Due Diligence and Ongoing Monitoring

  • 1.  vendors and cloud software assessment (AWS)

    This message was posted by a user wishing to remain anonymous
    Posted 05-20-2020 10:29 AM

    I have a vendor hosting an application in the cloud and, due to the "shared cloud responsibility", I'm wondering if requiring reports (e.g. output of Trusted Advisor, whether IAM is used, CloudTrail, etc.) makes sense? Outside of the SOC 2 made available for cloud vendors, what other due diligence would be required for cloud vendors holding PII data?


  • 2.  RE: vendors and cloud software assessment (AWS)

    Posted 05-27-2020 10:29 AM
    Yes, I'd request as much information as is reasonably available. Certainly, all of the things like a reputation risk check, history of data breaches, and articles of incorporation come to mind; additionally, I'd request copies of their business continuity plan and evidence of any penetration testing audits. I'd certainly welcome others' experience, particularly on the identity and access front, but if they are holding your / your customers' PII, I'd do as much due diligence as reasonably possible.


  • 3.  RE: vendors and cloud software assessment (AWS)

    This message was posted by a user wishing to remain anonymous
    Posted 06-02-2020 12:10 PM

    I would be interested in hearing from others if they have been successful in obtaining other security documentation from fourth-party vendor cloud providers (AWS, Microsoft Azure, etc.) other than SOC reports? Is this something that we can obtain without difficulty? Just looking for some guidance.


  • 4.  RE: vendors and cloud software assessment (AWS)

    Posted 06-03-2020 08:27 AM
    This is how you can get compliance documentation on AWS:

    AWS Artifact offers a number of documents for download. Different documents require different permissions, which are controlled by a combination of IAM policies and whitelisting.

    The Getting Started tutorial can be found on the AWS website using the following URL: Getting Started with AWS Artifact
    This tutorial shows you how to set up permissions and download reports by completing the following steps:
    1. Step 1: Create an Admin Group and Add an IAM User
    2. Step 2: Create an IAM Policy
    3. Step 3: Create IAM Users
    4. Step 4: Download a Document
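
    As an added illustration of the IAM policy that Step 2 refers to (this is not part of the post above or of the AWS tutorial it links to), here is a least-privilege policy that lets the group from Step 1 download only the SOC, PCI and ISO report packages from AWS Artifact and nothing else. The `artifact:Get` action and the `arn:aws:artifact:::report-package/...` resource form are the ones documented for Artifact report downloads; the `Sid` is a placeholder name chosen here. JSON does not allow comments, so the assumptions are stated in this lead-in: attach the policy to a group rather than to individual users, and check the action names against the current AWS Artifact documentation before use, as the Artifact console and API have changed since this thread was posted and may require additional actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ArtifactReadOnlyReportDownload",
      "Effect": "Allow",
      "Action": "artifact:Get",
      "Resource": [
        "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
        "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
        "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
      ]
    }
  ]
}
```

    Scoping the `Resource` list to named report packages, rather than using `"Resource": "*"`, is what keeps the vendor-assessment reviewers from also being able to accept or terminate agreements in Artifact, which are separate `artifact:` actions that this policy deliberately omits.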


  • 5.  RE: vendors and cloud software assessment (AWS)

    Posted 06-03-2020 10:56 AM
    Thank you Cecile!


  • 6.  RE: vendors and cloud software assessment (AWS)

    Posted 06-03-2020 12:15 PM
    Thanks for the information.