https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43553#M325 <P>Thanks for your input. I was thinking along similar lines.</P> Thu, 25 Feb 2021 07:33:16 GMT CISSP-MR 2021-02-25T07:33:16Z https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43540#M322 <P>I am preparing to start at a new company and I will need to handle Vendor assessment requirements like CAIQ and similar from customers.<BR />Since all customer data is stored in AWS, can I use the AWS CAIQ as a reference to show that we meet the requirements ?<BR />Is there anything I should be aware of that could be a pitfall ?<BR />Where are more resources that can help me ?</P><P>Thanks !</P> Wed, 24 Feb 2021 19:22:29 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43540#M322 CISSP-MR 2021-02-24T19:22:29Z https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43543#M323 <P>It depends on the customer and their requirements. You can start out with the <STRONG>AWS CAIQ</STRONG> and <STRONG>AWS SOC</STRONG> reports and that would probably satisfy most of your customers' requirements. <STRONG>BUT</STRONG> It doesn't tell the customer about security practices inside of your company though. Hopefully, your new company has an internal security assessment that can be shared with customers with a signed NDA upon request.</P> Wed, 24 Feb 2021 20:21:26 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43543#M323 tmekelburg1 2021-02-24T20:21:26Z https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43546#M324 <P>Pitfalls? What can go wrong with Cloud security? I'm not a fan of paper assessments. I guess that is because I was always told not only to <STRONG>trust, but verify</STRONG>. What I use today are several <A href="https://github.com/toniblyx/my-arsenal-of-aws-security-tools" target="_blank" rel="noopener">Open Source tools</A> to discover misconfigured assets, including an automated assessment of IAM roles. That is the <STRONG>ONLY</STRONG> way you can be sure you data is safe. Take the technical approach!</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="cloud.png" style="width: 275px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/5267iC5A3EC483FC8FE02/image-size/medium?v=v2&amp;px=400" role="button" title="cloud.png" alt="cloud.png" /></span></P><P>&nbsp;</P> Thu, 25 Feb 2021 01:35:36 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43546#M324 AppDefects 2021-02-25T01:35:36Z https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43553#M325 <P>Thanks for your input. I was thinking along similar lines.</P> Thu, 25 Feb 2021 07:33:16 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43553#M325 CISSP-MR 2021-02-25T07:33:16Z https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43557#M326 <P>Some customers may ask you to discuss the architecture of what's been built using IaaS or PaaS components.</P><P>&nbsp;</P> Thu, 25 Feb 2021 14:41:45 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43557#M326 Steve-Wilme 2021-02-25T14:41:45Z https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43568#M329 <P>Good Point. I need to verify all the components of the architecture.</P> Fri, 26 Feb 2021 08:15:15 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Vendor-assessment-as-a-SaaS-company/m-p/43568#M329 CISSP-MR 2021-02-26T08:15:15Z