CONFIDENTIAL — FOR AUTHORIZED USE ONLY  |  Checkwriters TPRM PROGRAM
Checkwriters Vendor Security Questionnaire
Version 2.0 · NIST CSF 2.0 · 22 Sections · 65 Questions

Completion Instructions

Complete all fields in the Vendor Information section below.

For each question, select Yes, No, or N/A.

Use the Evidence / Comments field to support your response — especially where explanation is requested.

Attach supporting documentation where referenced (SOC 2, pen test, BCP attestation, etc.).

An authorized representative must complete and submit the Attestation at the end.

Return to your designated Checkwriters contact securely.

Vendor Information


1. Data Governance & Privacy

Q1–5
#  Question  Response  Evidence / Comments
01. Does your organization collect, store, or transmit Personally Identifiable Information (PII) on behalf of Checkwriters or its members?
02. Do you limit PII collection to only the minimum data necessary to deliver contracted services (data minimization)?
03. Does your organization conduct Privacy Impact Assessments (PIAs) before deploying new systems or processes involving member data?
04. Do you have a formal data retention and disposal schedule? Are records disposed of per NIST SP 800-88 or equivalent standard?
05. Does your organization have a written privacy policy? Is it consistent with GLBA Regulation P requirements?

2. Data Location & Storage

Q6–9
#  Question  Response  Evidence / Comments
06. Do you store Checkwriters-related data in an on-premises (self-hosted) environment?
07. Do you store Checkwriters-related data in a cloud environment? If yes, list provider(s) and regions in Comments.
08. What geographic locations (countries / regions) are used to store or process Checkwriters data? List all in Comments.
09. Is Checkwriters data logically or physically segregated from other clients' data in your environment?

3. People & Access Controls

Q10–14
#  Question  Response  Evidence / Comments
10. Are pre-employment background checks performed on all employees with access to Checkwriters data or systems? Are the same requirements applied to contractors?
11. Is access to Checkwriters data and systems granted on the basis of least privilege and need-to-know?
12. Do users with access to Checkwriters data have unique individual accounts? Are shared or generic accounts prohibited?
13. Are access rights formally reviewed on a recurring basis (at minimum annually)? Are access rights revoked promptly upon termination or role change?
14. Can users access Checkwriters-related systems or data remotely? If yes, describe controls (VPN, MFA, device policy) in Comments.

4. Devices & Endpoint Security

Q15–19
#  Question  Response  Evidence / Comments
15. What types of devices (workstations, laptops, mobile, BYOD) are used to collect, store, or transmit Checkwriters-related data? List in Comments.
16. Is Endpoint Detection and Response (EDR) or equivalent antimalware / anti-ransomware software installed on all devices that access Checkwriters data?
17. Do you maintain a current inventory of all devices connected to your networks and systems?
18. Is Mobile Device Management (MDM) enforced for mobile devices used to access Checkwriters-related systems or data?
19. Are removable media (USB drives, external drives) restricted or controlled on devices handling Checkwriters data?

5. Network Security

Q20–25
#  Question  Response  Evidence / Comments
20. Do you deploy firewalls with deny-by-default rules at all network perimeters handling Checkwriters data? Are firewall rules reviewed periodically?
21. Do you require use of an approved VPN for remote access to systems handling Checkwriters data?
22. Is all Checkwriters data encrypted in transit using TLS 1.2 or higher? Is data encrypted at rest using AES-256 or equivalent?
23. Do you use TLS/SSL certificates and SSH to secure data exchanges? Are expired or self-signed certificates prohibited in production?
24. Is your network segmented to isolate systems handling Checkwriters data from general corporate or internet traffic?
25. Do you implement email authentication controls (DMARC, DKIM, SPF) to protect against email spoofing and phishing?

6. DNS & DDoS Protection

Q26–27
#  Question  Response  Evidence / Comments
26. Do you have controls in place to detect and mitigate Distributed Denial of Service (DDoS) attacks against systems serving Checkwriters?
27. Do you use DNS filtering or threat intelligence-based domain blocking to prevent access to known-malicious domains?

