Our organisation is moving a number of applications and their databases to cloud/SaaS-based systems – therefore our data (often PII) is hosted on external infrastructure that we don’t manage. I presume we don’t have any rights to audit their infrastructure for security issues, but our IT section seems to be of the view that they have no real responsibility for verifying the security of the hosting provider's infrastructure, yet were it to be compromised it would be our data exposed. Ultimately they are doing nothing in this area:
What should the organisation be doing in terms of verifying the security of the hosting provider's network infrastructure? If anything? They've never seen any sort of vulnerability assessment report for the servers hosting their data, so they have no idea whether such work is undertaken.
What are the risks in essentially doing/monitoring nothing in this area? Should this be a contractual issue, i.e. a requirement for the hosting provider to conduct vulnerability assessments on the servers hosting our data?