Due Diligence and Ongoing Monitoring

  • 1.  Cloud Based Vendors

    Posted 09-11-2019 03:48 PM
    More and more vendors are converting to cloud-based strategies for providing services and/or storing confidential/sensitive data. Should there be a separate info sec questionnaire and due diligence requirements for these types of vendors? Any guidance would be appreciated.

    Thank you!


  • 2.  RE: Cloud Based Vendors

    Posted 09-11-2019 05:19 PM
    The CAIQ (Consensus Assessments Initiative Questionnaire) by the CSA (Cloud Security Alliance) is meant just for this purpose. The type of cloud service being used will dictate the scope of controls you will be responsible for versus the cloud services provider. For example, you have to rely far more on the vendor's control environment for Software-as-a-Service (SaaS) providers compared to an Infrastructure-as-a-Service (IaaS) provider. The rest of your due diligence process will still apply and SOC 2 reports will be valuable for cloud service providers as well.


  • 3.  RE: Cloud Based Vendors

    Posted 09-11-2019 05:21 PM
    Yes, there definitely should be different due diligence - in fact, we typically see clients using several different types of due diligence requests (e.g., one for general service providers, one for their core processor, one for marketing companies, one for data storage companies, one for title agents / attorneys, etc. - definitely not one-size-fits-all) - you may not have as many variations of an information security questionnaire, but certainly you're going to want to ask questions more specific to that type of service than you are of, let's say, your attorneys... hope that helps and certainly welcome input from others in the community as to what works well for them.


  • 4.  RE: Cloud Based Vendors

    Posted 10-23-2019 08:50 AM

    Due to the complexity of the type of risk associated with the cloud service provider and the nature of the various classifications of data handled and stored by the provider, you should first ensure that you have policies, procedures, and standards approved by your board and sr. management and consistent with company strategy.

    Although your inquiry is about information security, a good program should include a risk-based approach to due diligence, be performed by subject matter experts, and include evaluation of legal, operational, financial, resiliency, reputational, and compliance risk at a minimum. Prior to having the SME perform the assessment, questionnaires should be sent to and collected from the vendor along with any supporting documentation.