Vendor (3rd Party) Security Assessments

We understand the importance of maintaining good business relationships.

You rely on business partners to provide critical services. It’s no wonder third parties are a growing cause of data breaches. Understanding your exposure is the first step in mitigating risk. We’ve tested and fine-tuned our risk assessment methodology over many years and thousands of assessments.

Partner Trust Assessment (PTA)

Our analysts ask relevant security questions to assess the hygiene of your vendors. All evidence provided by your partners is reviewed and assessed. The PTA includes:

  • Operational Security (Review of SOC 2 reports, ISO 27001 documentation, policies, procedures, risk management cadences, background checks, etc.)
  • System Security (Review of patching processes, hardening processes, role-based access control, management of privileged accounts, etc.)
  • Business Continuity (Review of DR and BCP plans and procedures, notification processes, etc.)
  • Data Security (Use of encryption and data security controls during processing, transmission, and storage)
  • Network Security (Review of network topology and security controls, antivirus configurations, penetration testing, security monitoring capabilities, etc.)
  • Application Development Security (When applicable, review of secure code training, secure-SDLC processes, use of a web application firewall, code scanning process, etc.)
  • Physical Security (When applicable, review of security cameras, badge access, etc.)

Privacy Impact Assessment (PIA)

With your vendors’ answers in hand, an analyst evaluates data privacy, access, and governance risks. This part of the assessment addresses privacy controls aligned with Generally Accepted Privacy Principles (GAPP), GDPR, and state privacy regulations. Our PIA includes review of:

  • GDPR Core Information Context (Review and discovery of controller and processor responsibilities)
  • Data in the System (Review data collected, sources, technologies, etc.)
  • Data use and accuracy (Review of uses and collection practices)
  • Sharing practices (Review of how data is shared and transmitted)
  • Notification of use (Review of notice practices, use of opt-in/opt-out, use of consent)
  • Access to data (Review of retention schedules, disposal procedures, privacy training, access to the system, access controls, etc.)

Business Impact Analysis (BIA)

What’s the worst that could happen? Our analysts outline the business impact from:

  • Confidentiality Assessment (Review of consequences of unauthorized or unintended disclosure of information, i.e., loss of confidentiality)
  • Integrity Assessment (Review of consequences of unauthorized or unintended modification or destruction of information, i.e., loss of integrity)
  • Availability Assessment (Review of consequences of prolonged outage of the system or application, i.e., loss of availability)

Many organizations use this information to start shaping their business continuity plan (BCP), recovery time objective (RTO), and recovery point objective (RPO).


Program Deliverables

  • Yearly Assessments of all vendors in your security risk management program
  • Monthly Status Reports that include assessment progress, dashboards of overall risk levels, and key deliverables
  • Annual Risk Level Report that provides your management team or board members with a 20,000-foot view of your vendor risk

Program Benefits

  • Compliance: HIPAA, PCI, 23 NYCRR, IRS 1075, MARS-E, etc.
  • Identify potential risk you’re inheriting from vendors
  • Accountability: use assessment results to improve your third-party service providers’ accountability
  • Evaluate potential partners earlier in your relationship and make better business decisions
  • Minimize inherited risk from potential and existing partners
  • Transparency: provide metrics and reporting on vendor security risk to your executive team

“NuHarbor assessments give visibility into our third-party risk exposure. We don’t have the internal resources to conduct yearly assessments of our 40+ vendors. These valuable insights inform the decisions we make when choosing and managing partnerships.”

CIO, Insurance Company

Single-Serve Assessments

Take a test drive. Try a single vendor assessment.


Tailored Assessments

Do you need an assessment questionnaire specific to your business needs? Our analysts can build the questionnaire around the security frameworks, project requirements, compliance obligations, and industry best practices that matter to you.

Identifying Quality Partners

We can vet potential partners before you commit, detailing the processes and data involved so you can gauge the risk up front.

Customized Reporting

Need to track certain metrics or risk areas? We can work with you to meet your reporting requirements.

User Controls

Yearly review of complementary user controls.

Ongoing Risk Management

  • Analyze Trends: track security risk for all partners in your vendor security risk management program
  • Benchmark vendors to see whether they are complying with security best practices
  • Measure the risk posture of your partners over time
  • Adjust Contracts based on your vendors’ risk levels
  • Scalable: quickly onboard new vendors into your vendor management program