The decision to use a particular service or software is often already made before third-party risk management is engaged.
Common process would be that a department head decides they want to hire a service or buy software to solve a business problem. They engage with a few vendors and based on the look, feel, features, and the price they decide on their preferred vendor. Before they sign the deal, they require a thumbs up from the person(s) in the organization that manage third party risk.
Here are the steps I recommend following when you are vetting the security and privacy posture of a third party.
1. Understand the scope of the engagement, the potential risks, and impact if things were to go wrong
In the third-party risk management process, it is imperative to review the use case and the type of data and systems that will be shared or accessed through the engagement. What would the fallout be in the event that there was a loss of confidentiality (data leaked into the public domain or into the hands of competition or hackers)? What about integrity, if data becomes incomplete or erroneous? Or systems or services become unavailable for a considerable period of time?
Also, make sure that you cover the privacy and legal concerns. Is the data or processes involved controlled by privacy legislation or other legal considerations (GDPR, PIPEDA, etc)? The results of this scoping and risk assessment process will determine the areas of concern which will dominate the following steps of the process. You’ll also learn the level of depth the risk assessor should take to ensure proper care and due diligence.
2. Research the vendor
In this step of the process, you want to understand the risk profile of the vendor. Third-party risk management involves research, asking questions, and scrutinizing the policies and procedures of your vendors.
a. Do they have a security or privacy page, or have they provided you with a security and privacy report?
Many organizations have a security page on their website which outlines their commitment to data security and the high-level components of their program. This may also include compliance statements and or certifications. Review this carefully, the more diligent companies will often proactively provide you with the majority of what you are looking for. If they don’t, you are going to have to dig deeper and engage directly with the vendor.
b. Have they had a breach in the past?
If so how did they handle it? Be more concerned with how they handled the breach vs. whether or not they had one. In my experience, companies that have experienced a breach usually undergo a major security and privacy overhaul after they get through the initial breach fallout.
In many cases, a major breach has acted as the reality check that senior management requires to actually invest a reasonable amount of resources into security. Looking at how a company reacts to a breach will, however, provide strong inside into the company’s moral and ethical stature. Did they come clean and act with the best interest of the customer or did they try to slide it under the rug, prioritizing their reputation over the impact to the affected businesses or individuals? Be wary of companies that have taken the latter approach.
c. Are there known vulnerabilities?
Search the web for known vulnerabilities if the engagement involves hardware or software. Make sure those known vulnerabilities have been patched.
d. Have they passed certified audits? (SOC 2, ISO 27001…)
Just because a company has passed a security audit does not mean that they are 100% covered. However, it does provide an indication that they are investing in security. It also shows an external security professional has reviewed and vetted their practices and deemed them to be in compliance with security best practices.
e. Do they offer security features in their application?
Look for features such as two-factor authentication, auto-logout, password minimum strength enforcement, subject data access request process, etc. Companies that take security and privacy seriously in today’s day and age offer end-user security features.
Be wary of companies that do not offer multi-factor authentication, new device access alerts, password change alerts, or minimal password strength enforcement. If a company is not offering these options that indicates that security and privacy are not a priority.
3. Engage with the vendors’ security team
If risks are significant and you are unable to get a clear picture of their security and privacy compliance and posture through the vendor research process then you should engage with the vendor’s person(s) that manage the security and privacy function of the business. Here are the key steps to engaging with the third party’s security team:
a. Send a Detailed Security Questionnaire
In an effort to save time and money, strike any non-applicable questions before sending the questionnaire. I can’t tell you how rare this is. So many well-established companies send the same vendor security questionnaire to every third party. This is lazy and in the end, wastes more time in back and forth questions than it takes to tailor the questionnaire to the engagement with your vendor in the first place.
b. Third-party pen test clean bill of health and code testing practices
If the vendor is providing you with a SaaS product as part of the engagement ensure that they are conducting regular pen tests to ensure their software is safe from hackers. Generally, most security standards mandate a minimum of an annual test.
However, today’s modern SaaS company typically commits new code to production weekly, daily, or even multiple times per day. Any of these commits could accidentally inject new exploitable vulnerabilities. For this reason, you should look beyond the pen test to get a better understanding of their code review and testing processes and procedures. What other vulnerability management do they do on their software and infrastructure? Do they have a bug bounty program? A pen test from several months ago is better than nothing. But if they have done hundreds of code commits since that point, there needs to be additional security and vulnerability management processes in addition to the pen test.
c. Third-party audit or privacy impact assessment
Ask for and review any third-party security or privacy audits or assessments the vendor has had. As I mention above, these assessments are not on their own enough to provide confidence that the vendor makes security a top priority. You still want to complete your own third-party risk management. However, they indicate at least that formal processes are established and the tools are in place to secure your data.
d. Review key security policies
Asking for a few key security policies from the vendor will help you get a better understanding of the depth of their security program. If you are dealing with a software company I would recommend looking at their patch management, vulnerability management, and software development lifecycle policies.
e. Review key questionnaire results in a meeting with the vendor
This is a great way to get a feel for how real the vendor’s security program really is. In conducting this process I have discovered many critical security flaws in companies that otherwise look pretty good thus far in the process.
This is especially companies that are early stage and financially still fairly bootstrapped. I use this call to determine how well the people on the call are acquainted with their policies and practices. There are many companies that have developed policies to meet customer or audit requirements. But they may lack the determination and prioritization to actually ensure that the employees know and follow the policies.
4. Report findings to senior management
The job of the third-party vendor risk assessor is to get a clear understanding of the engagement, the risks, and the quality of the vendor’s controls and processes to mitigate and reduce the risk to a reasonable level. In the end, senior management has to decide if the risk of working with the vendor is worth the reward.
5. Ensure that the Terms of Service or contract with the vendor includes key privacy and security obligations
In addition to the security and privacy review, it is a good idea to include the key security and privacy obligations as part of the contractual arrangement with the vendor. This gives you a strong legal position in the event of a breach. Or another critical incident where the vendor is negligent in following the policies and procedures they shared in the due diligence process.
6. Activate vendor system security features
Once the deal is done make sure that you activate the appropriate security features of the vendor’s software before you invite all of your users and start entering data. As mentioned above this can include things such as two-factor authentication, password complexity thresholds, etc. All that third-party risk management isn’t as useful if you don’t utilize the security options the vendor gives you.
7. Develop required policies and procedures associated with the new vendor
It is a good idea to document the use case and limitation of the software tools that your company uses. Who is permitted to use the software, for what reasons, and from what devices? What types of information can be entered into the system? What is not allowed to be entered into the system? Create clarity around this document it and share it with all users and administrators.
8. Educate users on the new system, any associated risks, as well as updates to policies and procedures
It’s a good idea to ensure that users are familiar with all new software and systems and any processes, procedures, or special considerations associated with each tool.
9. Conduct periodic reviews to ensure the vendor is maintaining their security and privacy commitment
It is good data security hygiene to re-visit vendor assessments at least annually. Basically, that process involves going through the above eight steps. Has anything changed in the scope? Is the vendor still certified? Have they had a recent pen test? Did they pass? Has the vendor experienced a breach or other major incident? How did they respond?
A lot can change over time. Just because a vendor performed positively on an assessment last year does not mean that they are still on top of things. When it comes to third-party risk management, you should always carefully assess everything.