I want to discuss a topic that I touched on in my initial post: third-party vendor risk assessments. As an information security "Subject Matter Expert" (SME), I perform assessments of third-party vendors as part of the Third-Party Risk Management (TPRM) program. Third-party vendors are assessed during the on-boarding process and reassessed periodically thereafter; vendors rated High or Critical are reassessed annually.
Before I elaborate, I want to provide some terms that might be useful for those new to the realm of Governance, Risk and Compliance (GRC).
Risk- the combination of the probability of an event and its consequence. A risk is usually framed as an adverse event that could threaten an organization's assets or exploit its vulnerabilities and cause harm.
Inherent risk- the risk present in an activity before any controls are applied. Every business endeavor carries some degree of it.
Risk tolerance- the acceptable level of variation that management is willing to allow for any particular risk.
Controls- proactive and reactive mechanisms put in place to manage risks.
I recommend Microsoft OneNote for taking detailed notes, but any note-taking application will do. Before I begin identifying a third-party vendor's controls and assessing their adequacy, I collect the following information about the vendor:
-Location(s) (primary, data center, and recovery sites);
-Details about the services being rendered;
-The criticality of the services; and
-The classification/sensitivity of the data being accessed, processed, stored, or transmitted.
The information above is usually gathered with an inherent risk questionnaire that the organization sends to the vendor in order to gain an in-depth understanding of the inherent risk associated with each outsourced activity. Risk is quantified in terms of loss potential.
For example, suppose an organization with a low risk tolerance decides to use a third-party vendor for a critical service. The vendor provides a Software-as-a-Service (SaaS) web application that processes, transmits, and stores Confidential data, specifically Personally Identifiable Information (PII) such as name, telephone number, and email address. In this scenario, the rating given to each identified risk is expressed in terms of the potential loss of that Confidential (PII) data.
After I've gathered the information required to understand the inherent risk of the outsourced activity, I assess the vendor's security controls. Third-party vendors typically complete a Standardized Information Gathering (SIG) questionnaire, which is used to identify and assess security policies, standards, and controls. The questionnaire covers several information security domains, including: Information Security Governance, Human Resources, Risk Management, Third-Party Risk Management, Asset and Data Management, Logical Access Security, Endpoint Security, Server Security, Network Security, SDLC/Application Security, Physical and Environmental Security, Change Control, Data Protection and Cryptography, Logging and Monitoring, Business Continuity and Disaster Recovery, Cloud Security, Vulnerability Management, Incident Response, and Security Testing. Again, the rigor and scope of the assessment depend on the organization's risk tolerance, the services being provided, and the data being accessed, processed, transmitted, or stored. For example, the scope of an assessment may be limited to the SDLC/Application Security domain.
Unfortunately, I cannot provide an exhaustive list of the security controls that should be implemented, but I will briefly describe the controls (or their absence) that I assess under the Data Protection and Cryptography domain. Data at rest should be encrypted with a strong, current algorithm such as AES-256; where asymmetric cryptography is involved (for example, to wrap data-encryption keys), RSA keys should be at least 2048 bits, and deprecated ciphers such as DES, 3DES, and RC4 should not be in use. Data in transit should be protected by a secure protocol such as HTTPS or SFTP, using TLS 1.2 or later, with SSL and TLS 1.0/1.1 disabled. Integrity hashes should use SHA-2 or stronger, since SHA-1 (like MD5) is susceptible to collision attacks; stored passwords are a separate case and should be protected with a salted, deliberately slow key-derivation function (bcrypt, scrypt, PBKDF2, or Argon2) rather than a bare hash. All remote connections should require authentication and encryption, and internal network connections to systems classified as sensitive or confidential should also be protected cryptographically. I also gather information on disk encryption, cryptographic key management standards, certificate use (CA-issued versus self-signed, etc.), and Data Loss Prevention (DLP).
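As an added example (my own code, not part of the original post or any vendor's material), the following Python script turns the minimums above into repeatable checks and runs them over a constructed set of SIG-style free-text answers for the Data Protection and Cryptography domain. The control names, the sample answers, and the sentence-level parsing heuristics are all assumptions made for the example; the parser treats every SSL/TLS version a sentence lists as enabled unless the sentence contains a negation such as "disabled".

```python
"""Evaluate a vendor's free-text Data Protection and Cryptography answers
against explicit minimums: AES for data at rest, TLS 1.2+ in transit,
SHA-2 and a slow KDF for hashing, CA-issued certificates.
The parsing is a sentence-level heuristic, not a full NLP pass.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MIN_TLS = (1, 2)        # TLS 1.2 is the floor; any SSL version is a finding
MIN_RSA_BITS = 2048

SENTENCE_RE = re.compile(r"[.;!?](?:\s+|$)")                       # split on sentence ends, not on "1.2"
PROTO_RE = re.compile(r"\b(TLS|SSL)\s*v?\s*(\d(?:\.\d)?)", re.I)   # "TLS 1.2", "SSLv3", "TLS1.0"
VERSION_RE = re.compile(r"\b\d\.\d\b")                             # bare "1.1" listed after the protocol
NEGATION_RE = re.compile(r"\b(disabled|not (?:supported|enabled|permitted)|removed|blocked)\b", re.I)
DEPRECATED_CIPHER_RE = re.compile(r"\b(3DES|Triple[- ]DES|DES|RC4|RC2|Blowfish)\b", re.I)
AES_RE = re.compile(r"\bAES[-_ ]?(?:128|192|256)?\b", re.I)
RSA_RE = re.compile(r"\bRSA[-_ ]?(\d{3,4})?(?:[- ]?bit)?\b", re.I)
WEAK_HASH_RE = re.compile(r"\b(MD4|MD5|SHA-?1)\b", re.I)
SLOW_KDF_RE = re.compile(r"\b(bcrypt|scrypt|argon2(?:id|i|d)?|PBKDF2)\b", re.I)
SELF_SIGNED_RE = re.compile(r"\bself[- ]signed\b", re.I)


@dataclass
class Finding:
    control: str
    severity: str   # "high" or "medium"
    detail: str


def negotiable_versions(answer: str) -> set[tuple[str, int, int]]:
    """Return every (protocol, major, minor) the answer claims is enabled.
    "TLS 1.0, 1.1 and 1.2" yields all three; a sentence with a negation
    ("SSLv3 is disabled") is skipped entirely (heuristic assumption)."""
    found = set()
    for sentence in SENTENCE_RE.split(answer):
        match = PROTO_RE.search(sentence)
        if not match or NEGATION_RE.search(sentence):
            continue
        proto = match.group(1).upper()
        for version in VERSION_RE.findall(sentence) or [match.group(2)]:
            major, _, minor = version.partition(".")
            found.add((proto, int(major), int(minor or 0)))
    return found


def assess_in_transit(answer: str) -> list[Finding]:
    versions = negotiable_versions(answer)
    if not versions:
        return [Finding("data_in_transit", "medium", "no TLS version stated; request the server configuration")]
    return [Finding("data_in_transit", "high", f"{proto} {major}.{minor} is enabled; require TLS 1.2 or later")
            for proto, major, minor in sorted(versions)
            if proto == "SSL" or (major, minor) < MIN_TLS]


def assess_at_rest(answer: str) -> list[Finding]:
    findings = [Finding("data_at_rest", "high", f"{cipher} is deprecated; require AES")
                for cipher in DEPRECATED_CIPHER_RE.findall(answer)]
    findings += [Finding("data_at_rest", "high", f"RSA-{bits} is below {MIN_RSA_BITS} bits")
                 for bits in RSA_RE.findall(answer) if bits and int(bits) < MIN_RSA_BITS]
    if not findings and not AES_RE.search(answer):
        findings.append(Finding("data_at_rest", "medium", "no approved algorithm named; ask which cipher is used"))
    return findings


def assess_hashing(answer: str, protects_credentials: bool) -> list[Finding]:
    findings = [Finding("hashing", "high", f"{algo} is collision-prone; require SHA-2 or stronger")
                for algo in WEAK_HASH_RE.findall(answer)]
    # A fast hash, even SHA-256, is the wrong tool for passwords: require a salted, slow KDF.
    if protects_credentials and not SLOW_KDF_RE.search(answer):
        findings.append(Finding("hashing", "high",
                                "credentials not protected with a salted, slow KDF (bcrypt, scrypt, PBKDF2 or Argon2)"))
    return findings


def assess_certificates(answer: str) -> list[Finding]:
    if SELF_SIGNED_RE.search(answer):
        return [Finding("certificates", "medium", "self-signed certificates in use; confirm where and how trust is distributed")]
    return []


CHECKS = {   # hypothetical control identifiers for this example
    "data_at_rest": assess_at_rest,
    "data_in_transit": assess_in_transit,
    "password_hashing": lambda answer: assess_hashing(answer, protects_credentials=True),
    "certificates": assess_certificates,
}


def assess(responses: dict[str, str]) -> list[Finding]:
    """Run every check; an empty answer is itself a follow-up finding."""
    findings = []
    for control, answer in responses.items():
        if not answer.strip():
            findings.append(Finding(control, "medium", "no answer provided; add to follow-up questions"))
            continue
        findings.extend(CHECKS.get(control, lambda _: [])(answer))
    return findings


def overall_rating(findings: list[Finding]) -> str:
    order = {"high": 2, "medium": 1}
    return max((f.severity for f in findings), key=order.get, default="none")


SAMPLE_RESPONSES = {   # constructed vendor answers, not from any real assessment
    "data_at_rest": "Customer data is encrypted with AES-128; backups use 3DES.",
    "data_in_transit": "Web traffic is served over HTTPS supporting TLS 1.0, 1.1 and 1.2.",
    "password_hashing": "Passwords are stored as unsalted SHA-1 hashes.",
    "certificates": "Internal services use self-signed certificates; public endpoints use CA-issued certificates.",
    "key_management": "",
}

if __name__ == "__main__":
    results = assess(SAMPLE_RESPONSES)
    for f in results:
        print(f"[{f.severity:6}] {f.control}: {f.detail}")
    print("overall:", overall_rating(results))
```

On the constructed answers the script raises seven findings (3DES at rest, TLS 1.0 and 1.1 in transit, SHA-1 plus no slow KDF for passwords, self-signed certificates, and an unanswered key management question) and rates the domain high. Free-text answers are only a starting point: a vendor who writes "TLS 1.2" may still have TLS 1.0 enabled, so each finding here should become a follow-up question asking for the actual configuration or scanner output as evidence.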
I also review any documentation the vendor provides, including SOC 2 Type 2 reports, information security policies and standards, penetration test reports, and vulnerability assessments. A SOC 2 Type 2 report, issued by an independent auditor, documents the security controls used to protect data and tests their operating effectiveness over a period of time (a Type 1 report only describes the controls as designed at a point in time). Some vendors provide SOC 2 reports or full information security policies; others provide only a policy's table of contents or a link to a publicly available web page. Sometimes vendors evade questions or give vague answers instead of specific details. More documented evidence is always better.
After I've noted the presence or absence of security controls in each domain, I develop follow-up questions to get clarification and/or further insight into a control, policy, procedure, process, or standard. The TPRM team provides these questions to the vendor, gathers the vendor's responses, and returns them to Information Security (IS) for a second-round review. If further clarification is needed, a call between TPRM, IS, and the vendor is arranged to discuss the identified risks, the security controls in place, and risk treatment. Identified risks are documented and provided to TPRM along with risk ratings and recommendations.
Third-party risk management is not the most glamorous aspect of information security, but it is one of the most overlooked. We have seen companies get owned through third parties before (Target and Home Depot were both breached using credentials stolen from a third-party vendor). We will continue to see companies get owned if they do not do their due diligence, assess, and continuously monitor third-party vendors.
If you enjoyed this blog, please buy me a coffee. https://www.buymeacoffee.com/cassiecage