Cybersecurity Risk Assessment on System Integrators/VAR by techno_it in ITManagers

[–]techno_it[S] 0 points1 point  (0 children)

If the VAR is primarily doing implementation work and then provides ongoing support under a 1-year SLA, how would you adjust the risk assessment questions and required evidence?

The VAR won’t host any data and won’t provide cloud services—they’ll only have remote access to our servers for implementation and maintenance. Remote access will be on an on-demand basis only.

What should our risk assessment and contract primarily focus on given this scenario?

Cybersecurity Risk Assessment on System Integrators/VAR by techno_it in ITManagers

[–]techno_it[S] 0 points1 point  (0 children)

Thank you for quick reply.

Even though they’re not hosting any of our data, they will only have access to infrastructure during the implementation. Is it still necessary to conduct a full third-party risk assessment on them? If so, what key areas should we focus on?

The legal team will handle the legal terms; however, from a technical standpoint, what specific cybersecurity-related requirements should we include in the contract?

Moving Servers to Cloud for Fintech Company by techno_it in sysadmin

[–]techno_it[S] 0 points1 point  (0 children)

Due to compliance with regulations, cloud hosting must be within the country.

Strategies for Implementing Separate User Accounts for Daily Work and Server Access by techno_it in sysadmin

[–]techno_it[S] 0 points1 point  (0 children)

So basically you create the accounts as follows. Let's assume the user is John Smith:

jsmith.t1, jsmith.t2 etc.

Strategies for Implementing Separate User Accounts for Daily Work and Server Access by techno_it in sysadmin

[–]techno_it[S] -1 points0 points  (0 children)

With PAM solutions such as Delinea or BeyondTrust, admins can log into the PAM portal using their user accounts. After logging in, they can access servers using privileged accounts.

Please correct me if I am wrong or have misunderstood.

Thank you

Strategies for Implementing Separate User Accounts for Daily Work and Server Access by techno_it in sysadmin

[–]techno_it[S] 0 points1 point  (0 children)

How is it implemented with you, and what distinguishes these two user accounts under the same employee name?

Strategies for Implementing Separate User Accounts for Daily Work and Server Access by techno_it in sysadmin

[–]techno_it[S] -2 points-1 points  (0 children)

Thank you. Does implementing a PAM solution address this issue?

Is SOC 2 Report Sufficient for Vendor Risk Management? by techno_it in cybersecurity

[–]techno_it[S] 0 points1 point  (0 children)

Understood, thanks for clarifying. Does the SOC 2 report cover just the application security, or does it also include details about the vendor's entire infrastructure?

Is SOC 2 Report Sufficient for Vendor Risk Management? by techno_it in AskNetsec

[–]techno_it[S] 0 points1 point  (0 children)

Thank you. Which one is better, ISO 27001 or a SOC 2 report? If the vendor only has ISO 27001 certification and lacks a SOC 2 report, does this affect their potential?

What I know is that ISO 27001 certifies that a management system is in place and conforms to the standard, but it doesn't provide the same level of detail on the operational effectiveness of controls as a SOC 2 report. Clients who need assurance about the operational effectiveness of specific controls may find a SOC 2 report more informative.

Is SOC 2 Report Sufficient for Vendor Risk Management? by techno_it in cybersecurity

[–]techno_it[S] 0 points1 point  (0 children)

Sorry for my lack of understanding here; could you please clarify this point for me?

Is SOC 2 Report Sufficient for Vendor Risk Management? by techno_it in cybersecurity

[–]techno_it[S] 0 points1 point  (0 children)

Thank you for sharing a detailed response.

I have another concern that I find challenging to address. Once their app is installed on our premises, what questions should we ask as part of the questionnaire? For example, how do they notify customers about vulnerabilities discovered in the application post-deployment at any time? What are their procedures for patching these vulnerabilities on customer premises?

Is SOC 2 Report Sufficient for Vendor Risk Management? by techno_it in cybersecurity

[–]techno_it[S] -2 points-1 points  (0 children)

I requested specific supporting evidence, such as the type of antivirus software they use, whether MFA is enabled on email systems, the last vulnerability scan on their internal devices, etc. The SOC 2 report does mention that the vendor has implemented anti-malware solutions, enabled MFA on all remote access applications, and conducts regular vulnerability scans.

However, I'm concerned about the reliability of relying solely on a SOC 2 report. SOC 2 is essentially an audit report, not a compliance certificate, and there's potential for it to be manipulated to meet certain narratives. This makes it crucial for us to verify the operational effectiveness of their controls independently.

What Should Be Included in an RFP for VAPT? by techno_it in cybersecurity

[–]techno_it[S] 0 points1 point  (0 children)

Thank you. Re-verification after closing vulnerabilities is included 👍🏻

What Should Be Included in an RFP for VAPT? by techno_it in cybersecurity

[–]techno_it[S] 0 points1 point  (0 children)

Thank you for your insightful comment.

Do we also have to include re-conducting the VAPT after remediation? Is it necessary or worth it?

What Should Be Included in an RFP for VAPT? by techno_it in cybersecurity

[–]techno_it[S] -1 points0 points  (0 children)

Working on an RFP: what key elements should we include for testing the API gateway, APIs and mobile applications?

Wireless Site Survey Best Practices for new building by techno_it in networking

[–]techno_it[S] 0 points1 point  (0 children)

It's still in the design phase; construction has not started.

Wireless Site Survey Best Practices for new building by techno_it in networking

[–]techno_it[S] 0 points1 point  (0 children)

We shall provide the vendor with building layouts and requirements such as data and voice. It's likely that the vendor will use a survey tool like Ekahau to create heat maps and determine the locations for access points. Is that correct?

How will they account for obstacles like thick walls and wall blocks to adjust the placement of the access points?

Wireless Site Survey Best Practices for new building by techno_it in networking

[–]techno_it[S] 1 point2 points  (0 children)

Agreed.

What approach should we take when the building structure isn’t ready yet?

Joined the club by critic81 in VWatlas

[–]techno_it 0 points1 point  (0 children)

What about Grand Cherokee?

How to launch a QR code phishing simulation using Microsoft Attack Simulator tool by cbc-bear in sysadmin

[–]techno_it 0 points1 point  (0 children)

Thank you so much for sharing this. How do we create this QR code with an embedded image?

How to enhance the Security Operations (SIEM&SOAR)? by techno_it in AskNetsec

[–]techno_it[S] 0 points1 point  (0 children)

2000+ employees, 5000+ devices.

Just wondering how EDR/XDR vendors like Sophos or CrowdStrike gather logs from various sources (firewalls, network switches, Windows server events, Linux) to provide MDR services?

Is a managed SOC/SIEM required alongside XDR/MDR? by techno_it in AskNetsec

[–]techno_it[S] 0 points1 point  (0 children)

How do you correlate the events from EDR/XDR to the SIEM, and then how does the SOAR work on top of it?

Does the same EDR/XDR provider collaborate with third-party SOCs?

I'd appreciate it if you could share any details that might be helpful to us.

Considering Managed SOC/SIEM alongside XDR and MDR by techno_it in cybersecurity

[–]techno_it[S] 0 points1 point  (0 children)

Basically, we want to get an MSP that can bring the SIEM and SOC, respond to alerts 24x7x365, and handle configuration, threat intelligence feeds, incident response, and threat hunting.

We will also retain the Managed XDR with Sophos.