Showing posts with label HITRUST.

Thursday, September 24, 2020

Risk Management for Vendor Ecosystem

Many orgs focus too long on assessing the risk before deciding to onboard a vendor.

Multiple control frameworks (COBIT, ISF, ISO, NIST, HITRUST) include hundreds of questions that are often redundant.

Furthermore, these assessments couple the vendor governance with the actual solution.  Hence, orgs spend weeks evaluating each vendor.

The solution here is a laser-focused framework that includes a base set of questions for the vendor, along with specific questions for the solution.  I would also advocate for a vulnerability scan of the solution by the specific org doing the assessment.

Wednesday, August 12, 2020

Are SOC2 / ISO 2700x / HITRUST Attestations Enough for PaaS / SaaS Providers

The short answer is, not alone.  Attestations without penetration testing reports, or without the ability for an org (that desires to provision said provider's services) to run a vulnerability scan, are not acceptable.

As an individual who has provided many internal and external security assessments, I find that the scope of an attestation is much too often extremely limited.  Therefore, these reviews do not provide an adequate benchmark of security and/or privacy compliance or posture.

So, kick the proverbial tires, while not requiring an expensive onsite audit.

Saturday, October 29, 2016

Best Control Framework for HIPAA / HITECH Audits / Reviews

While many are adamant about using NIST SP 800-53a Rev 4 for HIPAA / HITECH, there is precedent for using alternatives.

Preference should be given to hybrid frameworks such as HITRUST CSF and / or ISF SOGP, as they combine controls from 800-53, COBIT, and / or ISO.

The genesis for building on these controls is the set of new technologies, new attack vectors / threats, and a renewed emphasis on deeper dives into the proper deployment of controls / safeguards.