Information Security

  • 1.  Vetting SaaS Vendors

    Posted 14 days ago

    Does anyone have a template they would like to share on vetting SaaS vendors?



  • 2.  RE: Vetting SaaS Vendors

    Posted 11 days ago

    It might be difficult to develop a template to vet SaaS vendors, since this is such a broad category. However, I'll provide some best practices and recommendations that should help you get started in vetting SaaS vendors.

    Best practices for assessing risk:

    • Evaluate some general information such as the vendor's qualifications, service level agreements, billing, ease of use, and the SaaS interface.
    • Ask the vendor relevant security questions about their standards, encryption practices, data migration process, and who will have access to your data.
    • Also consider asking the vendor questions about the vendor's business continuity and disaster recovery plans and incident response management.
    • And make sure you're aware of the type of support the vendor provides and how it handles changes and manages controls.

    Best practices for due diligence:

    • Start by collecting all of the foundational documents like business license, credit report, list of subcontractors and any negative news search findings.
    • You should also review the vendor's audited financial statements, as well as any relevant insurance certificates and licenses or certifications.
    • It's important to know how your SaaS vendors are managing their own third parties, so you should also collect and review their vendor management policy.
    • One due diligence document that can really help in vetting a SaaS vendor is a Consensus Assessments Initiative Questionnaire (CAIQ). This is a questionnaire developed by Cloud Security Alliance and covers 16 categories of controls. Once you collect this from the vendor, have it reviewed by a qualified subject matter expert who can identify any gaps in the vendor's security controls.

    These best practices and recommendations are just a starting point, and you'll want to make sure that you're asking questions and collecting documentation that is specific to the vendor's product.

    I hope these best practices are helpful and I'd like to know how other members are vetting their SaaS vendors.




  • 3.  RE: Vetting SaaS Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 10 days ago

    Thank you for this insightful information Christine!

    How would you recommend vetting IaaS and PaaS suppliers (only in terms of the security controls)?

    Is anyone in the community using any tools / checks for the credibility of COTS application suppliers?

    Thanks all!




  • 4.  RE: Vetting SaaS Vendors

    Posted 10 days ago

    I'm glad my answer was helpful! The CAIQ I mentioned before is designed to assess the security controls of all three providers – SaaS, IaaS, and PaaS. The questionnaire contains yes/no questions, which makes it easy to determine whether the provider is compliant with the Cloud Security Alliance's Cloud Controls Matrix (CCM).




  • 5.  RE: Vetting SaaS Vendors

    Posted 11 days ago
    Michael, please see the HECVAT (Higher Education Cloud Vendor Assessment Tool) that's used by universities to assess cloud vendors. These questions apply to any cloud vendor.
    Here's the link: Higher Education Community Vendor Assessment Toolkit | EDUCAUSE Library
    Regards,

    Jose Morales
    Virginia Commonwealth University
    Program Manager, Information Security 




    Attachment: hecvat306rc3.xlsx (1.28 MB)