CISOs, CIOs, and Risk Managers often understand the importance of vendor information security assessments but don’t know where to begin. I manage a team of analysts who perform vendor assessments, and we have experience making this process both successful and relatively painless.
The goal of your vendor security assessment program is to understand the overall risk posture of your strategic vendors, and therefore the risks to the confidentiality, integrity, or availability of your data. The first step in the process is to identify which vendors you should assess. We reviewed this step in a recent blog post, "Risk Management – Which Vendors Should I Assess?" After you have identified the vendors, the next step is to identify the information security controls you want to assess. Creating an assessment questionnaire to send to vendors keeps the assessment focused on the controls that matter most to your business.
Vendor assessment surveys do not need to ask hundreds of questions. Instead, to ensure that your assessment process is successful, keep it simple. Focus on the key security controls that form the foundation of a strong security posture and are relevant to your business. What are the core concepts and controls you need to understand to assess the security posture of a vendor? In our practice, we have narrowed it down to a core list of thirty-six questions, grouped into the following categories.
To build your own set of questions, use the control families within NIST 800-53 as a guide. Some control families can be grouped together, and not every family needs to be included in your assessment of third parties. Notice that we divide our questions into just eight categories (we also include two privacy categories). After you have your categories, review the major controls in each related NIST control family to identify the questions you need. Focus on the basics. For instance, related to access controls we ask vendors to respond to five questions:
You don’t need many questions to get a good sense of how well the vendor is doing in each category. If you can limit the number of assessment questions, you are more likely to get timely and well-developed responses from your vendors. Most vendors aren’t willing to respond to unnecessarily large questionnaires, and you wouldn’t want to review a long list of responses.
What if your vendor isn’t willing to fill out custom questionnaires? In these cases, vendors will submit SSAE16 SOC2 reports or other appropriate documentation to provide evidence. You can use your list of foundational control questions as a guide as you review the documentation. You want to find evidence that each of your key control areas has been addressed. If some questions are not evidenced in the documentation, we find that most vendors are willing to personally respond to a shorter list of follow-up questions via e-mail or phone.
Our clients have chosen to outsource vendor risk assessments, and that choice often makes sense. This process is time-consuming, and using the experience of security professionals who do this regularly adds value to the results. If you choose to perform these assessments yourself, consider using our suggestions as you design your process. We have found this approach to be less painful for both vendors and reviewers, and we have discovered that it yields more accurate and focused results. Keeping it simple will provide better insight into the overall security posture of your vendor and identify the most significant risks they bring to your business.
If you're looking for help with vendor assessments, please contact us today.
https://nuharborsecurity.com/vendor-assessments