Google has decided to open source an internal vendor security framework so that firms can better assess the security posture of third parties looking to work with them.
The web giant first developed its Vendor Security Assessment Questionnaire (VSAQ) in a bid to streamline and automate the vendor review process, which has to deal with hundreds of potential partners each year.
It’s described in a blog post by Google Security duo Lukas Weichselbaum and Daniel Fabian as a “collection of self-adapting questionnaires for evaluating multiple aspects of a vendor's security and privacy posture.”
“We've received feedback from many vendors who completed the questionnaires. Most vendors found them intuitive and flexible — and, even better, they've been able to use the embedded tips and recommendations to improve their security posture,” they explained.
“Some also expressed interest in using the questionnaires to assess their own suppliers.”
As a result, Google is releasing the VSAQ Framework under the Apache License, Version 2.0, together with any “generally applicable parts of our questionnaires,” for the benefit of others.
The idea is not only that companies will use it to vet their own suppliers, but also that security-aware suppliers will use the framework as a self-assessment tool to improve their own security posture.
The framework itself comes with four questionnaire templates covering: web applications; security and privacy programs; infrastructure security; and physical and data center security.
These can then be extended with company-specific questions, Google said.
“The VSAQ Framework comes with a simple client-side-only reference implementation that's suitable for self-assessments, for vendor security programs with a moderate throughput, and for just trying out the framework,” Google concluded.
“For a high-throughput vendor security program, we recommend using the VSAQ Framework with a custom server-side component that fits your needs (the interface is quite simple).”
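To make the “self-adapting” idea concrete: a questionnaire engine shows follow-up questions only when an earlier answer makes them relevant, and attaches a remediation tip to answers that indicate a weakness. The block below is an added illustration written for this page; it is not VSAQ's own code, and the item schema (`cond`, `tip`, `in`) and the sample questions are assumptions made here, not VSAQ's template format. It also shows how a company-specific item is merged into a base template, as the article says the templates can be extended.

```javascript
// Illustrative self-adapting questionnaire engine (added example; the item
// schema is an assumption for this page, not VSAQ's template format).
// Items are plain data so a questionnaire can ship as JSON and be extended
// with company-specific items without changing the engine.

// Constructed sample of a web-application template.
const webAppTemplate = [
  { id: 'tls', type: 'yesno',
    text: 'Is all traffic to the application served over TLS?' },
  { id: 'tls_redirect', type: 'yesno',
    text: 'Are plain-HTTP requests redirected to HTTPS, with HSTS enabled?',
    cond: [{ id: 'tls', in: ['yes'] }],
    tip: { on: ['no'], text: 'Redirect HTTP to HTTPS and send a Strict-Transport-Security header.' } },
  { id: 'tls_plan', type: 'choice', options: ['in_progress', 'no_plan'],
    text: 'Is there a plan to move the application to TLS?',
    cond: [{ id: 'tls', in: ['no'] }],
    tip: { on: ['no_plan'], text: 'Credentials and session cookies sent in clear text can be captured on any network path.' } },
  { id: 'auth', type: 'choice', options: ['password', 'sso', 'none'],
    text: 'How do users authenticate?' },
  { id: 'mfa', type: 'yesno',
    text: 'Is multi-factor authentication available?',
    cond: [{ id: 'auth', in: ['password', 'sso'] }],
    tip: { on: ['no'], text: 'Offer MFA for all accounts and require it for administrative roles.' } },
];

// Constructed company-specific addition: only asked when the vendor
// stores passwords itself.
const companyItems = [
  { id: 'pw_hash', type: 'choice', options: ['bcrypt_or_argon2', 'sha_family', 'plain'],
    text: 'How are stored passwords protected?',
    cond: [{ id: 'auth', in: ['password'] }],
    tip: { on: ['sha_family', 'plain'], text: 'Use a slow, salted password hash such as bcrypt, scrypt or Argon2.' } },
];

// Merge extra items into a template, refusing duplicate ids so that a
// company question cannot silently shadow a base question.
function extend(base, extra) {
  const ids = new Set(base.map(item => item.id));
  for (const item of extra) {
    if (ids.has(item.id)) throw new Error(`duplicate item id: ${item.id}`);
    ids.add(item.id);
  }
  return base.concat(extra);
}

// An item is shown only when every condition refers to an already-answered
// item whose answer is in the allowed set; an unanswered parent hides its
// children, which is what makes the questionnaire adapt as it is filled in.
function isVisible(item, answers) {
  return (item.cond || []).every(c => c.id in answers && c.in.includes(answers[c.id]));
}

function visibleItems(questionnaire, answers) {
  return questionnaire.filter(item => isVisible(item, answers));
}

// Evaluate a (possibly partial) set of answers: which visible items are still
// open, and which answered items trigger a remediation tip.
function evaluate(questionnaire, answers) {
  const visible = visibleItems(questionnaire, answers);
  const unanswered = visible.filter(i => !(i.id in answers)).map(i => i.id);
  const findings = visible
    .filter(i => i.tip && i.id in answers && i.tip.on.includes(answers[i.id]))
    .map(i => ({ id: i.id, tip: i.tip.text }));
  return { unanswered, findings, complete: unanswered.length === 0 };
}

// Stand-alone demonstration.
const questionnaire = extend(webAppTemplate, companyItems);
console.log(evaluate(questionnaire, { tls: 'no', auth: 'password' }));
console.log(evaluate(questionnaire, {
  tls: 'no', tls_plan: 'no_plan', auth: 'password', mfa: 'no', pw_hash: 'sha_family',
}));

module.exports = { webAppTemplate, companyItems, extend, visibleItems, evaluate };
```

Because the engine only reads the answers it already has, a vendor who answers “no” to TLS never sees the HSTS question, and one who selects SSO never sees the password-hashing question; the tips attached to weak answers are the “embedded tips and recommendations” a self-assessing vendor can act on. A real deployment would add answer validation against each item's `options` and persist answers server-side, which is the part the article leaves to a custom component.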
Third-party risk is contributing to an ever-growing number of data breaches and security incidents, as outsourcing becomes the norm and CISOs struggle to manage the complexities involved.
In January TalkTalk admitted that three call center workers in India at its outsourcing provider Wipro had been arrested on suspicion of using customer data to commit follow-up identity fraud.