Educause Security Discussion mailing list archives
Re: security assessments for cloud based vendors
From: Jim Dillon <jim.dillon () CU EDU>
Date: Tue, 19 Jul 2016 15:46:43 +0000
Alex,

While I'm aware that we've asked for some of these items, a full evaluation (audit) of our practice is yet to be pursued. I've reviewed cloud providers through their SOC2 as attested by a third party reviewer. Apart from contracting a right to have a third party assessment, this is a method that may at least provide some insight into the vendor's relative maturity.

The more interesting and growing problem is how do you require this of their subcontractors, and their subcontractor's subcontractor, and so on, and so on (anyone old enough to remember the shampoo commercials?). The expanding cloud environment makes the assessment prohibitive, and usual security-by-inspection methods somewhat ineffective. How do you inspect what you can't find in whatever sub-sub cloud it may be traveling through?

So no answers for you other than an appeal to be sure you take into account some assertion on the vendor's part that they hold their subcontractors to like standards and that they will provide/facilitate third party attestation for their subs. You may have thought this through, but not seeing it in your list I felt compelled to call it out. The IT security industry will need some new frameworks and approaches before all this settles, as many of our more static assumptions simply won't (don't?) apply.

Best regards,
Jim

_____________________________________________________
Jim Dillon
Director of IT Audit Services, CU Internal Audit
303-735-7028

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex Jalso
Sent: Monday, July 18, 2016 6:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security assessments for cloud based vendors

Hello Everyone,

I'm working to implement a security assessment procedure where cloud based vendors who are bidding on a contract must provide a current 3rd party security assessment; its current privacy policy / statement; its cyber liability insurance policy binder; and, if credit cards will be processed, a current Attestation of Compliance as part of its bid submission. The successful vendor will then have to annually provide updated versions of these documents.

Do any of you have a similar process? If so, would you be willing to share it? Direct replies are welcome.

Thanks.
Alex

Alex Jalso, PMP, CISM
Chief Information Security Officer
West Virginia University
p: 304-293-4457

Information Technology Services will NEVER ask for your Social Security number, credit card number or WVU login credentials by email. DefendYourData.wvu.edu <http://defendyourdata.wvu.edu/>