7. Vulnerability & Patch Management

Q28–32
#  Question  Response  Evidence / Comments
28. Do you maintain a formal Vulnerability Management Program (beyond patch management) that monitors, prioritizes, and tracks all identified vulnerabilities? Can you provide a sample report or summary?
29. Do you apply security patches to systems, networks, and software on a risk-based schedule? Describe your patch SLAs (Critical / High / Medium) in Comments.
30. Do you track CISA Known Exploited Vulnerabilities (KEV) and prioritize remediation accordingly?
31. Do you have a documented process for remediating newly identified risks, including a remediation tracking mechanism?
32. Do you have a process to identify and retire end-of-life software, operating systems, and hardware before vendor support lapses?

8. Application Security

Q33–36
#  Question  Response  Evidence / Comments
33. Do you follow a Secure Software Development Lifecycle (SSDLC) for custom applications?
34. Are web applications protected against OWASP Top 10 vulnerabilities including SQL injection and cross-site scripting (XSS)?
35. Is a Web Application Firewall (WAF) deployed for internet-facing applications that process Checkwriters data?
36. Are APIs secured with authentication, rate limiting, and input validation? Are API keys rotated on a defined schedule?

9. Security Monitoring & SOC

Q37–40
#  Question  Response  Evidence / Comments
37. Do you continuously monitor your security controls and environment for cyber threats?
38. Do you operate or contract a 24/7 Security Operations Center (SOC) or Managed Detection and Response (MDR) service?
39. Do you maintain a Security Information and Event Management (SIEM) platform for log aggregation, correlation, and alerting?
40. What is your log retention period? Are logs protected against tampering or unauthorized deletion?

10. Your Vendor Risk Management (Fourth-Party)

Q41–44
#  Question  Response  Evidence / Comments
41. Do you maintain a formal Vendor / Third-Party Risk Management (TPRM) program for your own suppliers?
42. Do your service agreements with sub-processors or fourth parties include security, breach notification, and data protection requirements?
43. Do you monitor the cybersecurity posture of your critical sub-processors? Describe your oversight process in Comments.
44. Do you maintain a current inventory of sub-processors that may handle Checkwriters data? Can you provide it upon request?

11. Incident Response

Q45–49
#  Question  Response  Evidence / Comments
45. Do you maintain a formal, documented Incident Response Plan (IRP)?
46. Have you tested your IRP within the last 12 months (tabletop exercise, functional test, or simulation)? Can you provide attestation?
47. Do you have a defined notification process to alert Checkwriters within 24 hours of a confirmed or suspected security incident affecting Checkwriters data?
48. Have you experienced a cybersecurity breach or incident in the last three years? If yes, describe in Comments including root cause and remediation steps taken.
49. Does your organization conduct dark web monitoring or breach detection services to identify whether credentials or sensitive data have been compromised?

12. Business Continuity & Disaster Recovery

Q50–54
#  Question  Response  Evidence / Comments
50. Do you maintain a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)?
51. Do your BCP/DRP include cybersecurity scenarios such as ransomware, DDoS, and prolonged system outages?
52. Have you tested your BCP/DRP within the last 12 months? Can you provide attestation or evidence?
53. What are your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) commitments for services provided to Checkwriters? List in Comments.
54. Do you maintain geographically separate or cloud-hosted backup copies of critical data? Are backups tested for recoverability?

13. Assessments, Audits & Penetration Testing

Q55–58
#  Question  Response  Evidence / Comments
55. Do you perform annual cybersecurity risk assessments or Business Impact Analyses (BIAs)?
56. Have you had an independent IT security audit or assessment within the last 12 months? Were any material findings identified? Summarize in Comments.
57. Have you undergone an independent penetration test within the last 12 months? Were any critical or high findings identified? Summarize in Comments.
58. Do you perform tabletop or functional incident response or disaster recovery exercises? How frequently?

14. Compliance & Certifications

Q59–61
#  Question  Response  Evidence / Comments
59. List all governmental regulations related to data privacy and security that your organization complies with (e.g., GLBA, CCPA, GDPR, NCUA regulations). List in Comments.
60. Does your organization hold any current industry security certifications? (e.g., SOC 2 Type II, ISO 27001, PCI-DSS). List with expiry dates in Comments.
61. Do you have certifications or attestations indicating adherence to information security best practices relevant to financial services? Provide copies upon request.

