Risk Assessments

  • 1.  Large Business Organizations

    This message was posted by a user wishing to remain anonymous
    Posted 08-03-2021 03:49 PM

    Looking for ideas or innovative ways others have solved the issue of how to get large organizations, to name a few (AWS, Google, Microsoft, etc.), to complete your company's infosec review.

    • While the listed example companies have a compliance page with all their security documents listed, do you still feel the need to vendor-risk-assess these organizations? If so, why?
    • If you do not risk assess them, do you apply a risk-based methodology to the large organizations?

    I ask this as a broad statement, as we are looking to implement what we call 'pre-defined vendor profiles' for our large-impact vendors who also refuse to complete our infosec assessment. We plan on obtaining the standard compliance docs, policies, etc. that are part of the company's security package and setting automated expiration dates next to each document collected so that we can request it again. Does anyone follow this practice, or is it ideal to go down this route?


  • 2.  RE: Large Business Organizations

    Posted 08-10-2021 08:43 AM
    Hi! 

    I think you're off to a great start with the pre-defined profiles. When it comes to any organization that simply refuses to provide you information in the way you want to receive it, we have to find a way to compromise. Knowing what you can anticipate receiving from them and then asking for that same material again can save your program a lot of headache. The trick is determining whether or not you're comfortable with the level of detail and assurance they've provided. If we get in a rut with due diligence: document, communicate and report. Record the level of comfort you do or do not have, and make sure that any discrepancies or lack of evidence are understood by the decision makers of your organization; the decision in this case (as with Google, AWS, etc.) would be to accept the risk. But you can have the comfort of having recorded your steps and being aware of the exact risks that have been accepted, rather than just letting it go because we can't do anything about it.

    Any other thoughts on this? Recording and reporting the risks has always been my go-to... but does anyone have more feedback or tricks for receiving more detailed information from these organizations?

    Nicole


  • 3.  RE: Large Business Organizations

    Posted 08-10-2021 10:42 AM

    Hi there,

    You can find security information on Google; it does take a bit of searching. Depending on the Google product you have, an internet search should get you what you need.

    To start, try this link https://workspace.google.com/learn-more/security/security-whitepaper/page-5.html

    I have had similar results using a web search for large companies; try searching "company name + SOC".

    I would like to know if any other members have any other resources or suggestions.