A vendor actually provided me with detailed instructions for how to access AWS documentation (SOC reports, PCI certification, etc.). It worked great for me and I was able to pull a lot of documentation I needed. The instructions are below:
CREATE ACCOUNT
STEP 1 Go to www.aws.amazon.com and click the Create an AWS Account button in the top right.
STEP 2 Complete the Create an AWS Account form and click the Continue button.
Note: the email address should NOT be associated with an account on Amazon.com.
STEP 3 Complete the Contact Information form and click the Create Account and Continue button.
STEP 4 Rather than completing the Payment Information form, navigate to www.aws.amazon.com, hover over the My Account menu and click on the AWS Management Console option.
SIGN IN
STEP 1 Enter your username and click the Next button. (Root user)
STEP 2 Enter your password and click the Sign In button.
REQUEST REPORT
STEP 1 In the AWS Management Console, search 'Artifact' or 'Compliance Reports' in the AWS services box.
STEP 2 Find the report you're looking for by scrolling through the results list. Once you find the report, click the Get this Artifact button.
STEP 3 If the Approval required dialog box appears, click the Open a request for access to this report link.
------------------------------
Shelly Chase
Senior Risk Analyst Officer
------------------------------
Original Message:
Sent: 11-10-2021 03:32 PM
From: Ashley Balletto
Subject: Microsoft Due Diligence
Hi Stephanie. We use a different vendor management program but since Microsoft is one of our Critical Vendors, we have our vendor program perform enhanced due diligence reviews for us.
Microsoft is one of those vendors that won't release their documentation to a third party, therefore the bank's vendor owner had to reach out to them to obtain the information, which was downloaded from their portal.
Below is what we request from all of our Critical Vendors:
- Latest SOC report (SOC 2 is preferred) or equivalent third-party audit for applicable products.
- Gap/Bridge Letter(s) for the SOC reports
- Information Security, Privacy, and applicable Compliance Policies (AML, PCI, NACHA, BSA, etc.)
- Cyber/Network Security Policies with Testing Requirements and Results (i.e. Vulnerability and/or Penetration Testing)
- Incident Response Policies with client notification protocols
- Disaster Recovery/Business Continuity/Pandemic Plans
- Disaster Recovery/Business Continuity Testing Results
- Current Certificate of Insurance (e.g. General Liability, E&O, Cyber)
- Latest Annual Financial Statement with period end date of 2020 or 2021 (audited financial statements, including two comparative years of results, with notes preferred)
Original Message:
Sent: 11-10-2021 12:50 PM
From: Stephanie Bowersox
Subject: Microsoft Due Diligence
Hello,
I was curious how others handle Microsoft as a vendor. Outside of the SOCs provided on their website, does anyone reach out to them further to collect more documents, for example any sort of cyber security documents? Trying to figure out how far to push things or if we just work with what they initially provide online.
Has anyone had Venminder itself reach out to Microsoft to collect documents and complete a review?
Thanks!