Control of the Week #1: Third-Party Risk Management
If you think about it, all security audits are straightforward in their content and requirements: all you need is the time to sift through the controls, translate the legalese doublespeak into layperson’s terms, and figure out what applies to your organization (this is especially true for certs like SOC 2 and ISO 27001). But in reality, who has the time to sift through all that? And even if you’re a veteran at implementing and verifying security controls, it still takes time. So to help you quickly understand what auditors look for in SOC 2 and ISO 27001 controls, our Tugboat Labs team of former auditors and security analysts created a “Control of the Week” blog series. The series tells you why the control is important and how you can implement it. This week’s control is Third-Party Vendor Management.
Why this control is important

At a nominal level, third-party vendor management is tied back to SOC 2 and ISO 27001 (real talk: both certs are probably why your customers are asking you for a third-party audit or certification):

"RM2.0 – Third-Party Vendor Management: A vendor management process has been implemented whereby management performs risk assessments of potential new vendors and evaluates the performance of existing vendors on an annual basis. Corrective actions are taken as required based on the results of the assessments."

At a fundamental level for your business, you should always take inventory of your vendors and the risks they could present to your business. For example, we recently evaluated other video conferencing vendors in the wake of Zoom’s security issues and decided that we needed to switch to a more secure solution (especially since they still don't offer end-to-end encryption). The goal of this control is to make sure whoever you’re working with is keeping their data secure and following security best practices. Or, put another way: everyone wants responsibility, but no one wants responsibility.
How to implement this control for your audits
You can implement this control in two steps:
1) Make sure your vendors actually comply with your expected security, confidentiality and privacy requirements before you engage with them.
2) Conduct ongoing risk assessments of them to make sure they are keeping their promises regarding security compliance.
Step 1: Trust, but verify, your vendors’ security efforts and their overall fit
Regardless of your organization’s size, we recommend doing a self-evaluation as a starting point for tracking the number of vendors you rely on. Even if you’re a small start-up, you rely on a lot of vendors to power different parts of your business, e.g., G Suite for email and collaboration, Gusto for payroll, and AWS for cloud hosting. Here are some self-assessment questions you can use when evaluating vendors before you formalize relationships with them (internally, we drink our own champagne, and have used these questions in addition to our Vendor Risk Management module when evaluating our vendors):

- What are you using them for?
- What info / data are you sending / sharing with them?
- How critical is the process you are outsourcing to your organization?
- Review their terms and conditions, security certifications (e.g., SOC 2, ISO 27001), and whether their contracts have been updated – what are they doing with your data?
- How much are you getting out of them?
- What is their security posture?
- Do they have SLAs?
- Are their contractual terms aligned to what you expect for this type of service?
- What is the level of risk from each vendor? For example, an accounting firm you’ve hired to help manage your financials might have as high a risk as the custodial staff your office building management employs – the accounting firm could get hacked via a phishing email, while the custodial staff could steal sensitive documents if they aren’t locked away out of sight.
Step 2: Monitor and assess your vendors on an ongoing basis

You can conduct your own vendor risk assessments using something as simple as the following set of considerations and questions, or use a tool like the Tugboat platform’s VRM module.
You should always consider the factors that are important for both you and your customers as part of your risk assessments. Here are some of the risk categories you should consider:

Information Security – Assessment of third-party controls related to security, confidentiality and availability of data shared with them. Ask yourself questions like:
- Do they have proof of security certs?
- Do they conduct periodic assessments and have ongoing monitoring?
- What are their on/offboarding processes?
- How is security prioritized for their customers?
- How do they handle incorrectly classified and unidentified customer data?

Monitoring gaps – Periodic assessments, ongoing monitoring, incident notification, on/offboarding, adherence to and appropriateness of SLAs. Consider:
- What SLAs do they have in their contract?
- How are they planning to report to you on compliance with the SLAs?
- How do you plan on monitoring them to make sure that they are providing the services as agreed?
- How do you involve the procurement team (if you have one)?
- How do you involve other internal parties and stakeholders?
- What are their incident notification, response, and disclosure policies?
- What are the SLAs around those, and how well do the vendors adhere to them?

Business Continuity – Availability considerations are key as third-party services and solutions become more critical to your operations; assess facility access and security measures, if applicable. Dig into:
- How long have they been around for?
- What does their business continuity plan entail?

Regulatory Requirements – Regulators mandate the supervision of third-party suppliers for security, privacy, and data protection compliance. Make sure you determine the following:
- How long have they been around for?
- What does their business continuity plan entail?

Lack of due diligence – Distributed IT environments, legacy/longstanding suppliers, limited supplier insight globally, and use of subcontractors by the third party. To paraphrase Mountain Dew's slogan, do the due (diligence) with these:
- How robust is their organization based on what’s shown on LinkedIn?
- How credible is their executive team?
- How many customers do they have?
- How satisfied and dissatisfied are their customers?
Ultimately, your considerations depend on what you’re using the vendor for, and the extent of your needs for securing data.