So, we do the same for solutions that are in a cloud environment, but do you ask for the same documents if it's going to be a software that is maintained on your institution's servers?
Original Message:
Sent: 04-13-2021 02:32 PM
From: Kate Wakefield
Subject: Review of On-Premise Products
The supporting documents which we request of outside / SaaS application vendors include:
- SOC 2 Type II (complete report)
- ISO 27001 certification, or other third party certifications
- Information Security Org Chart
- Information Security Policies
- Risk Management Program evidence
- Code of Conduct / Ethics program
- Employee Background Check Policy
- Incident Response Policy
- Vulnerability Management / Patch Process
- Physical Security Policy
- Software Development Lifecycle
- Change Management Process
- Third Party Vendor Management Process
- Annual Network Penetration Test
- Application Penetration Test
Original Message:
Sent: 4/13/2021 1:15:00 PM
From: Summer Dobbins
Subject: Review of On-Premise Products
What type of reviews are your institutions conducting for systems and software that are hosted on-premise? Our reviews are conducted by our Information Security group, and the reviews are returned to us (Vendor Management). We're curious what a review looks like for a solution that is not hosted. What documents are reviewed? Any help is greatly appreciated! Thanks!