Vendor (3rd Party) Security Assessments
We understand the importance of maintaining good business relationships.
You rely on business partners to provide critical services. It’s no wonder third parties are a growing cause of data breaches. Understanding your exposure is the first step in mitigating risk. We have tested and fine-tuned our risk assessment methodology over many years and thousands of assessments.
Partner Trust Assessment (PTA)
Our analysts ask questions from relevant security questions to assess the hygiene of your vendors. All evidence provided by your partners is reviewed and assessed. The Partner Trust Assessment includes:
- Operational Security (Review of SOC2s, ISO 27001 documentation, Policies, Procedures, Risk Management Cadences, Background checks, etc)
- System Security (Review of Patching processes, hardening processes, role based access control, management of privileged accounts, etc).
- Business Continuity (Review of DR, BCP plans / procedures, notification processes, etc)
- Data Security (use of encryption and data security during processing transmission and storage)
- Network Security (Review of network topology and security controls, Anti-virus configurations, Penetration Testing, Security Monitoring capabilities, etc).
- Application Development Security (When applicable, review of secure code training, review of secure-SDLC processes, use of a web application firewall, code scanning process, etc).
- Physical Security (When applicable, review of security cameras, badge access, etc).
Privacy Impact Assessment (PIA)
With your vendors’ answers in hand, an analyst evaluates data privacy, access, and governance risks. This part of the assessment addresses privacy controls aligned with Generally Accepted Privacy Principles (GAPP), GDPR, and State Privacy Regulations. Our Privacy Impact Assessment includes review of:
- GDPR Core Information Context (Review and discovery of Controller and Processor responsibilities)
- Data in the System (Review data collected, sources, technologies, etc)
- Data use and accuracy (Review of uses and collection practices)
- Sharing practices (Review of how data shared and transmitted)
- Notification of use (Review of notice practices, use of out-in/out, use of consent)
- Access to data (Review of retention schedules, disposal procedures, privacy training, access to the system, access controls, etc)
Business Impact Analysis (BIA)
What’s the worst that could happen? Our analysts outline the business impact from:
- Confidentiality Assessment (review of consequences of unauthorized or unintended disclosure of information, i.e. loss of confidentiality)
- Integrity Assessment (review consequences of unauthorized or unintended disclosure of information, i.e. loss of integrity)
- Availability Assessment (review consequences of prolonged outage of the system or application, i.e. loss of availability.)
Many organizations use this information to start to shape their business continuity plan (BCP) recovery time objective (RTO) and recovery point objective (RPO).
Recent Blog Posts
By Paul Dusini, Information Assurance Manager In a recent blog Less is More: Focusing Your Third-Party Vendor Risk Assessments on the Basics we provided guidance for developing the list of questions to use when assessing the security posture of your third-party...
By: Paul Dusini, Security Manager CISOs, CIOs, and Risk Managers often understand the importance of vendor information security assessments but don’t know where to begin. I manage a team of analysts who perform vendor assessments, and we have experience making this...
Three variations of Vendor Assessments
Outside the Firewall
- Checks for external security posture using publicly available info.
- Gives each vendor a security score from a “hackers view”.
- GDPR readiness rating.
- Gives vendors a list of vulnerabilities to remediate.
Inside the Firewall
- Internal review/audit of vendor security posture
- Review of security posture (policies, testing, processes, etc.)
- Review of privacy posture (Privacy Impact Assessment – GDPR, State Privacy, etc.
- Review of business continuity (Business Impact Analysis)
Continuous Vendor Monitoring
- Corrective Action Remediation
- Vendor follow up to make sure they’re remediating security/privacy risks
- Periodic check for high-risk vendors in at established intervals
- Continuous Vendor Supply Chain Risk Program Management
Managed Service Deliverables
of all vendors in your security risk management program
Monthly Status Reports
include assessment progress, dashboards of overall risk levels, and key deliverables
Annual Risk Level Report
provides your management team or board members with a 20,000 foot view of your vendor risk
Why Conduct An Assessment?
Compliance HIPAA, PCI, 23 NYCRR, IRS 1075, MARS-E, etc
Identify potential risk you are inheriting from vendors
Accountability Use assessment results to improve your third party service providers’ accountability
Evaluate potential partners earlier in your relationship and make better business decisions
Minimize inherited risk from potential and existing partners
Transparency provide metrics and reporting on vendor security risk to your executive team
“NuHarbor assessments give visibility into our third-party risk exposure. We don’t have the internal resources to conduct yearly assessments of our 40+ vendors. These valuable insights inform the decisions we make when choosing and managing partnerships.”
We Can Also Help With…
Take a test drive. Try a single vendor assessment.
Do you need an assessment questionnaire or process specific to your business needs? For example: security frameworks, project requirements, compliance, and industry best practices are metrics our analysts can utilize.
Identifying Quality Partners
Our Risk Assessment Team can inquire into potential partners. We detail the processes and data involved to gauge risk.
Need to track certain metrics or risk areas? We can work with you to meet your business’s reporting requirements.
Yearly review of complementary user controls
Why Outsource Vendor Risk Assessments?
Analyze Trends and track security risk for all partners in your vendor security risk management program
Benchmark vendors to see if they are complying with best security practices
Measure risk posture of your partners over time
Adjust Contracts based on your vendors’ risk levels.
Scalable quickly onboard new vendors into your vendor management program