Due to the complexity of the type of risk associated with the cloud service provider and the nature of the various classifications of data handled and stored by the provider, you should first ensure that you have policies, procedures, and standards approved by your board and senior management and consistent with company strategy.
Although your inquiry is about information security, a good program should include a risk-based approach to due diligence, be performed by subject matter experts, and include evaluation of legal, operational, financial, resiliency, reputational, and compliance risk at a minimum. Prior to having the SME perform the assessment, questionnaires should be sent to and collected from the vendor along with any supporting documentation.
Original Message:
Sent: 09-11-2019 03:47 PM
From: Danielle Shanahan
Subject: Cloud Based Vendors
More and more vendors are converting to cloud-based strategies for providing services and/or storing confidential/sensitive data. Should there be a separate info sec questionnaire and due diligence requirements for these types of vendors? Any guidance would be appreciated.
Thank you!