1-800-917-5719

Vendor (3rd Party) Security Assessments

We understand the importance of maintaining good business relationships.

You rely on business partners to provide critical services. It’s no wonder third parties are a growing cause of data breaches. Understanding your exposure is the first step in mitigating risk. We have tested and fine-tuned our risk assessment methodology over many years and thousands of assessments.

Our Methodolgy

Partner Trust Assessment (PTA)

Our analysts ask questions from relevant security questions to assess the hygiene of your vendors.  All evidence provided by your partners is reviewed and assessed. The Partner Trust Assessment includes:

  • Operational Security (Review of SOC2s, ISO 27001 documentation, Policies, Procedures, Risk Management Cadences, Background checks, etc)
  • System Security (Review of Patching processes, hardening processes, role based access control, management of privileged accounts, etc).
  • Business Continuity (Review of DR, BCP plans / procedures, notification processes, etc)
  • Data Security (use of encryption and data security during processing transmission and storage)
  • Network Security (Review of network topology and security controls, Anti-virus configurations, Penetration Testing, Security Monitoring capabilities, etc).
  • Application Development Security (When applicable, review of secure code training, review of secure-SDLC processes, use of a web application firewall, code scanning process, etc).
  • Physical Security (When applicable, review of security cameras, badge access, etc).

Privacy Impact Assessment (PIA)

With your vendors’ answers in hand, an analyst evaluates data privacy, access, and governance risks. This part of the assessment addresses privacy controls aligned with Generally Accepted Privacy Principles (GAPP), GDPR, and State Privacy Regulations. Our Privacy Impact Assessment includes review of:

  • GDPR Core Information Context (Review and discovery of Controller and Processor responsibilities)
  • Data in the System (Review data collected, sources, technologies, etc)
  • Data use and accuracy (Review of uses and collection practices)
  • Sharing practices (Review of how data shared and transmitted)
  • Notification of use (Review of notice practices, use of out-in/out, use of consent)
  • Access to data (Review of retention schedules, disposal procedures, privacy training, access to the system, access controls, etc)

Business Impact Analysis (BIA)

What’s the worst that could happen? Our analysts outline the business impact from:

  • Confidentiality Assessment (review of consequences of unauthorized or unintended disclosure of information, i.e. loss of confidentiality)
  • Integrity Assessment (review consequences of unauthorized or unintended disclosure of information, i.e. loss of integrity)
  • Availability Assessment (review consequences of prolonged outage of the system or application, i.e. loss of availability.)

Many organizations use this information to start to shape their business continuity plan (BCP) recovery time objective (RTO) and recovery point objective (RPO).

Recent Blog Posts

Three variations of Vendor Assessments

Outside the Firewall

  • Checks for external security posture using publicly available info.
  • Gives each vendor a security score from a “hackers view”.
  • GDPR readiness rating.
  • Gives vendors a list of vulnerabilities to remediate.

Inside the Firewall

  • Internal review/audit of vendor security posture
  • Review of security posture (policies, testing, processes, etc.)
  • Review of privacy posture (Privacy Impact Assessment – GDPR, State Privacy, etc.
  • Review of business continuity (Business Impact Analysis)

Continuous Vendor Monitoring

  • Corrective Action Remediation
  • Vendor follow up to make sure they’re remediating security/privacy risks
  • Periodic check for high-risk vendors in at established intervals
  • Continuous Vendor Supply Chain Risk Program Management

Managed Service Deliverables

Yearly Assessments

of all vendors in your security risk management program

Monthly Status Reports

include assessment progress, dashboards of overall risk levels, and key deliverables

Annual Risk Level Report

provides your management team or board members with a 20,000 foot view of your vendor risk

Why Conduct An Assessment?

N

Compliance HIPAA, PCI, 23 NYCRR, IRS 1075, MARS-E, etc

N

Identify potential risk you are inheriting from vendors

N

Accountability Use assessment results to improve your third party service providers’ accountability

N

Evaluate potential partners earlier in your relationship and make better business decisions

N

Minimize inherited risk from potential and existing partners

N

Transparency  provide metrics and reporting on vendor security risk to your executive team

“NuHarbor assessments give visibility into our third-party risk exposure. We don’t have the internal resources to conduct yearly assessments of our 40+ vendors. These valuable insights inform the decisions we make when choosing and managing partnerships.”

CIO, Insurance Company

We Can Also Help With…

Single-Serve Assessments

Take a test drive. Try a single vendor assessment.

l

Tailored Assessments

Do you need an assessment questionnaire or process specific to your business needs? For example: security frameworks, project  requirements, compliance, and industry best practices are metrics our analysts can utilize.

Identifying Quality Partners

Our Risk Assessment Team can inquire into potential partners. We detail the processes and data involved to gauge risk.

e

Customized Reporting

Need to track certain metrics or risk areas? We can work with you to meet your business’s reporting requirements.

User Controls

Yearly review of complementary user controls

Why Outsource Vendor Risk Assessments?

N

Analyze Trends and track security risk for all partners in your vendor security risk management program

N

Benchmark vendors to see if they are complying with best security practices

N

Measure risk posture of your partners over time

N

Adjust Contracts based on your vendors’ risk levels.

N

Scalable quickly onboard new vendors into your vendor management program

Need Vendor Assessments?

Pin It on Pinterest