Overview
Welcome to The Cybersecurity Mindset YouTube channel. As a cybersecurity professional, one aspect of your job, depending on your title, should be vetting the third-party vendors your organization uses. Unfortunately, there have been many breaches because a third party had some form of unchecked access to a corporate network or data.
Third-party vendors and providers should be classified based on their criticality to the business's operations. For example, your ERP vendor might be classified as a critical provider, meaning that an interruption to its service would have a large impact on operations. Vendors should be reviewed annually or bi-annually based on their criticality.
There are several important documents you should consider reviewing to ensure the vendor meets your security requirements. These documents provide insight into the third-party vendor's security practices, policies, and compliance. Keep in mind that many vendors and clients alike keep this information under lock and key, so you should expect to sign an NDA or MNDA to obtain it. Your legal counsel can advise on this; your organization may already have an NDA in place under an existing contract.
Here are some key documents to consider when vetting third-party vendors:
Policies and Frameworks
Security Policies: Request copies of the vendor’s security policies, including their information security policy, data classification policy, access control policy, incident response policy, and any other relevant policies. These documents outline their approach to security and demonstrate their commitment to protecting data.
Risk Management Framework: Inquire about the risk management framework or methodology the vendor uses. This document should outline how they identify, assess, and mitigate cybersecurity risks in their operations. Look for evidence of a systematic and comprehensive approach to risk management.
Planning
Security Incident Response Plan: Ask for the vendor’s incident response plan (IRP). This document should outline the steps they take in the event of a security incident, including incident detection, containment, eradication, and recovery. Evaluate whether their plan aligns with your organization’s incident response requirements.
Business Continuity and Disaster Recovery Plans: Request copies of the vendor’s business continuity plan (BCP) and disaster recovery plan (DRP). These plans detail how the vendor ensures the availability and integrity of their systems and data in the face of disruptions or disasters. Assess whether their plans are robust enough to minimize potential downtime and data loss.
Audits and Assessments
Security Audits and Assessments: Inquire about any third-party security audits or assessments that the vendor has undergone. Look for reports from reputable auditing firms that evaluate the effectiveness of the vendor’s security controls and practices. Review the findings and recommendations to gauge their commitment to security.
Compliance and Training
Compliance and Certifications: Determine if the vendor complies with relevant security standards and regulations such as ISO 27001, NIST Cybersecurity Framework, SOC 2, GDPR, HIPAA, or any industry-specific requirements. Obtain documentation or certifications that validate their compliance.
Data Protection Agreements: Request copies of data protection agreements, including data processing agreements (DPAs) or other contracts that outline the vendor’s responsibilities regarding data protection, confidentiality, and data sharing. Ensure that these agreements align with your organization’s legal and regulatory requirements.
Security Awareness Training: Inquire about the vendor’s security awareness training programs for their employees. Ask for details on the training curriculum, frequency, and methods employed to educate their staff on cybersecurity best practices.
Takeaways
Remember to involve your organization’s legal, procurement, and cybersecurity teams during the vetting process to thoroughly review these documents and assess the vendor’s security posture. Additionally, conducting on-site visits or security audits can provide further insights into their security controls and practices.
Third-party Tracking and Tools
Tracking all of this information can be tough. If you're a small operation that doesn't have a budget for a tool, you can simply leverage a spreadsheet and a file share. I'll provide the template I use as a download on my site.
Template
I'll go out and request the pertinent information from my vendors and keep it stored in a secure file share along with a spreadsheet of each vendor's status. You can then use your calendar to keep track of the review schedule. This obviously does not scale well, but it does work to get your vendors reviewed. For those of you with a budget that can afford a vendor-management tool, there are many out there that perform a similar function.
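The spreadsheet-and-calendar approach above can be scripted so the "who is due and what is missing" check is not done by hand. The following is an added example, not the template from the post: it reads a constructed vendor register, maps criticality to a review interval (an assumption here: critical and high vendors yearly, medium and low every two years), and reports vendors whose review is overdue or whose document checklist has gaps. Column names and the sample vendors are constructed for illustration.

```python
"""Minimal vendor-review tracker modelled on the spreadsheet + calendar approach."""
import csv
import io
from datetime import date, timedelta

# Document checklist from the post: artefacts we expect on file for every vendor.
REQUIRED_DOCS = {"security_policies", "risk_framework", "irp", "bcp_drp",
                 "audit_report", "compliance_cert", "dpa", "awareness_training"}

# Review cadence by criticality. Assumption: critical/high yearly, medium/low every two years.
REVIEW_INTERVAL_DAYS = {"critical": 365, "high": 365, "medium": 730, "low": 730}

# Constructed sample register (not real vendors). docs_on_file is ';'-separated.
SAMPLE_CSV = """vendor,criticality,last_review,docs_on_file
ExampleERP,critical,2023-01-15,security_policies;irp;bcp_drp;audit_report;compliance_cert;dpa
ExamplePayroll,medium,2022-06-01,security_policies;dpa
ExampleCDN,low,2024-03-10,security_policies;risk_framework;irp;bcp_drp;audit_report;compliance_cert;dpa;awareness_training
"""


def load_register(text):
    """Parse the CSV register into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_status(row, today):
    """Return (vendor, due_date, overdue, missing_docs) for one register row."""
    interval = REVIEW_INTERVAL_DAYS[row["criticality"].strip().lower()]
    last = date.fromisoformat(row["last_review"])
    due = last + timedelta(days=interval)
    on_file = {d.strip() for d in row["docs_on_file"].split(";") if d.strip()}
    missing = sorted(REQUIRED_DOCS - on_file)
    return row["vendor"], due, due <= today, missing


def findings(text, today):
    """Vendors needing attention: review overdue or checklist artefacts missing."""
    out = []
    for row in load_register(text):
        vendor, due, overdue, missing = review_status(row, today)
        if overdue or missing:
            out.append({"vendor": vendor, "due": due.isoformat(),
                        "overdue": overdue, "missing": missing})
    return out


if __name__ == "__main__":
    for item in findings(SAMPLE_CSV, date(2024, 6, 1)):
        print(item)
```

Swap SAMPLE_CSV for the exported sheet and run it before each review cycle to get the calendar reminders and the list of documents still to request.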
KnowBe4 and Vanta both offer vendor risk management modules you can purchase. These tools provide additional functions, such as sending security questionnaires to your vendors.
Conclusion
If you liked this video and found it helpful, please consider subscribing to the channel and liking this video. It greatly helps me out with the YouTube algorithm. You can find other helpful information at my blogsite, achubbard.com.