Does your annual review include all partners/third-party providers upon which your information supply chain depends?
Do you permit tenants to perform independent vulnerability assessments?
Do you have external third-party services conduct vulnerability scans and periodic penetration tests on your applications and networks?
Do you review all agreements, policies, and processes at least annually?
Do you assure reasonable information security across your information supply chain by performing an annual review?
Do third-party agreements include provision for the security and protection of information and assets?
Do you provide the client with a list and copies of all subprocessing agreements and keep this updated?
Do you review the risk management and governance processes of partners to account for risks inherited from other members of that partner’s supply chain?
Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate, and relevant agreements (e.g., SLAs) between providers and customers (tenants)?
Do you have the ability to measure and address non-conformance of provisions and/or terms across the entire supply chain (upstream/downstream)?