How to enforce effective controls and compliance therewith:
CSA Swiss Chapter Research Topics
October 30, 2025

- Use an industry standard control framework such as CSA CCM, add TPAM (Temporary Privileged Access Management), and for PII / CID add within-jurisdiction storage & processing and Location Aware Access Controls
- Demand a clean SOC 2 Type 2 or CSA STAR Level 2 report with full details and the scope of controls, plus an independent pen test with remediation confirmation; all of these renewed annually and given to you in full detail, for all Third Party Service Providers and all of their Supply Chain
- Audit the controls and insist on detailed feedback with supporting evidence; raise findings and ask for remediation, for all Third Party Service Providers and all of their Supply Chain
- For all findings on control or operating effectiveness failures, demand design change proposals and nail them in the contract with sanctions and exit clause
- Review implementation of the design changes
- Continuously review adherence to the controls and the design agreed, for all Third Party Service Providers and all of their Supply Chain
- Demand implementation with evidence of the 12 Golden Controls:
  - Temporary Privileged Access Management
  - Multi-Factor Authentication
  - HSM backed key vault with Customer Specific Keys
  - Unstructured data classification and encryption and DLP
  - Log immutability
  - Records immutability
  - Jurisdiction specific storage and processing: if you process PII or CID in the SaaS, demand and obtain supporting evidence of within-jurisdiction storage and processing and of Location Aware Access Control for all users, including support staff and privileged / admin roles
  - Data segregation by customer
- Nail the above concretely in your contracts with all Third Party Service Providers, and require that it flows down into their respective contracts with all of their Supply Chain sub-service providers, with sanctions and exit clause
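The jurisdiction and data-segregation controls above are easy to state and easy to get wrong in implementation, typically by exempting support or admin roles. The following is an added illustration, not code from the CSA or from any service provider, of what an access decision that honours both controls looks like: the record's storage region and the session's verified location must both fall inside the jurisdiction allowed for the data class, the session may only reach its own tenant's data, unclassified data is denied by default, and the role field is deliberately never consulted, so admin and support sessions get no bypass. The class names, the `ALLOWED_REGIONS` table and the sample sessions are constructed assumptions for the example.

```python
"""Constructed policy check for 'jurisdiction specific storage and processing'
and 'data segregation by customer'.  Hypothetical names; added example only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    tenant: str          # customer the record belongs to
    data_class: str      # "PII", "CID" or "public" (output of the classification control)
    storage_region: str  # country code of the datastore holding the record


@dataclass(frozen=True)
class Session:
    user: str
    tenant: str    # customer the session is acting on behalf of
    role: str      # "user", "support" or "admin"; intentionally unused by evaluate()
    location: str  # verified country code of the session (assumed to come from a
                   # trusted source such as a managed-device or network attestation)


# Constructed: which jurisdictions may hold and access each data class.
# None means no location restriction.  Classes absent from the table are denied.
ALLOWED_REGIONS = {
    "PII": {"CH"},
    "CID": {"CH"},
    "public": None,
}


def evaluate(session: Session, record: Record):
    """Return (allowed, reasons); reasons is empty exactly when allowed."""
    reasons = []

    # Data segregation by customer: a session only reaches its own tenant's data.
    if session.tenant != record.tenant:
        reasons.append(f"tenant mismatch: session={session.tenant} record={record.tenant}")

    # Unclassified data is denied rather than treated as unrestricted.
    if record.data_class not in ALLOWED_REGIONS:
        reasons.append(f"unclassified data class: {record.data_class}")
        return False, reasons

    allowed = ALLOWED_REGIONS[record.data_class]
    if allowed is not None:
        # Within-jurisdiction storage and processing.
        if record.storage_region not in allowed:
            reasons.append(f"{record.data_class} stored outside jurisdiction ({record.storage_region})")
        # Location aware access control, applied to every session regardless of role.
        if session.location not in allowed:
            reasons.append(f"{record.data_class} accessed from outside jurisdiction ({session.location})")

    # Note what is absent: no branch on session.role.  Support and admin sessions
    # face exactly the same tenant and location tests as ordinary users.
    return (not reasons), reasons


def audit_line(session: Session, record: Record) -> str:
    """One immutable-log-ready line per decision, allow or deny."""
    allowed, reasons = evaluate(session, record)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} user={session.user} role={session.role} loc={session.location} "
            f"tenant={session.tenant} class={record.data_class} "
            f"region={record.storage_region} reasons={';'.join(reasons) or '-'}")


if __name__ == "__main__":
    swiss_pii = Record(tenant="acme", data_class="PII", storage_region="CH")
    # Constructed sessions: a normal user in jurisdiction, support staff abroad,
    # an admin abroad, and a user of a different customer.
    for s in (
        Session("alice", "acme", "user", "CH"),
        Session("bob-support", "acme", "support", "DE"),
        Session("root", "acme", "admin", "US"),
        Session("carol", "globex", "user", "CH"),
    ):
        print(audit_line(s, swiss_pii))
```

Only the first session is allowed; the admin session is denied for the same reason as the support session, which is the property an auditor should look for when reviewing a provider's evidence for this control: the location check is enforced in the decision path, not by policy text that privileged roles can step around.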