your company conduct?
  - Business continuity
  - Disaster recovery
  - Both
  - Neither
- How frequently are Business Continuity Plan (“BCP”) exercises conducted?
- How frequently are Disaster Recovery (“DR”) exercises conducted?
- Date of last BCP exercise?
- Date of last DR exercise?
- Are data backups performed and stored in a protected offsite location?
- Are criminal databases checked before hiring employees who have access to Customer information?
- What are the adjudication rules for vetting employees?
Privacy Questions:
1. Does your organization collect, store, use, transfer, access and/or secure any of the following items? Please check all that apply.
  (a) First and last name or first initial and last name
  (b) Home or physical address, which includes at least a street name and city name
  (c) E-mail address
  (d) Telephone number
  (e) Social Security number
  (f) Credit and/or debit card number, including number with expiration date
  (g) Bank account number
  (h) Financial account information
  (i) Date of birth
  (j) Driver's license number
  (k) Credit score
  (l) Customer loan number
  (m) Lender loan number
  (n) Health information
  (o) Employment information
  (p) Other personally identifiable information
  (q) None of the above
2. Who in your organization is responsible for Privacy? (Provide name and title.)
3. Do you have a written Privacy Policy?
  a. If so, include a list of the privacy policies that apply (e.g., an internal Privacy Policy or an external privacy policy that applies to your customers or visitors to your Website).
  b. If yes to the previous question, please provide a copy of each policy listed above.
4. Are there procedures in place to implement the Privacy policies?
5. Do you have formal Privacy training?
6. Are policies or procedures in place to ensure that access to personally identifiable information is provided on a need-to-know basis?
7. When 'using' personally identifiable information, are there policies or procedures in place to ensure that personally identifiable information is handled appropriately?
8. Is personally identifiable information in transit protected by encryption?
9. Do you or any of your subcontractors process, take, transmit or share personally identifiable information outside of the United States?
10. Do you have policies or procedures relating to processing, taking, transmitting or sharing personally identifiable information outside of the United States?
11. Are locked cabinets readily available for storing paper documents containing personally identifiable information?
12. Are shredders readily available, or do you contract with companies that provide confidential shredding services, for destroying paper documents containing personally identifiable information?
13. a. Does your company allow employees to store personally identifiable information on laptop computers?
  b. Does your company allow employees to remove laptops from the premises?
  c. Does your company have policies and procedures in place regarding safeguards to prevent unauthorized access to, loss of, or theft of laptops?
14. Are employees, contractors and third parties prohibited from putting personally identifiable information on personal email accounts?
15. Will your company use Third Party Service Providers who will handle Personally Identifiable Information relating to your services provided to Customer?
16. Are third parties required to have policies or procedures in place regarding handling, protecting, and processing personally identifiable information that are consistent with your organization’s privacy requirements?
17. Is a third party’s privacy program reviewed prior to establishing a business relationship with them?
18. Are third parties regularly reviewed to ensure compliance with privacy requirements?
19. Is your privacy program regularly reviewed by a third party?
  a. If yes to the previous question, provide the name of the third party and a copy of the most recent report.
20. Does your company have a current privacy-specific certification?
  a. If yes to the previous question, provide the name of the certification or certifying party.
21. In the past 12 months has your organization been involved in any regulatory or legal findings that are publicly available regarding privacy or data security?
22. In the past 12 months has your organization sent any data breach notices to consumers or third parties?
  a. If you answered yes to question 22 above, please provide sample letter(s).
23. Is any of the work performed, or to be performed, for Customer performed offshore?
24. Will any of the activities performed involve a help desk or call center?
  If yes to the previous question ONLY, please answer the following questions.
  a. Are policies and procedures in place to ensure that personally identifiable information is handled appropriately throughout the lifecycle of help desk/call center activities?
  b. Do you utilize a call center?
  c. Is the call center located outside of the United States?
  d. Do you have procedures in place to comply with Do-Not-Call and CAN-SPAM laws?
  e. Does your employee/contractor training address Do-Not-Call and CAN-SPAM requirements?
  f. Describe your call-list scrubbing capabilities as related to federal and state laws.
  g. Are there Privacy policies, procedures and training for call center reps?
  h. Do you have procedures and training for Gramm-Leach-Bliley Act (GLB) opt-out provisions?
  i. Please attach (in a zipped file) any additional relevant documentation to support this section.
25. Does your company support the Transport Layer Security (TLS) protocol to send and receive e-mail securely over the Internet? (Yes/No)
26. If yes to question 25 above, please provide a technical contact for Customer to work with to establish a TLS relationship. (Provide name, e-mail and phone information.)
Fraud Questions:
1. With regard to any prior or ongoing relationship between any employee or Board member of your company and Customer, please choose from the options below the one that most accurately describes the relationship:
  - A personal relationship exists between your employee or board member and a Customer employee or board member. Please identify the individual(s) from your company and from Customer.
