Information Security

 View Only
  • 1.  On-premise based vendors

    Posted 09-18-2019 03:17 PM

    Recommended best practices for reviewing on-premise vs. Cloud vendors


    I'm looking for guidance/best practices for reviewing 'on-premise' vendors (and their solutions) where they have been deemed critical and high risk.

  • 2.  RE: On-premise based vendors

    Posted 09-19-2019 05:48 PM
    This will depend on the type of vendor and the services you're consuming from them, so this answer will be somewhat general. I'll assume in the context of this question that by "on-premise" you're asking about a vendor who's service you're hosting within your own environment versus a cloud service provider or at the vendor. If you're asking about a vendor hosting a service within a vendor owned data center versus a cloud service provider, let me know and I or a community member will address that. 

    For services you're hosting within your environment, on prem, many of the due diligence checks are now your own internal controls, but some remain. Much of the information security, resiliency, and continuity due diligence will be internally focused instead. What's left are controls around the software/service itself and what support the vendor provides. 

    Information Security Policy
    Software Change Management Policy
    Software Development Security Policy
    Background Checks on support and development
    Security and Privacy Training for support and development
    Business continuity for support and updates
    Financials for continuity

    How are others handling on-premise vendor due diligence? Have these vendors been more difficult to obtain the due diligence materials you're asking for?

  • 3.  RE: On-premise based vendors

    Posted 09-20-2019 11:52 AM

    Hi Aaron, thanks for the reply.

    Yes, I'm referring to an all on-premise in our environment.  We spool up our own servers and install their software on our machines, etc.

    You are validating my thoughts around the software/service vendor review. Question…. Is there an "on-premise' vendor questionnaire similar to the QAIQ for cloud vendors?

  • 4.  RE: On-premise based vendors

    Posted 09-20-2019 01:35 PM
    I am not familiar with one, private or publicly available scoped down to on prem vendor services. What we do for our analysis services is use the same template and scope out not applicable items. I'd like to hear from others if there is a better solution out there!

  • 5.  RE: On-premise based vendors

    Posted 11-17-2021 04:37 AM
    I am proposing a change to use a lighter version of our current questionnaire for on-prem as well.  Like Aaron, I wanted to focus on only those items we would continue to depend on the vendor for.  These vendors have been much more difficult to complete and return our questionnaire.  On the same token, I due understand and wanted to tailor our approach.  It is still a work in progress, but what I have today is:
    1. Do you have a Privacy Program
    2. Do you have an Information Security Policy
      1. Does it include encryption
      2. Access management
      3. Asset management
      4. Physical Security
      5. Vendor management
    1. Do you have record retention/data destruction policies
    2. Do you have a Business Continuity and Disaster Recovery Plan
      1. Is it tested annually
    3. Do your hiring policies include background checks?
    4. Do you have compliance policies in place and
      1. Does it include change management
      2. Software Development Security Policies

  • 6.  RE: On-premise based vendors

    This message was posted by a user wishing to remain anonymous
    Posted 11-17-2021 08:17 AM
    This message was posted by a user wishing to remain anonymous

    Hi, thanks for sharing your view on reviewing  on-premises 3rd party product/services.
    In my opinion the end user using these services, should have accountability in implementing  internal controls and have a internal secure release process, with continuous monitoring enabled on such 3rd party product & services.
    Also supplier must  provide assurance of key control areas the product is secured with, with ownership on supplier to release periodic updates and security patches of the product supplied.
    Commercial off-the-shelf software, are other segment, the end user has less visibility of security practices followed by COTS supplier.