Vendor security assessments

Assess your third-party vendors to identify security risk exposure and establish accountability. Confidently direct your business partnerships to meet evolving expectations.

Let's get started

Cybersecurity services trusted by 500+ organizations and growing!

NuHarbor’s advanced 24/7 monitoring and engineering expertise in managing security alerts, dashboards, and data integration, with world class customer service has created a true partnership with us as their team feels like an extension of ours. Working with NuHarbor, knowing our systems are being monitored and managed by their team of expert analysts, gives us confidence in our ability to respond to potential incidents. NuHarbor’s engineering expertise provides us with customized dashboards and regular updates, which keep us informed and empowered to make smarter security decisions. 
NuHarbor helped us identify the correct assets to monitor, then tuned our systems for maximum results. Now we only receive notifications for true positive alerts so my team can spend more time focusing on their objectives.
We’ve utilized NuHarbor for a few years now to conduct quarterly vulnerability assessments. Our usual policy is to change vendors every few years, but we’ve had such exceptional service from NuHarbor that we see no need to shop around. The reports we receive are comprehensive and prioritize remediation advice.
NuHarbor conducted a web application penetration test on a few of our edge applications. They discovered many configuration weaknesses including insecure direct object reference (IDOR). They notified us immediately and offered advice on how to fix it. Their skilled engineers provided step-by-step assistance and retested to ensure that this critical vulnerability was fixed.
Wifi. Yeah, that’s an unfamiliar animal to deal with. We hired NuHarbor to test the wireless networks we provide for our employees and customers to access store services. NuHarbor came onsite and set up their “toolkit” with antennas sticking out all around. They were able to set up a rogue access point, mimicking our access points, and users unknowingly logged on. NuHarbor initiated an evil twin attack to capture and inject packages into the network stream between user computers and other systems and then delivered findings so we could educate and curve our user behavior.
NuHarbor performed an external penetration test on our networks and alerted us to critical vulnerabilities. They let us know what the affected response might be from the host before they tried to exploit it. We were updated twice a day which was super helpful to me and my staff. They also provided great remedial guidance that helped us quickly correct vulnerabilities.
Our company outsources our web development. We asked NuHarbor to review the source code and check for insecure API calls. We were astonished at the findings they uncovered. It was an uneasy feeling knowing that the web developer we hired left so many security flaws in our code. I can’t say enough how comforting it was to have the NuHarbor team give us, and our partner, clear recommendations to fix our source code.
NuHarbor waged a phishing campaign against our employees by mirroring a realistic payroll website that we use in our company. The NuHarbor engineers captured several IT administrators’ credentials. With domain administrator access, they were able to compromise our whole domain within 20 minutes of starting the phishing campaign. We had the opportunity to show our leadership how pertinent it is to implement better user account practices, MFA, and improved user security awareness training and build the funds into our annual IT security budget.
NuHarbor performed an internal penetration test of our organization utilizing one of our legacy network protocols. They were able to gain administrative access and push malicious code to our network. Had this been a real attack, we could have lost everything.
NuHarbor assessments provide visibility into our third-party risk exposure. We don’t have the internal resources to conduct yearly assessments of our 40+ vendors. These valuable insights inform the decisions we make when choosing and managing partnerships.
NuHarbor has been instrumental to our SOC operations. Without their flexibility, expertise, and quick reaction, our small SOC team could not operate. NuHarbor continually engages with us at the operational and executive level. They’re always looking for new, creative solutions. Not only are they willing to think outside the box, they actually deliver.

Partner trust assessment (PTA) 

Our analysts ask relevant security questions to assess the hygiene of your vendors. All evidence provided by your partners is reviewed and assessed. The PTA considers the following security elements:

  • Operational security: review of SOC2s, ISO 27001 documentation, policies, procedures, risk management cadences, background checks, etc.
  • System security: a review of patching processes, hardening processes, role-based access control, management of privileged accounts, etc.
  • Business continuity: review of disaster recovery (DR) and business continuity plans (BCP), procedures, notification processes, etc.
  • Network security: review of network topology and security controls, antivirus configurations, penetration testing, security monitoring capabilities, access, etc.
  • Data security: use of encryption and data security during processing transmission and storage.
  • Application development security: review of secure code training, review of secure-SDLC processes, use of a web application firewall, code scanning process, etc.
  • Physical security: a review of security cameras, badge policy, etc.
Team working on a project with notes on wall.
Two men working together pointing at screen.

Privacy impact assessment (PIA)

With your vendors’ answers in hand, an analyst evaluates data privacy, access, and governance risks. This part of the assessment addresses privacy controls aligned with Generally Accepted Privacy Principles (GAPP), GDPR, and state privacy regulations. Our PIA includes review of:

  • GDPR core information context: review and discovery of controller and processor responsibilities.
  • Sharing practices: review of how data is shared and transmitted.
    Data in the system: review data collected, sources, technologies, etc.
  • Notification of use: review of notice practices, use of out-in/out, and use of consent.
  • Data use and accuracy: review of uses and collection practices.
  • Access to data: review of retention schedules, disposal procedures, privacy training, access to the system, access controls, etc.

Business impact analysis (BIA)

What’s the worst that could happen? Our analysts find out and determine what that means for your business. The BIA can be used to drive business continuity plans (BCP), recovery time objectives (RTO), and recovery point objectives (RPO). We collect this data through three assessments.

