Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect on my companies views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.
When it comes to building a security program, one of the most frequently overlooked areas is that of vendor management. Organizations focus significant resources on internal security, such as vulnerability scans, centralized log management, or user training, while not extending the same diligence towards their third-parties. Organizations end up trusting the security of their network and data to an unknown and untested third-party.
As we all know, a chain is only as strong as its weakest link. If an organization cannot verify the security of its third-parties, then it has introduced the potential for risk and reduced the information assurance of their system. It is essential to realize that even if the cause of a breach is due to a third-party, it is still your company's name and brand that is at risk.
The potential cost associated with a breach can include:
Loss of trust
What damage can vendors do?
Despite the warning above, you may still be thinking, "what damage could my vendors really do?". The answer to that question will vary based on the access, control, and data you provide to them. For example, if your office caterer was breached the overall risk to the organization is easily contained by simply canceling whatever card you offered them.
On the other hand, if you have a third-party accountant or lawyer you could be exposed to much more damage. In this example, you would be releasing highly private and potentially valuable data into unknown systems, with unknown controls and unknown users. This line of thinking can apply to any organization and any vendor, regardless of size or industry, and can help you identify where to focus your efforts.
Any vendor that has access to your systems or data is inherently a risk to your company. Every threat or vulnerability you face, your vendors will also face. Are you confident they take these threats as seriously as you do? Or are they even aware of them?
Regardless of how confident you may feel, I highly recommend you continue reading! The rest of this article is dedicated to providing tips and advice for building a program to assess, vet, and remediate risks related to your third parties.
What can you do?
Now that you understand the risks vendors pose to your organization, you need to determine what you can do to help to reduce them. There are a few steps any organization can take to develop a more robust stance on vendor management. It must be noted that to build a truly effective and mature program you must be willing to dedicate the time and resources to do it right. I have broken out the necessary steps below and have provided advice for what these steps should cover.
A vendor management program should have, at a minimum, the following components:
Policy – A vendor management policy should cover the purpose behind assessing vendors, staff responsibilities, communication channels, and other core components of the overarching program.
Procedures – Along with the policy, your organization will need several defined procedures to implement and manage the vendor management program effectively. These procedures can include:
The processes you create should be relevant to the size and scope of your program and must fit your general operations.
Rankings – To provide that resources are used effectively, you must come up with a ranking system to classify your vendors. While there is no 'right' answer to ranking vendors, a few metrics you can use to determine criticality are:
Sensitivity of data they receive
Volume of data they receive
Importance of service they provide
These can be used by themselves or combined to form a more robust ranking system. There are other ways to rank vendors, and you should make sure to pick the metrics that best fit your organization.
Escalation Points – As part of the policies and procedures supporting this program, there should be defined staff who serve as escalation points for any issues or security concerns. These staff should be senior members of the organization or those with authority to make decisions. This is a necessary component of any program because, unfortunately, not all vendors will be willing to remediate gaps, or even undergo an assessment. In these cases, it is up to the assigned staff members to determine the best course of action.
Contract Requirements – Make sure to have standardized contracts with your vendors that include things like service level agreements (SLAs) to provide that your vendors are actually obligated to provide the services you buy from them. Without an SLA you have little recourse if your vendor suffers long-term outages, or otherwise fails to deliver the promised service(s).
Internally, these requirements should be monitored by the specific teams or employees that work with these vendors regularly. The staff using the system or working with the vendor will be in the best place to notice abnormalities or contractual failings.
Vendor management is a complex and time-intensive task which many organizations do not, and in many cases, cannot dedicate the time and resources to managing. For companies with a small number of vendors, this can be manageable, but most organizations will need additional support to create and implement these programs effectively. By dedicating resources to developing a program, organizations can begin to understand and eliminate the threats posed by their third-parties.
For those organizations that do not have the resources to establish or maintain this type of program, AT&T Cybersecurity Consulting offers numerous solutions to help create, implement, and manage vendor management programs of any size.