Vendor (3rd Party) Security Assessments

Partner Trust Assessment (PTA)

Our analysts ask relevant security questions to assess the hygiene of your vendors. All evidence provided by your partners is reviewed and assessed. The PTA includes:

• Operational Security (Review of SOC2s, ISO 27001 documentation, policies, procedures, risk management cadences, background checks, etc.)
• System Security (Review of patching processes, hardening processes, role based access control, management of privileged accounts, etc.).
• Business Continuity (Review of DR, BCP plans / procedures, notification processes, etc.)
• Data Security (Use of encryption and data security during processing transmission and storage)
• Network Security (Review of network topology and security controls, antivirus configurations, penetration testing, security monitoring capabilities, etc.).
• Application Development Security (When applicable, review of secure code training, review of secure-SDLC processes, use of a web application firewall, code scanning process, etc.).
• Physical Security (When applicable, review of security cameras, badge access, etc.).

Privacy Impact Assessment (PIA)

With your vendors’ answers in hand, an analyst evaluates data privacy, access, and governance risks. This part of the assessment addresses privacy controls aligned with Generally Accepted Privacy Principles (GAPP), GDPR, and state privacy regulations. Our PIA includes review of:

• GDPR Core Information Context (Review and discovery of controller and processor responsibilities)
• Data in the System (Review data collected, sources, technologies, etc.)
• Data use and accuracy (Review of uses and collection practices)
• Sharing practices (Review of how data is shared and transmitted)
• Notification of use (Review of notice practices, use of out-in/out, use of consent)
• Access to data (Review of retention schedules, disposal procedures, privacy training, access to the system, access controls, etc.)

Business Impact Analysis (BIA)

What’s the worst that could happen? Our analysts outline the business impact from:

• Confidentiality Assessment (Review of consequences of unauthorized or unintended disclosure of information, i.e., loss of confidentiality)
• Integrity Assessment (Review consequences of unauthorized or unintended disclosure of information, i.e., loss of integrity)
• Availability Assessment (Review consequences of prolonged outage of the system or application, i.e., loss of availability)

Many organizations use this information to start shaping their business continuity plan (BCP), recovery time objective (RTO), and recovery point objective (RPO).