Security Questionnaire – Zinatt Technologies, Inc.

Individual Completing the Questionaire

Name

Title

Email Address

Phone

General Information

Company

Parent/Holding Company

Years Company in Business

Number of Employees

Number of Employees or subcontractors that will provide service to Zinatt Technologies, Inc.

Applications or Services provided to Zinatt Technologies, Inc.

Identify all Subcontractors that will Provide Service to Zinatt Technologies Inc.

Limits of Cyber Liability Insurance Coverage

USD

Key Company Resources

Security Officer

Name

Title

Email Address

Phone

Privacy Officer

Name

Title

Email Address

Phone

Compliance Officer

Name

Title

Phone

Email Address

Primary Data Breach Contact

Name

Title

Email Address

Phone

Secondary Data Breach Contact

Name

Title

Email Address

Phone

Zinatt Data

1) List all physical locations where you plan to access, use, or store Zinatt Data. (Remember Zinatt requires its data to remain in the continental United States)

2) Can a report be generated to identify each person by role who has access to Zinatt Data?

3) Will the services you provide require you to access, store, use, or transmit Zinatt Data?

4) List any subcontractors or third-party vendors that will have access to Zinatt data. Do you have Business Associate Agreements signed with all these entities?

5) Will you allow employees, subcontractors or third-party vendors to access, store or use Zinatt Data on mobile devices? If so, please describe how you protect the privacy and security of Zinatt Data on those mobile devices.

6) Will employees or contractors be allowed access to Zinatt Data remotely? Please provide information on how and when remote access would be available.

7) Will Zinatt data be stored on its own server or network segment?

8) Is all Zinatt data encrypted at rest and in transit?

9) What are the auditing capabilities of systems or applications that would contain, maintain, receive, or transmit Zinatt data?

10) What is the process for Zinatt to receive its data back and certify your organization’s destruction of the same, at the end of the agreement?

Policies

11) Does your organization have written Security & Privacy Policies?

12) Are these policies fully implemented?

13) How often are these policies reviewed?

14) Can Zinatt view these policies upon request?

15) Are policies based on Least Privilege or Minimum Necessary standards?

16) Is there a formal Sanctions policy for employees and other workforce members that do not comply with your privacy and security policies?

Does Your Organization have Current Policies Governing the Following Topics?

17) Compliance with HIPAA Security & Privacy / HITECH Requirements

18) Data Breaches

19) Document Retention & Destruction of all Paper & Electronic Media

20) Physical Security at all Organizational Facilities

21) Appropriate Use, Protection, & Disclosure of PHI, PII, & PCI

22) Subcontractor / Third-Party Vendor Compliance Requirements, Including Business Associate Agreements

23) Password Controls

24) Incident Response Plans

25) Use of Mobile Devices

26) Remote Access to Systems

27) Secure Software Development

28) Change Management

Risk Management

29) Do you perform an internal risk assessment? How frequently? If you do not perform a risk assessment, do you have another process that is used to identify threats and vulnerabilities to your systems? How frequently is it performed?

30) Does your organization have a vendor risk management program that includes guidelines for selecting and contracting with vendors, assessing the risks and exposures from using such vendors and reviewing these assessments? Please describe.

31) Have there been any major changes to your systems or technical environment in the last 12 months? If so, please describe.

32) Are any major efforts currently underway or planned that would have a meaningful impact on your current systems or technical environment that would impact your security posture? If so, please describe.

33) Has the company suffered a data loss or security breach within the last three years? If yes, please describe the loss or breach. Was this reported to the OCR?

34) Describe your change management process.

35) Describe your user termination process including how you ensure access to applications is removed.

36) Does your organization have a privacy and security awareness training program, that includes specific HIPAA training? If so, please describe the current program, including frequency.

Physical Security

37) Is the facility monitored 24 hours per day?

38) Is access to any physical hardware (servers, network equipment, etc.) locked?

39) Does the facility have badged security access and auditable access reports?

Technical Security

40) Are systems configured using a standard systems security hardening process?

41) Are all your organization’s workstations, desktops, laptops, servers, and mobile devices encrypted using full disk encryption?

42) Is a centrally managed antivirus / anti-malware program implemented at your organization? Which program? Are all signature files current within 24 hours?

43) Describe your regular patch management process, including responsibilities, scope, and tools used to manage the process. Are all computing assets current within 30 days with applicable security patches?

44) Are vulnerability assessments or penetration tests performed on internal and external networks and assets? If so, how often? Who performs such assessments? Are there any systems on which vulnerability assessments or penetration tests are not performed?

45) What monitoring systems are implemented to track information system activity?

46) Does your organization have intrusion detection and/or intrusion prevention systems implemented? If so, which programs have been deployed?

47) Are all user accounts completely unique and provisioned by role?

48) What are the requirements for your password policy?

Incident Response & Data Breaches

49) Do you have established, documented, and distributed security incident response and escalation procedures to ensure timely and effective handling of all situations, including potential data breaches?

50) Does your organization have a formal data backup plan that provides all the details on the confidential data backup process? Please describe.

51) Does your organization have a disaster recovery plan that provides the detailed procedures to restore each system and its respective data from a variety of technical disaster scenarios? Please describe.

52) Have you established and implemented a business continuity plan or emergency mode operations procedures to enable continuation or critical business processes for protection of the security of ePHI during a disaster scenario or while operating in emergency mode?

53) Have you documented and implemented procedures for periodic testing and revision of contingency plans?

I confirm that the information I am providing to Zinatt Technologies Inc is accurate.