Vendor (3rd Party) Security Assessments
We understand the importance of maintaining good business relationships.
You rely on business partners to provide critical services. It’s no wonder third parties are a growing cause of data breaches. Understanding your exposure is the first step in mitigating risk. We’ve tested and fine-tuned our risk assessment methodology over many years and thousands of assessments.
Partner Trust Assessment (PTA)
Our analysts ask relevant security questions to assess the hygiene of your vendors. All evidence provided by your partners is reviewed and assessed. The PTA includes:
- Operational Security (Review of SOC2s, ISO 27001 documentation, policies, procedures, risk management cadences, background checks, etc.)
- System Security (Review of patching processes, hardening processes, role based access control, management of privileged accounts, etc.)
- Business Continuity (Review of DR, BCP plans / procedures, notification processes, etc.)
- Data Security (Use of encryption and data security during processing, transmission, and storage)
- Network Security (Review of network topology and security controls, antivirus configurations, penetration testing, security monitoring capabilities, etc.)
- Application Development Security (When applicable, review of secure code training, review of secure-SDLC processes, use of a web application firewall, code scanning process, etc.)
- Physical Security (When applicable, review of security cameras, badge access, etc.)
Privacy Impact Assessment (PIA)
With your vendors’ answers in hand, an analyst evaluates data privacy, access, and governance risks. This part of the assessment addresses privacy controls aligned with Generally Accepted Privacy Principles (GAPP), GDPR, and state privacy regulations. Our PIA includes review of:
- GDPR Core Information Context (Review and discovery of controller and processor responsibilities)
- Data in the System (Review data collected, sources, technologies, etc.)
- Data use and accuracy (Review of uses and collection practices)
- Sharing practices (Review of how data is shared and transmitted)
- Notification of use (Review of notice practices, use of opt-in/out, use of consent)
- Access to data (Review of retention schedules, disposal procedures, privacy training, access to the system, access controls, etc.)
Business Impact Analysis (BIA)
What’s the worst that could happen? Our analysts outline the business impact from:
- Confidentiality Assessment (Review of consequences of unauthorized or unintended disclosure of information, i.e., loss of confidentiality)
- Integrity Assessment (Review of consequences of unauthorized or unintended modification of information, i.e., loss of integrity)
- Availability Assessment (Review consequences of prolonged outage of the system or application, i.e., loss of availability)
Many organizations use this information to start shaping their business continuity plan (BCP), recovery time objective (RTO), and recovery point objective (RPO).
of all vendors in your security risk management program
Monthly Status Reports
include assessment progress, dashboards of overall risk levels, and key deliverables
Annual Risk Level Report
provides your management team or board members with a 20,000-foot view of your vendor risk
Identify potential risk you’re inheriting from vendors
Accountability: use assessment results to improve your third party service providers’ accountability
Transparency: provide metrics and reporting on vendor security risk to your executive team
“NuHarbor assessments give visibility into our third-party risk exposure. We don’t have the internal resources to conduct yearly assessments of our 40+ vendors. These valuable insights inform the decisions we make when choosing and managing partnerships.”
Take a test drive. Try a single vendor assessment.
Do you need an assessment questionnaire specific to your business needs? For example, security frameworks, project requirements, compliance, and industry best practices are metrics our analysts can utilize.
Identifying Quality Partners
We can inquire into potential partners. We detail the processes and data involved to gauge risk.
Need to track certain metrics or risk areas? We can work with you to meet your reporting requirements.
Yearly review of complementary user controls.
Adjust Contracts based on your vendors’ risk levels