I'm seeking guidance on establishing general regulatory compliance with our cloud vendors. What should I be aware of and include? Are there any best practices or templates available to assist me in this process?

Strategy & Digital Transformation VP, Information Technology in Manufacturing, a year ago

Building upon what others have said, each of the major cloud providers offers policy "overlays" for cloud environments. Say you need to be PCI compliant: both AWS and Azure have reviewed areas of risk and control specific to that framework. When you apply that governance framework to your instance, it will highlight your compliant and non-compliant configurations.

At the higher vendor management level, we ask any vendor we work with to complete a security questionnaire which explores topics of security, patching, data management, change management, etc. Smaller providers will tend to answer directly. Larger providers will tend to have a set of governance documents, such as a SOC 2 report. We will review those and potentially accept them in lieu of our questionnaire.

I hope this helps.
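The overlay approach described in the comment above produces a list of rules marked compliant or non-compliant; the useful next step is turning that list into something a review or pipeline can act on. The following is an added example, not code from the commenter or from AWS: it parses a constructed JSON document shaped like the output of `aws configservice describe-conformance-pack-compliance`, counts rule states, and fails a gate unless every NON_COMPLIANT rule is covered by a documented risk acceptance. The pack name and rule names in the sample are illustrative assumptions, not output from a real account.

```python
import json
from collections import Counter

# Constructed sample, shaped like the JSON returned by
#   aws configservice describe-conformance-pack-compliance --conformance-pack-name <name>
# Pack and rule names are illustrative assumptions, not a real account's output.
SAMPLE_RESPONSE = json.dumps({
    "ConformancePackName": "pci-dss-overlay",
    "ConformancePackRuleComplianceList": [
        {"ConfigRuleName": "s3-bucket-public-read-prohibited", "ComplianceType": "NON_COMPLIANT"},
        {"ConfigRuleName": "cloudtrail-enabled", "ComplianceType": "COMPLIANT"},
        {"ConfigRuleName": "rds-storage-encrypted", "ComplianceType": "NON_COMPLIANT"},
        {"ConfigRuleName": "iam-root-access-key-check", "ComplianceType": "COMPLIANT"},
        {"ConfigRuleName": "guardduty-enabled-centralized", "ComplianceType": "INSUFFICIENT_DATA"},
    ],
})


def parse_pack_compliance(raw_json):
    """Return (pack_name, {rule_name: compliance_type}) from the describe output."""
    doc = json.loads(raw_json)
    rules = {
        r["ConfigRuleName"]: r["ComplianceType"]
        for r in doc.get("ConformancePackRuleComplianceList", [])
    }
    return doc.get("ConformancePackName", ""), rules


def summarize(rules):
    """Count rules per compliance state, e.g. {'COMPLIANT': 2, 'NON_COMPLIANT': 2, ...}."""
    return dict(Counter(rules.values()))


def failing_rules(rules, accepted_exceptions=frozenset()):
    """NON_COMPLIANT rules that are not covered by a documented risk acceptance."""
    return sorted(
        name for name, state in rules.items()
        if state == "NON_COMPLIANT" and name not in accepted_exceptions
    )


def gate(raw_json, accepted_exceptions=frozenset()):
    """True only when no unaccepted NON_COMPLIANT rule remains.

    INSUFFICIENT_DATA rules do not fail the gate here, but they are not a pass
    either: report them separately so someone checks why the rule has no data.
    """
    _, rules = parse_pack_compliance(raw_json)
    return not failing_rules(rules, accepted_exceptions)


if __name__ == "__main__":
    name, rules = parse_pack_compliance(SAMPLE_RESPONSE)
    print(f"{name}: {summarize(rules)}")
    for rule in failing_rules(rules):
        print(f"  NON_COMPLIANT: {rule}")
    for rule, state in rules.items():
        if state == "INSUFFICIENT_DATA":
            print(f"  INSUFFICIENT_DATA (needs follow-up): {rule}")
    print("gate:", "PASS" if gate(SAMPLE_RESPONSE) else "FAIL")
```

Keeping the accepted-exception list in version control alongside the ticket or risk-acceptance reference gives auditors the trail they ask for: which non-compliant configurations were knowingly accepted, by whom, and when.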

IT Director in Healthcare and Biotech, a year ago

A good starting point would be to check your vendor's compliance management details. AWS provides the "Artifact" service https://aws.amazon.com/artifact/ for this, Azure has a comprehensive list of compliance documents https://learn.microsoft.com/en-us/azure/compliance/ and GCP has their compliance resource center https://cloud.google.com/compliance?hl=en. 

You should also be mindful of the SLAs, data security and access policies in their shared responsibility models to ensure that you are covering any possible gap that they are not covering. There are generic SLAs but you might have agreed something more specific in your contract.

For templates, a good starting point would be the Cloud Security Alliance Cloud Controls Matrix (https://cloudsecurityalliance.org/research/cloud-controls-matrix) and the NIST compliance templates.

As compliance requirements vary a lot depending on the country where your company provides services and per industry, consider also looking into more specific guidance like the ISO/IEC 27001 Toolkit, the GDPR Compliance Checklist or the PCI DSS Self-Assessment Questionnaire.
