Governance & Compliance: Checklist for Vendor Evaluation and Key Learning Do's and Don'ts

'Development of enterprise-level Information Security Policies, Procedures and Standards' was an initiative to put in place enterprise-wide policies, procedures and standards so that Governance & Compliance of Information Security practices runs smoothly. Standards based on industry benchmarks such as CIS, NSA and NIST help an enterprise configure, implement, manage and monitor a robust infrastructure and sound security practices through business-approved policies and procedures. Through this project, we are producing policies, procedures and technical control standards that streamline and strengthen the implementation of Operating Systems, Databases, MS Office / Exchange environments, Server Infrastructure, Network/Firewall Infrastructure, Virtual Machines, Remote Access, Mobile Technologies, Secure file/data transfers, Encryption, Access Management, Incident Management, Business Continuity Management, etc.


Checklist for Technology/Vendor/Solution Evaluation:

• Ensure the company is registered with or subscribing to one or more industry standards/benchmarks, e.g. the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), etc.

• Ensure an Information Security Policy Framework is in place that describes the company's strategy for:

  • Information Security Policies
  • General security controls that are applicable across the enterprise
  • Technical control areas that are applicable across the enterprise
  • Processes and procedures required for adopting some of the technologies/standards

• Understand the current enterprise implementations, documentation, policies, procedures and other artifacts in place.

  The infrastructure:

  • Types/kinds of servers
  • Different OSes implemented
  • Network/Firewall solutions in place
  • Databases being used
  • Virtualization strategy
  • Data Loss Prevention controls/tools in place
  • Endpoints being used
  • Strategies for desktop/laptop/mobile device encryption
  • Incident Management in place
  • Access and authentication management in place
  • Business Continuity / Disaster Recovery Management

• Define the team structure involved in policy development, review, testing, approvals, etc. For example:

  • Identify/register/subscribe to industry standard benchmark providers
  • Identify the authors/contributors and policy developers within the organization, or hire an expert agency to develop the policy framework/policies, etc.
  • Identify the SMEs (Subject Matter Experts) who will review all of the documents being developed
  • Identify the SMEs and technical teams who will thoroughly test all of the controls/policies being documented
  • Identify the business approvals. Ensure the right stakeholders are involved in approving each set of documentation mentioned above


Key Learning: Do's and Don'ts

  • Ensure an information security strategy/program is in place
  • Ensure an Information Security Policy Framework is in place
  • Ensure registration/subscription to industry standard practices and benchmarks
  • Ensure every policy/procedure/control/standard document is thoroughly reviewed and approved by SMEs
  • Ensure every control in these documents is tested to fit the business requirements and the security practices/strategies of the company
  • Avoid the temptation to cover the entire universe in the policies, procedures, controls and standards. The industry benchmarks/standards generally cover the entire gamut of a topic; the key is to understand what is relevant to the business and the security strategy of the company, and to implement only that as a policy or a standard.

- With Mahesh Sonavane, SunGard Global Technology, on How To Evaluate Compliance Solutions

What are your evaluation parameters for GRC solutions? Share your views in the comments below.

© 2020 Created by CISO Platform.