Vendor security assessments

Assess your third-party vendors to identify security risk exposure and establish accountability. Confidently direct your business partnerships to meet evolving expectations.

Let's get started

Partner trust assessment (PTA) 

Our analysts ask relevant security questions to assess the hygiene of your vendors. All evidence provided by your partners is reviewed and assessed. The PTA considers the following security elements:

  • Operational security: review of SOC2s, ISO 27001 documentation, policies, procedures, risk management cadences, background checks, etc.
  • System security: a review of patching processes, hardening processes, role-based access control, management of privileged accounts, etc.
  • Business continuity: review of disaster recovery (DR) and business continuity plans (BCP), procedures, notification processes, etc.
  • Network security: review of network topology and security controls, antivirus configurations, penetration testing, security monitoring capabilities, access, etc.
  • Data security: use of encryption and data security during processing transmission and storage.
  • Application development security: review of secure code training, review of secure-SDLC processes, use of a web application firewall, code scanning process, etc.
  • Physical security: a review of security cameras, badge policy, etc.
Team working on a project with notes on wall.
Two men working together pointing at screen.

Privacy impact assessment (PIA)

With your vendors’ answers in hand, an analyst evaluates data privacy, access, and governance risks. This part of the assessment addresses privacy controls aligned with Generally Accepted Privacy Principles (GAPP), GDPR, and state privacy regulations. Our PIA includes review of:

  • GDPR core information context: review and discovery of controller and processor responsibilities.
  • Sharing practices: review of how data is shared and transmitted.
    Data in the system: review data collected, sources, technologies, etc.
  • Notification of use: review of notice practices, use of out-in/out, and use of consent.
  • Data use and accuracy: review of uses and collection practices.
  • Access to data: review of retention schedules, disposal procedures, privacy training, access to the system, access controls, etc.

Business impact analysis (BIA)

What’s the worst that could happen? Our analysts find out and determine what that means for your business. The BIA can be used to drive business continuity plans (BCP), recovery time objectives (RTO), and recovery point objectives (RPO). We collect this data through three assessments.

  • Confidentiality assessment: a review of consequences of unauthorized or unintended disclosure of information, i.e., loss of confidentiality.
  • Availability assessment: a review of consequences from a prolonged outage of a system or application, i.e., loss of availability.
  • Integrity assessment: a review of consequences from unauthorized or unintended disclosure of information, i.e., loss of integrity.
Two people sitting at a desk collaborating

Full-featured vendor assessment services

Assess your third-party solution providers’ SLA agreements, security posture, and a number of compliance regulations to understand the level of risk you’re inheriting. Get monthly and yearly reporting.

Comprehensive Vendor Assessments

Yearly assessment that identifies, categorizes, and assesses all the vendors in your security risk management program.

Risk Level Reports

Annual reports with metrics that provide management or board of directors with a 20,000-foot view of your vendor risk profile.

Monthly Status Reports

Receive data-driven reports tracking the assessment progress, evolving dashboards to overall risk levels, and key deliverables to share with stakeholders.

We understand the importance of maintaining good business relationships.


nuharbor-2023-0726-0125 - glitch


You rely on business partners to provide critical services, but third-party applications and services are a growing cause of data breaches. Understanding your exposure is the first step in mitigating risk. 

We’ve tested and fine-tuned our risk assessment methodology over many years and thousands of assessments. Here’s what you can expect:

  • Accountability: Measure the risk posture of your partners over time. Use assessment results to improve your third-party service providers’ accountability and adjust contracts accordingly.
  • Transparency: Metrics and reporting on vendor security risk benchmarked against industry best practices.
  • Compliance: HIPAA, PCI, 23 NYCRR, IRS 1075, MARS-E, etc.
  • Awareness: Know the risks of potential partners earlier in your relationship and make better business decisions.
  • Scalable: Quickly onboard new vendors into your vendor management program.
  • Customized: Get tailored assessments and custom reporting.  Track the metrics or risk areas you need. Create assessment questionnaires specific to your business needs or industry. Build custom security framework and project requirements into your assessments.
  • No Strings Attached: Our single-serve vendor assessments let you take our services for a test drive without committing to a larger project.
  • Risk-Averse: We identify quality vendors before you engage by inquiring into their processes and data and gauging risk before you sign a contract.  

Our Approach

We make it easy to improve and manage your security

We believe great cybersecurity exists at the intersection of exceptional service delivery and purposeful deployment of security solutions.

Learn more about making cybersecurity easier

  • Easy to understand

    Our security experts are trained to support and communicate in ways you can understand. Cybersecurity solutions are created to answer your questions on your terms.

  • Easy to choose

    We have an established reputation as security and technology leaders. With a clear definition of cybersecurity outcomes for your business, you can make the best decisions to secure your organization.

  • Easy to trust

    We deliver clear and consistent communication. Paired with our trusted operations and reporting, your stakeholders can have peace of mind in their cybersecurity decisions.

Our solutions make it easy to progress in your cybersecurity journey.

No matter where you are in your cybersecurity journey, we can help. Whether you're just beginning, looking to improve, or not sure where to go next, our trusted experts are committed to your success and can help you every step of the way.

Strategic partners

We make it easy to tackle whatever comes next. We deliver the most comprehensive set of integrated security services in the market by harnessing the best technology available.

View all of our strategic partners

CrowdStrike logo
CrowdStrike Endpoint
Microsoft Logo
Microsoft Security Analytics & SIEM
Splunk logo
Splunk Security Analytics & SIEM
Tenable logo
Tenable Vulnerability Management
Zscaler logo
Zscaler Cloud Security

Explore comprehensive cybersecurity protection today.

  1. Consult with an expert

    Talk to one of our cybersecurity experts so we can better understand your needs and how we can help.

  2. Agree on a plan

    Based on your objectives we’ll create a tailored plan to meet your cybersecurity needs.

  3. Start maximizing your protection

    Experience peace of mind knowing what matters most is secure.

Consult with an expert