As we discussed in Part I: Designing Your VRA Roadmap, a successful vendor security audit program requires organizations to hold their critical vendors to the same standards they maintain internally. While there’s no universal approach to vendor risk assessments (VRAs), there are specific questions that must be answered, regardless of the methodology you choose.
1. Do you have a formal security framework in place?
First and foremost, it’s important that you understand the current cybersecurity posture of your supply chain. A security program establishes the structure for maintaining a company’s desired level of security. The program is critical for analyzing risks, determining ways to reduce those risks, and developing plans to maintain security practices up to date.
2. Is there a periodic security testing policy? If so, when was the most recent security audit conducted?
Whether or not a vendor participates in regular penetration testing is usually a good indicator of where the organization stands in terms of cyber security. Simply saying that they employ pentesting isn’t enough, either. Knowing the frequency of pentests will also gain insight into how seriously they take maintaining a good cyber posture.
3. What do you do from a human security standpoint?
It only takes one gateway for cyber criminals to wreak havoc, which is what makes employee security education and management so essential. Not only should the organization be monitoring for leaked credentials on the dark web, they should hold their entire workforce accountable to a certain point.
Are employees trained on a regular basis? Are you conducting social engineering tests on your employees to prove the adoption of a security-first mindset? What are the minimum password security standards? All of these questions should be a part of your VRA program, as well as those around remote security access and multi-factor authentication because of today’s work-from-home culture.
4. What is your software security policy?
Nowadays, there’s a solution for just about any business need. However, not all providers are diligent about their security processes and will actually cause more harm than good. To get a pulse on the situation, don’t hesitate to ask that vendors prove their software is trustworthy and that security is at the core of their DevOps cycle.
5. What are the controls in place for sharing sensitive information?
Whether the vendor is aware of the criticality of personally identifiable information (PII) shared with itself is of paramount importance. Which servers harbor the PII? What are the security controls, such as server security and employee access rights, in place for this PII?
We’ve seen the ripple effect have a detrimental impact on the supply chain, so be sure to ask whether the PII is shared with further parties, such as a hosting provider or another vendor of theirs. Additionally, ask whether a data protection officer is employed wherever GDPR is applicable.
6. Is there a security assessment available for their third parties (AKA your fourth parties)?
Given the complexity of today’s supply chains, it comes as no surprise that many attacks are now caused by fourth parties. It could be the hosting provider of a third party that is hit and in turn puts your data at risk. It’s not just about your third parties, but rather anyone involved in your vendor ecosystem.
Get an understanding of their own third-party risk management (TPRM) processes. Do they carry out a due-diligence process with vendors before you enter into a contract with them? Are they periodically conducting similar security assessments for their own vendors that they already work with?
7. Is there a cyber incident response plan in place?
Last but not least, preparation is key. Cyber incidents can be examined and prioritized using proper incident handling methods, allowing the next best course of action to be followed to address the problem. Breach notification is an important aspect of incident management, and it is now required by a number of legislation, with a focus on vendor reporting.
Ask whether a formal cyber incident response plan has been defined. Does it include detailed processes and designate responsibilities? History can also be a good indicator of a company’s security threshold. If a former breach has occurred, request those reports and understand the lessons that were learned, as well as the measures that have been taken since.
Nevertheless, as critical as vendor security assessments have become, it’s no secret as to how daunting they can be. To streamline the process and eliminate room for human error, security teams can benefit from introducing automated tools to the process. Learn more about how Black Kite can help automate vendor questionnaires.