Infrastructure security is a pillar of cybersecurity that focuses on protecting critical systems, hardware, and software assets from physical and cyber threats.
Both cyber threats and physical threats can cause significant damage to an organization’s infrastructure security. Common cyber threats that aim to exploit an organization’s network infrastructure include phishing attempts, ransomware, malware, distributed denial of service (DDoS) exploits, firewall attacks, and Internet of Things (IoT) attacks. Physical threats include natural disasters, utility disruptions, and vandalism.
Organizations that partner with third-party vendors and maintain extensive supply chains must assess the strength of their internal infrastructure security programs and evaluate their vendors’ security practices. The best way to determine the infrastructure security of third-party vendors is by developing a detailed infrastructure security questionnaire.
Keep reading to discover what questions to ask your vendors, and download our FREE PDF Infrastructure Security Questionnaire Template to help build out your organization’s vendor questionnaire.
Learn more about UpGuard’s complete Vendor Risk Management solution>
Benefits of Infrastructure Security
Organizations rely on technology, operating systems, and data assets to maintain operations and business continuity. Developing a robust infrastructure security program helps an organization prevent cyber attacks, data breaches, and other disruptions that could cause significant harm to its reputation or profitability.
The main benefits of infrastructure security are:
- Advanced Data Protection
- Robust Continuity Assurance
- Protections for Intellectual Property (IP)
- Protections for Proprietary Data
Questions To Ask Vendors Regarding Infrastructure & Network Security
When creating an infrastructure security questionnaire, it’s important to consider asking vendors questions that cover each of the following categories:
- Data Encryption
- Access Controls
- Incident Response
- Business Continuity
- Network Security
- Physical Security
- Security Audits & Certifications
- Vendor Risk Management
- Data Backups & Recovery
- Security Training & Awareness
- Compliance & Regulations
- Security Incident Reporting
- Cybersecurity Insurance
Here are a few questions in each category that your organization can use to build out its infrastructure security questionnaire.
Data Encryption
1. How does your organization encrypt sensitive data or information during transmission?
- [Open text field for vendor response and comments]
2. How does your organization encrypt sensitive information or data at rest?
- [Open text field for vendor response and comments]
3. What industry-standard protocols does your organization follow for data encryption?
- [Open text field for vendor response and comments]
Access Controls
1. Does your organization have protocols in place to manage user access to critical systems and data?
- Yes
- No
- [Open text field for vendor comments]
2. If yes, explain your user access management system
- [Open text field for vendor response and comments]
3. If no, explain why your organization has not yet implemented user access controls.
- [Open text field for vendor response and comments]
4. Please describe your organization’s account authentication and authorization process.
- [Open text field for vendor response and comments]
Incident Response
1. Does your organization currently have an incident response plan in place?
- Yes
- No
- [Open text field for vendor comments]
2. If yes, please describe this incident response plan and how your organization has handled security breaches in the past.
- [Open text field for vendor response and comments]
3. If no, please explain if your organization is currently designing an incident response plan or why it has not pursued such a plan.
- [Open text field for vendor response and comments]
4. Does your organization have a dedicated security team?
- Yes
- No
- [Open text field for vendor comments]
5. How does your organization detect security incidents?
- [Open text field for vendor response and comments]
6. How quickly does your organization respond to security incidents?
- [Open text field for vendor response and comments]
Business Continuity
1. Does your organization currently have a business continuity plan in place?
- Yes
- No
- [Open text field for vendor comments]
2. If yes, please describe this business continuity plan and how your organization has handled security breaches in the past.
- [Open text field for vendor response and comments]
3. If no, please explain if your organization is designing a business continuity plan or why it has yet to pursue it.
- [Open text field for vendor response and comments]
Network Security
1. What security controls does your organization have in place to protect your network infrastructure from unauthorized access?
