sunhux

asked on

Cloud compliance/certification reports that Security governance should request from service providers of Saas, IaaS, PaaS

I have vendors who host their services in MS Azure & AWS.

Q1:
As the IT Security governance/compliance person, under what circumstances
should I request that the vendors show me that the cloud's penetration/vulnerability
scan, ISO 27017/8 and SOC 2 reports are still valid & that patching/AV are up to date?
Is this regardless of whether the services offered to my organization are SaaS, IaaS or PaaS?

Q2:
Would the ISO or SOC 2 reports (or which other reports would) have covered (i.e. certified)
that the cloud service provider has patching/antivirus up to date and penetration/VA
findings remediated?

Q3:
If the vendors ask me to just refer to the reports available for Azure below:
  https://servicetrust.microsoft.com/Documents/ComplianceReports
  https://azure.microsoft.com/en-us/blog/microsoft-azure-leads-the-industry-in-iso-certifications/
is that sufficient, or should I still insist on the actual penetration/VA scan
reports & SOC 2 reports (which I guess are for more sensitive SaaS services
like payroll & credit card systems)?

Q4:
For less-sensitive systems (that don't contain PII), like transportation
tracking & asset management systems, which reports suffice?
SOLUTION
btan

sunhux

ASKER

If it's SaaS, PaaS or IaaS, would that make any difference to the
reports (do specify whether it's a vulnerability scan report or a penetration report, SOC 2,
or those reports listed in the above links) to be requested from
the vendors?
sunhux

ASKER

We use mostly SaaS, and there's one particular service where we host
our stowage tracking service in the vendor's DB in the cloud (a DB that
is shared among various customers, with customers' data logically
segregated) & we run this vendor's on our corporate mobile phones
(iOS & Android).
ASKER CERTIFIED SOLUTION