The Anti-Checklist Manifesto

Intro
The Anti-Checklist Manifesto Thoughts On Assessing Third Party Risk
Chances are, a business team set the deliverables The legal team discussed the contract terms Only then did the compliance and infosec team get brought in Odds are, engineering wasn't consulted at all
What Is To Be Done?
Ask questions. Up front.
A preliminary security speed bump at the start of a bake-off can prevent teams from wasting their time.
Speed bump. No more than 10 questions.
To work, these questions must be simple, and proxies for Security'.
Do you encrypt all our data in transit, and at rest within your systems? Are all our data segregated from other customers' data?
Please describe the architecture and segregation of customer data within S3 buckets/blob/etc storage.
Describe your internal authentication regime.
Please describe how you maintain least-privilege in your environments.
Do any of your internal systems use static credentials? How do you audit their use?
How do you manage secrets in your production and non-production environments?
Do you have a named executive responsible for security? What is their title, and to whom in the organization do they report?
Do you have written information security, data security, encryption, acceptable use, and physical security policies?
Does your company require all engineers to undergo regular secure coding training?
PISA: security questions before a bake-off. You still need DD- this just disqualifies providers. SOC2 is not a free pass [butland] Lack of SOC2 isn't a disqualifier (Use VSA Core) Seek sensible answers Stop the Spreadsheet Cat Rodeo.