Educause Security Discussion mailing list archives

Re: security assessments for cloud based vendors


From: Rob Milman <rob.milman () SAIT CA>
Date: Tue, 19 Jul 2016 13:46:37 -0600

Thanks Aaron,

I have a demo scheduled with BitSight in the next couple of weeks. I'm more than curious to know how much it will cost 
us to get this information. Do you happen to know if they provide discounts to budget-conscious post-secondary 
institutions?



Rob Milman
Security & Compliance Analyst
Information Systems

Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 - 16 Avenue NW, Calgary AB, T2M 0L4

(Office) 403.774.5401  (Cell) 403.606.3173
rob.milman () sait ca





From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Baillio, 
Aaron
Sent: Tuesday, July 19, 2016 1:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security assessments for cloud based vendors

We started utilizing a service called BitSight which helps in this area.  They basically provide a security score 
similar to a FICO score on you and a selection of businesses that you choose (which you can always change).  The score 
comes with a breakout on how they are scored.  Many companies use it as a 3rd party assessment when selecting vendors 
but it also helps internally to see how your organization is doing.

It also provides a benchmark for the vertical to give you a sense of how well the company measures up in their 
industry.  It's pretty nifty and we've gotten some good use out of it.  Our leadership loves the score; it helps 
provide a status bar and when it moves up or down you can identify exactly what has changed in the environment that 
affected the score.

B. Aaron Baillio, Sec+, CEH, CISSP
University of Oklahoma, Information Technology
Managing Director, Security Operations and Architecture
O: 405-325-7948
C: 254-400-6404

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Colleen 
Keller
Sent: Tuesday, July 19, 2016 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security assessments for cloud based vendors

Hi Alex,

There are several items in the EDUCAUSE library that may be of use for you.

https://library.educause.edu/resources/2014/7/it-security-questionnaireit-standards-and-requirements-questionnaire
http://www.educause.edu/annual-conference/2015/cloud-service-procurement-and-contracting-lessons-internet2-net
https://spaces.internet2.edu/display/2014infosecurityguide/Cloud+Computing+Security

Please let me know if you have any questions, thank you.

Colleen Keller Electronic Resources Librarian


EDUCAUSE
Uncommon Thinking for the Common Good
direct: 303.939.0309 | main: 303.449.4430 | educause.edu | Twitter: @EDUCAUSEreview



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex 
Jalso
Sent: Monday, July 18, 2016 6:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security assessments for cloud based vendors

Hello Everyone,

I'm working to implement a security assessment procedure where cloud-based vendors who are bidding on a contract must 
provide a current 3rd party security assessment; its current privacy policy / statement; its cyber liability insurance 
policy binder; and, if credit cards will be processed, a current Attestation of Compliance as part of its bid submission. 
The successful vendor will then have to annually provide updated versions of these documents.  Do any of you have a 
similar process?  If so, would you be willing to share it?  Direct replies are welcome.  Thanks.

Alex

Alex Jalso, PMP, CISM
Chief Information Security Officer
West Virginia University
p: 304-293-4457

Information Technology Services will NEVER ask for your Social Security number, credit card number or WVU login 
credentials by email.  DefendYourData.wvu.edu

