This message was posted by a user wishing to remain anonymous
As part of our annual due diligence we ask for updated documents such as Information Security, Privacy, and applicable Compliance Policies (AML, PCI, NACHA, BSA, etc.); Cyber/Network Security Policies with Testing Requirements and Results (i.e. Vulnerability and/or Penetration Testing); Incident Response Policies with client notification protocols; Disaster Recovery/Business Continuity/Pandemic Plans; and Disaster Recovery/Business Continuity Testing Results, as this is not always discussed in the SOC report. I am finding it harder to collect these documents, as the vendor does not want to share them because they are confidential. Thoughts on how to get around this?