Information Security

  • 1.  On-Site vs On-line Remote Information Security Assessments

    This message was posted by a user wishing to remain anonymous
    Posted 11-15-2024 11:59 AM

    Hi all, please can anyone share their criteria for when to carry out on-site vs on-line remote information security assessments of their third party suppliers, and for remote assessments how they assess physical security controls.



  • 2.  RE: On-Site vs On-line Remote Information Security Assessments

    Posted 11-18-2024 07:43 AM

    I can't say I've ever done an on-site security assessment, nor spoken to anyone who has.

    This may be in part due to the relative size of the companies I have done this for, and it may also be due to geography - there aren't many datasites that are local to where I have lived or worked. The third strike would be that I suspect not many larger companies are welcoming to people poking around at the physical security of their businesses.

    So, I will then point out that many SOC reports cover physical inspections, and those inspections are done by trained pros, which in turn provides a consistency that is simply not there with random customers doing inspections. If you have auditors that are asking when you've done on site inspections, or it's part of your policies, and you have the budget and time to do it, then congrats. Hopefully whoever you send has training and clearance to determine best practices and that the company is following their policies.

    Sorry if that sounds short. On site is just one of those things that I don't consider because the ROI is so low, if it even exists.




  • 3.  RE: On-Site vs On-line Remote Information Security Assessments

    This message was posted by a user wishing to remain anonymous
    Posted 11-18-2024 10:25 AM

    Because the question is a bit ambiguous, will answer in two parts.

    1) On site inspection of information security at data centers: If the question is asking about physical security at data centers, agree with Dave. Was able to do one of those in a thirty year career involving vendor management, and only because of the deep relationship with the vendor. The SIG didn't exist back then and SSAE (predecessor to SOC) reports didn't fully cover information security either. In today's environment, I can't imagine any vendor allowing it - except in the main cases of 1) deeper pockets by the requester (big client exception); 2) deep relationship between your entity and the vendor or 3) lack of SIG by vendor.

    2) On site inspection of information security at business offices: General observations at building entrance, entrance to the vendor's office spaces and observations as you travel around the office spaces likely will be sufficient. (Looking for key cards, clear desks, locked computers etc.) In the near paperless environment of the 21st century, there's not a lot to observe.

    Finally, you could consider:

    a) SLAs

    b) Contractual clauses covering the items that concern your firm

    c) Required annual certifications regarding a & b.

    Hope this is helpful.




  • 4.  RE: On-Site vs On-line Remote Information Security Assessments

    Posted 11-18-2024 12:47 PM

    I too agree with Dave and the other post, however I will offer some additional insight (if you will indulge me with a little story telling).

    My personal information was first stolen in 1985. Some IT guy left back-up tapes in the back seat of his car while stopping for a bite to eat. Two years later, someone stole my medical information by walking in and stealing a server right out of the rack. Since then, my information has been compromised no less than 14 times - but now, all digitally. My point simply being, today, most places have awesome physical security standards - and the likelihood of that happening is small compared to an electronic attack. Thus, any on-site assessment for Physical Security might not be needed.

    So, what I do for all my mission critical vendors is to monitor their external facing assets - the assets that are visible to everyone, including the bad guys - DAILY. This form of Information Security assessment with my vendors has helped me provide much needed visibility into the cyber hygiene of companies dealing with, holding, or transmitting our company data. IMHO, that is where the threat lies, the vulnerabilities exist, and my best opportunity to identify and mitigate shortfalls with third parties -- in a more timely fashion.

    Feel free to email direct if interested in how I accomplish this.



    ------------------------------
    Doug

    ------------------------------
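Doug's post above describes monitoring a vendor's external-facing assets daily but does not show how that monitoring is done. The following is an added illustration, not Doug's tooling or any product named in this thread: it takes one day's observations of a vendor's public host (TLS version, certificate expiry, response headers, reachable ports), turns them into graded findings, and reports only what is new since the previous day, which is what makes a daily cadence useful. The host name `portal.vendor.example`, the dates and the observations are constructed sample data; a real run would fill the `HostObservation` records from whatever authorized external-surface data source you already use.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class HostObservation:
    """One day's view of a single public host (fields are constructed sample data)."""
    host: str
    observed_on: date
    tls_protocol: str          # e.g. "TLSv1.2"
    cert_not_after: date       # certificate expiry date
    headers: dict              # response headers from the public HTTPS endpoint
    open_ports: list = field(default_factory=list)


# Hygiene thresholds used by this example (assumed values, tune to your policy).
ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}
RISKY_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp"}
CERT_WARNING_DAYS = 30


def evaluate_host(obs):
    """Return a list of (severity, finding_id, detail) tuples for one host."""
    findings = []
    days_left = (obs.cert_not_after - obs.observed_on).days
    if days_left < 0:
        findings.append(("high", "tls-cert-expired", f"expired {-days_left} days ago"))
    elif days_left < CERT_WARNING_DAYS:
        findings.append(("medium", "tls-cert-expiring", f"{days_left} days left"))
    if obs.tls_protocol not in ACCEPTED_TLS:
        findings.append(("high", "tls-legacy-protocol", obs.tls_protocol))
    lowered = {k.lower(): v for k, v in obs.headers.items()}
    if "strict-transport-security" not in lowered:
        findings.append(("low", "missing-hsts", "no Strict-Transport-Security header"))
    for port in sorted(obs.open_ports):
        if port in RISKY_PORTS:
            findings.append(("high", f"exposed-{RISKY_PORTS[port]}", f"port {port} reachable"))
    return findings


def daily_delta(previous, current):
    """Findings present today but absent yesterday, matched on finding_id."""
    previous_ids = {f[1] for f in previous}
    return [f for f in current if f[1] not in previous_ids]


def run_report(observations):
    """Evaluate every observed host and return {host: findings}."""
    return {o.host: evaluate_host(o) for o in observations}


# Constructed sample data: one fictional vendor host seen on two consecutive days.
YESTERDAY = HostObservation(
    host="portal.vendor.example", observed_on=date(2024, 11, 17),
    tls_protocol="TLSv1.2", cert_not_after=date(2024, 12, 1),
    headers={"Strict-Transport-Security": "max-age=31536000"}, open_ports=[443])
TODAY = HostObservation(
    host="portal.vendor.example", observed_on=date(2024, 11, 18),
    tls_protocol="TLSv1.2", cert_not_after=date(2024, 12, 1),
    headers={"Strict-Transport-Security": "max-age=31536000"}, open_ports=[443, 3389])

if __name__ == "__main__":
    # Yesterday already flagged the expiring certificate; today only the newly
    # reachable RDP port is reported as new.
    for sev, fid, detail in daily_delta(evaluate_host(YESTERDAY), evaluate_host(TODAY)):
        print(f"[{sev}] {TODAY.host}: {fid} ({detail})")
```

The split between `evaluate_host` and `daily_delta` is deliberate: the full finding list is what you file with the vendor's risk record, while the delta is what is worth a same-day email to the vendor contact.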