New SaaS vendors of all flavors seem to pop up every single day, don’t they? This is great news for business and function owners, but can be a scary reality for security teams. You wouldn’t hire a new employee before checking their references, would you? So why would you blindly bring on a new vendor?
Putting together a vendor security & resilience audit (fancy sounding, I know) is easier than you might think. And if done correctly, it will help you make the right vendor decisions while keeping the business secure and business owners onboard.
Some Basic Rules of Engagement
- It’s about securing the cloud and business, but don’t prevent people from getting their jobs done.
- Invest in security awareness training. Enlist the business up front to avoid unnecessary tension.
- Work hand-in-hand with legal and purchasing teams to enforce the process before a vendor is paid.
- Don’t forget to peek at the security of all integration points between a vendor and their connected services/vendors.
- Ask lots of questions, then use the data to determine risk levels.
- And most importantly: if the risk exceeds the business value, be willing to say “no”.
Start With These Questions
- Does your company have a corporate security policy?
- Does your company have a dedicated security team? If so, roughly how many people are on it?
- Is there a formal procedure for reporting a suspected security violation?
- Are your systems subjected to penetration testing? Is testing performed by internal personnel or outsourced? When was the last penetration test? What were the results?
- Does your organization scan and/or test for vulnerabilities in your service / application, and if so, how quickly are any identified vulnerabilities remediated? Please provide as much detail in your answer as possible.
- Approximately, how often do you upgrade your application? Will these upgrades impact my use of the application, and if so what time of day and for how long will I be affected?
- How and when will you notify me about any scheduled maintenance? How can I contact you to get more information about unscheduled or extended downtime?
- If the application or service is intended to run on the Force.com platform, has a Salesforce AppExchance Security Review been completed, and what were the results?
- Do you offer API access? Are there any extra charges to access API? What form do the APIs take?
- Can you verify that *all* API unit calls are both 1) authenticated (by managed key or OAuth) and 2) encrypted (by 128-bit or greater encryption)?
- What are your terms when it comes to ownership of data? How about any metadata I generate while using the application?
- How do you secure access to your data facilities where customer data will be stored?
- Is data deleted completely when deleted from the application?
- Do you support SAML 2.0 for user authentication?
- Does your organization utilize the OWASP Testing Guide and/or OWASP Code Review Guide to effectively find vulnerabilities in your service / application (with the intent of remediating identified vulnerabilities)? Please provide as much detail in your answer as possible.
- Can your service organization provide its most recent Service Organization Control (SOC) 1 and/or 2 Reports, related to design and effectiveness of financial reporting controls? If so, please forward.
- How do you comply with PCI DSS 3.0/HIPAA/Sarbanes-Oxley regulations? Please provide documentation.
- What level of technical support is included in your standard license agreement?
- In the event of an interruption of your service, what is your process for notifying customer operations of the circumstances of the interruption or outage and the expected recovery time
- Do you have a documented process for how system, application and data backups are performed?
- What is your backup & recovery SLA? What are the actual results/metrics vs. the SLA for the last 12 months?
- Is backup media containing confidential information encrypted and stored in a locked container during transport? Please describe encryption method.
- Is there a disaster recovery strategy in place? How frequently is it tested?
This is just the beginning. Use this template (warning, it includes over 60 questions you can pick from!) to design your own assessment program.
…Or, Read Our FREE Buyer’s Guide to Cloud Cybersecurity
In our free buyer’s guide to Cloud Cybersecurity, we help you:
- Gain an understanding of cloud cybersecurity fundamentals
- Arm yourself with selection criteria to help guide research
- Snag over 50 security-savvy questions to ask cloud cybersecurity vendors