Have You Vetted Your Business Partners Lately?

By Jerry Holcombe on December, 20 2016


We’ve heard all the horror stories: Target, Jeep, Michaels, and sadly the list keeps growing. Third-Party risk management issues have been the talk of mainstream media for some time now. Who hasn't been personally impacted, or known someone who has had their personal data exposed? As security professionals, we are often asked to help organizations complete Third-Party risk assessments, but are the 800-question questionnaires actually helping mitigate risk? Would it be more beneficial to see the results of your Third-Party’s pen test? Let’s take a deeper dive and ask: how much scrutiny is ‘enough’?

What is a Third-Party breach?

A Third-Party breach is one where attackers compromise your network or systems via one of your partners, suppliers, or vendors. Attackers commonly take advantage of the trust placed in Third-Parties: they often have some means of logical network or system access, yet may not apply due diligence in protecting those access mechanisms. For example, one of the most infamous breaches took place at Target in 2013, when the initial attack vector was a Third-Party HVAC company. The attackers gained a foothold with the limited access that vendor was authorized to have, then tunneled their way into more critical systems through various attack methods.

What key indicators actually matter?

Even though security questionnaires are a best practice, they don't take an organization’s unique needs into consideration, which makes them the bane of many security professionals. One size does not fit all in the security world, and when looking at what really matters, shouldn't context be taken into consideration? Doesn’t it make sense to determine which vendors need to be assessed every year versus those that need to be inspected less frequently? The cadence should be driven by what data they can access or care for. A key prerequisite is to gain a clear understanding of the data a vendor has access to, or can impact, through meticulous mapping of data flows, business processes, and system architectures. The questions themselves should also be tailored to the actual nature of the business relationship and the nature of the data that is shared or handled.

Factors to consider:

  • Is the data highly sensitive?
  • How often is it accessed or handled?
  • How much data is accessed or handled?
  • Is this data critical to your operations?
  • If something were to happen to this partner, how would your business be impacted?

Depending on the nature of the relationship with the Third-Party provider, it is best to take a pragmatic view to measure risk. The riskier the associated relationship with the Third-Party provider, the more questions should be asked.

Other questions you might want to ask include:

  • What assessments/certifications have they had conducted (e.g. ISO 27001, SSAE16 SOC2, PCI, etc.)?
  • Can they provide the results of their pen test?
  • Can they provide the results of their vulnerability scans?
  • How do they practice risk management?
  • Do they have a security policy?
  • Do they have supporting procedures?
  • Do they have secure build standards?
  • Do they have effective access controls?
  • Do they have effective authentication controls?
  • Do they have centralized logging?
  • Do they have effective physical security?
  • Do they have outdated technologies?
  • Do they have an effective vulnerability management process?

How does this impact my organization?

Developing a set of quality questions over an abundance of ambiguous questions will provide you with a more accurate picture of the risk associated with your Third-Party relationships. Whether you’re asking a Third-Party to fill out a risk assessment or if you are actually the Third-Party, a higher quality and focused assessment could be a game changer. While it usually is a good thing for businesses to work with more partners (i.e. to be connected to them), there is also an inherent risk associated with that connectivity.

No one will argue that it is essential to practice due diligence to ensure that reasonable security measures are followed, but at the same time you don’t want to waste resources reviewing questionnaire responses that don’t align with the business relationship. Your Third-Party questionnaires should be right-sized for that particular relationship. Another aspect to think about is whether or not you have the resources to even consider going through the process to work with a big organization.

At Online we’ve worked with many clients to help them both answer these questionnaires (we too have felt the pain of responding to poorly scoped questionnaires) and develop Third-Party assessment programs. Companies are now expected to exercise proper due diligence in vetting their would-be partners, not only during the pre-dating phase but periodically thereafter, both to confirm that changes in the business relationship don’t require a review of additional controls and to ensure that the Third-Party has continued to maintain an adequate security posture.

Have you had to fill out one of these questionnaires? Is there anything you like/would change about them? Tell us about your experience in the comments below.
