Ask the CISO: Third-Party Vendor Management

Reader Question: Should we be documenting our relationships with third-party vendors and should third-party vendors be required to incorporate security controls?

This is a very timely question. The majority of companies rely on some degree of outsourcing, yet we often lack adequate visibility into the depth of the relationship we have with our vendors. In recent months, vendor-provided and vendor-managed point-of-sale systems used by restaurants have been compromised by malware, resulting in credit card data being breached. We have also seen vendor-managed HVAC systems connected to corporate networks used as an initial infiltration point.

We should be documenting our relationships with third-party vendors. This documentation should include categories, such as: Is it a critical vendor? Does it have direct access to corporate premises or systems? What services does it currently provide, and have they changed over time?

It is not uncommon for vendors to take on more services if they have had success with other services. However, this may require additional security controls that may not have been part of the initial review. Third-party vendors need to have appropriate security controls in place for the type of service that they are providing.

In addition, the terms of the contract or services agreement are very important. The contract should include the expectation of maintaining adequate security based on the nature of the service being provided, the right to audit, and the expectation that the vendor notifies you if it outsources any of the services that you contracted to receive.

For example, let’s suppose that you contract with a marketing firm and you give them your customer data. Originally, the firm was processing the data in its own data center. Now, for cost savings, the marketing company has opted to host that data in the cloud. A change of this kind should require it to notify your company.

Lastly, vendors do need to be reviewed on a regular basis. The frequency of this review should be based on the criticality of the vendor and the nature of the services that it provides to your organization.


Ask the CISO

To ask David a question, leave a comment below, tweet us (@InfosecurityMag) with the hashtag #AskTheCISO or email us at infosecurity.magazine@reedexpo.co.uk. David will aim to answer as many of your questions as possible in future blog posts.
