Limit Which Documents Are Given to 3rd Party Vendor/Provider During Vetting Process #67
Replies: 1 comment
-
Can you define vendor here? Are you referring more to a services-type vendor like an MSP? In the context of a software vendor, I don't know why they would need to know this level of detail about their customers' environment, but I would say the reverse of this bad practice is also true: as a software vendor, there is a level of detail where, if asked by the customer/prospect, a line should be drawn. To be clear, something must be given to the customer/prospect for their risk management process. In truth, SOC2 reports don't provide much detail at all (mostly high level), but a customer getting deep into the trenches of a service they do not have internal visibility of is a huge risk to the service provider, even under NDA.
-
Refrain from providing potential 3rd party vendors with "too" much information.
3rd party entities are requesting information above and beyond SOC2 reports and HITRUST certs. We need to be cautious about what is provided to a vendor. Do not hesitate in providing heavily redacted documents. If the vendor's request for information is reasonable, only provide EXACTLY what they request and nothing else. Some, if not many, of these documents may contain critical infrastructure information.