Third-party security assessment

July 2, 2020

Eight areas of a successful third-party security assessment

Why should you care about the security assessment of your vendors?
As a company owner or a manager, your primary goal is to keep your employees and business safe. As a data-driven and dependent business, data will most likely be your most valuable asset. You will collaborate with third-party suppliers or ‘vendors’ to enrich, improve and append your customer database.  
We already wrote about why you should care about privacy in dealing with a supplier. In this blog, we’ll broaden the topic, so you have the holistic approach of assessing your vendors.
It’s worth mentioning that these days, third-party assessments will go further from cybersecurity and compliance and will potentially look into ethical business practices, safety procedures or even environmental impact as well.  

Taking care of your internal processes and your ‘endpoints’ first.  

First things first, you will probably have to deal with some basic recommendations and tactics to address general cyber-security guidelines and your basic user management.  

The SANS Institute in their 2019 Survey on Next-Generation Endpoint Risks and Protections, published the following;

• 39% of respondents have concerns about mobile devices and lack processes for them  
• 27% of laptops and mobile devices are centrally managed  
• 28% of respondents cannot collect logs from assets that are off company-controlled networks  
• 11% of respondents report an inability to identify what data has been breached and 66% find it difficult  
• 62% of breaches can be identified within the first 24 hours  
• 28% of survey respondents confirmed that attackers had accessed endpoints.  

How a third-party security assessment impacts you?  

Assuming you are taking care of the most critical steps to protect your organisation and security, you will probably want to match your standards, your clients’ safety and your data with an equally trusted partner.  

Based on our experience with security assessments, we are sharing with you eight groups of assessment practices, process and controls when we are responding to our clients’ requirements.

1/ Cyber – Governance policy
Your potential vendor has a formal risk assessment program in place, to identify, measure, and track potential risks, and performs assessments at least once per year, and provides Senior Management with those insights.  
The entire business aligns with the Information Security Policy, which is managed and reviewed on regular bases. Ideally, your potential partner will have a regular training security program in place and employment process that will include background checks.  
2/ Data leakage  
Data leakage solutions, techniques and tools are in place to identify, monitor and protect data in use, motion or rest. They minimise the risk of sensitive data being shared outside your partner’s secure and controlled network.
3/ Cyber – Technical defence
Technical defence presumes that customers data in transit and data at rest is encrypted based on industry standards, and key certificates are protected with restricted access and audited periodically. This group of security requirements addresses patches, regular automatic and manual testing taking place to access vulnerabilities and malware detection and scanning.  
4/ Physical & Environmental Security
This group of requirements addresses how your partner manages and audits access to systems and password policies, which should also be monitored and improved.
5/ Cyber monitoring and detection
This one requires putting mechanisms in place to protect systems containing sensitive or client information with logs retained in line with published guidelines and consequently. If an incident does occur, it is quickly detected with enough information to minimise the impact and mitigate any future occurrence.
6/ Cyber incident response
The incident response presumes incident management is in place, including a process and policy that guides employees to identify, report, manage and respond to incidents. Accidents must be recorded, documented and communicated to internal and external stakeholders.  
7/ Resilience – business continuity
Training in business continuity is carried out with the key stakeholders to drive improvements and ensure ongoing business resilience.  
8/ Regulatory compliance
This list is a long one, but, in short, it includes thoroughly knowing your third-parties up to the political exposures of key employees. It also requires periodical reviews to prevent conflicts of interest, including having a set of policies in place to make sure that the vendor’s management is compliant with legal and regulatory requirements.

Conclusion by IDG Communications compiled a list of the largest 21st Century breaches using one simple criterion: The number of people whose data was compromised. The biggest breach impacted 153 million user records.  
With an engineering background specialised in working with financial institutions, we have always been aware of the potential security implications of the entire data supply chain. Our senior engineers have more than a decade of experience working with institutions with a high standard for data quality and security.
By carefully picking your supplier and your vendor, you will mitigate risks and leave your most valuable business asset in the hands of a trusted, and reliable partner. You can then focus on growing your business instead of worrying about exposing it to potential data breaches.

• Acceleon third-party security assessment template 2020
• The SANS Institute in their 2019 Survey on Next-Generation Endpoint Risks and Protections