[BreachExchange] Managing Risk a Must in Third-Party Relationships

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 2 10:06:52 EDT 2018


All businesses rely to some degree on external vendors, and as a result,
all businesses face some degree of vendor risk. Though most businesses have
no choice but to obtain internet services, security solutions, and a range
of other business-critical technologies from third-party providers, they do
have a choice in how they manage the associated security risks. The
following tips can help security decision-makers more effectively address
the risks posed by technology vendor relationships:

Be Hands-On With Due Diligence

Conducting thorough due diligence on a prospective vendor’s security is
essential. Start with the vendor’s website, where many post their security
compliance standards. Gathering this information is particularly important
if you require certain compliance certifications—such as GDPR if your
business processes or controls EU citizens’ data—but it should only serve
as the beginning of your due diligence process.

Next, consider what this compliance information doesn’t tell you. What do
you still need to learn about the vendor’s security posture before deciding
whether you’re comfortable with it? Think about what questions you still
have and, if possible, seek answers from the vendor’s appropriate security
contact. Here are some questions to pose:

● When was your last penetration test? Is your remediation on schedule?

● Have you documented your last five security incidents? How did you
remediate those incidents?

● Do you have the result of your last business continuity test? If yes,
can you share it?

● What security controls exist for your users? Do they use multifactor
authentication, etc.?

● How are you maturing your security program?

Be Ready to Implement Additional Security Controls

What happens if you’re unsatisfied with the answers? First, determine
whether working with the vendor is critical to your business. If no, it’s
important to recognize that sometimes you need to walk away. If yes, and if
no other reputable vendors offer anything comparable, you will likely need
to implement additional security controls to mitigate the risks associated
with your business's use of the offering, such as:

Technical: These are typically restrictions on the access and/or technical
integrations of vendor offerings. For example, if a product is web-based
but unencrypted, consider blocking users on your network from accessing its
website; provided the proper authentication is in place, use its API.

Policy: These are policies that users of the offering should follow, such
as limits on the types and amounts of data that can be input securely.

Keep Track of Your Assets

There are several reasons why it’s imperative to know which of your
business’s assets the vendor will be able to store and/or access. For one,
this knowledge can help you identify and shape any additional security
controls. Second, having this knowledge on hand is crucial should the
vendor suffer a breach. Knowing exactly what assets were impacted can
expedite your response and enable you to identify and mitigate any exposure
efficiently and effectively.

Prepare a Response Plan

Before finalizing a vendor relationship, it’s crucial to use all the
information gathered during your due diligence process to construct a
response plan in preparation for any future incidents the vendor might
experience. Tracking the assets to which your vendor has access is one
component of an effective response plan. Others include courses of action
to mitigate exposure, disclosure and notification procedures, external
communications strategies, and plans to re-evaluate the vendor’s security
and remediations following an incident.

The most effective way to manage vendor risk would be to work with no
external vendors at all, but that isn’t a feasible strategy. The most
secure and successful vendor relationships are rooted in preparation and
transparency. Thoroughly understanding all facets of a vendor’s security
program, implementing additional controls as needed to appropriately
safeguard your business’s assets, and being prepared to respond to future
incidents can go a long way toward reducing the business risks associated
with any vendor relationship.