This message was posted by a user wishing to remain anonymous
Looking for ideas or innovative ways others have solved the issue of how to get large organizations, to name a few (AWS, Google, Microsoft, etc.), to complete your company's infosec review.
- While the listed example companies have a compliance page with all their security documents listed, do you still feel the need to vendor-risk-assess these organizations? If so, why?
- If you do not risk-assess them, do you apply a risk-based methodology to the large organizations?
I ask this as a broad question, as we are looking to implement what we call 'pre-defined vendor profiles' for our large-impact vendors who also refuse to complete our infosec assessment. We plan on obtaining the standard compliance docs, policies, etc. that are part of the company's security package and setting automated expiration dates next to each document collected so that we can request it again. Does anyone follow this practice, or is it ideal to go down this route?