The Importance of Having a Cloud Vendor Assessment Policy

August 30, 2018

Developing a vendor risk assessment process is vital for organizations of all sizes. In today’s security-conscious landscape, CIOs, IT teams, and InfoSec professionals need a Cloud Vendor Assessment Policy they can use to reinforce security standards and requirements for applications and infrastructure resources that users access via the Internet. A policy like this is vital to ensuring your organization’s data remains secure and is not compromised by the outside cloud vendors with which your organization conducts business.

In this article, we’ll review the basics of a Cloud Vendor Assessment Policy and provide you with access to a pre-populated template that you can implement at your organization right away.

What’s the purpose of a Cloud Vendor Assessment Policy?

In 2016, the number of data breaches increased 40%, with the average U.S. data breach costing $7.1 million. On top of that, 63% of data breaches are linked to third parties in some way.

At Whistic, we believe the purpose of this type of policy is to establish a standard of practice for the procurement, risk evaluation, and use of cloud-based software vendors that your organization relies on each and every day — and to protect you from becoming part of a statistic like the one above. By applying a Cloud Vendor Security Policy, you will provide your organization with a level of guidance and security when procuring vendors, managing users, protecting data, and securing assets that you would not be able to achieve otherwise.

Cloud vendors pose very different risks than other vendors, such as contractors, physical service providers, or even on-premises or installed technologies.

Some of the risks associated with using self-provisioned cloud services include:

  • Unclear, and potentially poor, access control or general security provisions
  • Sudden loss of service without notification
  • Sudden loss of data without notification
  • Data stored, processed, or shared on a cloud service may be mined for resale to third parties, which may compromise individuals’ privacy
  • The exclusive intellectual property rights to the data stored, processed, or shared on a cloud service may become compromised

While cloud services have extraordinary benefits (Whistic is a cloud-based vendor, after all), these solutions should be evaluated differently than other vendors due to their potential risks.

What should your organization consider when creating a Cloud Vendor Assessment Policy?

While there are many aspects that should be considered when creating a policy, such as level of risk, business criticality, risk evaluation steps, security assessment renewals, and policy compliance, it all starts by asking these two initial questions of your internal team:

  1. What data does the vendor store, transmit, process, or have access to? Consider data points like employee information, personally identifiable information (PII), customer data, financial records, HR information, marketing campaigns (which often include customer and prospective customer information), and even your company’s proprietary coding language.
  2. What applications or integrations does the third-party vendor have access to? Consider whether the vendor pulls in data from other systems in order to create richer profiles, such as a CRM or marketing automation system, or whether the vendor has connections to your accounting or email providers.

Download your free Cloud Vendor Assessment Policy template!

Developing your first Cloud Vendor Assessment Policy can often seem daunting, but it doesn’t have to be. By taking the first steps and asking your team the questions above, you’ll be well on your way to protecting your organization.

To help you get started, we’ve created a thorough template that you and your team can use as a starting point when developing your own policy. Download it, customize it, and make it your own:
