Page 295 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Contracting and Procurement
The increased use of cloud services and other external vendors to store, process, and transmit sensitive information leads organizations to a new focus on implementing security reviews and controls in their contracting and procurement processes. Security professionals should conduct reviews of the security controls put in place by vendors, both during the initial vendor selection and evaluation process and as part of ongoing vendor governance reviews.
These are some questions to cover during these vendor governance reviews:

What types of sensitive information are stored, processed, or transmitted by the vendor?

What controls are in place to protect the organization’s information?

How is our organization’s information segregated from that of other clients?

If encryption is relied on as a security control, what encryption algorithms and key lengths are used? How is key management handled?

What types of security audits does the vendor perform, and what access does the client have to those audits?

Does the vendor rely on any other third parties to store, process, or transmit data? How do the provisions of the contract related to security extend to those third parties?

Where will data storage, processing, and transmission take place? If outside the home country of the client and/or vendor, what implications does that have?

What is the vendor’s incident response process, and when will clients be notified of a potential security breach?

What provisions are in place to ensure the ongoing integrity and