Educause Security Discussion mailing list archives
requiring controls assurance from suppliers
From: John Bullock <John.Bullock () DAL CA>
Date: Mon, 18 Dec 2006 11:29:56 -0400
I am wondering if any of you have experience requiring your service providers to be certified? In particular I am interested in SAS70 (US), CICA5900 (Canada), or ISO 27001 certification. I am concerned by the apparent lack of security controls I am seeing with some providers -- especially some software firms. It's true we need to be ensuring adequate controls at our own institutions, but we should still be able to require controls assurance from our providers.

It seems, and it may only be perception, that we have more single-source categories of software than some other sectors, and this may be a factor affecting our ability to obtain controls assurance. It's common in sectors such as banking, trucking, etc. to require independent assurance and to still have several bidders to choose from. And bidders themselves bear the cost of the audit if they did not already have one.

Have any of you been able to get this from your service providers? Any advice or experience you could share would be welcome.

Cheers,

John Bullock
Information Security Manager
Dalhousie University
(902) 494-2790