

# Viewing the security profile of a product with AWS Marketplace Vendor Insights
<a name="buyer-vendor-insights-view-profile"></a>

AWS Marketplace Vendor Insights gathers security data from sellers. A product's security profile displays updated information about the product's security, resiliency, compliance, and other factors needed for your assessment. This information supports buyers like you by helping you to procure trusted software that continuously meets industry standards. For each software as a service (SaaS) product that it assesses, AWS Marketplace Vendor Insights gathers the evidence-based information for multiple security controls.

**Topics**
+ [Dashboard in AWS Marketplace Vendor Insights](#dashboard-vendor-insights)
+ [Viewing the security profile of a SaaS product](#view-data)
+ [Understanding control categories](#control-categories)

## Dashboard in AWS Marketplace Vendor Insights
<a name="dashboard-vendor-insights"></a>

The dashboard presents the compliance artifacts and security control information that AWS Marketplace Vendor Insights gathers for a software product. It provides evidence-based information for all security [control categories](#control-category-sets) and consolidates changes in compliance information, such as a change in data residency or a certification expiration. AWS Marketplace Vendor Insights removes the need for you to create additional questionnaires and use risk assessment software. With a consistently updated and validated dashboard, you can continuously monitor the software's security controls after procurement.

## Viewing the security profile of a SaaS product
<a name="view-data"></a>

AWS Marketplace Vendor Insights helps you make decisions about a seller's software. AWS Marketplace Vendor Insights extracts data from a seller's evidence-based information across 10 control categories and multiple controls. You can view profile and summary information for a SaaS product on the dashboard, or select control categories to learn more about the data gathered. To view compliance information through the profile, you must be subscribed to the product and granted access.

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **Vendor Insights**.

1. From **Vendor Insights**, choose a product. 

1. On the **Profile detail** page, choose the **Security and compliance** tab.

   **Note**  
   A number in a red circle indicates the number of non-compliant controls.

1. For **Control categories**, choose the text under any of the listed categories to view more information. 
   + Choose the first control name (**Do you have a policy/procedure to ensure compliance with applicable legislative, regulatory and contractual requirements?**).
   + Read the information presented. You can also view third-party reports from AWS Artifact or view exceptions from the auditor.
   + Select the product name in the navigation above to return to the **Product detail** page.

## Understanding control categories
<a name="control-categories"></a>

AWS Marketplace Vendor Insights provides you with evidence-based information from multiple controls within 10 control categories. AWS Marketplace Vendor Insights gathers the information from three sources: vendor production accounts, vendor self-assessment, and vendor ISO 27001 and SOC 2 Type II reports. For more information about these sources, see [AWS Marketplace Vendor Insights](buyer-vendor-insights.md).

The following list provides a description of each control category:

Access management  
Identifies, tracks, manages, and controls access to a system or application.

Application security  
Verifies if security was incorporated into the application when designing, developing, and testing it.

Audit, compliance, and security policy  
Evaluates an organization's adherence to regulatory requirements.

Business resiliency and continuity  
Evaluates the organization’s ability to quickly adapt to disruptions while maintaining business continuity.

Data security  
Protects data and assets.

End user device security  
Protects portable end user devices and the networks they are connected to from threats and vulnerabilities.

Human resources  
Evaluates the employee-related division for its handling of sensitive data during processes such as hiring, paying, and terminating employees.

Infrastructure security  
Protects critical assets from threats and vulnerabilities.

Risk management and incident response  
Evaluates the level of risk deemed acceptable and the steps taken to respond to risks and attacks.

Security and configuration policy  
Evaluates the security policies and security configurations that protect an organization's assets.

### Control category sets
<a name="control-category-sets"></a>

The following tables provide detailed information for each category, including the values gathered for that category. The following list describes the type of information within each column of the table:
+ **Control set** – Controls are assigned to a control set, and each control reflects the security function of its category. Each category has multiple control sets.
+ **Control name** – Name of the policy or procedure. "Requires manual attestation" means written confirmation or documentation of the policy or procedure is required.
+ **Control description** – Questions, information, or documentation needed about this policy or procedure.
+ **Evidence extraction detail** – Information and context needed about the control to further obtain the data needed for this category.
+ **Sample value** – An example, given for guidance, of what a compliance value for this category might look like so that it's in accordance with regulatory standards.

**Topics**
+ [Control category sets](#control-category-sets)
+ [Access management controls](#access-management)
+ [Application security controls](#application-security)
+ [Audit and compliance controls](#audit-comp-controls)
+ [Business resiliency controls](#business-resiliency)
+ [Data security controls](#data-security-controls)
+ [End user device security controls](#end-user-device-security)
+ [Human resources controls](#human-resources)
+ [Infrastructure security controls](#infrastructure-security)
+ [Risk management and incident response controls](#risk-management-incident-response)
+ [Security and configuration policy controls](#security-configuration-policy)

### Access management controls
<a name="access-management"></a>

Access management controls identify, track, manage, and control access to a system or application. This table lists the values and descriptions for access management controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Application security controls
<a name="application-security"></a>

Application security controls verify if security was incorporated into the application when designing, developing, and testing it. This table lists the values and descriptions for application security policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Audit and compliance controls
<a name="audit-comp-controls"></a>

Audit and compliance controls evaluate an organization's adherence to regulatory requirements. This table lists the values and descriptions for audit and compliance controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Business resiliency controls
<a name="business-resiliency"></a>

Business resiliency controls evaluate the organization’s ability to quickly adapt to disruptions while maintaining business continuity. This table lists the values and descriptions for business resiliency policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Data security controls
<a name="data-security-controls"></a>

Data security controls protect data and assets. This table lists the values and descriptions for data security controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### End user device security controls
<a name="end-user-device-security"></a>

End user device security controls protect portable end user devices and the networks they are connected to from threats and vulnerabilities. This table lists the values and descriptions for end user device security policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Human resources controls
<a name="human-resources"></a>

Human resources controls evaluate the employee-related division for its handling of sensitive data during processes such as hiring, paying, and terminating employees. This table lists the values and descriptions for human resources policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Infrastructure security controls
<a name="infrastructure-security"></a>

Infrastructure security controls protect critical assets from threats and vulnerabilities. This table lists the values and descriptions for infrastructure security policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Risk management and incident response controls
<a name="risk-management-incident-response"></a>

Risk management and incident response controls evaluate the level of risk deemed acceptable and the steps taken to respond to risks and attacks. This table lists the values and descriptions for risk management and incident response policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Security and configuration policy controls
<a name="security-configuration-policy"></a>

Security and configuration policy controls evaluate security policies and security configurations that protect an organization's assets. This table lists the values and descriptions for security and configuration policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)