Acceptable business risks must be managed, and none more so than those associated with external vendors who often have intimate access to infrastructure or business data.

As we’ve seen with numerous breaches where attackers were able to leverage a weakness in a contractor or service provider, third-party risk must be assessed and mitigated during the early stages, as well as throughout a partnership. The following tips can help security decision-makers more effectively address the risks posed by relationships with technology vendors.

Do your homework

Conducting thorough due diligence on a prospective vendor is essential. Organisations could evaluate technical and regulatory risk through due diligence questionnaires, for example, or even on-site visits if necessary. The point is to evaluate not only a third party’s information security risk but also its compliance with regulations such as GDPR for privacy and PCI DSS for payment card security. An organisation may also want to evaluate a third party’s adherence to industry standards such as NIST or ISO in certain security- and privacy-related areas.

Next, consider what this compliance information doesn’t tell you. What do you still need to learn about the vendor’s security posture before deciding whether you’re comfortable with it? Think about what questions you still have and, if possible, seek answers from the vendor’s appropriate security contact. Here are some questions to pose:

  • When was your last penetration test? Is your remediation on schedule?
  • Have you documented security incidents? How did you remediate those incidents?
  • Do you have the result of your last business continuity test? If yes, can you share it?
  • What security controls exist for your users? Do they use multifactor authentication and so on?
  • How are you maturing your security program?
  • Are you ISO, SOC 1/SOC 2 and NIST compliant, and is there documentation to support this?

Additional security: it’s all in the controls

If you’re dissatisfied with the answers from a potential partner regarding their security, it’s OK to walk away, especially if you determine that working with the vendor is not critical to your business. That’s not always the case, however. If you must partner with a particular third party and no other reputable vendor offers anything comparable, you will likely need to implement additional technical and/or policy controls to mitigate the security risks associated with your business’s use of the offering, such as:

Technical: These are typically restrictions on the access and/or technical integrations of vendor offerings. For example, if a product is web-based but unencrypted, consider blocking users on your network from accessing its website; provided the proper authentication is in place, use its API instead. In most cases, there are two options:

  • Remediation: Can you work with the vendor to remediate the technical risk?
  • Compensating controls: If you cannot remediate the risks entirely, can you establish technical compensating controls to minimise or deflect the risk?

Policy: These are policies that users of the offering should follow, such as limits on the types and amounts of data that can be input securely.

Some typical policy scenarios include:

  • Regulatory compliance: For example, a vendor’s non-compliance could mandate you walk away from a third-party relationship.
  • Contractual obligations: Are there contractual obligations in place with your existing clients that prevent you from working with vendors who don’t meet certain security and privacy standards?
  • Security best practices: Ensure your policies around risk are enforced and determine whether they may conflict with your vendors’ policies.

Asset inventory is a must

There are several reasons why it’s imperative to know which of your business’s assets the vendor will be able to store and/or access. First, this knowledge helps identify and shape any additional security controls. Second, having it on hand is crucial should the vendor suffer a breach. Knowing exactly which assets were impacted, as well as who is doing what with your inventory, can expedite your response and let you identify and mitigate any exposure efficiently and effectively.
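The two practical points above, the compensating technical control for an unencrypted vendor web offering and the asset inventory that answers “what is exposed if this vendor is breached?”, can be kept in one small record. The following is an added example written for this page, not code from the article or from Flashpoint; every vendor name, URL and asset in it is constructed sample data, and the rule format it emits is a hypothetical one for illustration rather than any particular firewall’s syntax.

```python
"""Vendor access inventory with a breach-exposure query and a
compensating-control check (added example; all data below is constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse


@dataclass
class Vendor:
    name: str
    endpoints: List[str]                      # URLs through which the offering is reached
    assets: Set[str] = field(default_factory=set)   # our assets the vendor can store/access
    data_classes: Set[str] = field(default_factory=set)  # e.g. PCI, PII, regulated data


def plaintext_endpoints(vendor: Vendor) -> List[str]:
    """Endpoints reachable without transport encryption (scheme is plain http)."""
    return [u for u in vendor.endpoints if urlparse(u).scheme == "http"]


def compensating_controls(vendor: Vendor) -> List[Tuple[str, str, str]]:
    """Derive (action, host, reason) rules: block plaintext web UIs, allow TLS API
    hosts, and flag anything else for manual review. Hypothetical rule format."""
    rules = []
    for url in vendor.endpoints:
        p = urlparse(url)
        if p.scheme == "http":
            rules.append(("block", p.hostname, "plaintext web UI"))
        elif p.scheme == "https":
            rules.append(("allow", p.hostname, "authenticated API over TLS"))
        else:
            rules.append(("review", p.hostname, f"unexpected scheme {p.scheme}"))
    return sorted(rules)


# Constructed sample inventory: two fictional vendors and fictional assets.
INVENTORY: List[Vendor] = [
    Vendor(
        "PayProc (constructed)",
        ["https://api.payproc.example/v1", "http://portal.payproc.example/login"],
        assets={"customer-db", "card-tokens"},
        data_classes={"PCI"},
    ),
    Vendor(
        "HelpDeskCo (constructed)",
        ["https://app.helpdesk.example"],
        assets={"ticket-archive"},
        data_classes={"PII"},
    ),
]


def exposure_on_breach(inventory: List[Vendor], vendor_name: str) -> Dict[str, List[str]]:
    """Incident-response question: which of our assets and data classes are in
    scope if this vendor is compromised?"""
    for v in inventory:
        if v.name == vendor_name:
            return {"assets": sorted(v.assets), "data_classes": sorted(v.data_classes)}
    raise KeyError(f"unknown vendor: {vendor_name}")


def vendors_with_access(inventory: List[Vendor], asset: str) -> List[str]:
    """Reverse lookup: every vendor that can reach a given asset."""
    return sorted(v.name for v in inventory if asset in v.assets)


if __name__ == "__main__":
    for v in INVENTORY:
        print(v.name)
        for rule in compensating_controls(v):
            print("  ", *rule)
        print("   exposure if breached:", exposure_on_breach(INVENTORY, v.name))
    print("vendors touching customer-db:", vendors_with_access(INVENTORY, "customer-db"))
```

Running the script prints, for each constructed vendor, the derived block/allow rules and the assets that would be in scope in a breach; the reverse lookup answers the “who is doing what with your inventory” question from the asset side.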

Written by Josh Lefkowitz, CEO of Flashpoint

by IBS Intelligence