ISAS advice to clients is that the constant battle to maintain the integrity of the networks and information processing systems can only be won with all stakeholders putting their shoulder to the wheel. This only works if everyone is working in the same direction. This includes all parties in your supply chain, and assessing the status of your suppliers is an important part of knowing that all elements are up to standard.
Cloud Service Audit
Many organisations are embracing the opportunities presented by Public Cloud computing - whether Infrastructure (IaaS), Platform (PaaS), or Software as a Service (SaaS). Each of these service models shares the responsibility for Information Security between the Cloud Service Provider (CSP) and the Cloud Service Customer. These customer organisations need to make the time to fully understand or implement the security capabilities of the Cloud services they consume. For example, SaaS services such as Microsoft’s Office 365 or Google G-Suite incorporate a wide range of controls to help organisations meet their data protection and other legal, regulatory or technical compliance demands. In many cases these capabilities are available at no extra cost as part of the customer’s existing subscriptions, but if they are not using such functionality the customer is probably not realising the full benefits of their Cloud service expenditure.
ISAS are regularly called on to assist organisations that have been compromised by assuming that default settings were adequate for their security objectives. The ISAS Cloud Audit Service is designed to help organisations identify and implement risk-appropriate security controls within their chosen Cloud service.
Third Party Supply Chain
Where organisations are reliant on the supply of key products or services from third party suppliers, it is important to assess the appropriateness of those suppliers’ information security arrangements. Where sensitive data forms part of that product or service, the risk of fraud, data compromise, and revenue loss can be significant.
External suppliers are a vital component of business operations. Suppliers may have access to a wide range of information. Once shared with a supplier, direct control of this information is lost, regardless of sensitivity or value.
ISAS have extensive experience in performing Supplier Security Reviews on behalf of clients. Our audit methodology provides the framework for detailed analysis, giving a comprehensive evaluation of a supplier’s ability to secure your data.
The EU General Data Protection Regulation (GDPR) makes it clear that organisations are accountable for data breaches caused by third-party service providers; third-party supply chain assessment is therefore key to ensuring compliance with the GDPR.
GDPR Processor Audits
Organisations operating as Data Controllers should have rights to conduct audits of their Data Processors if they have an Article 28 compliant agreement in place.
ISAS undertake such audits to provide assurance to a Data Controller that there are adequate controls in place and provide a report that could be used to evidence they are discharging their responsibilities as a Data Controller.
The independence of ISAS ensures that our client can always be assured that they are getting advice regarding technology and procurement with no vested interests.