Understanding and Managing Third Party Vendor Risk

Organizations of all sizes, in every sector, around the world, are increasingly relying on external vendors for products and services that are vital to their operations. Correspondingly, the number of data breaches attributed to third party vendors is rising steadily.

It has become apparent that it is no longer sufficient for businesses to only secure their internally-controlled infrastructure and services. They must also diligently evaluate the security policies and procedures of third party vendors.

Conducting a security assessment is essential to gathering the information and documentation needed to confirm that the third party companies selected have the proper security mechanisms in place.

Understanding and Classifying Risk 
Before beginning a security assessment of a third party vendor, it is paramount to thoroughly understand the product or service being provided, the goals of the project, and the amount and sensitivity of the data being shared. These factors aid in classifying the inherent risks of an engagement and help tailor the assessment questions and attestations requested from the vendor.

There are many ways to classify risk. There are broad classifications such as compliance risk, financial risk, reputational risk and so forth. These categories can be further broken down into more granular descriptions.

As technology becomes more prevalent in all parts of business, there has been a shift toward classifying risks based on elements such as whether the vendor connects to internal company systems, whether the vendor has access to sensitive data such as Personally Identifiable Information (PII), or whether the vendor provides critical software.

Security Assessment Templates and Tools 
With an understanding of the engagement and the risks to the business, the next step is to initiate the security assessment of the vendor. Luckily, there are several digital options that make the assessment process easy and customizable to fit any scenario.

The Shared Assessments organization created the Standardized Information Gathering (SIG) Questionnaire Tools, which provide different levels of pre-built questionnaires based on industry standard frameworks.

Qualys also has a Security Assessment Questionnaire product that is cloud-based and has a simple-to-use drag-and-drop interface for selecting questions from popular security frameworks.

Security Assessment Questions and Documentation
Whether sending the vendor a formal questionnaire or conversing with the vendor via telephone or email, the goal is to obtain the necessary information to determine if the proper security practices are in place to make the risks acceptable. 

There are several fundamental questions and documentation items to consider verifying or requesting: 

A written information security policy
This document should have clear statements regarding access controls, password policies, data handling, etc.

Does the vendor encrypt data in transit and data at rest?
Encryption ensures sensitive data is protected while stored on computers, phones and databases, as well as when transmitted over a network between devices.

Business continuity and disaster recovery plans
Explains how the vendor will continue operations and guarantee the availability of their product or service during a time of adverse conditions.

Industry certifications
Industry certifications can provide confidence about a vendor’s security practices due to their standardization and often rigorous requirements. These certifications include:

Does the vendor conduct security assessments on third party companies they work with?
If so, what does the process entail?

Hiring practices
Whether a solution is highly technical or not, all businesses are a collection of people. Learning about how a vendor sources employees and whether they conduct background checks or other pre-employment screening can help you understand the people who will be accessing your company’s data or acting on your company’s behalf. 
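The classification factors above (connection to internal systems, access to PII, critical software, and the amount and sensitivity of data shared) and the documentation checklist can be combined into a repeatable intake step: score the engagement, derive an inherent-risk tier, and let the tier decide which evidence to request and which items are still outstanding. The following Python is an added illustration, not code from the article or from any assessment tool it mentions; the scoring weights, tier boundaries, tier-to-evidence mapping and the sample vendors are assumptions constructed for this example.

```python
"""Inherent-risk tiering for a third party vendor engagement (added example).

The risk factors and the evidence items come from the article; the weights,
tier thresholds and tier-to-evidence mapping are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Evidence items taken from the article's checklist, keyed for tracking.
EVIDENCE = {
    "infosec_policy": "Written information security policy",
    "encryption": "Encryption of data in transit and at rest",
    "bcdr": "Business continuity and disaster recovery plans",
    "certifications": "Industry certifications",
    "fourth_party": "Vendor's own assessment process for its third parties",
    "hiring": "Hiring practices and pre-employment screening",
}

# Assumed sensitivity scale for the data being shared.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Engagement:
    vendor: str
    connects_to_internal_systems: bool
    accesses_pii: bool
    provides_critical_software: bool
    data_sensitivity: str  # one of SENSITIVITY_WEIGHT's keys
    record_count: int      # approximate number of records shared


def inherent_risk_score(e: Engagement) -> int:
    """Additive score; the weights are assumptions for this example."""
    score = 0
    if e.connects_to_internal_systems:
        score += 3
    if e.accesses_pii:
        score += 3
    if e.provides_critical_software:
        score += 2
    score += SENSITIVITY_WEIGHT[e.data_sensitivity]
    if e.record_count >= 100_000:
        score += 2
    elif e.record_count >= 1_000:
        score += 1
    return score


def inherent_risk_tier(e: Engagement) -> str:
    """Map the score to low/medium/high; the boundaries are assumptions."""
    score = inherent_risk_score(e)
    if score >= 7:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def required_evidence(e: Engagement) -> list[str]:
    """Evidence to request, scaled to the tier plus factor-specific items."""
    tier = inherent_risk_tier(e)
    items = ["infosec_policy"]              # always requested
    if e.accesses_pii or e.data_sensitivity == "confidential":
        items.append("encryption")          # sensitive data must be protected
    if e.provides_critical_software:
        items.append("bcdr")                # availability depends on the vendor
    if tier in ("medium", "high"):
        items += ["encryption", "bcdr", "hiring"]
    if tier == "high":
        items += ["certifications", "fourth_party"]
    return list(dict.fromkeys(items))       # de-duplicate, keep order


def outstanding_evidence(e: Engagement, received: set[str]) -> list[str]:
    """Checklist items still missing after the vendor has responded."""
    return [key for key in required_evidence(e) if key not in received]


if __name__ == "__main__":
    # Constructed sample engagements, not real vendors.
    samples = [
        Engagement("payroll-saas", True, True, True, "confidential", 250_000),
        Engagement("event-caterer", False, False, False, "public", 50),
    ]
    for eng in samples:
        print(eng.vendor, inherent_risk_tier(eng), inherent_risk_score(eng))
        for key in outstanding_evidence(eng, {"infosec_policy"}):
            print("  outstanding:", EVIDENCE[key])
```

The value of keeping the mapping explicit is that the request list sent to a vendor can be traced back to the factors that produced it, which makes it easy to explain to the business why a low-risk caterer receives a lighter questionnaire than a payroll provider holding confidential PII.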

When working with third party vendors, the actions of both entities are often inextricably linked. A mistake or data breach by a third party vendor can lead to real consequences for both parties, including financial or reputational harm.  

The evidence is clear that it is no longer acceptable to make assumptions about the security practices of third party vendors. It is imperative to be proactive and engage with third parties to truly understand the products and services being provided and the security mechanisms in place to protect all of the data and systems involved.

Taharka Beamon is a New York native and CISSP who has spent the last 5 years of his career at Reed Exhibitions USA, where he is currently a Security Analyst. He specializes in working with global teams to facilitate third party vendor security assessments, vulnerability management and security awareness. Taharka is currently pursuing a Cybersecurity Graduate Certificate from Harvard Extension School. 
