How to properly assess the risk management profile of your IT Vendor

Is your outsourced vendor protecting the confidentiality, integrity, and availability of data and access in the same way you would?

business continuity, data management, enterprise solutions, risk management, security, study, Vendor Assessment Cheat Sheet

We all know how prevalent cybersecurity threats are and the damage an attack can do to a company's operations and reputation. What fewer people realise is that, according to a recent study, more than half of breaches do not originate from a direct intrusion into the victim's own environment but from a third-party vendor whose cybersecurity controls were less stringent.

Recent examples such as the Singapore Airlines data leak through a passenger service system, the Singtel breach via its Accellion File Transfer Appliance and the exposure of 30,000 e2i client names following a malware attack make it evident that the management of third-party IT vendors must be addressed if an organisation wants robust cyber resilience.

Security considerations do not stop at the perimeter of our networks. We must also take into account the posture of the vendors who process our data, integrate with our systems, or whom we rely on in our day-to-day operations.

After all, an organisation's security posture is only as strong as its weakest link, and whether we want to believe it or not, vendors have become an integral part of the supply chain supporting our business operations.

For companies that run on a lean team, outsourcing a tech responsibility, process, or function that is hard to hire for is a natural way to let existing staff make the most effective use of their time. Outsourcing your IT is an efficient way to tackle those needs, but how secure is the portfolio of vendors you have partnered with? Are they protecting the confidentiality, integrity, and availability of data and access in the same way you would?

Most importantly, do you understand the security gaps and risks that your vendor relationships expose you to over time? If you don’t have a quick answer to all of these questions, then chances are you are neglecting an essential component of your organisation’s cyber resilience strategy.

Third-party risk management is not a one-time review

An IT security review does not mark the end of the third-party risk management process. If your programme has got this far, chances are you have identified gaps in a few vendors' processes. Don't just document the deficiencies and send them on their way; you have to follow up.

Major deficiencies should be documented on both sides and followed up against agreed milestones. Companies should also do their due diligence by ensuring the contract language allows for remediation, so that unforeseen circumstances can be addressed with legal backing rather than goodwill.

Additionally, when a major vulnerability is publicly documented, you should be asking ALL of your vendors whether they are impacted, because their exposure has a downstream effect on your cyber resilience.

Companies must build the capability to hold their most critical IT vendors accountable for proper security practices. You can do this by implementing the four essential components of managing third-party risk:

  • Identify: Understand your vendors and how they impact your cyber resilience
  • Prioritise: Tier them by their importance to your operations and by the potential for a breach at the vendor to adversely impact those operations
  • Evaluate: Develop an evaluation process that fits the vendor and your needs
  • Persist: Managing your vendors is a continuous process, not a one-time event

Next time there is a major vulnerability in a common piece of technology that is being exploited at scale, ask your vendors whether they, or any of their critical vendors, were impacted and what they are doing about it. Until then, take a vendor inventory, prioritise the vendors, evaluate them, and persist in these processes.

Do a vendor inventory

Any IT or security practitioner will tell you that the foundational step of any good initiative is to know thyself, which means understanding your own security posture. We keep a detailed and comprehensive inventory of the goods and services we offer our customers, so why not inventory your vendors as well?

Without a general understanding of which vendors are used across your organisation, chances are you will not be able to identify the actual vulnerable points in your third-party risk portfolio.

The taxonomy of your procurements plays an important role here. Every vendor coming in or going out should be accounted for and properly identified in a system of record based on the type of service and relationship. That system of record can be a dedicated tool or a simple spreadsheet. The key is simply to develop the processes and maintain them.

Centrally managing a vendor portfolio has many advantages, only some of which are security- and risk-related. With a clear picture of what exists, you can evaluate redundancies and unnecessary relationships in a single place.

Do you actually know your IT vendor?

Not all vendors are created equal, and it can be difficult to explore the depths of every vendor in your portfolio, especially with limited security resources.

In a world where risk management capacity is a luxury, focus your efforts on those vendors whose compromise could do the greatest damage to your organisation or significantly disrupt your operational tempo.

The prioritisation, or the tiering of vendors, can be used to guide a series of processes in the vendor management cycle:

  • Set a cadence for vendor diligence across the enterprise
  • Define specific requirements for vendors at each tier
  • Fast-track the procurement process for low-risk vendors
  • Prioritise investigation of high-tier vendors

Here are some key criteria that should be considered when assessing and tiering your IT vendors. We have a Vendor Assessment Cheat Sheet in case you need one.
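As an added example (not code from the article or its author), the script below turns the tiering described above and the "ask your vendors and their critical vendors" step from the previous section into something that runs over a vendor inventory. The scoring criteria, weights, tier thresholds, review cadences and the sample vendors are all assumptions chosen for illustration, not the article's cheat-sheet criteria; substitute your own.

```python
"""Vendor tiering and vulnerability-impact triage over a vendor inventory.

Added example; criteria, weights, thresholds, cadences and sample vendors
are all assumed values, not figures from the article."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Vendor:
    name: str
    data_sensitivity: int     # 0 none .. 3 regulated or confidential data (assumed scale)
    access_level: int         # 0 none .. 3 privileged access into our environment
    operational_impact: int   # 0 negligible .. 3 an outage halts core operations
    technologies: Set[str] = field(default_factory=set)   # products they run for us
    subvendors: Set[str] = field(default_factory=set)     # their own critical vendors


# Assumed weights and thresholds: access and operational impact count more than data volume.
WEIGHTS = {"data_sensitivity": 2, "access_level": 3, "operational_impact": 3}
TIER_1_SCORE, TIER_2_SCORE = 16, 8          # out of a maximum score of 24
REVIEW_CADENCE_DAYS = {1: 90, 2: 180, 3: 365}


def risk_score(v: Vendor) -> int:
    return (WEIGHTS["data_sensitivity"] * v.data_sensitivity
            + WEIGHTS["access_level"] * v.access_level
            + WEIGHTS["operational_impact"] * v.operational_impact)


def tier(v: Vendor) -> int:
    """Tier 1 on a high total score, or whenever a single critical dimension is maxed out."""
    score = risk_score(v)
    if score >= TIER_1_SCORE or v.access_level == 3 or v.operational_impact == 3:
        return 1
    if score >= TIER_2_SCORE:
        return 2
    return 3


def review_plan(inventory: Dict[str, Vendor]) -> Dict[str, Tuple[int, int]]:
    """Vendor name -> (tier, days between diligence reviews)."""
    return {name: (tier(v), REVIEW_CADENCE_DAYS[tier(v)]) for name, v in inventory.items()}


def impacted_vendors(inventory: Dict[str, Vendor], product: str) -> Dict[str, List[str]]:
    """Vendors to ask about `product`, each with the dependency path that makes them relevant.

    Follows subvendor links, so a vendor is flagged when one of *its* critical vendors runs
    the product. Subvendors absent from the inventory are unknowns and cannot be checked."""
    direct = {name for name, v in inventory.items() if product in v.technologies}
    hits: Dict[str, List[str]] = {}
    for name in inventory:
        seen: Set[str] = set()
        stack: List[List[str]] = [[name]]
        while stack:
            path = stack.pop()
            current = path[-1]
            if current in seen:
                continue
            seen.add(current)
            if current in direct:
                hits[name] = path
                break
            if current in inventory:
                for sub in sorted(inventory[current].subvendors):
                    stack.append(path + [sub])
    return hits


# Constructed sample inventory (fictional vendors).
INVENTORY = {v.name: v for v in [
    Vendor("PayrollCo", 3, 1, 2, {"hr-platform"}, {"CloudHost"}),
    Vendor("ManagedSOC", 2, 3, 3, {"siem"}),
    Vendor("CateringCo", 0, 0, 0),
    Vendor("CloudHost", 2, 0, 3, {"file-transfer-appliance"}),
]}

if __name__ == "__main__":
    for name, (t, days) in sorted(review_plan(INVENTORY).items(), key=lambda kv: kv[1]):
        print(f"{name:<12} tier {t}  review every {days} days")
    for name, path in impacted_vendors(INVENTORY, "file-transfer-appliance").items():
        print(f"ask {name}: exposed via {' -> '.join(path)}")
```

Running it tiers ManagedSOC and CloudHost as Tier 1, PayrollCo as Tier 2 and CateringCo as Tier 3, and flags both CloudHost and PayrollCo when the affected product is the file-transfer appliance, because PayrollCo's critical vendor runs it even though PayrollCo itself does not. The override in `tier()` is deliberate: a vendor with privileged access or the power to halt operations belongs in the top tier regardless of how little data it handles.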


How to properly assess your IT vendors

As the complexity of vendor relationships evolves, so should the methods by which we assess them. The era of the standardised checklist has come and gone, yet many organisations continue to rely solely on a checklist to gauge complex security processes. This is like trying to measure a three-dimensional problem with a two-dimensional approach.

Now that you have developed criteria for identifying your most critical vendors, you can take a step back and develop a proper way to assess them, one that measures vendors against a mirror of your own internal requirements.

In most cases, Tier 1 vendors should be treated as an extension of your organisation, and you should therefore ensure they have policies, procedures, processes, and capabilities that are similar to or better than those you have set for yourself.

Ask yourself: if this particular vendor were breached, what would be the impact on our operations and on those of our customers? Then assess the vendor against those priorities. If availability is your concern, build firm Service Level Agreements (SLAs) into the contract and ensure the vendor has an adequate response plan in the event of an incident.

Be sure their business continuity plans are built and tested to withstand the unforeseen, not merely to satisfy a requirement. If your concerns are primarily around data, check that proper access controls are in place in their environment, then peel a layer deeper: verify that data is encrypted to an accepted standard, confirm that audit logs are kept and actually reviewed, and so on.

The scenarios could go on forever, but the important thing is not to overlook gaps in the vendor's processes, and to orient your assessment around a firm understanding of what they do for you and how that affects your resilience. It is very easy to take credit for the existence of a process; proving its effectiveness and efficiency through documentation is much harder.

So investigate further, ask questions, meet with the right representatives, and document their plans to address any issues or concerns. Remember, you have prioritised a handful of these vendors as critical; it is time you started treating them that way.

If such plans do not exist, work with the vendor to develop a plan of action with milestones, so that progress towards the desired outcome can be tracked. If that option is not on the table, make sure you have a mechanism to transfer the risk back onto the vendor or to establish compliance through contractual language.

Best practices and assurances can no longer simply be expected; they should be stated as requirements when entering a vendor relationship, and if they are not upheld, all or part of the resulting damage should be borne by the vendor.

Contractual security language will not only protect you by obliging vendors to follow best practices, it will also set the cadence of the relationship and bind both parties to the standards that must be met in the event of an incident.

Incident response, data retrieval, data ownership, the right to conduct an assessment, and similar matters should all be agreed upfront in these relationships. They may seem like basic requirements, but when push comes to shove, you will be glad your legal team can call upon these clauses to expedite a response or an action from the vendor.

Ryan Weeks is the CISO of Datto
