Vetting Vendors: You Are Not the Weakest LinkPublished June 22, 2017 by Karen Walsh • 5 min read
Vetting vendors can almost feel like a game show that has stakes higher than any prize. Anyone who remembers the old television show The Weakest Link can vividly recall how one by one, each contestant was told, “you are the weakest link,” until only the strongest competitor remained. Vetting vendors in the security space works similarly. When choosing a vendor, you want to have similar compliance profiles to ensure that they are not the weak link in your security profile. While it may be easy to understand your own landscape, applying that to a vendor sometimes feels more difficult. This guide offers suggestions for approaching the process of vetting vendors.
Vetting Vendors: 7 Steps to Successful Decisions
Review the IT Security Protocols
It may seem obvious to review a vendor’s security protocols, but at the same time, it may be hard to know what questions to ask. Certainly, using the vendor’s services means adhering to their requirements. For larger vendors, you may be able to find a SOC report, or SOX reports if the vendor is publicly held, that can help determine the controls used. Smaller vendors, however, may not have gone through the SOC audit process, so you will need to be in charge of reviewing the security requirements. Lisa Traina suggests in the Journal of Accountancy that organizations ask the following questions.
IT security controls: All vendors should report on the key security measures they employ, and, in fact, many publish white papers explaining their security standards. Minimum security controls that should be in place for hosted data include:
- Strong password parameters requiring complex passwords that expire periodically and strong controls limiting administrative privileges for vendors and ensuring that vendors do not share administrative passwords and privileges;
- Invalid login lockout settings—e.g., three strikes and you’re out;
- Multifactor authentication to prevent logins from new systems, unidentified devices, etc.
- Encryption of data in transmission and at rest. It is worth noting that encryption at rest is sometimes an optional feature;
- Limits on which resources vendors are authorized to access;
- Establishment of an audit trail to identify who, by name, accessed the systems and which data, if any, they could see and/or change.
In many ways, vetting vendors’ security stances is similar to reviewing your own. It is important, however, to keep in mind that if they fail to meet these standards, you are also at risk. Simply asking a vendor about their security profile does not protect you if their actions do not match their policy.
Ensure that the Vendor Does Penetration Testing
This is the corollary to your vendor’s IT security profile. When you look at the types of penetration testing done by your vendors, you need to think about the risk to your organization’s assets. If the vendor will be handling high risk information, you want to ensure that their pen testing methodology matches your needs. To ensure this, you want to determine whether they are incorporating both external and internal threats in their assessments.
Moreover, this review should incorporate an analysis of the type of penetration testing done. Some vendors may apply a “grey box” approach that incorporates limited knowledge of the infrastructure and provides the benefit of offering a review of Incident Response Plans and of IDS/IPS devices. Other vendors may use a “white box” approach with more in-depth coverage, targeting of specific systems, and a business impact analysis.
Use the Vendor Security Alliance Questionnaire
If you’re still not sure what questions to ask, the Vendor Security Alliance (VSA) can help. The VSA is a group of companies focused on measuring and reducing vendor risk. The VSA was founded by Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, Go Daddy, and AirBnb. After noting that the majority of large breaches were due to vendors that were compromised, rather than attacked, these companies mobilized to protect the security of information.
The questionnaire offers seven tabs to walk a company through the things that need to be reviewed. It addresses service overview, data protection and access controls, policies, and standards, proactive security, reactive security, software supply chain, and compliance. According to the VSA, the questionnaire takes a data-risk based approach. As noted on the website, non-VSA members can send this questionnaire to their vendors. Upon completion, it may be used to assess risk and set benchmark cybersecurity risk.
Ask How They Vet Their Vendors
Almost every organization uses a vendor for some aspect of their business. In vetting vendors, you want to understand how they review their subcontractors. Ultimately, the flattening of business leads to interconnected liability. When choosing vendors, this means that their negligence may end up being your negligence.
Over at Malware Bytes, William Tsing notes, “do not accept ‘We have to protect our sources and methods.’ This is a phrase borrowed from government intelligence, who generally uses it in situations involving threats to human lives. More commonly, it’s used to express sentiments akin to ‘I’m not going to tell you because I don’t want to, don’t know, or it would embarrass me.’”
When vendors are part of the liability stream, their sources are your sources as well. If your vendors cannot account for their vendors, they may not be as secure as the paperwork indicates.
Assess the Vendor’s Financial Health
Vendors need to be reliable. If a vendor is having financial difficulties, they may not be able to protect your information assets or may end up causing business disruption. However, if the vendor isn’t a publicly held company, it can be difficult to find the right information. The MPI Foundation notes that some signs of poor financial health may be loss of major accounts, product or service delays, slow bill payment, asking for prepayment or quick payment, unusual price concessions, poor employee morale, high employee turnover, and workforce reductions.
The more important the vendor is to your ongoing processes, the more important the financial security of the vendor. Vetting vendors involves looking at more than just their information security profile. To protect information assets, you need to ensure that the vendor will be able to stay solvent so information will not have to be transferred multiple times.
Know the Location of Physical Facilities
The physical location of cloud based vendors poses an additional security risk. Cloud based storage reduces IT costs while also offering opportunities for scalability, reliability, and flexibility. Cloud based vendors can be risky because of the possibility that a physical location will be moved outside of the United States.
Although most cloud based providers offer “military level security,” as one article notes, there may be additional risks to the facility’s ability to protect the equipment housing the data. When vetting vendors, you need to understand both the IT and physical security profiles to protect your organization from business disruption.
Analyze Support Availability
The old adage states, “Jack of all trades, master of none.” If businesses could do everything for themselves, they would. However, that would mean engaging in services that may not be your company’s strengths. Vendors offer the opportunity to boost your company’s ability to focus on its strengths. However, this often means that when something goes wrong, you may have a difficult time finding the fix on your own. When vetting vendors, you want to focus on what types of technical support your organization needs from them.
James Leon lists several considerations in his article in the Journal of Accountancy, “is there 24/7 live human support? Does the vendor offer assistance in making the transition (for example, data format conversion) from your current system to theirs? Upon termination of services—when the vendor no longer serves your company—what process will the vendor follow to return your company’s data to you? Is the vendor willing to meet with and demonstrate its applications to decision makers in your company?”
When outsourcing to a vendor, it is important to understand how the vendor provides its main service to your organization. Just as important, however, is how well that service is supported when something goes wrong or when there are questions.
As more companies require more vendors to negotiate the specialty niches in a digital world, vetting vendors will increasingly become more important than before.
To learn more about how GRC automation can help with vendor management, read our eBook GRC Software Buyer’s Guide.