Educause Security Discussion mailing list archives

Re: security assessments for cloud based vendors


From: "Baillio, Aaron" <abaillio () OU EDU>
Date: Tue, 19 Jul 2016 20:57:07 +0000

Yes, that's 100% accurate.  This will certainly not replace a good old questionnaire or even give you insight into how 
well they achieve NIST, ISO, (insert framework of choice here).  

It's more of a benchmark to see how they compare to others in the industry and will give you an insight into some of 
the following:
- Botnet infections from the institution/company
- Spam 
- Malware servers (hosting malware)
- Potentially exploited systems
- SPF domains
- DKIM records
- TLS/SSL configuration and health
- Open ports
- Reported data breaches
- file sharing
- etc.

While not a 1 for 1 to a risk framework, there are certainly some extrapolations that can be made.  But, as in every 
security tool, look at your requirements and see what fits.  This probably wouldn't pass muster for a HIPAA vendor 
audit but is probably sufficient to meet the spirit of the law on auditing 3rd party vendors.

Aaron

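Two of the externally observable signals in the list above, SPF and DKIM, can be evaluated from nothing more than a domain's public DNS TXT records, which is exactly the sort of data a rating service can gather without sending anyone a questionnaire. The Python below is an added example, not code from this thread or from BitSight; the domain names and records it parses are constructed for illustration, and the scoring rules are the author's own reading of RFC 7208 (SPF) and RFC 6376 (DKIM), not the vendor's methodology.

```python
"""Score SPF and DKIM posture from public DNS TXT records.

Added example: the records below are constructed, not fetched from any real
domain. A rating service would obtain the same strings via DNS lookups of
<domain> (SPF) and <selector>._domainkey.<domain> (DKIM).
"""

# RFC 7208 section 4.6.4: each of these terms costs the receiver a DNS lookup,
# and a record that triggers more than 10 of them evaluates to permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def parse_spf(record: str) -> dict:
    """Parse an SPF TXT record and derive posture findings from its terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        if "=" in term:  # modifier, e.g. redirect=_spf.example.net or exp=...
            if term.split("=", 1)[0].lower() in LOOKUP_TERMS:
                lookups += 1
            continue
        qualifier = "+"  # RFC 7208: a missing qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # strip any ":domain" or "/cidr" suffix to get the bare mechanism name
        mechanism = term.split(":", 1)[0].split("/", 1)[0].lower()
        if mechanism in LOOKUP_TERMS:
            lookups += 1
        if mechanism == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises any host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' gives receivers no fail signal for unlisted senders")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}: permerror")
    return {"all": all_qualifier, "lookups": lookups, "findings": findings}


def parse_dkim(record: str) -> dict:
    """Parse a DKIM key record (RFC 6376 section 3.6.1) and flag weak settings."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed DKIM tag: {field!r}")
        name, value = field.split("=", 1)  # base64 padding '=' stays in the value
        tags[name.strip()] = value.strip()
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        findings.append("unexpected version tag")
    if tags.get("p", "") == "":
        findings.append("empty p= tag: key is revoked, signatures cannot verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag: verifiers treat failures as unsigned mail")
    return {"key_type": tags.get("k", "rsa"), "has_key": bool(tags.get("p")), "findings": findings}


def assess_domain(spf_record: str, dkim_record: str) -> dict:
    """Combine both parsers into the kind of per-domain summary a rating feeds on."""
    spf, dkim = parse_spf(spf_record), parse_dkim(dkim_record)
    return {"spf": spf, "dkim": dkim, "issues": len(spf["findings"]) + len(dkim["findings"])}


# Constructed sample records for two fictional vendors.
SAMPLES = {
    "strict.example": (
        "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx -all",
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqCONSTRUCTEDKEYMATERIAL=",
    ),
    "loose.example": (
        "v=spf1 a mx ptr include:a.example include:b.example include:c.example "
        "include:d.example include:e.example include:f.example include:g.example "
        "include:h.example +all",
        "v=DKIM1; k=rsa; t=y; p=",
    ),
}

if __name__ == "__main__":
    for domain, (spf_txt, dkim_txt) in SAMPLES.items():
        result = assess_domain(spf_txt, dkim_txt)
        print(f"{domain}: {result['issues']} issue(s)")
        for finding in result["spf"]["findings"] + result["dkim"]["findings"]:
            print(f"  - {finding}")
```

Run stand-alone it prints a finding list per constructed domain; the same functions can be pointed at real TXT records once a resolver library supplies them.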
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andy Hooper
Sent: Tuesday, July 19, 2016 3:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security assessments for cloud based vendors

Baillio, Aaron wrote on 19-Jul-16 15:30:
We started utilizing a service called BitSight which helps in this
area.

From the public blurb on vendor ratings, BitSight appears to be using 
externally observable data only, not questionnaires or auditing to 
standards. Is that a fair perception?

- Andy Hooper - Queen's University -
