Asking a SaaS company to answer a Vendor Security Assessment request has become routine for companies that work in the cloud. But have you thought about how the reverse works, that is, when your customer runs a VSA process that focuses on you?

The Vendor Security Assessment, or VSA, is the means by which your infosec team confirms that a cloud vendor, or any vendor who might have access to your data, is going to be as careful with your data as you are. And of course, you are as careful with your customer’s data, protecting it from unauthorized access, alteration, or destruction. It would be very embarrassing, to say the least, for your customer’s data, code, or inner workings to be available to the internet at large through a vendor breach.

Most VSA requests start with some internet research on the vendor and a questionnaire about their practices. Your ability to satisfy the potential customer about your security posture can make or break a sale.

What sort of questions are being asked? Well, as the concept of a VSA is still relatively new, each prospect asks questions a bit differently. Someday, there will be a standard form or even a certification with an annual audit. Until then, each VSA recipient needs to communicate what processes should give customers confidence in their ability to keep their information private, such as:

Data classification: Keeping data on a “need to know” basis. This covers not only access to drive shares but also applications like Git, Salesforce, and Confluence, and it ensures that only the appropriate level of access within each tool is granted to the right employees. Many users of these tools find the siloing of information and systems frustrating, but by preventing data from being available to just anyone with a login,