Information Security

Welcome to the Information Security Community. Here you will find the latest discussions and resources that can help you in this area. This community is dedicated to discussions related to SOCs, business continuity and disaster recovery planning, cybersecurity, and other information security topics and challenges. Note: You will need to Sign In to join in the discussions and access resources. 

About Third-Party Information Security: You're expected to understand your vendor's approach to security. Verifying that a vendor's information security practices are sound is vital to safeguarding your data. It needs to be a requirement, since protecting your data, regardless of the size of your organization, and protecting each individual customer are fundamental to the success of your organization.

Latest Discussion Posts

  • An alternative for that vendor is to request their policies - their information security policy, their Incident Response, etc. I realize these are not reviewed and tested by an audit firm, but it at least provides a record of what the vendor claims is ...

  • I agree this is frustrating. We often see this from start-ups and smaller (perhaps local) companies. A SOC audit can be fairly expensive and very time-consuming, and a small company may not have those resources. Partnering with a cloud provider like AWS ...

  • This message was posted by a user wishing to remain anonymous. My institution sends SIG Lite questionnaires for vendors who can't or won't provide SOC 2 Type 2 reports. If they protest, we replace them with a vendor who is more compliant.

  • This message was posted by a user wishing to remain anonymous. I don't know if it is a red flag or not but it is concerning. The purpose of a SOC 2 is for a vendor to show how they manage security and related controls and unless they are Amazon, what ...

  • This message was posted by a user wishing to remain anonymous. Consider specifically requesting their information security policies, penetration test results and follow-up on any findings. Do you have the ability to send them a Standard Information ...
