Читать книгу (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide - Mike Chapple - Страница 236

The increased use of cloud services and other external vendors to store, process, and transmit sensitive information leads organizations to a new focus on implementing security reviews and controls in their contracting and procurement processes. Security professionals should conduct reviews of the security controls put in place by vendors, both during the initial vendor selection and evaluation process and as part of ongoing vendor governance reviews.

These are some questions to cover during these vendor governance reviews:

 What types of sensitive information are stored, processed, or transmitted by the vendor?

 What controls are in place to protect the organization's information?

 How is your organization's information segregated from that of other clients?

 If encryption is relied on as a security control, what encryption algorithms and key lengths are used? How is key management handled?

 What types of security audits does the vendor perform, and what access does the client have to those audits?

 Does the vendor rely on any other third parties to store, process, or transmit data? How do the provisions of the contract related to security extend to those third parties?

 Where will data storage, processing, and transmission take place? If outside the home country of the client and/or vendor, what implications does that have?

 What is the vendor's incident response process, and when will clients be notified of a potential security breach?

 What provisions are in place to ensure the ongoing integrity and availability of client data?

This is just a brief listing of some of the concerns you may have. Tailor the scope of your security review to the specific concerns of your organization, the type of service provided by the vendor, and the information that will be shared with them.