  - An ongoing professional relationship exists between your employee or board member and a Customer employee or board member that arose out of a prior professional engagement. Please identify the individuals from your company and from Customer.
  - Not applicable; there are no preexisting professional or personal relationships between any of the employees or Board members of the two Companies.
2. Does your company conduct background investigations of its employees to determine whether any have been convicted of a felony, or, of a misdemeanor crime that involved dishonest behavior?
3. Have any of your employees been terminated from a contracting position due to alleged misconduct involving theft or other dishonest behavior? If yes, please indicate:
  a) Number and nature of incidents in the past 3 years
  b) Number of employee(s) terminated (caused by incidents) in the past 3 years
  c) Whether there was any collusion involving more than one employee in the incidents
  d) Whether any terminated employee held a management position
4. Does your company perform credit checks of employees who have access to financial systems, wires, money transfers, financial transactions or who are otherwise in a position of authority or control over your company’s financial billings and receipts?
5. With regard to an Anti-Fraud policy, please choose from the following the option that best describes your Company:
  - Your Company has a written Anti-Fraud Policy or Fraud Risk Management Policy, and personnel dedicated to enforcement of that Policy. Please provide a copy of your policy.
  - Your Company has a written Anti-Fraud Policy or Fraud Risk Management Policy but does not have personnel dedicated to enforcement of that Policy. Please provide a copy of your policy.
  - Your Company does not have a written Anti-Fraud Policy or Fraud Risk Management Policy but has other written policies that address fraud issues and personnel responsible for oversight of fraud risk. Please provide a copy of the applicable policy or policies and identify the section(s) addressing fraud risks.
  - Your Company does not have a written Anti-Fraud Policy or Fraud Risk Management Policy nor other written policies that address fraud issues, but does have personnel responsible for oversight of fraud risk.
  - Your Company does not have any written policies addressing anti-fraud issues or any personnel responsible for oversight of fraud risk.
6. Do you conduct business activities in other countries? If so, please state each country in which you transact business.
7. Do you have controls in place to ensure compliance with the Bank Secrecy Act? If not, please indicate whether the Bank Secrecy Act applies to your company.
8. Is your company in compliance with OFAC requirements?
Technology:
1. Please provide a contact (name, phone number and email address) for Information Security related questions. This person will be sent a questionnaire.
2. Please provide an outline of your Security Awareness Training.
3. Please provide a copy of your NDA and/or Confidential Information - Data Protection Policy.
4. Do you conduct 3rd party certification reviews that attest to the soundness of your security program?
5. Please provide a copy of your last 3rd party certification review (SSAE 16, Cybertrust, etc.) that attests to the soundness of your security program, if performed. NOTE: The scope of the 3rd party certification or review should include all processes, systems and facilities that will support work performed on behalf of Customer. If work performed on behalf of Customer will be executed via processes, systems, or in facilities that have not undergone 3rd party certification or review, please provide an explanation.
6. If not already covered in the scope of your 3rd party certification review (SSAE 16, CyberTrust, etc.), please provide your most recent independent (3rd party) external network penetration testing report.
7. Do you have formal Change Management/Configuration Management Policy and Procedures? If so, please provide a copy.
Insurance:
- At what level do you maintain General Liability insurance covering liability to others for bodily injury, property damage, and personal and advertising injury? Note: The total limit entered per occurrence should also include Umbrella Liability limits (assuming the Umbrella extends the line of coverage shown).
- At what level do you maintain Commercial Auto Liability insurance covering liability written on an any auto basis? Note: the total limit entered per occurrence should also include Umbrella Liability limits (assuming the Umbrella extends the line of coverage shown).
- Do you maintain Workers Compensation Insurance as required by statute in the State in which the employees are located?
- At what level do you maintain Professional Liability insurance covering liability to third parties for your errors and omissions?
- At what level do you maintain Cyber Technology Liability insurance covering liability to third parties for your errors and omissions?
- If you do not maintain any of the above insurance lines, please advise why insurance is not purchased. Note: If High Deductible/SIR is selected, the level will need to be evidenced on a Certificate of Insurance.
  a) Company's exposure does not warrant need for insurance / Fully self-insured
  b) High Deductible / Self-Insured Retention
- Where applicable, do your insurance policies allow additional insureds to be added?
- Do your policies provide a minimum of 30 days' notice in the event of cancellation or material change?
- Do you plan to utilize subcontractors (excluding 1099 contract labor) to perform work for Customer?
- Do you have minimum insurance requirements for your subcontractors, and do you request to be added as Additional Insured on their policies?
- Where applicable, do your policies permit you to waive subrogation rights?
- If yes to the previous question, are you agreeable to waive your subrogation rights against Customer?
- If your policies DO NOT permit you to waive subrogation rights, are you agreeable to indemnify Customer for subrogation by your insurer(s)?
- Do you understand that any insurance maintained does not limit your indemnification obligations under the contract?