An organization plans to utilize Software as a Service (SaaS) and is in the process of selecting a vendor. What should the information security manager do FIRST to support this initiative?
A. Review independent security assessment reports for each vendor.
B. Benchmark each vendor's services with industry best practices.
C. Define information security requirements and processes.
D. Analyze the risks and propose mitigating controls.
Defining information security requirements and processes is the first step that the information security manager should take when supporting the organization's use of Software as a Service (SaaS). This is because it sets the foundation for the selection of a SaaS vendor that meets the organization's security needs and expectations. Without clear security requirements and processes, it may be difficult to determine the level of security that each vendor can provide, or to assess the suitability of each vendor for the organization's specific needs. By establishing the security requirements and processes first, the information security manager can ensure that the selection of a SaaS vendor aligns with the organization's overall information security strategy.
Damn...another one...
So let's see... Looking at the scenario, the most logical sequence of things should be C, A, D, A.
I guess if we're still in the process of selecting a vendor, that means nothing's really decided yet, so first you figure out the security requirements and processes, and based on that you start checking the vendors (through independent audit reports, so as objective as possible). Then, when you understand all the risks with each vendor, you propose mitigation. And lastly you do security monitoring of the vendors' services through security benchmarks.
Analyze the risks in using SaaS solution. Identify the controls. (D) These are then translated into security requirements (C). How else will you know what the security requirements are?
Once you have identified which processes can be outsourced as well as their inherent risks, you can begin performing due diligence on potential vendors. The level of due diligence should be tailored to the significance of the relationship as well as the potential risks it poses. Document your requirements and request prospective vendors to address each item directly.
https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2019/third-party-vendor-selection-if-done-right-its-a-win-win
Let me draw your attention to what you wrote:
Once you have IDENTIFIED which processes can be outsourced as well as their inherent RISKS, you can begin performing due diligence on potential vendors. The level of due diligence should be tailored to the significance of the relationship as well as the potential RISKS IT POSES.
I'm thinking you meant to select D???
Defining information security requirements and processes should be the initial step to ensure that the organization's specific security needs are understood and can serve as a foundation for subsequent activities such as risk analysis, benchmarking, and vendor assessment.
FIRST he needs to define the security requirements and processes relative to the new SaaS and then he can review reports based on these requirements to see if vendors comply.