Educause Security Discussion mailing list archives

Re: security assessments for cloud based vendors


From: "Baillio, Aaron" <abaillio () OU EDU>
Date: Tue, 19 Jul 2016 19:30:10 +0000

We started utilizing a service called BitSight which helps in this area.  They basically provide a security score 
similar to a FICO score on you and a selection of businesses that you choose (which you can always change).  The score 
comes with a breakout on how they are scored.  Many companies use it as a 3rd party assessment when selecting vendors 
but it also helps internally to see how your organization is doing.

It also provides a benchmark for the vertical to give you a sense of how well the company measures up in their 
industry.  It's pretty nifty and we've gotten some good use out of it.  Our leadership loves the score; it helps 
provide a status bar and when it moves up or down you can identify exactly what has changed in the environment that 
affected the score.

B. Aaron Baillio, Sec+, CEH, CISSP
University of Oklahoma, Information Technology
Managing Director, Security Operations and Architecture
O: 405-325-7948
C: 254-400-6404

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Colleen 
Keller
Sent: Tuesday, July 19, 2016 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security assessments for cloud based vendors

Hi Alex,

There are several items in the EDUCAUSE library that may be of use for you.

https://library.educause.edu/resources/2014/7/it-security-questionnaireit-standards-and-requirements-questionnaire
http://www.educause.edu/annual-conference/2015/cloud-service-procurement-and-contracting-lessons-internet2-net
https://spaces.internet2.edu/display/2014infosecurityguide/Cloud+Computing+Security

Please let me know if you have any questions, thank you.

Colleen Keller Electronic Resources Librarian


EDUCAUSE<http://www.educause.edu/>
Uncommon Thinking for the Common Good
direct: 303.939.0309 | main: 303.449.4430 | educause.edu<http://www.educause.edu/> | Twitter: @EDUCAUSEreview



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex 
Jalso
Sent: Monday, July 18, 2016 6:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security assessments for cloud based vendors

Hello Everyone,

I'm working to implement a security assessment procedure where cloud-based vendors who are bidding on a contract must 
provide a current 3rd party security assessment; its current privacy policy / statement; its cyber liability insurance 
policy binder; and, if credit cards will be processed, a current Attestation of Compliance as part of its bid submission. 
The successful vendor will then have to annually provide updated versions of these documents.  Do any of you have a 
similar process?  If so, would you be willing to share it?  Direct replies are welcome.  Thanks.

Alex

Alex Jalso, PMP, CISM
Chief Information Security Officer
West Virginia University
p: 304-293-4457

Information Technology Services will NEVER ask for your Social Security number, credit card number or WVU login 
credentials by email.  DefendYourData.wvu.edu<http://defendyourdata.wvu.edu/>

