Risk Assessments

  • 1.  IT Vendor Risk Assessments

    Posted 11-14-2019 12:01 PM
    Just a question. When all documentation is received, such as the questionnaire, SOC 2 Type 2 reports, etc., and you are ready to start your assessment, do you only look at those items that are relevant to the use case, or do you assess their security posture overall? Also, do any of you use a template as part of assessing the vendors so the process is repeatable each time?


  • 2.  RE: IT Vendor Risk Assessments

    Posted 11-14-2019 07:33 PM
    Not sure this is responsive, but the first thing we do is confirm that the environment identified as in scope for the SOC report is the same as what we will use with the SaaS. Dead stop if not. We add a warranty in the contract that the services will be provided from only that environment. Then comes a review of the SOC exceptions and the management response. If it's ugly... time to shoot up a flare that this will not end well. We also do a search for any publicly announced data breaches. Some states like CA keep a list, and there are some free sites too. Haven't had a hit yet.



  • 3.  RE: IT Vendor Risk Assessments

    Posted 11-15-2019 11:04 AM
    This was great, as I totally understand what you meant. Thank you so much for your response :) Great information.


  • 4.  RE: IT Vendor Risk Assessments

    This message was posted by a user wishing to remain anonymous
    Posted 11-18-2019 03:52 PM

    We look at the whole scope of the vendor. We really look at the SOC report and evaluate the report. If there are any incidents, we review them with IT. We have a VM questionnaire that we use; it gives us direction on key points we should be reviewing.


  • 5.  RE: IT Vendor Risk Assessments

    Posted 12-14-2019 01:22 PM
    FYI, another site for data breaches. Likely the population of actual breaches is some high multiple of the published ones. https://privacyrights.org/categories/data-breaches