- [Open text field for vendor response and comments]
2. How does your organization protect its networks and data from unauthorized access?
- [Open text field for vendor response and comments]
3. How does your organization detect unauthorized access?
- [Open text field for vendor response and comments]
4. What remediation process does your organization follow when it detects a network intrusion?
- [Open text field for vendor response and comments]
Physical Security
1. How does your organization protect its physical data centers or critical infrastructure from unauthorized access?
- [Open text field for vendor response and comments]
2. What security policies does your organization have in place to manage user validation and access to physical data centers?
- [Open text field for vendor response and comments]
Security Audits and Certifications
1. How often does your security team conduct security assessments to evaluate internal security standards and manage cybersecurity risk?
- Every year
- Every quarter
- As needed
- Other (please explain below)
- [Open text field for vendor comments]
2. How often does your security team conduct self-assessments to evaluate how it manages risk inherited from third-party service providers?
- Every year
- Every quarter
- As needed
- Other (please explain below)
- [Open text field for vendor comments]
3. Does your organization conduct penetration testing or other preventative tests regularly?
- [Open text field for vendor response and comments]
4. Has your organization completed relevant certifications (ISO 27001 or comparable framework)?
- Yes (please list below)
- No
- [Open text field for vendor comments]
Vendor Risk Management
1. How does your organization assess the security practices of your third-party vendors?
- [Open text field for vendor response and comments]
2. Does your organization send risk assessment questionnaires to vendors regularly?
- [Open text field for vendor response and comments]
2. What security requirements does your organization impose upon its vendors?
- [Open text field for vendor response and comments]
Data Backups & Recovery
1. How often does your organization perform data backups or cloud security recovery maintenance?
- [Open text field for vendor response and comments]
Security Training & Awareness
1. How does your organization train employees and key stakeholders on the importance of cybersecurity best practices?
- [Open text field for vendor response and comments]
2. What security program does your organization have in place to promote a culture of healthy cyber hygiene?
- [Open text field for vendor response and comments]
Compliance & Regulations
1. How does your organization ensure continued compliance with industry data protection and privacy regulations (GDPR, HIPAA, etc.)?
- [Open text field for vendor response and comments]
2. How does your organization handle new compliance standards when they arise?
- [Open text field for vendor response and comments]
Security Incident Reporting
1. How does your organization document security incidents when they occur?
- [Open text field for vendor response and comments]
2. How does your organization communicate security incidents to relevant customers?
- [Open text field for vendor response and comments]
Cybersecurity Insurance
1. Does your organization hold a cyber insurance policy?
- Yes
- No
- [Open text field for vendor comments]
2. If yes, what does your organization’s policy cover?
- [Open text field for vendor response and comments]
3. If no, will your organization pursue a cyber insurance policy in the future?
- Yes
- No
- [Open text field for vendor comments]
Streamline Infrastructure Security Questionnaires With UpGuard
UpGuard is an all-in-one SaaS cybersecurity solution that grants users access to a comprehensive questionnaire library that includes an infrastructure security vendor questionnaire and other security questionnaires that meet industry standards for data security and physical security. Organizations looking to improve their vendor due diligence protocols and develop robust Third-Party Risk Management programs can use UpGuard’s library of questionnaires to identify and mitigate information security risks throughout the third-party vendor lifecycle.
In addition to its comprehensive library of security questionnaires, UpGuard Vendor Risk also provides organizations access to several other powerful Cyber Vendor Risk Management tools.
Notable features and use cases of UpGuard Vendor Risk include:
- Vendor Security Ratings: Instantly understand your vendor’s security posture
- Vendor Risk Assessments: Automate your risk assessments and reduce the time it takes to assess new and existing vendors
- Vendor Tiering: Classify vendors based on their level of inherent cyber risk and your organization’s unique risk tolerance
- Compliance Reporting: Map vendor details against common compliance frameworks (National Institute of Standards and Technology NIST, ISO 27001, PCI, etc.) and other initiatives
- Vendor Data Leak Detection: Prevent data leakage due to third-party breaches, phishing attempts, ransomware, endpoint vulnerabilities, and other cyber threats
- 24/7 Continuous Vendor Monitoring: Receive real-time updates when your vendor’s security ratings change
- Third-party integrations: Configure UpGuard within your existing security tools and web applications
