The Inner Circle


Should I share our Company Policies during a security assessment

  • 1.  Should I share our Company Policies during a security assessment

    Posted 22 days ago
    Edited by Greg Collins 22 days ago
    As a SaaS solution/product, I go through many security reviews by enterprise companies we are selling to. I'm trying to get a feel for what I should hand out and what I should just say we have.

    As an example, I've been asked for our encryption management policy.

    Should I just send the summary page (i.e. title, revision history, approval date, table of contents), or do I send the whole document?

    Note: we are SOC2 certified.

    ------------------------------
    Greg Collins


  • 2.  RE: Should I share our Company Policies during a security assessment

    Posted 21 days ago
    I would expect that your SOC2 compliance certification should satisfy this and many other questions.  For my clients, HITRUST certification serves that purpose.  When asked such things, I tell them that I would be happy to do so following execution of an NDA (I would recommend that revealing any internal documents (policies, SOC2 Type 2, etc.) begins with executing an NDA).  This is about management of supply chain member risk, and the prospect is in your supply chain as well.  I face the same question frequently, and this is what I do.

    In the context of the encryption policy, I normally reveal only that we use NIST-certified algorithms and follow their recommendations on management processes - which the SOC2 would confirm.


    ------------------------------
    Ross Leo
    Galen Data, Inc.
    ------------------------------



  • 3.  RE: Should I share our Company Policies during a security assessment

    Posted 20 days ago
    When I perform SOC 2 audits and assess vendors on behalf of large financial institutions, we are not concerned about the specific procedures in place when we are looking at the policy.  Policy documents should only include the following:
    1. The purpose of the policy
    2. The scope of the policy
    3. Roles and responsibilities for the activities required for the policy
    4. Statement that directs the establishment of procedures
    5. Any regulatory guidelines that may apply
    6. Review and update cadence statement
    7. Statement on how the policy is disseminated to employees
    8. Formal approval from stakeholders

    The procedure document would then state how the policy is being met.  You may have your policies and procedures in the same document, but I would only start off by providing policies that only include the information I listed above, which should not be sensitive information. If they want specific procedures, then you should force them to sign an NDA - depending on how much leverage you have in the business relationship, you may have to "bite the bullet" and provide procedures.

    Troy - Security Auditor
    Schneider Downs

    ------------------------------
    Troy Fine
    Schneider Downs
    ------------------------------



  • 4.  RE: Should I share our Company Policies during a security assessment

    Posted 18 days ago
    Edited by André Uchôa 18 days ago
    I would expect that your SOC 2 report should cover that. But I understand that some clients or prospects still ask for more. For that reason, for some of the most requested policies and procedures during security assessments, I usually have simplified versions of those documents, only detailed enough to satisfy those companies without giving out sensitive information. In those documents, I also make it clear that they are simplified versions that exist to avoid the disclosure of sensitive information.

    ------------------------------
    André Uchôa
    CEO (co-founder)
    Scienti
    ------------------------------



  • 5.  RE: Should I share our Company Policies during a security assessment

    Posted 17 days ago
    I see this all the time - especially in healthcare.  Have a SOC2? Great, send us that and all your policy docs and this 100-item questionnaire :)

    (In Federal, you will by definition submit all your policies, procedures and control implementation docs.  It's a given.)

    HITRUST is more variable: yes, some accept this as-is, but many, especially large healthcare enterprises, do NOT.  They still expect you to complete their forms, attend a review call, and send the policy, DRP, BCP and IR docs.

    Best solution is to keep your policies and procedures in git (we use Markdown) so it is easy to update, link and cross-link, and use GitHub Actions to drive workflows.

    Happy to share tips and tricks if interested. If enough are interested (and I can carve out time) maybe a blog post is needed.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------
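One way to put the advice in this thread into a repository check is sketched below: the auditor's list of what a policy (as opposed to a procedure) should contain, the idea of a simplified version that withholds sensitive procedure detail, and keeping the documents in git with a CI workflow to enforce them. This is an added example, not code from any of the posters or their companies. It assumes each policy is a Markdown file with a small front-matter block (the key names `title`, `approved_by`, `approved_on`, `review_months` are an assumption), `## ` section headings named after the auditor's list, and a `(internal)` suffix on headings that hold procedure detail; the sample policy is constructed for the example.

```python
"""Policy-as-code checks for documents kept in git (added example, not from the thread).

Assumes each policy is a Markdown file with a small front-matter block (the
keys below are an assumption for this example) and '## ' section headings.
A heading that ends in '(internal)' marks procedure-level detail that stays
in the same file but must not go to a prospect without an NDA.
"""
import re
from datetime import date

# Elements a policy (as opposed to a procedure) should carry, following the
# auditor's list in the thread; the exact section names are an assumption.
REQUIRED_SECTIONS = [
    "Purpose", "Scope", "Roles and Responsibilities", "Procedures",
    "Regulatory Requirements", "Review Cadence", "Dissemination", "Approval",
]
REQUIRED_META = ["title", "approved_by", "approved_on", "review_months"]
INTERNAL = "(internal)"

# Constructed sample policy for the example, not a real document.
SAMPLE_POLICY = """---
title: Encryption Management Policy
approved_by: CISO
approved_on: 2023-03-15
review_months: 12
---
## Purpose
Define how the company protects data at rest and in transit.

## Scope
All production systems and employee endpoints.

## Roles and Responsibilities
The Security team owns this policy; Engineering implements it.

## Procedures
Engineering maintains the key management procedure referenced below.

## Key Rotation Procedure (internal)
Customer-data keys are rotated every 90 days via the kms-rotate job.

## Regulatory Requirements
SOC 2 CC6.1 and CC6.7.

## Review Cadence
Reviewed annually or after a material change.

## Dissemination
Published on the internal wiki; acknowledged during onboarding.

## Approval
Approved by the CISO on the date above.
"""


def parse_policy(text):
    """Split a policy file into (front-matter dict, [(heading, body), ...])."""
    m = re.match(r"\A---\n(.*?)\n---\n(.*)\Z", text, re.S)
    if not m:
        raise ValueError("policy file has no front matter")
    meta = {}
    for line in m.group(1).splitlines():
        key, _, value = line.partition(":")
        meta[key.strip()] = value.strip()
    sections = []
    for chunk in re.split(r"^## ", m.group(2), flags=re.M)[1:]:
        heading, _, body = chunk.partition("\n")
        sections.append((heading.strip(), body.strip()))
    return meta, sections


def review_due(meta):
    """Next review date: approval date plus review_months (day clamped to 28)."""
    approved = date.fromisoformat(meta["approved_on"])
    months = approved.month - 1 + int(meta["review_months"])
    return date(approved.year + months // 12, months % 12 + 1, min(approved.day, 28))


def lint_policy(text, today):
    """Return findings for a policy file; an empty list means it passes.

    `today` is an ISO date string so the check is reproducible in CI.
    """
    meta, sections = parse_policy(text)
    findings = [f"missing front-matter key: {k}" for k in REQUIRED_META if k not in meta]
    present = {h.replace(INTERNAL, "").strip().lower() for h, _ in sections}
    findings += [f"missing section: {s}" for s in REQUIRED_SECTIONS
                 if s.lower() not in present]
    if "approved_on" in meta and "review_months" in meta:
        due = review_due(meta)
        if date.fromisoformat(today) > due:
            findings.append(f"policy review overdue: due {due.isoformat()}")
    return findings


def shareable_version(text):
    """Render the policy for a third-party review with internal sections withheld."""
    meta, sections = parse_policy(text)
    out = [f"# {meta.get('title', 'Policy')} (shareable version)", "",
           "Condensed for external security review; procedure detail is "
           "withheld and available under NDA.", ""]
    for heading, body in sections:
        if heading.lower().endswith(INTERNAL):
            out += [f"## {heading[:-len(INTERNAL)].strip()}", "",
                    "[withheld: procedure detail, available under NDA]", ""]
        else:
            out += [f"## {heading}", "", body, ""]
    return "\n".join(out)


if __name__ == "__main__":
    print("findings:", lint_policy(SAMPLE_POLICY, date.today().isoformat()))
    print(shareable_version(SAMPLE_POLICY))
```

Run from a CI job over every file under the policies directory, `lint_policy` fails the build when a required element is missing or the review date has lapsed, and `shareable_version` produces the condensed document that goes out before an NDA is signed; the `(internal)` convention keeps policy and procedure in one file, as the auditor above notes many teams do, while still making the split explicit at export time.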



  • 6.  RE: Should I share our Company Policies during a security assessment

    Posted 17 days ago
    Check out the documentation that Amazon and Microsoft publish on the topic of encryption. It is (or was when I last looked a year or so ago) extensive and impressive, and it is in addition to compliance certifications (so it is not part of any contract, but very informative and, because of the transparency and detail, very trust-inspiring). Here are some links to these (I can't find the AWS document any longer):
    https://docs.microsoft.com/en-us/microsoft-365/compliance/technical-reference-details-about-encryption?view=o365-worldwide
    https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide

    ------------------------------
    PAUL RICH
    Me
    me, myself, and I
    ------------------------------