Establish Proof of Security Testing
Once the SLA is established, make sure that both sides are clear about the nature, depth and frequency of independent security testing. As part of this, ask the CSP to provide specific documents describing the security testing practices it uses. These may include, for example, penetration testing of the CSP's wired and wireless networks, or of its web applications. The frequency of testing should be determined by your company's specific needs, with quarterly or semi-annual checks being the most common. Annual testing is not enough and leaves room for vulnerabilities to go unnoticed for too long. Likewise, monthly security testing is too frequent and would not show enough substantial change to identify risks or exposure points.