Vendor (3rd Party) Security Assessments
We understand the importance of maintaining good business relationships.
Our Methodology
Partner Trust Assessment (PTA)
Our analysts ask your vendors relevant security questions to assess their security hygiene. All evidence provided by your partners is reviewed and assessed. The Partner Trust Assessment includes:
- Operational Security (Review of SOC2s, ISO 27001 documentation, Policies, Procedures, Risk Management Cadences, Background checks, etc)
- System Security (Review of patching processes, hardening processes, role-based access control, management of privileged accounts, etc.)
- Business Continuity (Review of DR and BCP plans/procedures, notification processes, etc.)
- Data Security (Use of encryption and data security controls during processing, transmission, and storage)
- Network Security (Review of network topology and security controls, anti-virus configurations, penetration testing, security monitoring capabilities, etc.)
- Application Development Security (When applicable, review of secure code training, secure-SDLC processes, use of a web application firewall, code scanning process, etc.)
- Physical Security (When applicable, review of security cameras, badge access, etc.)
Privacy Impact Assessment (PIA)
With your vendors’ answers in hand, an analyst evaluates data privacy, access, and governance risks. This part of the assessment addresses privacy controls aligned with Generally Accepted Privacy Principles (GAPP), GDPR, and State Privacy Regulations. Our Privacy Impact Assessment includes review of:
- GDPR Core Information Context (Review and discovery of Controller and Processor responsibilities)
- Data in the System (Review data collected, sources, technologies, etc)
- Data use and accuracy (Review of uses and collection practices)
- Sharing practices (Review of how data is shared and transmitted)
- Notification of use (Review of notice practices, use of opt-in/opt-out, use of consent)
- Access to data (Review of retention schedules, disposal procedures, privacy training, access to the system, access controls, etc)
Business Impact Analysis (BIA)
What’s the worst that could happen? Our analysts outline the business impact from:
- Confidentiality Assessment (review of consequences of unauthorized or unintended disclosure of information, i.e. loss of confidentiality)
- Integrity Assessment (review of consequences of unauthorized or unintended modification of information, i.e. loss of integrity)
- Availability Assessment (review consequences of prolonged outage of the system or application, i.e. loss of availability.)
Many organizations use this information to begin shaping the recovery time objective (RTO) and recovery point objective (RPO) in their business continuity plan (BCP).
Three variations of Vendor Assessments

Outside the Firewall
- Checks for external security posture using publicly available info.
- Gives each vendor a security score from a “hackers view”.
- GDPR readiness rating.
- Gives vendors a list of vulnerabilities to remediate.

Inside the Firewall
- Internal review/audit of vendor security posture
- Review of security posture (policies, testing, processes, etc.)
- Review of privacy posture (Privacy Impact Assessment: GDPR, State Privacy, etc.)
- Review of business continuity (Business Impact Analysis)

Continuous Vendor Monitoring
- Corrective Action Remediation
- Vendor follow up to make sure they’re remediating security/privacy risks
- Periodic checks of high-risk vendors at established intervals
- Continuous Vendor Supply Chain Risk Program Management
Managed Service Deliverables
- Yearly Assessments of all vendors in your security risk management program
- Monthly Status Reports that include assessment progress, dashboards of overall risk levels, and key deliverables
- Annual Risk Level Report that provides your management team or board members with a 20,000-foot view of your vendor risk
Why Conduct An Assessment?
“NuHarbor assessments give visibility into our third-party risk exposure. We don’t have the internal resources to conduct yearly assessments of our 40+ vendors. These valuable insights inform the decisions we make when choosing and managing partnerships.”
We Can Also Help With…
Single-Serve Assessments
Take a test drive. Try a single vendor assessment.
Tailored Assessments
Do you need an assessment questionnaire or process specific to your business needs? Our analysts can build the assessment around the criteria that matter to you, for example security frameworks, project requirements, compliance obligations, and industry best practices.
Identifying Quality Partners
Our Risk Assessment Team can inquire into potential partners. We detail the processes and data involved to gauge risk.
Customized Reporting
Need to track certain metrics or risk areas? We can work with you to meet your business’s reporting requirements.
User Controls
Yearly review of complementary user controls