3 Parts of your Vendor Security Assessment Program

Show Notes: https://justinfimlaid.com/3-parts-of-your-vendor-security-assessment-program/

Sponsor: https://www.nuharborsecurity.com

Contact Me: https://justinfimlaid.com/contact-me/

Twitter: @justinfimlaid

LinkedIn: https://www.linkedin.com/in/jfimlaid/

3 Parts of your Vendor (Third Party) Security Management Program

Over the last few months we’ve had a lot of questions about this topic. So to break it down, I would actually break the topic, or the idea, of third-party security management or vendor security management into three parts.

The 3 Parts are:

1. Outside the firewall.

2. Inside the firewall.

3. Ongoing/Continuous Monitoring of your Vendors. 

For outside the firewall, there are many software providers in the marketplace that effectively do a vulnerability scan of your target vendors and measure their security posture based on information that’s publicly available. Today when one of those providers scans your vendor, they’re effectively looking at whether your vendor is using deprecated SSL (basically an older version of SSL) and might therefore be more susceptible to security weaknesses. They’re looking at entries within a company’s DNS records, things like whether your email has been configured for SPF or you have the appropriate DKIM records in place to ensure your email security. They’re also looking for open ports. They’re basically looking for anything publicly available on the web that might suggest what the vendor’s overall security posture could be inside the firewall.

So there are some pros and cons to only looking outside the firewall. The pro, obviously, is that this is a very quick way to get a measure of someone’s perceived security posture, or at least an idea of what their security posture might be. The con is that it is only a look outside the firewall.
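As an added example (not the author’s or any scanning vendor’s code), here is the kind of check behind the SPF and DKIM items in an outside-the-firewall scan: given the TXT records a scanner would fetch over DNS, it flags the weak settings such scans report. The domain names, records and key bytes are constructed so the code runs offline; a real scanner would replace them with DNS lookups.

```python
import base64
import re
# Constructed sample records (not any real domain's DNS); the DKIM "keys" are
# placeholder bytes of DER-typical length, not real public keys.
SAMPLE_TXT = {
    "strict.example": ["v=spf1 mx include:_spf.mailhost.example -all"],
    "loose.example": ["v=spf1 a mx ptr ?all", "site-verification=abc123"],
    "none.example": ["site-verification=xyz789"],
}
SAMPLE_DKIM = {  # TXT at <selector>._domainkey.<domain>; None if absent
    "strict.example": "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 294).decode(),
    "loose.example": "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 162).decode(),
    "none.example": None,
}
ALL_MECH = re.compile(r"^([+\-~?]?)all$")
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 limit of 10

def assess_spf(txt_records):
    """Return the SPF weaknesses an external scanner would report for a domain."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: spoofed mail from this domain is not rejected"]
    findings, all_qual, lookups = [], None, 0
    for term in spf[0].split()[1:]:
        m = ALL_MECH.match(term)
        if m:
            all_qual = m.group(1) or "+"  # bare 'all' means '+all'
            continue
        mech = re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1)[0]
        lookups += mech in LOOKUP_MECHS  # bool counts as 0/1
    if all_qual is None:
        findings.append("SPF has no 'all' term: unlisted senders get a neutral result")
    elif all_qual in ("+", "?", "~"):
        findings.append(f"SPF ends in '{all_qual}all': spoofed mail is not rejected")
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): permerror")
    return findings

def assess_dkim(record):
    """Return weaknesses for a DKIM selector TXT record (None if not published)."""
    if record is None:
        return ["DKIM selector not published: signatures cannot be verified"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    key = tags.get("p", "")
    if not key:
        return ["DKIM key revoked (empty p=): selector no longer signs mail"]
    # Heuristic: DER of a 2048-bit RSA key is ~294 bytes, of a 1024-bit key ~162 bytes.
    if len(base64.b64decode(key)) < 200:
        return ["DKIM key appears shorter than 2048 bits"]
    return []
```

Running `assess_spf` and `assess_dkim` over each sample domain gives an empty finding list for `strict.example` and one finding each for `loose.example`, which is the shape of result the scanning products roll up into a posture score.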

The second type of vendor security assessment or third-party security assessment is inside the firewall. Examples of this would be sending a questionnaire to your vendor or third party, with human interaction to ascertain whether the answers supplied in that questionnaire are appropriate. In some cases it’s even picking up the phone to talk to your vendor.

In these cases you’re asking whether they have policies and procedures in place around security, whether they have a vulnerability management program in place, and whether they manage their own vendors. You’re trying to understand where they’re storing your information and the security around their databases: basically how they govern security and how they protect the technology within their environment.

Where I see folks really get tripped up is once you’ve done either an outside-the-firewall review or an inside-the-firewall look and you find a vulnerability or a security weakness. What happens next?

In some cases, for some organizations, it could be “hey, this vulnerability is just too egregious. We’re not going to do business with this potential partner,” or “let’s work with our vendor or partner to help them rightsize their security posture so that we can continue to collect business value from this vendor.” This is where we’re really starting to see the rise of continuous vendor management: if you’re able to do the outside-the-firewall look and/or the inside-the-firewall look at this vendor and find a vulnerability, let’s create a partnership between your organization and the vendor or partner that’s providing value to your business, to ensure that everybody’s security posture is what it should be and everybody’s information is being protected. That back and forth, that partnership, is what’s evolving into continuous vendor security management or continuous third-party security management.