Initial Third-Party Security Assessment

Sebastian_Z · ‎12-06-2022

Hi,

I am looking for some advice from your experience.

Scenario: Perform initial verification of a solution provider in terms of security.

Goal: Check publicly available information to determine if a solution provider may be considered as trustworthy. The idea is to do very high-level research!
Let's take hosting provider as example but it could be any SaaS/PaaS/IaaS.

My ideas:
-If they hold any security certification like ISO27001, PCI DSS

-if there were any outages/incidents recently - they got hacked, data leaked, service went down - simple google search with appropriate keywords. Usually there are some articles.

-domain check - Qualys SSL Grade, SSL Certificate

-if they are using load-balancing/DDoS provider

What would you check?

Steve-Wilme · ‎12-07-2022

It may make sense to look at schemes which can provide the assurance for you, such as, SOC 2 type 2, ISO 27001 certification, CSA STAR, PCI DSS AoC etc. and combine those with what the third party will commit to contractually. It is very time consuming to carry out supplier due diligence and part of the difficulty stems from the information asymmetry i.e. the supplier isn't going to want every customer asking 100s of questions each time they make a sale, so they are going to fall back on independent audit reports, in most instances, as the evidence they'll provide to you.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS