A company is in the process of outsourcing its customer relationship management system to a cloud provider. It will host the entire organization’s customer database. The database will be accessed by both the company’s users and its customers. The procurement department has asked what security activities must be performed for the deal to proceed. Which of the following are the MOST appropriate security activities to be performed as part of due diligence? (Select TWO).

A. Physical penetration test of the datacenter to ensure there are appropriate controls.
B. Penetration testing of the solution to ensure that the customer data is well protected.
C. Security clauses are implemented into the contract, such as the right to audit.
D. Review of the organization's security policies, procedures and relevant hosting certifications.
E. Code review of the solution to ensure that there are no back doors located in the software.

Answer: C, D

Explanation:

Due diligence refers to the investigation of a business or person carried out before a contract is signed. In an outsourcing deal it verifies the information the vendor has supplied about its processes, financials, experience and performance. Due diligence should verify the data supplied in the RFP and concentrate on the following:

Company profile, strategy, mission, and reputation

Financial status, including reviews of audited financial statements

Customer references, preferably from companies that have outsourced similar processes

Management qualifications, including criminal background checks

Process expertise, methodology, and effectiveness

Quality initiatives and certifications

Technology, infrastructure stability, and applications

Security and audit controls

Legal and regulatory compliance, including any outstanding complaints or litigation

Use of subcontractors

Insurance

Disaster recovery and business continuity policies

C (contractual security clauses such as the right to audit) and D (reviewing the provider's security policies, procedures and hosting certifications) both fall under "Security and audit controls" in the list above. They are the activities that can be completed before the deal proceeds, using documentation the provider already holds (audit reports, certifications, policy documents) and contract language that preserves the company's ability to verify the provider's controls over the life of the agreement.

Incorrect Answers:

A: A physical penetration test identifies the weaknesses and strengths of a site's physical security. It is an intrusive technical test of the provider's datacenter rather than a verification of the information the vendor has supplied, so it does not form part of due diligence. In practice a cloud provider will rarely allow a prospective customer to attempt physical entry; the hosting certifications reviewed in D, together with the right to audit in C, are the way physical controls are normally assured.

B: A penetration test is a simulated attack on a system that looks for exploitable security weaknesses. It is a technical assessment of the deployed solution rather than a verification of the information the vendor has supplied, so it does not form part of due diligence. Testing a provider's environment also requires the provider's explicit authorization, which is itself something the contract clauses in C would need to establish.

E: A security code review is an examination of an application's source code to identify security defects, including intentional ones such as back doors. It is a technical assessment of the software rather than a verification of the information the vendor has supplied, so it does not form part of due diligence. A cloud provider's source code is also seldom made available to a customer, so assurance over the software comes from the provider's development practices and independent audits covered by D.

References:

https://en.wikipedia.org/wiki/Due_diligence

http://www.ftpress.com/articles/article.aspx?p=465313&seqNum=5

http://seclists.org/pen-test/2004/Dec/11

Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 169
