Third Party Risk Assessment - The Basics: Less is More

By: Paul Dusini, Information Assurance Manager

CISOs, CIOs, and Risk Managers often understand the importance of vendor information security assessments but don’t know where to begin. I manage a team of analysts who perform vendor assessments, and we have experience making this process both successful and relatively painless.

The goal of your vendor security assessment program is to understand the overall risk posture of your strategic vendors and, through that, the risks to the confidentiality, integrity, and availability of your data. The first step in the process is to identify which vendors you should assess; we reviewed that step in a recent blog post, "Risk Management – Which Vendors Should I Assess?" After you have identified the vendors, the next step is to identify the information security controls you want to assess. Creating an assessment questionnaire to send to vendors keeps the focus of the assessment on the controls that matter most to your business.

Third-Party Security

Vendor assessment surveys do not need to ask hundreds of questions. Instead, to ensure that your assessment process is successful, keep it simple. Focus on the key security controls that form the foundation of a strong security posture and that are relevant to your business. What are the core concepts and controls you need to understand to assess the security posture of a vendor? In our practice, we have narrowed it down to a core list of thirty-six questions grouped into the following categories.

  • Operational Security
  • Business Continuity
  • Physical Security
  • System Security
  • Access Controls
  • Data Security
  • Network Security
  • Application Development Security

Creating Your Own Questionnaire

To build your own set of questions, use the control families in NIST SP 800-53 as a guide. Some control families can be grouped together, and not every family needs to be included in your assessment of third parties. Notice that we divide our questions into just eight security categories (plus two privacy categories). After you have your categories, review the major controls in each related NIST control family to identify the questions you need. Focus on the basics. For instance, for access controls we ask vendors to respond to five questions:

  • Please describe your access management procedures including support for role-based access control (RBAC) utilizing least privilege and separation of duties.
  • How often are account permissions reviewed?
  • Describe any additional security controls in place for the management of privileged accounts.
  • Describe any policies in place regulating the use of personal equipment to access the system.
  • If employees or contractors access systems remotely, describe any remote access security controls and policies in place.

You don’t need many questions to get a good sense of how well the vendor is doing in each category. If you can limit the number of assessment questions, you are more likely to get timely and well-developed responses from your vendors. Most vendors aren’t willing to respond to unnecessarily large questionnaires, and you wouldn’t want to review a long list of responses.

When Questionnaires Do Not Work

What if your vendor isn't willing to fill out custom questionnaires? In these cases, vendors will typically submit a SOC 2 report or other appropriate attestation documentation as evidence. Check that the report's scope actually covers the system and services you rely on, note whether it is a Type I (design at a point in time) or Type II (operating effectiveness over a period) report, and review any exceptions and complementary user entity controls it lists, since those are controls the vendor expects you to operate. You can use your list of foundational control questions as a guide as you review the documentation, looking for evidence that each of your key control areas has been addressed. If some questions are not evidenced in the documentation, we find that most vendors are willing to respond to a shorter list of follow-up questions via e-mail or phone.

Outsourcing Vendor Assessments

Many of our clients have chosen to outsource vendor risk assessments, and that choice often makes sense. The process is time consuming, and drawing on the experience of security professionals who do this regularly adds value to the results. If you choose to perform these assessments yourself, consider using our suggestions as you design your process. We have found this approach to be less painful for both vendors and reviewers, and we have found that it yields more accurate and focused results. Keeping it simple will provide better insight into the overall security posture of your vendor and identify the most significant risks they bring to your business.

If you’re looking for help with vendor assessments, please contact us today.