Educause Security Discussion mailing list archives

Re: security assessments for cloud based vendors


From: Velislav K Pavlov <VelislavPavlov () FERRIS EDU>
Date: Tue, 19 Jul 2016 13:43:53 +0000

Alex, we use CSA's CCM/CAIQ Registry. I share some of Ruth's observations with respect to the maturity of vendors' cloud 
security controls and the lack of widespread adoption of CSA's security practices. Most of the vendors are clueless as to 
what we are asking for, and we have to spend a lot of time educating them. If I can help my organization or another 
client in a similar situation, the time spent in awareness and education of the vendor is worth it. When we review 
vendors who already had the CCM/CAIQ completed, their risk assessment went quicker and smoother. If the cloud vendors have 
the CCM/CAIQ already prepared, the next client won't have to ask for the information. In my experience, the biggest 
struggle is with the small mom & pop businesses.

In addition to the CSA CCM/CAIQ, we work with the vendor on data flow and data classification. If the vendor can't 
provide a completed CCM/CAIQ, on occasion it may be acceptable to provide an SSAE 16 SOC 2 Type 2 report and proof of 
continuous vulnerability lifecycle management (including discovery, prioritization, assessment, report, remediation, and 
verification of the remediation). If the vendor can't provide the vulnerability lifecycle management proof, we 
typically ask to do our own assessment. At this point, we typically have to sign an NDA, receive permission to scan, and 
agree on Rules of Engagement. Note that for HIPAA we make sure to ask for a BAA once we agree to do business.

Some vendors can refuse to do business with us because of the risk assessment, and they can't or choose not to complete 
it. On occasion, the organization's leadership (VP or C-level) may decide to accept the identified risks. In this case, 
we ask for the completion of a risk acceptance form spelling out why, who, what, where, for how long, and listing what IT 
security has done to exercise due care and diligence. We use qualitative and quantitative justification for the 
evaluated risk to exemplify why we recommend the risk to be accepted, not accepted, and/or remediated before we do 
business. Note that my team makes a recommendation, but the organization's leadership makes the decision. If there is 
interest, I can share our internal risk assessment identification, scoring, and justification process. Email me 
privately.

I know that some colleagues in the private sector already push their cloud vendors to improve their security controls 
and address any identified vulnerabilities before doing business. We, in higher ed, have an opportunity to unite and 
set similar expectations for the cloud vendors we deal with. In the end, asking the vendor for evidence of security 
controls to protect our data can benefit the requester, the vendor along with any future or existing client. It can be 
a win-win situation. Thank you for sharing.

Vel Pavlov | IT Security Coordinator
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE,
Security+, CNA, MPCS, ITILv3F, A+
Big Rapids, MI 49307
Phone (231)-591-5613
VelPavlov () ferris edu


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ruth 
Ginzberg
Sent: Tuesday, July 19, 2016 7:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] security assessments for cloud based vendors

Are you specifically thinking of the CSA STAR registry, or some other similar framework?

I think it's a great idea to push cloud vendors toward more widespread adoption of these kinds of best practices.

From a practical contracting point of view - I'm not sure the market is collectively quite there yet.

If you look at the CSA Registry, there seems to be more widespread adoption overseas than in the USA of the higher 
levels of attainment, such as 3rd party certification.

You can always try it and see what happens.  The worst thing that could happen is that you wouldn't get any responses 
to your bid solicitation.

I don't think vendors will adopt these relatively expensive practices in response to one or two customers' demands.  I 
think they will adopt them when so many customers require it that the vendor needs to do it to stay in business.

I would be extremely interested to know what success you have in requiring vendors to purchase cyber liability 
insurance.  My experience is that cloud vendors do not accept this kind of risk-shifting (or even if they do sign 
contracts appearing to accept it, they don't have the assets to cover the costs they've apparently agreed to cover in 
the event of major breach that affects many, most, or all of their customers).


Ruth Ginzberg
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961


From: Alex Jalso <ACJalso () MAIL WVU EDU>
Sent: Monday, July 18, 2016 7:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security assessments for cloud based vendors

Hello Everyone,

I'm working to implement a security assessment procedure where cloud based vendors who are bidding on a contract must 
provide a current 3rd party security assessment; its current privacy policy / statement; its cyber liability insurance 
policy binder; and, if credit cards will be processed, a current Attestation of Compliance as part of its bid submission. 
The successful vendor will then have to annually provide updated versions of these documents. Do any of you have a 
similar process? If so, would you be willing to share it? Direct replies are welcome. Thanks.

Alex

Alex Jalso, PMP, CISM
Chief Information Security Officer
West Virginia University
p: 304-293-4457