  • Confidentiality assessment: a review of consequences of unauthorized or unintended disclosure of information, i.e., loss of confidentiality.
  • Availability assessment: a review of consequences from a prolonged outage of a system or application, i.e., loss of availability.
  • Integrity assessment: a review of consequences from unauthorized or unintended disclosure of information, i.e., loss of integrity.
Two people sitting at a desk collaborating

Full-featured vendor assessment services

Assess your third-party solution providers’ SLA agreements, security posture, and a number of compliance regulations to understand the level of risk you’re inheriting. Get monthly and yearly reporting.

Comprehensive Vendor Assessments

Yearly assessment that identifies, categorizes, and assesses all the vendors in your security risk management program.

Risk Level Reports

Annual reports with metrics that provide management or board of directors with a 20,000-foot view of your vendor risk profile.

Monthly Status Reports

Receive data-driven reports tracking the assessment progress, evolving dashboards to overall risk levels, and key deliverables to share with stakeholders.

We understand the importance of maintaining good business relationships.

 

nuharbor-2023-0726-0125 - glitch

 

You rely on business partners to provide critical services, but third-party applications and services are a growing cause of data breaches. Understanding your exposure is the first step in mitigating risk. 

We’ve tested and fine-tuned our risk assessment methodology over many years and thousands of assessments. Here’s what you can expect:

  • Accountability: Measure the risk posture of your partners over time. Use assessment results to improve your third-party service providers’ accountability and adjust contracts accordingly.
  • Transparency: Metrics and reporting on vendor security risk benchmarked against industry best practices.
  • Compliance: HIPAA, PCI, 23 NYCRR, IRS 1075, MARS-E, etc.
  • Awareness: Know the risks of potential partners earlier in your relationship and make better business decisions.
  • Scalable: Quickly onboard new vendors into your vendor management program.
  • Customized: Get tailored assessments and custom reporting.  Track the metrics or risk areas you need. Create assessment questionnaires specific to your business needs or industry. Build custom security framework and project requirements into your assessments.
  • No Strings Attached: Our single-serve vendor assessments let you take our services for a test drive without committing to a larger project.
  • Risk-Averse: We identify quality vendors before you engage by inquiring into their processes and data and gauging risk before you sign a contract.  

Our Approach

We make it easy to improve and manage your security

We believe great cybersecurity exists at the intersection of exceptional service delivery and purposeful deployment of security solutions.

Learn more about making cybersecurity easier

  • Easy to understand

    Our security experts are trained to support and communicate in ways you can understand. Cybersecurity solutions are created to answer your questions on your terms.

  • Easy to choose

    We have an established reputation as security and technology leaders. With a clear definition of cybersecurity outcomes for your business, you can make the best decisions to secure your organization.

  • Easy to trust

    We deliver clear and consistent communication. Paired with our trusted operations and reporting, your stakeholders can have peace of mind in their cybersecurity decisions.

Our solutions make it easy to progress in your cybersecurity journey.

No matter where you are in your cybersecurity journey, we can help. Whether you're just beginning, looking to improve, or not sure where to go next, our trusted experts are committed to your success and can help you every step of the way.

Strategic partners

We make it easy to tackle whatever comes next. We deliver the most comprehensive set of integrated security services in the market by harnessing the best technology available.

View all of our strategic partners

CrowdStrike logo
CrowdStrike Endpoint
Microsoft Logo
Microsoft Security Analytics & SIEM
Splunk logo
Splunk Security Analytics & SIEM
Tenable logo
Tenable Vulnerability Management
Zscaler logo
Zscaler Cloud Security

Explore similar services

Curated Threat Intelligence

Be informed with relevant, up-to-date threat intelligence for your security operations. We feed our threat intelligence platform into your systems and/or prepare threat briefings on your terms.

Learn more

CrowdStrike Managed Detection and Response (MDR)

Combine your CrowdStrike technology with our human expertise to perform threat hunting, monitoring, and response. 

Learn more

Microsoft Security Managed Services

Activate the full potential of Microsoft Security. We manage Sentinel, Defender, Purview, and more to drive stronger detection, compliance, and protection.

Learn more

SOC as a Service

Continuous monitoring, high-fidelity alerting, real-time investigation, and actionable threat intelligence minimize the time to detect attacks or vulnerabilities.

Learn more

Splunk Managed Services

Ensure 24/7 monitoring, management, and optimization of your Splunk environment with our expert team. We provide continuous health checks, high-fidelity alerting, and proactive support to ensure optimal performance. Our service helps you leverage Splunk’s powerful analytics while minimizing the time to detect and respond to security threats.

Learn more

Tenable Managed Services

Optimize your vulnerability management efforts with Tenable Managed Services. We will set up scans, manage policies, and ensure asset coverage. Our service provides timely advice to help you prioritize and mitigate vulnerability risks in your organization. 

Learn more

Vulnerability Management

Set up scan schedules, manage policies, ensure asset coverage, and provide timely advice to mitigate vulnerability risk.

Learn more

Zscaler Support Services

Expedite your Zscaler deployment, tune the platform to maximize security functionality, and benefit from a team of security experts to turn the noise of constant alerts into actionable insights without the overhead.

Learn more

Explore comprehensive cybersecurity protection today.

  1. Consult with an expert

    Talk to one of our cybersecurity experts so we can better understand your needs and how we can help.

  2. Agree on a plan

    Based on your objectives we’ll create a tailored plan to meet your cybersecurity needs.

  3. Start maximizing your protection

    Experience peace of mind knowing what matters most is secure.

Consult with an expert