Educause Security Discussion mailing list archives

requiring controls assurance from suppliers
From: John Bullock <John.Bullock () DAL CA>
Date: Mon, 18 Dec 2006 11:29:56 -0400

I am wondering if any of you have experience requiring your service
providers to be certified?  In particular I am interested in SAS70 (US),
CICA5900 (Canada), or ISO 27001 certification.

I am concerned by the apparent lack of security controls I am seeing with
some providers -- especially some software firms.  It's true we need to be
ensuring adequate controls at our own institutions but we should still be
able to require controls assurance from our providers.

It seems, and it may only be perception, that we have more single-source
categories of software than some other sectors and this may be a factor
affecting our ability to obtain controls assurance.  It's common in sectors
such as banking, trucking, etc. to require independent assurance and to
still have several bidders to choose from.  And bidders themselves bear the
cost of the audit if they did not already have one.

Have any of you been able to get this from your service providers?  Any
advice or experience you could share would be welcome.

Cheers,

John Bullock
Information Security Manager
Dalhousie University
(902) 494-2790