Due Diligence and Ongoing Monitoring

vendors and cloud software assessment (AWS)

  • 1.  vendors and cloud software assessment (AWS)

    This message was posted by a user wishing to remain anonymous
    Posted 10 days ago

    I have a vendor hosting an application in the cloud, and because of the "shared cloud responsibility" model, I'm wondering whether requiring reports (i.e. output of Trusted Advisor, whether IAM is used, CloudTrail, etc.) makes sense. Outside of the SOC 2 made available for cloud vendors, what other due diligence would be required for cloud vendors holding PII data?
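    One way to make the reports the post asks for reviewable rather than a pile of JSON is to score them against a fixed checklist. The example below is added here and is not from the original post or any AWS tooling; it reads the JSON a vendor can export with `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status` and `aws iam get-account-summary`, and the sample evidence is constructed, not from a real account.

```python
"""Score vendor-supplied AWS evidence against a small due-diligence checklist.

Evidence layout (keys chosen here, not an AWS format):
  trails          -> output of `aws cloudtrail describe-trails`
  trail_status    -> {trail name: output of `aws cloudtrail get-trail-status`}
  account_summary -> output of `aws iam get-account-summary`
"""


def evaluate_evidence(evidence: dict) -> dict:
    """Return {check_name: (passed, detail)} for each checklist item."""
    trails = evidence.get("trails", {}).get("trailList", [])
    status = evidence.get("trail_status", {})
    summary = evidence.get("account_summary", {}).get("SummaryMap", {})
    results = {}

    # CloudTrail: at least one multi-region trail that is logging now and
    # has log file validation enabled (tamper evidence for the audit trail).
    good_trail = any(
        t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")
        and status.get(t.get("Name", ""), {}).get("IsLogging")
        for t in trails
    )
    results["cloudtrail_multiregion_logging"] = (good_trail, f"{len(trails)} trail(s) supplied")

    # Trail logs contain request metadata about PII-handling actions; expect
    # every trail to be KMS-encrypted (KmsKeyId set) for a PII-hosting vendor.
    kms_ok = bool(trails) and all(t.get("KmsKeyId") for t in trails)
    results["cloudtrail_kms_encrypted"] = (kms_ok, "KmsKeyId present on all trails" if kms_ok else "unencrypted trail")

    # Root account hygiene from get-account-summary: MFA on, no root access keys.
    results["root_mfa_enabled"] = (summary.get("AccountMFAEnabled") == 1, "AccountMFAEnabled")
    results["root_no_access_keys"] = (summary.get("AccountAccessKeysPresent") == 0, "AccountAccessKeysPresent")

    # "Is IAM used?": individual users or roles exist rather than shared root use.
    principals = summary.get("Users", 0) + summary.get("Roles", 0)
    results["iam_in_use"] = (principals > 0, f"{principals} IAM users/roles")
    return results


def failed_checks(evidence: dict) -> list:
    """Sorted names of checklist items the evidence does not satisfy."""
    return sorted(name for name, (ok, _) in evaluate_evidence(evidence).items() if not ok)


# Constructed sample: one healthy trail that is not KMS-encrypted, root MFA on,
# but a root access key still exists.
SAMPLE_EVIDENCE = {
    "trails": {"trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                              "LogFileValidationEnabled": True}]},
    "trail_status": {"org-trail": {"IsLogging": True}},
    "account_summary": {"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 1,
                                       "Users": 14, "Roles": 9}},
}

if __name__ == "__main__":
    for name, (ok, detail) in evaluate_evidence(SAMPLE_EVIDENCE).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
```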


  • 2.  RE: vendors and cloud software assessment (AWS)

    Posted 3 days ago
    Yes, I'd request as much information as is reasonably available. Certainly, things like a reputation risk check, history of data breaches, and articles of incorporation all come to mind; additionally, I'd request copies of their business continuity plan and evidence of penetration testing audits of some sort. I'd certainly welcome others' experience, particularly on the identity access front, but if they are holding your / your customers' PII, I'd do as much due diligence as reasonably possible.