Episode 9 — Govern service providers and shared responsibility rigorously

This episode covers service provider governance, an area the ISA exam tests heavily because misunderstandings here cause real incidents and failed assessments. You’ll define what PCI considers a service provider, what shared responsibility actually means, and why “the vendor does PCI” is never a complete control statement. We’ll cover how to evaluate and document responsibilities for hosting providers, managed security services, payment gateways, support platforms, and outsourced development, including how scope and evidence change when third parties administer systems that can impact the CDE. You’ll learn how to review attestations, validate the applicability of a provider’s controls to your environment, and confirm that contracts and operational procedures match reality. We’ll also discuss troubleshooting situations like missing AOCs, unclear responsibility for patching, and vendors that limit access to logs or configurations, along with practical approaches for closing gaps through governance, technical controls, and evidence requirements that support a credible assessment. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.