Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Download Publication

Home
Publications
Streamlining Vendor IT Security and Risk Assessments
Streamlining Vendor IT Security and Risk Assessments

Streamlining Vendor IT Security and Risk Assessments

Release Date: 12/09/2018

Working Group: Open Certification Framework

Cloud computing has rapidly gained traction as a significant and even default IT system for many different organizations. In such a dynamic environment, cybersecurity is paramount—especially when third parties that provide cloud-based services to companies are involved. However, developing a comprehensive IT risk management program that involves third-party service providers often eludes many organizations, consuming a lot of time and cost while resulting in a limited understanding of a vendor’s risk profile.

In this paper, the Cloud Security Alliance (CSA) and the National Technology Security Coalition (NTSC) advocate for a new approach to how organizations manage risks, achieve assurance, and enable trust in the cloud. We encourage all stakeholders to increase their level of collaboration while utilizing existing standards and open tools. Through this document, we make it clear that the future of cybersecurity, the future of cloud security, and the resilience of our economy, is largely in the hands of the consumers of cloud services.

Key Takeaways:
  • How new technologies are significantly changing the cloud
  • The ways in which the cloud is shifting information security best practices
  • The state of IT regulatory environments related to cloud computing
  • The unique challenges that cloud computing poses to vendor management
  • The CSA resources you can use to create consistency, greater accountability, and security within the cloud ecosystem, such as the STAR Program, CCM, and CAIQCloud provider vetting best practices
  • Tips for rolling out cloud provider vetting programs and improving existing programs
  • Advanced program tools and insights that can help you get more out of your cloud provider vetting and assessments, such as our STAR cloud assurance certification
Who It’s For: CISOs, those looking for guidance on information technology regulation, and other parties interested in IT security assessment
Download this Resource

Prefer to access this resource without an account? Download it now.

Bookmark
Share
Related resources

Related Resources

PublicationsBlogs
Requirements for Bodies Providing STAR Certification
Requirements for Bodies Providing STAR Certific...
Download Now
STAR Level 1: Security Questionnaire (CAIQ v4)
STAR Level 1: Security Questionnaire (CAIQ v4)
Download Now
STAR Certification Guidance Document: Auditing the Cloud Controls Matrix (CCM)
STAR Certification Guidance Document: Auditing ...
Download Now
View all publications
What an Auditor Should Know about Cloud Computing Part 3
What an Auditor Should Know about Cloud Computing Part 3
Published: 04/27/2021
​CSA STAR Attestation and STAR Certification Case Studies
​CSA STAR Attestation and STAR Certification Case Studies
Published: 02/28/2021
Using CSA STAR to Improve Cloud Governance and Compliance
Using CSA STAR to Improve Cloud Governance and Compliance
Published: 12/19/2020
Continuous Auditing and Continuous Certification
Continuous Auditing and Continuous Certification
Published: 03/20/2020
View all blogs
View all webinars

Acknowledgements

John Yeoh
John Yeoh
Global Vice President of Research, CSA

John Yeoh

Global Vice President of Research, CSA

With over 15 years of experience in research and technology, John excels at executive-level leadership, relationship management, and strategy development. He is a published author, technologist, and researcher with areas of expertise in cybersecurity, cloud computing, information security, and next generation technology (IoT, Big Data, SecaaS, Quantum). John specializes in risk management, third party assessment, GRC, data protection, incid...

Read more

Hillary Baron
Hillary Baron
Senior Technical Director - Research, CSA

Hillary Baron

Senior Technical Director - Research, CSA

This person does not have a biography listed with CSA.

Luciano (J.R.) Santos
Luciano (J.R.) Santos
Chief Customer Officer, CSA

Luciano (J.R.) Santos

Chief Customer Officer, CSA

J.R. Santos serves as the Chief Customer Officer for the Cloud Security Alliance. In this role, J.R. serves as a CSA Member advocate, partnering with leaders across all business units to transform the member experience and ensure that members are the center of every business decision. J.R. leads the Experience Services organization that includes the CSA Membership and Sales team, who work collaboratively to promote a consistent experience f...

Read more

Frank Guanco
Frank Guanco
Research Program Manager, CSA

Frank Guanco

Research Program Manager, CSA

This person does not have a biography listed with CSA.

Sean Heide
Sean Heide
Technical Research Director, CSA

Sean Heide

Technical Research Director, CSA

This person does not have a biography listed with CSA.

​Aaron Guzman
​Aaron Guzman

​Aaron Guzman

Aaron is a passionate information security professional specializing in IoT, embedded, and automotive security. He is co-author of the “IoT Penetration Testing Cookbook” and a technical editor for the "Practical Internet of Things Security” Packt Publishing books. Aaron is co-chair of CSA’s IoT working group as well as a leader for OWASP’s IoT and Embedded Application Security projects; providing practical guidance to address the most commo...

Read more

Jim Reavis
Jim Reavis
Co-founder and Chief Executive Officer, CSA

Jim Reavis

Co-founder and Chief Executive Officer, CSA

For many years, Jim Reavis has worked in the information security industry as an entrepreneur, writer, speaker, technologist and business strategist. Jim’s innovative thinking about emerging security trends have been published and presented widely throughout the industry and have influenced many. Jim is helping shape the future of information security and related technology industries as co-founder, CEO and driving force of the Cloud Secur...

Read more

Pete Chronis Headshot Missing
Pete Chronis

Pete Chronis

This person does not have a biography listed with CSA.

Patrick Gaul Headshot Missing
Patrick Gaul

Patrick Gaul

This person does not have a biography listed with CSA.

Are you a research volunteer? Request to have your profile displayed on the website here.

Interested in helping develop research with CSA?

Join this Working Group
View all Working Groups

Related Certificates & Training