By: Paul Dusini, Information Assurance Manager
There are a growing number of vendor risk assessment services on the market today. These services can be divided into two categories – ones that assess risks outside of the vendor’s firewall and those that assess risks inside the firewall. It’s critical to understand the differences in these approaches to determine which one best meets your risk management and compliance needs.
External (Outside of the firewall) Vendor Assessments
Vendor assessments that focus on evidence outside of the vendor firewall are assessments that rely on publicly available external data. This data may include information about:
- Open ports
- TLS certificates
- Web application headers
- Exposed credentials on known malicious sites or on the dark web
- Public breach disclosures from vendors
While publicly available, some of this data requires technical expertise to collect and review. Using proprietary algorithms, each vendor is assigned a risk score. Depending on the assessor, may be a letter grade or numeric score as there is not an accepted standard scoring scale at this time.
Internal (Inside the firewall) Vendor Assessments
Assessments focused on evidence inside the firewall collect and review non-public evidence about security controls implemented by the vendor. This is generally a focused version of a NIST controls assessment and may include review of the following.
- Policies and Procedures
- Employee Background Checks
- Security Awareness Training
- Disaster Recovery Plans and Testing
- Encryption of Data and Key Management
- Physical Security of Systems
- Logical Access Controls
- Privileged Account Management
- Risk Assessment Management
- Application Development Controls
- Security Event Monitoring
- Incident Response Procedures
This evidence is generally collected via questionnaires, documentation review, onsite visits, and conference calls with vendors. After evidence is collected and reviewed, risk findings are detailed, and an overall vendor risk rating is determined. This risk rating should consider your organization’s use case for the vendor’s solution. The risk associated with a vendor may be very different for organizations who implement the solution in different manners. Those differences can only be identified through the review of internal non-public information.
Key Considerations When Choosing an Assessment Method
Which of these methodologies is best for you? The choice may not be self-evident. Both provide a risk rating of your key vendors. These two methodologies look at completely difference evidence for determining a vendor’s risk, so the solution could involve a combination of both methodologies.
If you have compliance requirements, you will want to perform an internal controls assessment of your key vendors. Your auditors will look for this due diligence confirming your vendor has appropriate controls in place. For instance, 23 NYCRR 500 (New York State’s Cybersecurity Requirements for Financial Services Companies) requires that high risk third-party vendors are encrypting data at rest. This can’t be confirmed using external data sources – it can only be confirmed by review of non-public information.
Some of your key vendors may not have any external data available to use for determining risk. I recently assessed a potential HVAC vendor for a client. The vendor would have remote access to the client’s network. The vendor doesn’t perform criminal background checks on employees, and their employees all use the same unchanging password to access servers on customer networks. None of this information is publicly available. The 2013 Target breach was caused by a lack of controls with a HVAC vendor.
If you need an internal controls assessment for due diligence and compliance requirements what advantages can a service that only reviews external public data provide? An external rating service might add value to the monitoring of your highest risk vendors. Since the specific evidence reviewed and the rating algorithms are proprietary, the benefit is difficult to quantify. Certainly, knowing if your vendor appears to have sensitive information posted on malicious sites is useful information. Review of external risk might be considered as an additional service you purchase for your highest risk vendors. This would give you both internal control and external activity assessments for these key partners.
When choosing which type of assessment would be the best fit for your company, remember that the two methods assess different evidence. Because of this, the ratings generated by the two methods reflect different risk. Consider adding a second (external) viewpoint for your riskiest vendors – but don’t ignore the assessment of internal controls. Assessment of internal controls confirms that your vendor is taking the appropriate steps to protect your data and can confirm regulatory compliance.