15. Cybersecurity Governance

Q62–65
#  Question  Response  Evidence / Comments
62. Does your organization have a designated cybersecurity leader (CISO or equivalent) and a documented governance structure overseeing information security strategy and risk management?
63. Do you maintain a GRC platform, Plan of Action & Milestones (POA&M), or equivalent risk tracking mechanism? Describe in Comments.
64. Does your Board of Directors or equivalent governing body receive regular cybersecurity risk reporting?
65. Do you maintain a written Information Security Policy? Has it been reviewed within the last 12 months?

16. Authentication & Password Security

Q63–65
#  Question  Response  Evidence / Comments
66. Do you enforce a formal password policy? Describe minimum requirements (length, complexity, rotation) in Comments.
67. Is Multi-Factor Authentication (MFA) required for all accounts with access to Checkwriters-related systems? Is MFA enforced for privileged accounts and remote access?
68. Are privileged accounts managed through a Privileged Access Management (PAM) solution or equivalent controls?

17. Access Control

#  Question  Response  Evidence / Comments
69. Do you grant access based on the principle of least privilege and need-to-know?
70. Are access reviews conducted on a recurring basis (at minimum annually for all accounts; quarterly for privileged accounts)?
71. Is access revoked promptly (same-day for involuntary terminations) upon employee or contractor departure or role change?

18. Security Awareness & Training

#  Question  Response  Evidence / Comments
72. Do you require all employees with access to Checkwriters data to complete annual cybersecurity awareness training?
73. Do you conduct phishing simulation exercises? How frequently? Are results tracked and used to improve training?
74. Are employees who handle sensitive data provided with role-specific training on data handling, privacy, and security requirements?

19. Data Security & Breach History

#  Question  Response  Evidence / Comments
75. If your organization has experienced a cybersecurity compromise in the last three years, describe the nature of the incident in Comments.
76. What specific remediation steps were taken following any past compromise to prevent recurrence? List in Comments.
77. Do you monitor for leaked credentials or Checkwriters-related data exposure through dark web monitoring or threat intelligence services?

20. Insurance

#  Question  Response  Evidence / Comments
78. Does your organization carry general liability insurance? Provide carrier name and coverage amount in Comments.
79. Does your organization carry a dedicated cyber liability insurance policy? Provide carrier, coverage amount, and whether first-party and third-party coverage are included in Comments.

21. Artificial Intelligence (AI) Governance

#  Question  Response  Evidence / Comments
80. Does your organization use AI or machine learning systems that process, analyze, or generate outputs from Checkwriters or member data?
81. What access controls and authentication mechanisms govern access to AI-related services or APIs handling Checkwriters data?
82. How is Checkwriters or member data processed, stored, protected, and retained in AI-related interactions? Is member data used to train AI models?
83. Do you have a written policy governing third-party AI model integrations and associated security reviews?
84. Who owns AI governance within your organization? Is there a cross-functional AI governance committee or designated responsible party?
85. Does your organization maintain an AI governance framework aligned to recognized standards (NIST AI RMF, ISO/IEC 42001, OECD AI Principles, or equivalent)?
86. Are your AI systems assessed for compliance with applicable regulations (e.g., GLBA, state privacy laws, EU AI Act if applicable)?

22. Material Change Notification

#  Question  Response  Evidence / Comments
87. Do you agree to notify Checkwriters promptly — and in no event later than 24 hours — of any confirmed or suspected security incident affecting Checkwriters or member data?
88. Do you agree to notify Checkwriters of any material changes to your security posture, organizational structure, ownership, sub-processor relationships, or regulatory compliance status that may affect your responses to this questionnaire?
89. Do you agree to cooperate with Checkwriters and its designated auditors in any security assessment or regulatory examination related to services provided?

Vendor Attestation & Signature

By signing below, the authorized representative of the vendor organization attests that the information provided in this questionnaire is accurate and complete to the best of their knowledge, and that the vendor organization will promptly notify Checkwriters of any material changes to the information provided.
  • The information provided in this questionnaire is true, accurate, and complete to the best of my knowledge.
  • I am authorized to provide this information on behalf of my organization.
  • My organization will notify Checkwriters within 24 hours of any confirmed or suspected incident affecting Checkwriters data.
  • My organization will notify Checkwriters of material changes to this questionnaire's responses within 30 days of such change.
Checkwriters — Third-Party Risk Management Program
Return completed form securely to your designated Checkwriters contact. Version 2.0 · March 2026.
Copyright © 2026 Reactforce, LLC - All Rights Reserved