November 5, 2018

3 Parts of your Vendor Security Assessment Program

Justin Fimlaid

Show Notes: https://justinfimlaid.com/3-parts-of-your-vendor-security-assessment-program/

Sponsor: https://nuharborsecurity.com

Contact Me: https://justinfimlaid.com/contact-me/

Twitter: @justinfimlaid

LinkedIn: https://www.linkedin.com/in/jfimlaid/
3 Parts of your Vendor (Third Party) Security Management Program
Over the last few months we've had a lot of questions about this topic. To break it down, I would split the idea of third party security management, or vendor security management, into three parts.
The 3 Parts are:
1. Outside the firewall.
2. Inside the firewall.
3. Ongoing/Continuous Monitoring of your Vendors.

For outside the firewall, there are many software providers in the marketplace that effectively do a vulnerability scan of your target vendors and measure their security posture based on information that is publicly available. Today, when one of those providers scans your vendor, they are effectively looking at whether the vendor is using deprecated SSL (basically an older version of SSL), which might make them more susceptible to security weaknesses. They look at entries in the company's DNS records, such as whether email has been configured for SPF or whether the appropriate DKIM records are in place to ensure email security. They also look for open ports. Basically, they look for anything publicly available on the web that might infer or suggest what the overall security posture could be inside the firewall.

There are pros and cons to only looking outside the firewall. The pro, obviously, is that it is a very quick way to get a measure of someone's perceived security posture, or an idea of what their security posture might be. The con is that it is only a look from outside the firewall.
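As an added example (not from the podcast, the show notes, or NuHarbor Security), the script below applies the kinds of outside-the-firewall checks described above to constructed data. A real scanner would gather the inputs from public DNS lookups and TLS handshakes; here the vendor domains, TXT records, protocol versions and open ports are embedded so it runs offline. It also checks for a DMARC record, which the episode does not mention but which sits alongside SPF and DKIM in the same public email-security picture.

```python
"""Outside-the-firewall posture checks over constructed vendor data.

Added example; not code from the podcast or NuHarbor Security. The checks
mirror what a public scan looks at (deprecated SSL/TLS, SPF and DKIM records,
open ports) plus DMARC. All domains, records and ports below are constructed.
"""
from dataclasses import dataclass

DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Services a public scanner would normally flag when reachable from the internet.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP"}
# DNS-querying SPF mechanisms; RFC 7208 caps them at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}


@dataclass
class VendorExposure:
    domain: str
    txt_records: dict   # DNS name -> list of TXT strings (as a resolver would return)
    tls_versions: set   # protocol versions the vendor's public endpoint accepts
    open_ports: set     # TCP ports reachable from the internet


def check_spf(txt_strings):
    """Findings for the SPF record published at the domain apex."""
    spf = [t for t in txt_strings if t.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (RFC 7208 requires exactly one)"]
    terms = spf[0].split()
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF has no 'all' term")
    elif all_term in ("all", "+all"):
        findings.append("SPF uses '+all' (any host may send)")
    elif all_term == "?all":
        findings.append("SPF uses '?all' (neutral, no enforcement)")
    elif all_term == "~all":
        findings.append("SPF uses '~all' (softfail only)")
    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").split(":")[0].split("/")[0] in SPF_LOOKUP_TERMS
                  or t.startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF exceeds 10 DNS lookups ({lookups})")
    return findings


def check_dkim(txt_records, domain, selectors=("default", "selector1", "google")):
    """DKIM keys live at <selector>._domainkey.<domain>; probe a few common selectors."""
    found = [s for s in selectors
             if any(t.startswith("v=DKIM1") or "p=" in t
                    for t in txt_records.get(f"{s}._domainkey.{domain}", []))]
    return [] if found else ["no DKIM key found for common selectors"]


def check_dmarc(txt_records, domain):
    """DMARC lives at _dmarc.<domain>; only quarantine/reject actually enforce."""
    recs = [t for t in txt_records.get(f"_dmarc.{domain}", []) if t.startswith("v=DMARC1")]
    if not recs:
        return ["no DMARC record"]
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    policy = tags.get("p", "none")
    return [] if policy in ("quarantine", "reject") else [f"DMARC policy is '{policy}' (no enforcement)"]


def check_tls(versions):
    return [f"accepts deprecated protocol {v}" for v in sorted(versions) if v in DEPRECATED_TLS]


def check_ports(ports):
    return [f"port {p} ({RISKY_PORTS[p]}) reachable from the internet" for p in sorted(ports) if p in RISKY_PORTS]


def assess(v: VendorExposure) -> dict:
    """Run every check and return only the areas that produced findings."""
    report = {
        "spf": check_spf(v.txt_records.get(v.domain, [])),
        "dkim": check_dkim(v.txt_records, v.domain),
        "dmarc": check_dmarc(v.txt_records, v.domain),
        "tls": check_tls(v.tls_versions),
        "ports": check_ports(v.open_ports),
    }
    return {area: f for area, f in report.items() if f}


def finding_count(v: VendorExposure) -> int:
    return sum(len(f) for f in assess(v).values())


# Constructed sample vendors: one with a weak public posture, one with a clean one.
WEAK_VENDOR = VendorExposure(
    domain="vendor-a.example",
    txt_records={"vendor-a.example": ["v=spf1 include:_spf.mailhost.example ?all"]},  # no DKIM, no DMARC
    tls_versions={"TLSv1.0", "TLSv1.2"},
    open_ports={443, 3389},
)
STRONG_VENDOR = VendorExposure(
    domain="vendor-b.example",
    txt_records={
        "vendor-b.example": ["v=spf1 mx include:_spf.mailhost.example -all"],
        "_dmarc.vendor-b.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor-b.example"],
        "selector1._domainkey.vendor-b.example": ["v=DKIM1; k=rsa; p=MIIBIjANBg...constructed"],
    },
    tls_versions={"TLSv1.2", "TLSv1.3"},
    open_ports={443},
)

if __name__ == "__main__":
    for vendor in (WEAK_VENDOR, STRONG_VENDOR):
        print(vendor.domain, assess(vendor) or "no findings")
```

The point of grouping findings by area is the one the episode makes next: a public scan tells you something is weak, but each finding still needs a conversation with the vendor (or an inside-the-firewall question) before you decide what it means for the relationship.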

The second type of vendor security assessment, or third party security assessment, is inside the firewall. Examples of this would be sending a questionnaire to your vendor or third party, with human interaction to ascertain whether the answers supplied in that questionnaire are appropriate. In some cases it even means picking up the phone to talk to your vendor.

In these cases you're asking whether they have policies and procedures in place around security, whether they have a vulnerability management program in place, and whether they manage their own vendors. You're trying to understand where they're storing your information and what security surrounds their databases: basically how they govern security and how they protect the technology within their environment.

Where I see folks really get tripped up is after they've done either an outside the firewall review or an inside the firewall look and they find a vulnerability or a security weakness. What happens next?

In some cases, for some organizations, it could be "hey, this vulnerability is just too egregious, we're not going to do business with this potential partner," or "let's work with our vendor or partner to help them rightsize their security posture so that we can continue to collect business value from this vendor." This is where we're really starting to see the rise of continuous vendor management: if you're able to do the outside the firewall look and/or the inside the firewall look of a vendor and find a vulnerability, create a partnership between your organization and the vendor or partner that's providing value to your business, to ensure that everybody's security posture is what it should be and everybody's information is protected. That back-and-forth partnership is what is evolving into continuous vendor security management, or continuous third party security management.

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
