CISSP-MR
Newcomer I

Vendor assessment as a SaaS company

I am preparing to start at a new company and I will need to handle Vendor assessment requirements like CAIQ and similar from customers.
Since all customer data is stored in AWS, can I use the AWS CAIQ as a reference to show that we meet the requirements ?
Is there anything I should be aware of that could be a pitfall ?
Where are more resources that can help me ?

Thanks !

5 Replies
tmekelburg1
Community Champion

It depends on the customer and their requirements. You can start out with the AWS CAIQ and AWS SOC reports and that would probably satisfy most of your customers' requirements. BUT it doesn't tell the customer about security practices inside of your company though. Hopefully, your new company has an internal security assessment that can be shared with customers with a signed NDA upon request.

AppDefects
Community Champion

Pitfalls? What can go wrong with Cloud security? I'm not a fan of paper assessments. I guess that is because I was always told not only to trust, but verify. What I use today are several Open Source tools to discover misconfigured assets, including an automated assessment of IAM roles. That is the ONLY way you can be sure your data is safe. Take the technical approach!

CISSP-MR
Newcomer I

Thanks for your input. I was thinking along similar lines.

Steve-Wilme
Advocate II

Some customers may ask you to discuss the architecture of what's been built using IaaS or PaaS components.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CISSP-MR
Newcomer I

Good point. I need to verify all the components of the architecture.