2025.1
This template provides a standardised approach for responding to client security questionnaires and vendor assessments. Use this template to ensure consistent, comprehensive responses that align with Niche Studio’s security policies and procedures.
## Response guidelines
### 1. Always Include These Elements
- Policy Reference: Cite specific policy documents where applicable
- Technical Details: Provide specific technical implementation details
- Compliance Status: Clearly state compliance with relevant standards
- Evidence: Reference supporting documentation, certifications, or procedures
- Contact Information: Include relevant contact details for follow-up
### 2. Standard Response Format
Question: [Client's specific question]
Answer: [Yes/No/Partial with explanation]
Details: [Technical implementation details]
Policy Reference: [Specific policy document]
Evidence: [Supporting documentation or procedures]
Contact: [Relevant team member for follow-up]
## Common response categories
### Access Management
Standard Response Elements:
- Multi-factor authentication implementation
- Role-based access control (RBAC)
- Regular access reviews and audits
- Background check procedures
- Access provisioning and deprovisioning
Policy References:
- Access Control Policy
- HR Security Procedures
- User Access Management Procedures
### Security Monitoring and Incident Response
Standard Response Elements:
- SIEM platform (Wazuh) implementation
- 24/7 monitoring and alerting
- Incident response procedures
- Breach notification compliance (Australian NDB scheme)
- Regular security assessments
Policy References:
- System Audit Policy
- Incident Response Policy
- Breach Investigation and Notification Policy
### Data Protection and Privacy
Standard Response Elements:
- Australian Privacy Act 1988 compliance
- Data encryption (AES-256) at rest and in transit
- Data residency (Australian servers)
- Privacy impact assessments
- Data subject rights management
Policy References:
- Privacy and Consent Policy
- Data Management Policy
- Data Protection Procedures
### Infrastructure Security
Standard Response Elements:
- Cloud-based infrastructure (Binary Lane, DigitalOcean)
- Automated security patching
- Network security controls (Cloudflare, fail2ban)
- Server hardening (CIS Benchmarks)
- Automated deployment and configuration management
Policy References:
- System Configuration Management
- Network Security Policy
- Change Management Procedures
### Business Continuity and Disaster Recovery
Standard Response Elements:
- RPO: 24 hours maximum data loss
- RTO: 4 hours for critical systems
- Geographically separate backup locations
- Quarterly disaster recovery testing
- Business continuity planning
Policy References:
- Business Continuity and Disaster Recovery Policy
- Data Backup and Recovery Procedures
### Compliance and Certifications
Current Status:
- Australian Privacy Act 1988 compliance
- Preparing for ISO 27001 certification
- SOC 2 Type 2 preparation
- PCI DSS SAQ A compliance (for payment processing)
Policy References:
- Compliance Management Policy
- Risk Management Policy
## Vendor-specific information
### Hosting Providers
- Primary: Binary Lane (NextDC Brisbane, Australia)
- Secondary: DigitalOcean
- Backups: Wasabi (Sydney, Australia)
- CDN: Cloudflare
### Security Tools and Services
- SIEM/XDR: Wazuh
- Network Protection: Cloudflare, fail2ban
- Configuration Management: Ansible (Trellis)
- Monitoring: Continuous monitoring with real-time alerting
- Backup: Automated daily backups with encryption
### Service Level Commitments
- Uptime: 99.9% availability
- Response Times:
  - Critical (Site down, purchases blocked, data loss): Within 4 hours
  - Major (Issues impacting revenue or key functionality): Within 1 day
  - Minor (Small fixes, cosmetic/admin issues): Within 2 days
  - Enquiry (General questions, new features, quotes): Within 3 days
- Business Hours: 9 AM – 5 PM AEST, Mon–Fri (excluding public holidays)
- After-hours Support: May be charged at double time or deferred to business hours
- Guarantee: If we miss a response deadline, you get 2 free support hours
- Maintenance: Monthly/Quarterly/Annual packages available
- Reporting: Regular security and performance reports
## Supporting Documentation
### Available Upon Request
- Security Policy Framework
- Incident Response Procedures
- Business Continuity Plans
- Privacy Policy and Terms of Trade
- Service Level Agreements
- Insurance Certificates
- Third-party Assessment Reports
## Contact Information
- Security Officer: Mikael Wedemeyer (mikael@team.nichestud.io)
- Privacy Officer: Mikael Wedemeyer (mikael@team.nichestud.io)
- Technical Contact: Michael Armstrong (michael@team.nichestud.io)
- General Inquiries: niche@team.nichestud.io
## Response Checklist
Before submitting any vendor response:
- [ ] All questions answered completely
- [ ] Policy references included where applicable
- [ ] Technical details are accurate and current
- [ ] Compliance status clearly stated
- [ ] Supporting documentation identified
- [ ] Contact information provided
- [ ] Response reviewed by security team
- [ ] Client-specific requirements addressed
## Notes
- Always tailor responses to the specific client’s requirements
- Highlight relevant certifications and compliance achievements
- Provide specific examples of security implementations
- Include relevant case studies or success stories where appropriate
- Ensure all technical details are current and accurate
- Follow up on any outstanding items promptly
This template should be updated regularly to reflect changes in Niche Studio’s security posture, policies, and procedures.