Educause Security Discussion mailing list archives
Re: security assessments for cloud based vendors
From: Rob Milman <rob.milman () SAIT CA>
Date: Tue, 19 Jul 2016 13:46:37 -0600
Thanks Aaron, I have a demo scheduled with BitSight in the next couple of weeks. I'm more than curious to know how much it will cost us to get this information. Do you happen to know if they provide discounts to budget conscious post-secondary institutions?

Rob Milman
Security & Compliance Analyst
Information Systems
Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 - 16 Avenue NW, Calgary AB, T2M 0L4
(Office) 403.774.5401
(Cell) 403.606.3173
rob.milman () sait ca

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Baillio, Aaron
Sent: Tuesday, July 19, 2016 1:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security assessments for cloud based vendors

We started utilizing a service called BitSight which helps in this area. They basically provide a security score similar to a FICO score on you and a selection of businesses that you choose (which you can always change). The score comes with a breakout on how they are scored. Many companies use it as a 3rd party assessment when selecting vendors but it also helps internally to see how your organization is doing. It also provides a benchmark for the vertical to give you a sense of how well the company measures up in their industry.

It's pretty nifty and we've gotten some good use out of it. Our leadership loves the score; it helps provide a status bar and when it moves up or down you can identify exactly what has changed in the environment that affected the score.

B.

Aaron Baillio, Sec+, CEH, CISSP
University of Oklahoma, Information Technology
Managing Director, Security Operations and Architecture
O: 405-325-7948
C: 254-400-6404

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Colleen Keller
Sent: Tuesday, July 19, 2016 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security assessments for cloud based vendors

Hi Alex,

There are several items in the EDUCAUSE library that may be of use for you.

https://library.educause.edu/resources/2014/7/it-security-questionnaireit-standards-and-requirements-questionnaire
http://www.educause.edu/annual-conference/2015/cloud-service-procurement-and-contracting-lessons-internet2-net
https://spaces.internet2.edu/display/2014infosecurityguide/Cloud+Computing+Security

Please let me know if you have any questions, thank you.

Colleen Keller
Electronic Resources Librarian
EDUCAUSE
Uncommon Thinking for the Common Good
direct: 303.939.0309 | main: 303.449.4430 | educause.edu | Twitter: @EDUCAUSEreview

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex Jalso
Sent: Monday, July 18, 2016 6:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security assessments for cloud based vendors

Hello Everyone,

I'm working to implement a security assessment procedure where cloud based vendors who are bidding on a contract must provide a current 3rd party security assessment; its current privacy policy / statement; its cyber liability insurance policy binder; and if credit cards will be processed a current Attestation of Compliance as part of its bid submission. The successful vendor will then have to annually provide updated versions of these documents.

Do any of you have a similar process? If so, would you be willing to share it? Direct replies are welcome.

Thanks.

Alex

Alex Jalso, PMP, CISM
Chief Information Security Officer
West Virginia University
p: 304-293-4457

Information Technology Services will NEVER ask for your Social Security number, credit card number or WVU login credentials by email.
DefendYourData.wvu.edu