Educause Security Discussion mailing list archives
Re: security assessments for cloud based vendors
From: "Baillio, Aaron" <abaillio () OU EDU>
Date: Tue, 19 Jul 2016 20:57:07 +0000
Yes, that's 100% accurate. This will certainly not replace a good old questionnaire or even give you insight into how well they achieve NIST, ISO, (insert framework of choice here). It's more of a benchmark to see how they compare to others in the industry and will give you an insight into some of the following:

- Botnet infections from the institution/company
- Spam
- Malware servers (hosting malware)
- Potentially exploited systems
- SPF domains
- DKIM records
- TLS/SSL configuration and health
- Open ports
- Reported data breaches
- File sharing
- etc.

While not a 1 for 1 to a risk framework, there are certainly some extrapolations that can be made. But, as in every security tool, look at your requirements and see what fits. This probably wouldn't pass muster for a HIPAA vendor audit but is probably sufficient to meet the spirit of the law on auditing 3rd party vendors.

Aaron

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andy Hooper
Sent: Tuesday, July 19, 2016 3:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security assessments for cloud based vendors

Baillio, Aaron wrote on 19-Jul-16 15:30:
We started utilizing a service called BitSight which helps in this area.
From the public blurb on vendor ratings, BitSight appears to be using externally observable data only, not questionnaires or auditing to standards. Is that a fair perception?

- Andy Hooper
- Queen's University -