[BreachExchange] Top 7 Questions to Ask Your Vendors about Their Security Policies

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 31 14:08:19 EDT 2017


http://resources.infosecinstitute.com/top-7-questions-ask-vendors-security-policies/

Cyber security is one of the most critical issues the U.S. faces today. The
threats are real, and the need is pressing. The state of cyber security is
unstable, especially given the enormous and growing scope of these threats.
Cyberspace's dynamic nature must therefore be acknowledged and addressed by
policies that are equally dynamic.

Because many past breaches began by targeting a vendor first, there is a
need to address the cyber threats associated with vendors. Evaluating a
vendor's security policies is one way to gain assurance about the security
of your data at the vendor's end. A security policy is a company's best
weapon in defending against a possible breach, or in restoring a network and
its information if a breach has happened. Having a security policy is a must
for any organization because it defines what should be done if users abuse
the network, or if there is a network outage due to a natural disaster or
an attack on the network.

The breach at Target Corp. that exposed credit card and personal data on
more than 110 million consumers appears to have begun with a malware-laced
email phishing attack sent to employees at an HVAC firm that did business
with the nationwide retailer. The details of more than 70m customers of the
food-to-clothes chain were compromised, including the accounts of more than
40m credit card holders, taken by a criminal who entered the system using
access granted to a refrigeration and air conditioning supplier.

With so many breaches worldwide, regardless of industry, organizations are
moving towards adopting security services to secure their communications and
data. However, a vendor that is both capable and secure is hard to find
nowadays. To make sure that your company stays ahead of the threat, consider
asking your vendors the following security questions:

Have you achieved any data protection standards?

There are security standards that a company should follow to stay
competitive in the market. Whether your organization prefers certification
against ISO 27001, SSAE 16 or Safe Harbor, those standards are doubly
important in your vendors, because you have much less control over entities
outside your company and, by extension, over the data you share with them.
Certification against ISO 27001 and the other standards a vendor adopts
provides the company with a strategic information security framework that
can help to win business and educate staff on key measures for protecting
valuable data.

How do you assess employees’ security understandings?

This question will give you an idea of how seriously they take security. If
they answer with a detailed, established process for their security
awareness program, that is a good sign. If not, remind yourself that human
error accounts for nearly all major security breaches.

A vendor that does not provide adequate, reliable security awareness
training is not worth further questions: drop that vendor and look for
another.

Do you separate customer data from the main infrastructure?

If your vendors give you detailed feedback about their practices, such as
their methods of encrypting data and transmitting it securely, they are
doing well. The same can be said of segmenting client data from critical
infrastructure: many breaches could have been easily avoided, or at least
their impact reduced, by storing sensitive customer data somewhere other
than where the vendor portal resided.

Not separating the database from the web server is the worst mistake a
vendor can make, because it makes the data far easier for an attacker to
reach. A database should reside on a separate database server located
behind a firewall, not in the DMZ with the web server. While this makes for
a more complicated setup, the security benefits are well worth the effort.
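As an added illustration (not code from the article), the following checker turns the segmentation rule above into something you can run against a vendor's described hosting layout: it flags a database co-located with the web server, a database placed in the DMZ, and a database port opened to the internet. The hosts, zones, port number and firewall rules are constructed sample data, and the layout model (explicit allow rules, default deny) is an assumption.

```python
# Added example, not the article's code: check a described hosting layout
# against the rule "database on its own host behind a firewall, not in the
# DMZ with the web server". All hosts, zones, ports and rules are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    zone: str                 # "dmz" or "internal"
    services: tuple           # any of "web", "db"

@dataclass(frozen=True)
class Rule:
    src_zone: str             # "internet", "dmz" or "internal"
    dst_host: str
    port: int

DB_PORT = 5432                # assumed database port (PostgreSQL default)

def segmentation_findings(hosts, rules):
    """Return human-readable findings; an empty list means the layout passes."""
    findings = []
    by_name = {h.name: h for h in hosts}
    for h in hosts:
        if "db" in h.services and "web" in h.services:
            findings.append(f"{h.name}: web server and database share one host")
        if "db" in h.services and h.zone == "dmz":
            findings.append(f"{h.name}: database sits in the DMZ")
    for r in rules:                          # rules are explicit allows; default deny
        dst = by_name[r.dst_host]
        if "db" in dst.services and r.port == DB_PORT and r.src_zone == "internet":
            findings.append(f"{dst.name}: database port {r.port} reachable from the internet")
    return findings

# Weak layout: one DMZ host runs both the portal and its database.
WEAK_HOSTS = [Host("portal", "dmz", ("web", "db"))]
WEAK_RULES = [Rule("internet", "portal", 443), Rule("internet", "portal", DB_PORT)]

# Corrected layout: web tier in the DMZ, database behind the inner firewall,
# and only the DMZ may open the database port.
GOOD_HOSTS = [Host("web1", "dmz", ("web",)), Host("db1", "internal", ("db",))]
GOOD_RULES = [Rule("internet", "web1", 443), Rule("dmz", "db1", DB_PORT)]

if __name__ == "__main__":
    for label, hosts, rules in (("weak", WEAK_HOSTS, WEAK_RULES),
                                ("corrected", GOOD_HOSTS, GOOD_RULES)):
        print(label, segmentation_findings(hosts, rules) or ["no findings"])
```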

What training do your development and testing teams receive specific to
application security?

This question is for vendors that provide software solutions, and it
carries its own weight in assessing the vendor's ability to secure your
organization's data. Many vendors neglect secure programming practices,
which leaves a huge gap in their security infrastructure when it comes to
defending against rapidly growing attack vectors and automated attacks. So
it is essential to find out what security-related training they provide to
their employees so that they can carry out their work securely.

What is your disaster recovery plan?

Asking this question is highly recommended and essential because the
answers tend to reveal how proactive a vendor is in keeping up with their
own data security and disaster planning. Their answers also indicate how
vigilant they are likely to be when things hit the fan. An active and
dedicated information security team is a plus that can make a huge
difference when it comes to sharing relevant threat data and detailing
exact plans for technology outages, to minimize financial loss to both your
business and theirs.

If the vendor does not have any recovery plan, it is risky to rely on them.
In many cases the attacker targets the vendor first to gain access to the
organization's details. So associating with a vendor that lacks an
effective security posture and a recovery plan is not worth it.

These are not the only questions that can help you make the final decision
on a vendor, but they are essential questions that should not be skipped.
Moreover, they will build a broader picture of what you are getting and how
reliable the vendor will be for your organization and its market growth.