Educause Security Discussion mailing list archives
Re: security assessments for cloud based vendors
From: Velislav K Pavlov <VelislavPavlov () FERRIS EDU>
Date: Tue, 19 Jul 2016 13:43:53 +0000
Alex, we use CSA's CCM/CAIQ Registry. I share some of Ruth's observations with respect to the maturity of vendors' cloud security controls and the lack of widespread adoption of CSA's security practices. Most of the vendors are clueless as to what we are asking for and we have to spend a lot of time educating them. If I can help my organization or another client in a similar situation, the time spent in awareness and education of the vendor is worth it. When we review vendors who already had CCM/CAIQ completed, their risk assessment went quicker and smoother. If the cloud vendors have the CCM/CAIQ already prepared, the next client won't have to ask for the information. In my experience, the biggest struggle is with the small mom & pop businesses. In addition to the CSA CCM/CAIQ, we work with the vendor on data flow and data classification. If the vendor can't provide a completed CCM/CAIQ, on occasion it may be acceptable to provide an SSAE 16 SOC 2 Type 2 report and proof of continuous vulnerability lifecycle management (including discovery, prioritization, assessment, report, remediation, and verification of the remediation). If the vendor can't provide the vulnerability lifecycle management proof, we typically ask to do our own assessment. At this point, we typically have to sign an NDA, receive permission to scan, and agree on Rules of Engagement. Note that for HIPAA we make sure to ask for a BAA once we agree to do business. Some vendors can refuse to do business with us because of the risk assessment, and they can't or choose not to complete it. On occasion, the organization's leadership (VP or C-level) may decide to accept the identified risks. In this case, we ask for the completion of a risk acceptance form spelling out why, who, what, where, for how long, and listing what IT security has done to exercise due care and diligence.
We use qualitative and quantitative justification for the evaluated risk to exemplify why we recommend the risk to be accepted, not accepted, and/or remediated before we do business. Note that my team makes a recommendation, but the organization's leadership makes the decision. If there is interest, I can share our internal risk assessment identification, scoring, and justification process. Email me privately. I know that some colleagues in the private sector already push their cloud vendors to improve their security controls and address any identified vulnerabilities before doing business. We, in higher ed, have an opportunity to unite and set similar expectations for the cloud vendors we deal with. In the end, asking the vendor for evidence of security controls to protect our data can benefit the requester, the vendor, and any future or existing client. It can be a win-win situation. Thank you for sharing.

Vel Pavlov | IT Security Coordinator
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE, Security+, CNA, MPCS, ITILv3F, A+
Big Rapids, MI 49307
Phone (231)-591-5613
VelPavlov () ferris edu

Notice: This email message and any attachments are for the confidential use of the intended recipient. If that isn't you, please do not read the message or attachments, or distribute or act in reliance on them. If you have received this message by mistake, please immediately notify VelPavlov () ferris edu and delete this message and any attachments. Thank you.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ruth Ginzberg
Sent: Tuesday, July 19, 2016 7:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security assessments for cloud based vendors

Are you specifically thinking of the CSA STAR registry, or some other similar framework? I think it's a great idea to push cloud vendors toward more widespread adoption of these kinds of best practices.
From a practical contracting point of view - I'm not sure the market is collectively quite there yet.
If you look at the CSA Registry, there seems to be more widespread adoption overseas than in the USA of the higher levels of attainment, such as 3rd party certification. You can always try it and see what happens. The worst thing that could happen is that you wouldn't get any responses to your bid solicitation. I don't think vendors will adopt these relatively expensive practices in response to one or two customers' demands. I think they will adopt them when so many customers require it that the vendor needs to do it to stay in business. I would be extremely interested to know what success you have in requiring vendors to purchase cyber liability insurance. My experience is that cloud vendors do not accept this kind of risk-shifting (or even if they do sign contracts appearing to accept it, they don't have the assets to cover the costs they've apparently agreed to cover in the event of a major breach that affects many, most, or all of their customers).

Ruth Ginzberg
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

Sent from Surface tablet by Mail for Windows 10 -- please ignore unwanted spelling corrections

From: Alex Jalso <mailto:ACJalso () MAIL WVU EDU>
Sent: Monday, July 18, 2016 7:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security assessments for cloud based vendors

Hello Everyone,

I'm working to implement a security assessment procedure where cloud based vendors who are bidding on a contract must provide a current 3rd party security assessment; its current privacy policy / statement; its cyber liability insurance policy binder; and, if credit cards will be processed, a current Attestation of Compliance as part of its bid submission. The successful vendor will then have to annually provide updated versions of these documents. Do any of you have a similar process? If so, would you be willing to share it? Direct replies are welcome. Thanks.

Alex

Alex Jalso, PMP, CISM
Chief Information Security Officer
West Virginia University
p: 304-293-4457

Information Technology Services will NEVER ask for your Social Security number, credit card number or WVU login credentials by email. DefendYourData.wvu.edu <http://defendyourdata.wvu.edu/>
Current thread:
- security assessments for cloud based vendors Alex Jalso (Jul 18)
- Re: security assessments for cloud based vendors Ruth Ginzberg (Jul 19)
- Re: security assessments for cloud based vendors Velislav K Pavlov (Jul 19)
- Re: security assessments for cloud based vendors Jim Dillon (Jul 19)
- Re: security assessments for cloud based vendors Colleen Keller (Jul 19)
- Re: security assessments for cloud based vendors Baillio, Aaron (Jul 19)
- Re: security assessments for cloud based vendors Rob Milman (Jul 19)
- Re: security assessments for cloud based vendors Baillio, Aaron (Jul 19)
- Re: security assessments for cloud based vendors Andy Hooper (Jul 19)
- Re: security assessments for cloud based vendors Baillio, Aaron (Jul 19)
- Re: security assessments for cloud based vendors Baillio, Aaron (Jul 19)
- Re: security assessments for cloud based vendors Ruth Ginzberg (Jul 19)
- <Possible follow-ups>
- Re: security assessments for cloud based vendors Hudson, Edward (Jul 19)