sunhux asked on

Cyber Governance of a Cloud SaaS

A leading ERP cloud provider (one of the big 3 like SAP, Oracle, MS)
has replied to us that they can't share the hardenings that they have
in place for their OS; neither would they sign the hardening
checklist nor share the penetration test report.

What is typically the way, from a customer's cyber governance standpoint,
that we can proceed? Ask for a SOC2 report, or which report would
certify that they have performed the required (CIS) hardening &
penetration testing?

Or can we still demand to sight the hardening settings & pentest
reports? We are using their SaaS.

Last Comment: madunix, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
btan

sunhux

ASKER
I have come across a few cases where auditors wanted to
do a site visit to the CSP. Is it reasonable that we put in
our contract with the CSP that, in the event auditors request it,
the CSP or the SaaS provider has to allow the auditors to
interview them and sight their docs (pentest, hardenings, VA
& their change process)?

I noticed these are mentioned in Spore's Cyber
Code of Practice, which owners of a CII must impose on
their IT providers (not SaaS specifically, but turnkey and
apps vendors).
sunhux

ASKER
From the SaaS vendor (who also operates as the CSP):
"We employ standardized system hardening practices across xxx Cloud devices; however, we can't share this due
to security/confidentiality reasons. This includes restricting protocol access, removing or disabling unnecessary software and services, removing unnecessary user accounts, patch management, and logging."

I have also come across a vendor that hosts services for banks and
declined to let auditors who went onsite view their pentest report,
citing confidentiality/security reasons.
sunhux

ASKER
Btw, when can we use OSPAR (Outsourced Service
Provider ... Report) as a proxy for actually viewing or
sighting which artefacts (VA or pentest or ?)?
SOLUTION
btan
SOLUTION
madunix