Information Security

 View Only
  • 1.  Review of On-Premise Products

    Posted 04-13-2021 01:15 PM
    What type of reviews are your institutions conducting for systems and softwares that are hosted on-premise? Our reviews are conducted by our Information Security group and reviews are returned to us (Vendor Management). We're curious what a review looks like that's not a hosted solution. What documents are reviewed? Any help is greatly appreciated! Thanks!

  • 2.  RE: Review of On-Premise Products

    Posted 04-13-2021 02:44 PM

    The supporting documents which we request of outside / SaaS application vendors include:


    1. SOC 2 Type II (complete report)
    2. ISO 27001 certification, or other third party certifications
    3. Information Security Org Chart
    4. Information Security Policies 
    5. Risk Management Program evidence
    6. Code of Conduct / Ethics program
    7. Employee Background Check Policy
    8. Incident Response Policy
    9. Vulnerability Management / Patch Process
    10. Physical Security Policy
    11. Software Development Lifecycle
    12. Change Management Process
    13. Third Party Vendor Management Process
    14. Annual Network Penetration Test
    15. Application Penetration Test


  • 3.  RE: Review of On-Premise Products

    Posted 04-13-2021 02:48 PM
    So, we do the same for solutions that are in a cloud environment, but do you ask for the same documents if it's going to be a software that is maintained on your institution's servers?​