We’re surrounded by networks, many not our own. It’s next to impossible to run a business today without network interconnectivity. Even the smallest mom-and-pop shop has a website and hosting provider that connect to at least one computer holding client and payment information. The larger your organization, the more vendor/supplier/partner relationships you’re likely to have and the greater your risk. Of course, the bigger your ecosystem, the greater the risk—because it’s hard enough to understand just one provider’s security posture let alone 1,000.
Yet, regardless of how many third parties your organization works with, you must understand how all of those third parties approach and manage security. When a breach occurs, your clients are not going to care if the attackers came in through your organization’s front door or if they snuck in through your supplier’s basement window. And with GDPR on the horizon, things are getting even tougher.
InfoSec Insider: What are companies’ third-party obligations when it comes to vendor/supplier security?
Ron Woerner: The use of third parties is often a good option for companies that need or want to supplement capabilities or provide additional services, either to internal staff or to the organization’s client base. While third-party relationships can provide tremendous benefits, partnering does not relieve the primary organization of ultimate responsibility for its own security and compliance or exempt the entity from accountability and obligation for ensuring the security of their environment and any sensitive data under their care. When handing off data to a third party for processing or storage, an organization is not absolved from data protection oversight. You can outsource functions, but not responsibility.
This reality is reflected in many third-party security compliance requirements, laws, standards, and regulations. For example, companies that accept credit card payments are required to vet third-party service providers as a part of the Payment Card Industry Data Security Standard (PCI DSS). Clear policies and procedures need to be established between the company and its service providers to meet all applicable security requirements. It’s your responsibility to ensure that all third parties you are working with meet them—when the partnership is initiated, and throughout the entire lifetime of the agreement. Companies can’t approach vendor security management as a “one-and-done” project. It needs to be a continuous process.
Proper due diligence and risk analysis are critical components in the management of any third parties in use. Ignorance or complacency are no excuse for ignoring third parties that have access to your infrastructure, networks, systems, or data. Target learned that lesson the hard way. Needless to say, if any third parties can access your company’s infrastructure, you need to continually take steps to ensure the third party has adequate security in place. Failure to do so could be a big headache.
II: How does a company measure/manage suppliers? Is the contract enough?
RW: Managing suppliers starts with contracts. The language needs to contain enforceable service level agreements (SLAs) not only based on uptime, but also other common metrics. Those include (but are not limited to):
- Time to patch
- Staff dedicated to security efforts (full and/or part-time)
- Frequency of security reviews (vulnerability assessments, pen tests, audits, etc.)
If the supplier has access to any sensitive systems or data, the company should conduct this review at least annually, although quarterly is better. Standards for measurement include the NIST Cyber Security Framework (CSF) and the Center for Internet Security (CIS) Controls. These types of established frameworks and standards should be used as benchmarks to evaluate a supplier’s contract and measure their current security posture and continual improvement of their security program.
Primary organizations should also ask what benchmarks the third party uses to harden their systems. CIS has over one hundred configuration guidelines for securing major operating systems, applications, and technologies. The U.S. Defense Information Systems Agency also provides configuration standards in their Security Technical Implementation Guides (STIGs). While STIGs is focused on DOD/Military systems, they are good benchmarks for anyone to follow, if for no other reason than because they are free and have been tested.
II: From a practical point of view, how would a company start an assessment (i.e., do you just hold your nose and jump in if, say, SalesForce or AWS is your vendor and you’re an SMB with much more limited staff/resources/capabilities)?
RW: In short, take the following steps with any vendor:
- Ask the vendor to provide a report or a letter attesting to their security
- Trust, but verify. Ask the vendor questions about their security (with or without a report)
- Evaluate the vendor’s security posture yourself, either through NIST or CIS standards or penetration testing.
It starts by asking the vendor about their security. Don’t let them blow smoke. Force them to explain details of their security program and infrastructure. If they don’t answer, consider taking your business elsewhere—there are plenty of options on the market. Remember: It’s your butt on the line if the third party fails with their security and those systems are connected to yours. Third-party security management can’t be about legacy relationships or promises; you must have a clear understanding and insight into how the third party is actively protecting the data and systems with which your organization connects.
Fortunately, there are many tools available. An assessment could start with the NIST CSF or CIS Controls (see above). These are both industry standards for assessing the many cybersecurity domains. Most well-known vendors should already be familiar with these and may already have a report that will attest to their established security practices. Further, request a copy of an audit report. Although audits are point-in-time, you may be able to find some clues as to how the vendor approaches security by reading through a report and seeing the results first hand. Or, ask the vendor to allow you to run a penetration test against their systems using a third-party consultant. This is obviously the most costly option, but for critical systems or data, you will receive the best assurance through hands-on testing.
Asking vendors which security standards they follow and how well they’re doing are fair questions and a great way to emphasize that your company takes security seriously--and you expect them to as well.