Educause Security Discussion mailing list archives
Re: checklist for hosted services or applications
From: David Grisham <Dgrisham () SALUD UNM EDU>
Date: Tue, 17 Sep 2013 09:14:40 -0600
This pretty much describes our procedure as well. Because we're in health care, if we do allow a self-assessment it is only good for one contract period, and we put in that contract that they must provide a third-party independent self-assessment, SSAE 16 or equivalent, for renewal.

Cheers
--grish

David D. Grisham
David Grisham, Ph.D., CISM, CRISC
Manager, IT Security, UNM Hospitals, IT Division
Suite 3131
933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Brad Judy <win-hied () BRADJUDY COM> 9/17/2013 8:21 AM >>>
Our standard process is to request that the vendor provide one of the following:

- Third-party audited SSAE-16 SOC 2 report (that includes the application vendor, not just their co-lo provider)
- Third-party audited ISO 27002 report
- Self-assessed Cloud Security Alliance controls matrix

(While we don't list it, I'd also be happy with an audited NIST 800-53 report as well, but I don't think many commercial providers use this standard.)

Unfortunately, they often respond with the SSAE-16 SOC-1 from their co-lo provider, which just covers the physical security and environmental controls for the server location(s). So there is usually some back-and-forth to clarify that we want information on the security controls employed by the application provider and any other sub-contracted layers.

In some cases they cannot provide any of the three (even the self-assessed CSA item), and then I pull out a list of security controls that I've worked with for the past few years and request that it be inserted into the contract. This usually leads to some negotiation around particular items that the vendor wishes to edit or strike. The resulting text is then added to the contract.

This is actually easier (IMO) for PCI-related items, where there is a standard to point to and they must be on a list of vetted service providers.

Brad Judy

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Reboli
Sent: Friday, September 13, 2013 12:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] checklist for hosted services or applications

In this day and age we are doing more and more hosted applications. Does anyone have a checklist of questions that they go through with the hosting company to ensure that the host company performs security vulnerability studies, encrypts the data you provide them, is PCI compliant, etc.?

Thank you
m

Mark Reboli
Network/Telecom Manager
Misericordia University
(570) 674-6753
Current thread:
- checklist for hosted services or applications Mark Reboli (Sep 13)
- Re: checklist for hosted services or applications Harry Hoffman (Sep 13)
- Re: checklist for hosted services or applications Brad Judy (Sep 17)
- Re: checklist for hosted services or applications David Grisham (Sep 17)