Generally, the decision to use a particular service or software has already been made before third party risk management is engaged. The common process is that a department head decides they want to hire a service or buy software to solve a business problem. They engage with a few vendors and, based on look, feel, features, and price, they settle on their preferred vendor. Before they proceed to signing the deal, they need the thumbs up from the person(s) in the organization who manage third party risk.
Here are the steps I recommend following when vetting the security and privacy posture of a third party.
1. Understand the scope of the engagement, the potential risks, and the impact if things were to go wrong
In this step it is imperative to review the use case and the type of data and systems that will be shared or accessed through the engagement. What would the fallout be in the event of a loss of confidentiality (data leaked into the public domain or into the hands of competitors or hackers), integrity (data becomes incomplete or erroneous), or availability (systems or services become unavailable for a considerable period of time)? Also make sure that you cover privacy and legal concerns. Are the data or processes involved governed by privacy legislation or other legal requirements (GDPR, PIPEDA, etc.)? The results of this scoping and risk assessment will determine the areas of concern that dominate the following steps of the process, and the level of depth the risk assessor should go to in order to ensure proper due care and due diligence.
2. Research the vendor:
In this step of the process you want to understand the risk profile of the vendor:
a. Do they have a security or privacy page or have they provided you with a security and privacy report or statement?
Many organizations have a security page on their website which outlines their commitment to data security and the high level components of their program. This may also include compliance statements and/or certifications. Review this carefully; the more diligent companies will often proactively provide you with the majority of what you are looking for. If they don’t, you are going to have to dig deeper and engage directly with the vendor.
b. Have they had a breach in the past? If so, how did they handle it?
Be more concerned with how they handled the breach than with whether or not they had one. In my experience, companies that have experienced a breach usually undergo a major security and privacy overhaul after they get through the initial breach fallout. In many cases a major breach has acted as the reality check that senior management requires to actually invest a reasonable amount of resources into security. Looking at how a company reacts to a breach will, however, provide strong insight into the company’s moral and ethical stature. Did they come clean and act in the best interest of the customer, or did they try to sweep it under the rug, prioritizing their reputation over the impact to the affected businesses or individuals? Be wary of companies that have taken the latter approach.
c. Are there known vulnerabilities?
Search the web for known vulnerabilities if the engagement involves hardware or software. Make sure that known vulnerabilities have been patched.
d. Have they passed certified audits? (SOC 2, ISO 27001…)
Just because a company has passed a security audit does not mean that they are 100% covered; however, it does provide an indication that they are investing in security and that an external security professional has reviewed and vetted their practices and deemed them to be in compliance with security best practices.
e. Do they offer security features in their application? (two factor auth, auto logout, password minimum strength enforcement, data subject access request process, etc.):
Companies that take security and privacy seriously today offer end user security features. Be wary of companies that do not offer two factor authentication, new device access alerts, password change alerts, or minimum password strength enforcement. If a company is not offering these types of features, it is a strong indicator that security and privacy are not a priority.
3. Engage with the vendor’s security team:
If the risks are significant and you are unable to get a clear picture of the vendor’s security and privacy compliance and posture through the research process, then you should engage with the vendor’s person(s) who manage the security and privacy function of the business. Here are the key steps to engaging with the third party’s security team:
a. Send a Detailed Security Questionnaire
In an effort to save time and money, strike non-applicable questions before sending the questionnaire. I can’t tell you how rare this is. So many well established companies send the same security questionnaire to every third party. This is lazy and in the end wastes more time in back and forth questions than it takes to tailor the questionnaire to the engagement in the first place.
b. Third party pen test clean bill of health and code testing practices:
If the vendor is providing you with a SaaS product as part of the engagement, ensure that they are conducting regular pen tests to confirm their software is safe from hackers. Most security standards mandate a minimum of one test per year. However, today’s modern SaaS company typically commits new code to production weekly, daily, or even multiple times per day. Any one of these commits could accidentally introduce new exploitable vulnerabilities. For this reason you should look beyond the pen test to get a better understanding of their code review and testing processes and procedures. What other vulnerability management do they do on their software and infrastructure? Do they have a bug bounty program? Although a pen test from several months ago is better than nothing, if they have done hundreds of code commits since that point, there need to be additional security and vulnerability management processes beyond the pen test.
c. Third party audit or privacy impact assessment
Ask for and review any third party security or privacy audits or assessments the vendor has had. As I mentioned above, these assessments are not, on their own, enough to provide confidence that the vendor makes security a top priority; however, they at least indicate that formal processes are established and the tools are in place to secure your data.
d. Review key security policies
Asking for a few key security policies from the vendor will help you get a better understanding of the depth of their security program. If you are dealing with a software company I would recommend looking at their patch management, vulnerability management, and software development lifecycle policies.
e. Review key questionnaire results in a meeting with the vendor
This is a great way to get a feel for how real the vendor’s security program is. In conducting this process I have discovered many critical security flaws in companies that otherwise looked pretty good up to that point in the process. This is especially true of companies that are early stage and still fairly bootstrapped financially. I use this call to determine how well the people on the call are acquainted with their policies and practices. There are many companies that have developed policies to meet customer or audit requirements but lack the determination and prioritization to actually ensure that employees know and follow the policies.
4. Report Findings to senior management
The job of the third party vendor risk assessor is to get a clear understanding of the engagement, the risks, and the quality of the vendor’s controls and processes to mitigate and reduce the risk to a reasonable level. In the end, senior management has to decide if the risk of working with the vendor is worth the reward.
5. Ensure that the Terms of Service or contract with the vendor includes key privacy and security obligations as part of their contractual commitment:
In addition to the security and privacy review, it is a good idea to include the key security and privacy obligations as part of the contractual arrangement with the vendor. This gives you a strong legal position in the event of a breach or other critical incident where the vendor is negligent in following the processes and procedures they shared with you in the due diligence process.
6. Activate vendor system security features:
Once the deal is done, make sure that you activate the appropriate security features of the vendor’s software before you invite all of your users and start entering data. As mentioned above, this can include things such as two factor authentication, password complexity thresholds, etc.
7. Develop required policies and procedures associated with the new vendor:
It is a good idea to document the use case and limitations of the software tools that you use in your organization. Who is permitted to use the software, for what reasons, and from what devices? What types of information can be entered into the system? What is not allowed to be entered into the system? Create clarity around this, document it, and share it with all users and administrators.
8. Educate the users on the new system and any associated risks, policies and procedures:
It's a good idea to ensure that users are familiar with all new software and systems and any processes, procedures, or special considerations associated with each tool.
9. Conduct periodic reviews to ensure the vendor is maintaining their security and privacy commitment:
It is good data security hygiene to revisit vendor assessments at least annually. Basically, that process involves going through the above eight steps again. Has anything changed in the scope? Is the vendor still certified? Have they had a recent pen test? Did they pass? Has the vendor experienced a breach or other major incident? How did they respond? A lot can change over time. Just because a vendor performed well on an assessment last year does not mean that they are still on top of things.