Cyber security is truly a shared responsibility. To ensure our solutions are compliant and deliver maximum security, confidentiality, and reliability, we work closely with our partners and customers. To do this effectively, vendors, sub-service organizations, and users should understand what shared responsibility means and who is responsible for what.
In a shared technology model, vendors, sub-service organizations, and users are responsible for upholding specific responsibilities for a system to work effectively.
For example, software as a service (SaaS) vendors, like AuditDashboard, are typically responsible for all physical and logical security. In AuditDashboard's case, we assure users that our services are available and accessible, and that all data is encrypted when in transit and stored on our servers.
Users will also have their own set of responsibilities when it comes to physical and logical security. For example, firm users are given specific access rights in AuditDashboard that may allow them to view and download confidential data that their clients have uploaded for review. It is the customer's responsibility to set and monitor these access rights and outline how this data should be handled once it is downloaded. In this case, it is essential to define where the data can be stored, when it should be deleted, and what should happen if it falls into the wrong hands.
Vendors should clearly outline shared responsibilities in contracts and supplementary documentation. Where possible, technology partners should go the extra mile to automate the enforcement of specific commitments to make their customers' lives easier.
Password complexity is an excellent example of this. SaaS vendors often ask end-users to set a strong, unique, and confidential password. In practice, end-users are rarely trusted to uphold this responsibility. Instead, vendors like AuditDashboard establish automated application controls that require passwords to meet industry-accepted complexity and length requirements.
Another example is when customers are responsible for managing data retention. It is hard to manage document retention policies without automation, and a SaaS vendor like AuditDashboard offers flexible and automated mechanisms to help our clients with this process.
Everyone has a responsibility to ensure partners, customers, and end-users understand where they fit in the ecosystem of shared cybersecurity responsibility. Data supply chains are only as strong as their weakest link. Understanding your role, your organization's role, and where and how these shared responsibilities intersect could help prevent an incident that jeopardizes the security, compliance, confidentiality, or reliability of your system.