sunhux

asked on

Cyber Governance of a Cloud SaaS

A leading 1-ERP cloud provider (one of those 3 like SAP, Oracle, MS)
has replied to us that they can't share the hardening they have
in place for their OS; nor would they sign off on the hardening
checklist or share the penetration test report.

What is typically the approach, from a customer's cyber governance
perspective, that we can take? Ask for a SOC 2 report, or which report
would certify that they have performed the required (CIS) hardening and
penetration testing?

Or can we still demand to sight the hardening settings and pentest
reports? We are using their SaaS.
ASKER CERTIFIED SOLUTION
btan
sunhux

ASKER

I have come across a few cases where auditors wanted to
do a site visit to the CSP. Is it reasonable that we put in
our contract with the CSP that, in the event auditors request it,
the CSP or the SaaS provider has to allow the auditors to
interview them and sight their docs (pentest, hardening, VA
and their change process)?

I noticed these are mentioned in Singapore's Cyber
Code of Practice, which owners of a CII must impose on
their IT providers (not SaaS specifically, but turnkey and
apps vendors).
sunhux

ASKER

From the SaaS vendor (who also operates as the CSP):
"We employ standardized system hardening practices across xxx Cloud devices; however, we can't share this due to security/confidentiality reasons. This includes restricting protocol access, removing or disabling unnecessary software and services, removing unnecessary user accounts, patch management, and logging."

I have also come across a vendor that hosts services for banks who
declined to show their pentest report to auditors who went onsite to view it,
citing confidentiality/security reasons.
sunhux

ASKER

By the way, when can we use OSPAR (Outsourced Service
Provider ... Report) as a proxy for actually viewing or
sighting which artefacts (VA, pentest or ?)?