Tuesday, June 29, 2021

A Vendor Risk Management Program in Seven Easy Steps

If you're like most businesses, you rely on a number of third parties to help you with your essential operations. In many cases they also have the ability to connect to your network. By granting them remote access, you are effectively increasing the attack surface available to attackers. So, what if their systems aren't up to snuff? They may unintentionally open a door into your network, allowing a bad actor to gain access.

One of the best ways to mitigate the cyber security risk posed by third-party vendors is to implement a Vendor Risk Management Program. The following are the measures you should take to create a successful programme.

#1. Identify all your vendors / business associates and what they have access to.

A quick word on vendor risk classifications. Depending on regulatory requirements and best practices, your policy should include multiple risk classes. Your business owner, on the other hand, may not be familiar with the finer points, so use the following classes as a starting point:

  • Critical: If the vendor fails to deliver services as promised, is your organisation in deep trouble, even to the point where you may fail?  Do they have significant access to customer data which, if breached, could cause immeasurable harm?  That’s a critical vendor!
  • Important: If you lost this vendor’s services, it would hurt, but it wouldn’t cause a significant disruption to your firm’s operations.  This also includes vendors that have limited access to customer data.
  • Useful: All of your company's vendors should be at least "useful," if not "critical" or "important."  (Indeed, if they’re not useful, why are you using them?)  These are vendors who do not have access to customer data, and whose loss of services would not be disruptive to the organisation.

Bear in mind that the classification given by the business owner is merely a starting point, not the last word. It’s up to you, as your employer’s vendor risk manager, in conjunction with your organisation's vendor management policy, to make the final call.

#2. Prioritise vendors based on risk.

  • Critical: Vendors that are crucial to your operation and whose failure or inability to execute contracted services could lead to the failure of your company.
  • High Risk: Vendors (1) who have access to customer data and have a high risk of information loss; and / or (2) upon whom your organisation is highly dependent operationally.
  • Medium Risk: Vendors (1) whose access to customer information is limited; and / or (2) whose loss of services would be disruptive to your organisation.
  • Low Risk: Vendors who do not have access to customer data and whose loss of services would not have a significant impact on your business.

#3. Conduct thorough due diligence on all new vendors.

Define your process, which can include:

  • Getting references;
  • Using a standard checklist;
  • Performing a risk analysis and determining whether the vendor will be ranked Critical, High, Medium or Low; and
  • Documenting the results and reporting them to senior management.

Require your Critical and High Risk vendors to provide:

  • Evidence of security controls via contract and documentation. May include Information Security Policies, Business Continuity Program, Disaster Recovery test results, list of recent breaches, proof of insurance, financial statements, etc.
  • Evidence that security controls are effective. May include SOC1 / SOC2 reports, synopsis of vulnerability scanning and / or independent penetration testing, compliance reports, etc. Learn more in our blog post Assessing Vendor Cyber Readiness: What to Look for in a SOC Report.
  • Evidence that they can continue to provide contracted services in the event of a disaster.
  • Evidence that they have a strong Incident Management Program and will duly report incidents to you as required by law, regulations, and best practice.

Ensure the vendor is cooperative. For example:

  • They should expect requests of this kind from their customers.
  • Consider an alternative vendor if they refuse or are unable to deliver the needed information.
  • Verbal assurance does not suffice; insist on documentation.

#4. Regularly review all Business Associate Agreements (BAA) and contracts.

  • Every year, all Critical and High Risk vendors should be subjected to a thorough due diligence evaluation.
  • Every two years, all Medium Risk vendors should complete a risk-based due diligence evaluation. Note that some businesses and regulators may require you to do annual reviews on medium-risk vendors.
  • All other vendors, including Low Risk vendors, should undergo an annual survey.

#5. Ensure all contracts are reviewed with legal counsel.

Include the following in new and renewal contracts for your Critical and High Risk vendors:

  • Requirements to keep system and data secure per best practices and industry standards;
  • Confidentiality and privacy requirements;
  • Requirements to notify you of security breaches, incidents, and vulnerabilities;
  • Requirements for independent penetration tests and vulnerability assessments; and
  • Requirements to provide you access to audit documents.

#6. Have a backup plan.

If your vendor fails to provide the contracted services, you need to be able to quickly pivot to another vendor, especially if they are providing you with a critical service. Be sure you know who else is in the field and is able to provide the same services.

#7. Continuously review.

Just like everything in security, vendor management is a continuous process. We'll never get to the stage where we can yell, "Hurrah! We’re finally 100% secure!" It's constant: constant vigilance and constant awareness of what is happening on your network, and of course that also means what is happening on your vendor’s network.


Getting started with third-party risk management

Regulatory requirements, stakeholder expectations, and organisational goals and risks will shift over time. Talk to our expert and get compliance and audit services for ISO 27001, GDPR, SOC 2, BCP, and PCI-DSS.

Thanks and Regards
