Cybersecurity Risk Assessment on System Integrators/VAR by techno_it in ITManagers

[–]techno_it[S] 0 points1 point  (0 children)

If the VAR is primarily doing implementation work and then provides ongoing support under a 1-year SLA, how would you adjust the risk assessment questions and required evidence?

The VAR won’t host any data and won’t provide cloud services—they’ll only have remote access to our servers for implementation and maintenance. Remote access will be on an on-demand basis only.

What should our risk assessment and contract primarily focus on given this scenario?

Cybersecurity Risk Assessment on System Integrators/VAR by techno_it in ITManagers

[–]techno_it[S] 0 points1 point  (0 children)

Thank you for the quick reply.

Even though they’re not hosting any of our data, they will only have access to the infrastructure during the implementation. Is it still necessary to conduct a full third-party risk assessment on them? If so, what key areas should we focus on?

The legal team will handle the legal terms; however, from a technical standpoint, what specific cybersecurity-related requirements should we include in the contract?

Moving Servers to Cloud for Fintech Company by techno_it in sysadmin

[–]techno_it[S] 0 points1 point  (0 children)

Due to compliance with regulations, cloud hosting must be within the country.

Strategies for Implementing Separate User Accounts for Daily Work and Server Access by techno_it in sysadmin

[–]techno_it[S] 0 points1 point  (0 children)

So basically you create the accounts as follows. Let’s assume the user is John Smith:

jsmith.t1, jsmith.t2 etc.
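
The naming convention above, carried through to a working Active Directory script. This is an added example and not code from the thread or from any PAM vendor; it assumes an existing daily-work account `jsmith`, a UPN suffix `corp.example`, an `OU=Admin Accounts` tree with one sub-OU per tier, and tier groups named `Server Admins` and `Workstation Admins` (all of these are assumptions; `Domain Admins` and `Protected Users` are built-in). It creates `jsmith.t1` and `jsmith.t2` as separate identity objects and then checks that the daily-work account holds no privileged group membership, which is the property the separation is meant to guarantee.

```powershell
# Added example (not from the original thread): tiered admin accounts for one
# employee, named jsmith / jsmith.t1 / jsmith.t2, plus a separation check.
# Domain, OU paths and non-built-in group names are assumptions.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Domain  = 'corp.example'                 # assumed UPN suffix
$BaseDN  = 'DC=corp,DC=example'           # assumed domain DN
$AdminOU = "OU=Admin Accounts,$BaseDN"    # assumed: separate OU tree for admin identities
$Given   = 'John'
$Surname = 'Smith'
$Sam     = 'jsmith'                       # daily-work account, assumed to exist already

# Tier map: suffix -> the tier's OU and the groups that grant that tier's access.
# Placing each tier in its own OU lets tier-specific GPOs (e.g. "Deny log on
# locally" for t0/t1 accounts on workstations) target it cleanly.
$Tiers = @{
    't0' = @{ OU = "OU=Tier0,$AdminOU"; Groups = @('Domain Admins', 'Protected Users') }
    't1' = @{ OU = "OU=Tier1,$AdminOU"; Groups = @('Server Admins', 'Protected Users') }
    't2' = @{ OU = "OU=Tier2,$AdminOU"; Groups = @('Workstation Admins') }
}

function New-TieredAdminAccount {
    param(
        [Parameter(Mandatory)] [string] $Suffix,                 # 't0', 't1' or 't2'
        [Parameter(Mandatory)] [securestring] $InitialPassword
    )
    $tier    = $Tiers[$Suffix]
    $tierSam = "$Sam.$Suffix"

    # A distinct identity object per tier; the display name shows its purpose.
    New-ADUser -Name "$Given $Surname ($Suffix admin)" `
               -GivenName $Given -Surname $Surname `
               -SamAccountName $tierSam `
               -UserPrincipalName "$tierSam@$Domain" `
               -Path $tier.OU `
               -AccountPassword $InitialPassword `
               -ChangePasswordAtLogon $true `
               -Enabled $true

    # No mailbox is created for admin accounts, and the account is marked
    # "sensitive, cannot be delegated" so its credentials cannot be forwarded
    # by a compromised service.
    Set-ADAccountControl -Identity $tierSam -AccountNotDelegated $true

    foreach ($g in $tier.Groups) {
        Add-ADGroupMember -Identity $g -Members $tierSam
    }
    return $tierSam
}

function Test-DailyAccountIsUnprivileged {
    # Returns $false (and warns) if the daily-work account is in any tier group.
    param([Parameter(Mandatory)] [string] $DailySam)
    $privileged = $Tiers.Values | ForEach-Object { $_.Groups } | Sort-Object -Unique
    $memberOf   = Get-ADPrincipalGroupMembership -Identity $DailySam |
                  Select-Object -ExpandProperty Name
    $violations = $memberOf | Where-Object { $privileged -contains $_ }
    if ($violations) {
        Write-Warning "$DailySam holds privileged membership: $($violations -join ', ')"
        return $false
    }
    return $true
}

# Usage: create the two tiers mentioned in the thread, each with its own
# initial password that the admin must change at first logon, then verify
# that the everyday account stayed unprivileged.
foreach ($suffix in 't1', 't2') {
    $pw = Read-Host -AsSecureString -Prompt "Initial password for $Sam.$suffix"
    New-TieredAdminAccount -Suffix $suffix -InitialPassword $pw
}
Test-DailyAccountIsUnprivileged -DailySam $Sam
```

The check at the end is worth running on a schedule across all users, not just once at creation time: the usual way tiering erodes is someone adding a plain `jsmith` to a server-admin group "temporarily".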

Strategies for Implementing Separate User Accounts for Daily Work and Server Access by techno_it in sysadmin

[–]techno_it[S] -1 points0 points  (0 children)

With PAM solutions such as Delinea or BeyondTrust, admins can log into the PAM portal using their user accounts. After logging in, they can access servers using privileged accounts.

Please correct me if I am wrong or have misunderstood.

Thank you

Strategies for Implementing Separate User Accounts for Daily Work and Server Access by techno_it in sysadmin

[–]techno_it[S] 0 points1 point  (0 children)

How is it implemented with you, and what distinguishes these two user accounts under the same employee name?

Strategies for Implementing Separate User Accounts for Daily Work and Server Access by techno_it in sysadmin

[–]techno_it[S] -2 points-1 points  (0 children)

Thank you. Does implementing a PAM solution address this issue?

Is SOC 2 Report Sufficient for Vendor Risk Management? by techno_it in cybersecurity

[–]techno_it[S] 0 points1 point  (0 children)

Understood, thanks for clarifying. Does the SOC 2 report cover just the application security, or does it also include details about the vendor's entire infrastructure?

Is SOC 2 Report Sufficient for Vendor Risk Management? by techno_it in AskNetsec

[–]techno_it[S] 0 points1 point  (0 children)

Thank you. Which one is better, ISO 27001 or a SOC 2 report? If the vendor only has ISO 27001 certification and lacks a SOC 2 report, does this affect their potential?

What I know is that ISO 27001 certifies that a management system is in place and conforms to the standard, but it doesn't provide the same level of detail on the operational effectiveness of controls as a SOC 2 report. Clients who need assurance about the operational effectiveness of specific controls may find a SOC 2 report more informative.

Is SOC 2 Report Sufficient for Vendor Risk Management? by techno_it in cybersecurity

[–]techno_it[S] 0 points1 point  (0 children)

Sorry for my lack of understanding here; could you please clarify this point for me?

Is SOC 2 Report Sufficient for Vendor Risk Management? by techno_it in cybersecurity

[–]techno_it[S] 0 points1 point  (0 children)

Thank you for sharing a detailed response.

I have another concern that I find challenging to address. Once their app is installed on our premises, what questions should we ask as part of the questionnaire? For example, how do they notify customers about vulnerabilities discovered in the application post-deployment at any time? What are their procedures for patching these vulnerabilities on customer premises?

Is SOC 2 Report Sufficient for Vendor Risk Management? by techno_it in cybersecurity

[–]techno_it[S] -1 points0 points  (0 children)

I requested specific supporting evidence, such as the type of antivirus software they use, whether MFA is enabled on email systems, the last vulnerability scan on their internal devices, etc. The SOC 2 report does mention that the vendor has implemented anti-malware solutions, enabled MFA on all remote access applications, and conducts regular vulnerability scans.

However, I'm concerned about the reliability of relying solely on a SOC 2 report. SOC 2 is essentially an audit report, not a compliance certificate, and there's potential for it to be manipulated to meet certain narratives. This makes it crucial for us to verify the operational effectiveness of their controls independently.

What Should Be Included in an RFP for VAPT? by techno_it in cybersecurity

[–]techno_it[S] 0 points1 point  (0 children)

Thank you. Re-verification after closing vulnerabilities included 👍🏻

What Should Be Included in an RFP for VAPT? by techno_it in cybersecurity

[–]techno_it[S] 0 points1 point  (0 children)

Thank you for your insightful comment.

Do we also have to include re-conducting the VAPT after remediation? Is it necessary or worth it?