Pre-Contract: Types of Evidence to Collect Flashcards
Types of Evidence to Collect
-Penetration Test Results
-Independent attestation – Includes SOC 2 and Type II reports.
-Policies and procedures
-Proof of key controls to evidence effectiveness
-Vulnerability report/evidence of patching
-Continuous monitoring report
-Financials
-DR/BC plans and testing
-Employee counts – Includes key person dependency and any significant changes that have occurred.
-Network diagram – Includes cloud architecture and a data flow diagram.
-Background checks – Includes policies and samples of actual background checks.
-Employee access review
-Training – Includes broad scale (e.g., phishing) and specific/targeted training (e.g., developers).
-Model risk – Includes validation of models.
-Fraud
-Negative news
*Don’t take data you’re not going to do anything with. You might not need this from every vendor.
Penetration Test Results
-This can be difficult for you to get as this can show significant gaps in security.
-It’s okay if they’re not willing to share the results, as long as they can show that they’ve had a pen test.
-Third-party-completed pen test, date-stamped, showing they have results (but not the results themselves).
-We want to see that they did a pen test and had a follow-up pen test to show they closed the gaps.
-A process to do the pen test and to close the gaps the pen test finds.
-Evaluate the scope of the pen test.
-E.g. if the pen test is on PHI and you don’t do anything with PHI then it’s irrelevant
-Are they completing pen tests on something that matters to you?
Independent Attestation
-Includes SOC 2 and Type II reports
-Good for a year, usually being done annually
-FedRAMP Moderate certification
-HITRUST certification
-Do NOT accept these in lieu of a security assessment; they can supplement the security assessment.
Policies and Procedures
You need to be careful about which ones you ask for.
Proof of Key Controls to Evidence Effectiveness
E.g., if the key control is MFA for privileged access, the evidence would be confirmation that MFA is enabled plus a process document showing how it works.
Vulnerability Report
A redacted document may be provided; we’re looking for the fact that they do this and that they fix things.
Continuous Monitoring Report
Vendor security rating tools. We’ll get into the danger of the report in relation to the score and the evidence.
Employee Counts
-Includes key person dependency and any significant changes that have occurred
-Is there someone in the organization who does the majority of the work?
-E.g., we had someone who had a lot of undocumented knowledge.
-We want to know how many employees are in certain areas so you can ensure there is good coverage and separation of duties.
Network Diagram
-Includes cloud architecture and a data flow diagram
-Where does the data flow? L1 or L2?
Background Checks
-Includes policies and samples of actual background checks
-Are they doing them? How often?
-A sample background check with the name redacted, so you can see that they are actually doing them.
Training
Includes broad scale (e.g., phishing) and specific/targeted training (e.g., developers).
Model Risk
-Includes validation of models
-If they’re producing a model, ask for validation of how they’re doing the modeling.
Fraud
-Do they have a fraud program?
-What are they doing?