Class Central Classrooms beta
YouTube videos curated by Class Central.
The Anti-Checklist Manifesto
- 1 Intro
- 2 The Anti-Checklist Manifesto: Thoughts On Assessing Third-Party Risk
- 3 Chances are, a business team set the deliverables. The legal team discussed the contract terms. Only then did the compliance and infosec team get brought in. Odds are, engineering wasn't consulted at all.
- 4 What Is To Be Done?
- 5 Ask questions. Up front.
- 6 A preliminary security speed bump at the start of a bake-off can prevent teams from wasting their time.
- 7 Speed bump. No more than 10 questions.
- 8 To work, these questions must be simple, and proxies for 'Security'.
- 9 Do you encrypt all our data in transit, and at rest within your systems? Are all our data segregated from other customers' data?
- 10 Please describe the architecture and segregation of customer data within S3 buckets, blob storage, etc.
- 11 Describe your internal authentication regime.
- 12 Please describe how you maintain least-privilege in your environments.
- 13 Do any of your internal systems use static credentials? How do you audit their use?
- 14 How do you manage secrets in your production and non-production environments?
- 15 Do you have a named executive responsible for security? What is their title, and to whom in the organization do they report?
- 16 Do you have written information security, data security, encryption, acceptable use, and physical security policies?
- 17 Does your company require all engineers to undergo regular secure coding training?
- 18 PISA: security questions before a bake-off. You still need DD; this just disqualifies providers. SOC 2 is not a free pass [butland]. Lack of SOC 2 isn't a disqualifier (use VSA Core). Seek sensible answe…