Firstly the CISO has to work with the CIO and the business to understand the business need to implement this and then clearly articulate associated risk exposure to the firm and its stakeholders.
A detailed due diligence has to be completed following which the risk posture and risk mitigation guidance has to be provided. Subsequently a corporate policy along with the mitigating controls has to be implemented and training imparted to the relevant business users.
( Read more: Top 5 Application Security Technology Trends)
Key parameters based on which a CISO should choose a vendor
Apart from the standard vendor due diligence one has to ensure the following –
- Review security awareness & preparedness of the vendor (including staff) and real world deployment of the same from Cloud services perspective
- Does the vendor meet all relevant Security and Compliance related industry standards?
- Does the vendor have a strong DR program (Implemented & Tested) to maintain the continuity of services and has a DR site geographically at a safe distance?
- Overall location of the vendor hosting center/facility from a threat exposure perspective (external & internal influencers)
- Does the vendor offer “Try Me” program before getting into contract?
( Read More: Top 6 'Cloud Security' talks from RSA Conference 2016 (USA))
Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist
- How does the vendor address Security issues like Data protection in motion, Encryption Key management, Data management/storage, Access Controls?
- Does the vendor offer Right to Audit
- Does the vendor have a DR site? How far is it from the hosting site?
( Watch more : Checklist: How to choose between different types of Application Sec...)
Top mistakes to avoid while selecting a vendor
- Not doing a due diligence on the vendor & services offered e.g. speaking to service provider’s customers
- Not understanding Cloud’s intrinsic security issues and the standards involved
- Not involving the multiple service providers in selection process. It is important that service providers with proven track record in the area are invited
-By Rajesh R Nair, Vice President, Credit Suisse
( More: Want to become a speaker and address the security community? Click here )