In the context of managed/cloud hosting, what level of information does a provider typically share (under NDA) with its customers for compliance audit/3rd party risk assessment purposes? What are documents that are generally made available, and what are some that aren't?

For example, does a provider share policies and standards, but not procedures; an Information Security Policy but not a Business Continuity Plan; Internal-use classification, but not business confidential? Does a provider forego sharing detailed information in favor of its own 3rd party audit?

The audits are generally related to common regulations/standards/frameworks such as HIPAA, PCI-DSS, SOX, ISO 27001, etc.

Gilles 'SO- stop being evil'
phiz

1 Answer

This question verges upon opinion-based, but I'll try and provide some suggestions based on my experience (which is biased towards PCI but touches on others). It isn't specific to the cloud but I believe there's an equivalence.

Some rules of thumb:

  • Attestations / summaries are distributed, reports are generally not
  • Policies are more likely shared than distributed
  • Formal audits are often subject to distribution limits

Some more information on these ROT:

Audits and scans often come in multiple levels. For example, a PCI audit will result in a ROC (Report On Compliance) and an AOC (Attestation Of Compliance). The former is a fully detailed report, and the latter is a quick summary. The AOC is for distribution, and the ROC is not. And - in the case of PCI - the AOC is not considered fully authoritative; the Service Provider Listing on the card brands' site is what customers are directed to for an authoritative source (compliance can be invalidated within a report's valid timeframe...)

The same is generally true of scans. Detailed scan results, which list items that are not desirable even if they aren't fully non-compliant, are almost never distributed. Top-level reports which list whether or not items existed are pretty much it.

When it comes to policies, these are generally handed out only grudgingly. A common practice is to permit partners to come onsite to view the policies rather than distributing them. This both ensures the security of the policies from distribution and subtly discourages partners from going through the trouble of coming to get them.

This is very one-sided, by the way. I've worked for a large bank which required copies of security policies for any company that wanted to integrate anything with them. They're in a position to demand that, and they do. The client of a bank or a service provider, however, lacks the leverage required to demand the same. Also, what I said about the ROC and AOC - the ROC must be handed up the ladder to the Card Brands; that's what it's for. But it's never shared downward.

Finally, be aware that limits may apply. If you have a contract, then it may include contractual obligations. Large customers will often demand clauses that allow them access to things, or even to audit the service provider on a regular basis. Some auditors place distribution limits on their full audit report, and in the case of SSAE16 SOC 2 report, distribution is disallowed by default.

gowenfawr
  • I would add that you need to be careful to distinguish between what you are stating you currently do or have done and what you're committing to doing in the future. You don't want to end up in a contractual obligation by accident. – Neil Smithline Apr 25 '15 at 03:34
  • I agree it is somewhat subjective, but I am more interested in experiences than opinions. By and large I have seen what you describe, but am curious about what other people in the industry are seeing as well. Good points about the detail of information flow often being unidirectional and report distribution restrictions as well. – phiz Apr 25 '15 at 07:54