Educause Security Discussion mailing list archives

Re: checklist for hosted services or applications


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Tue, 17 Sep 2013 08:21:59 -0600

Our standard process is to request that the vendor provide one of the
following:

Third-party audited SSAE-16 SOC 2 report (that includes the application
vendor, not just their co-lo provider)

Third-party audited ISO 27002 report

Self-assessed Cloud Security Alliance controls matrix

(While we don't list it, I'd also be happy with an audited NIST 800-53
report as well, but I don't think many commercial providers use this
standard.)

Unfortunately, they often respond with the SSAE-16 SOC-1 from their co-lo
provider that just covers the physical security and environmental controls
for the server location(s). So there is usually some back-and-forth to
clarify that we want information on the security controls employed by the
application provider and any other sub-contracted layers.

In some cases they cannot provide any of the three (even the self-assessed CSA
item) and then I pull out a list of security controls that I've worked with
for the past few years and request that it be inserted into the contract.
This usually leads to some negotiation around particular items that the
vendor wishes to edit or strike. The resulting text is then added to the
contract.

This is actually easier (IMO) for PCI-related items where there is a
standard to point to and they must be on a list of vetted service providers.

Brad Judy
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Reboli
Sent: Friday, September 13, 2013 12:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] checklist for hosted services or applications

In this day and age we are doing more and more hosted applications. Does
anyone have a checklist that they do with questions for the hosting company
to ensure that the host company (performs security vulnerability studies,
encrypts data you provide them, is PCI compliant, etc.)?

Thank you

m

Mark Reboli

Network/Telcom Manager

Misericordia University

(570) 674-6753
