Showing posts with label penetration testing.

Wednesday, August 12, 2020

Are SOC2 / ISO 2700x / HITRUST Attestations Enough for PaaS / SaaS Providers

The short answer is no, not on their own. An attestation that is not accompanied by a penetration testing report, or by the ability of an org (one that intends to provision the provider's services) to run its own vulnerability scan, is not acceptable.

As an individual who has performed internal security assessments, as well as many external ones, I find that the scope of such attestations is all too often extremely limited. As a result, these reviews do not provide an adequate benchmark of security and/or privacy compliance or posture.

So, kick the proverbial tires; doing so does not require an expensive onsite audit.

Sunday, September 17, 2017

Your Third-Party Security Review Process is a Mess

Regardless of the control framework and/or process you use, most third-party review processes are poorly designed and inefficient.

On top of that, most orgs ask their vendors to maintain a level of security that those same orgs can't meet themselves.

In the wake of the Equifax breach, orgs will look to add more rigor to their third-party review process, though few if any continuously monitor the security of their business ecosystem.

Instead of spending cycles filling out matrices / spreadsheets, firms should invest in the following:

  • A vulnerability scan / penetration test (of limited scope) before any legal documents are executed.
    • A remediation plan should be agreed upon as well.
  • A continuous monitoring / assessment agreement to ensure governance over the course of the contract.
  • Recurring audits / spot checks of the security governance established and expected.