Re: security assessments for cloud based vendors

[Colleen Keller <ckeller () EDUCAUSE EDU>]

Hi Alex,

There are several items in the EDUCAUSE library that may be of use for you.

https://library.educause.edu/resources/2014/7/it-security-questionnaireit-standards-and-requirements-questionnaire
http://www.educause.edu/annual-conference/2015/cloud-service-procurement-and-contracting-lessons-internet2-net
https://spaces.internet2.edu/display/2014infosecurityguide/Cloud+Computing+Security

Please let me know if you have any questions, thank you.

Colleen Keller Electronic Resources Librarian


EDUCAUSE<http://www.educause.edu/>
Uncommon Thinking for the Common Good
direct: 303.939.0309 | main: 303.449.4430 | educause.edu<http://www.educause.edu/> | Twitter: @EDUCAUSEreview



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex 
Jalso
Sent: Monday, July 18, 2016 6:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security assessments for cloud based vendors

Hello Everyone,

I'm working to implement a security assessment procedure where cloud based vendors who are bidding on a contract must 
provide a current 3rd party security assessment; its current privacy policy / statement; its cyber liability insurance 
policy binder; and if credit cards will be processed a current Attestation of Compliance as part of its bid submission. 
 The successful vendor will then have to annually provide updated versions of these documents.  Do any of you have a 
similar process?  If so, would you be willing to share it?  Direct replies are welcome.  Thanks.

Alex

Alex Jalso, PMP, CISM
Chief Information Security Officer
West Virginia University
p: 304-293-4457

Information Technology Services will NEVER ask for your Social Security number, credit card number or WVU login 
credentials by email.  DefendYourData.wvu.edu<http://defendyourdata.wvu.edu/>