Educause Security Discussion mailing list archives
Re: security assessments for cloud based vendors
From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Tue, 19 Jul 2016 11:25:14 +0000
Are you specifically thinking of the CSA STAR registry, or some other similar framework? I think it’s a great idea to push cloud vendors toward more widespread adoption of these kinds of best practices.
From a practical contracting point of view – I’m not sure the market is collectively quite there yet.
If you look at the CSA Registry, there seems to be more widespread adoption overseas than in the USA of the higher levels of attainment, such as 3rd party certification. You can always try it and see what happens. The worst thing that could happen is that you wouldn’t get any responses to your bid solicitation. I don’t think vendors will adopt these relatively expensive practices in response to one or two customers’ demands. I think they will adopt them when so many customers require it that the vendor needs to do it to stay in business.

I would be extremely interested to know what success you have in requiring vendors to purchase cyber liability insurance. My experience is that cloud vendors do not accept this kind of risk-shifting (or even if they do sign contracts appearing to accept it, they don’t have the assets to cover the costs they’ve apparently agreed to cover in the event of a major breach that affects many, most, or all of their customers).

Ruth Ginzberg
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

Sent from Surface tablet by Mail for Windows 10 -- please ignore unwanted spelling corrections

From: Alex Jalso <ACJalso () MAIL WVU EDU>
Sent: Monday, July 18, 2016 7:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security assessments for cloud based vendors

Hello Everyone,

I’m working to implement a security assessment procedure where cloud based vendors who are bidding on a contract must provide a current 3rd party security assessment; its current privacy policy / statement; its cyber liability insurance policy binder; and, if credit cards will be processed, a current Attestation of Compliance as part of its bid submission. The successful vendor will then have to annually provide updated versions of these documents.

Do any of you have a similar process? If so, would you be willing to share it? Direct replies are welcome.

Thanks.
Alex

Alex Jalso, PMP, CISM
Chief Information Security Officer
West Virginia University
p: 304-293-4457

Information Technology Services will NEVER ask for your Social Security number, credit card number or WVU login credentials by email.
DefendYourData.wvu.edu <http://defendyourdata.wvu.edu/>
Current thread:
- security assessments for cloud based vendors Alex Jalso (Jul 18)
- Re: security assessments for cloud based vendors Ruth Ginzberg (Jul 19)
- Re: security assessments for cloud based vendors Velislav K Pavlov (Jul 19)
- Re: security assessments for cloud based vendors Jim Dillon (Jul 19)
- Re: security assessments for cloud based vendors Colleen Keller (Jul 19)
- Re: security assessments for cloud based vendors Baillio, Aaron (Jul 19)
- Re: security assessments for cloud based vendors Rob Milman (Jul 19)
- Re: security assessments for cloud based vendors Baillio, Aaron (Jul 19)
- Re: security assessments for cloud based vendors Andy Hooper (Jul 19)
- Re: security assessments for cloud based vendors Baillio, Aaron (Jul 19)
- Re: security assessments for cloud based vendors Baillio, Aaron (Jul 19)
- Re: security assessments for cloud based vendors Ruth Ginzberg (Jul 19)
- <Possible follow-ups>
- Re: security assessments for cloud based vendors Hudson, Edward (Jul 19)