How can a vendor risk assessment help enterprise security?

Hiring third-party vendors and contractors is a necessity in today's business world, but that brings many security risks. The general consensus is a CSO should be in charge of vendor risk assessments, as well as managing third-party security risks. As a CSO, I'm not sure where to start. What are a few of the most important third-party vendor security risks I should protect my company against?

Some of the worst data breaches in 2015 were due to third-party vendors and service providers, and their being hacked had a detrimental effect on customers. In the U.S., the most newsworthy of these breaches were Target and Neiman Marcus. The CSO is most likely in the best position to complete vendor risk assessments and manage third-party contractor security, since the responsibility to protect company assets rests there. But the CSO needs to be equipped and positioned to take on the task of vendor management.

Company executives and management should understand the importance of managing security risks of third-party vendors.

An enterprise might have a fully functional vendor management program, but unless they have security and risk specialists, they should engage the CSO to vet, approve and manage security risks of third-party vendors. This means, if during a vendor risk assessment, the CSO finds a particular vendor is a high security risk, he or she should be empowered to place a hold on finalizing an agreement or payment to vendor.

Under the CSO, an organization's vendor management program should cover specific things before and during engagement of third-party vendors, including:

• Ensuring contractual vendor agreements include the right-to-audit clause. This means the enterprise, if deemed necessary or by course, has the right to audit vendor security as it relates to agreed-upon services;
• Ensuring contractual vendor agreements include a termination clause, with or without cause, and a limitation of liability clause;
• Ensuring all vendors provide an annual independent security assessment by certified and qualified security assessors. This is currently requirement 12.8 in PCI DSS -- however, if the organization is not subject to PCI DSS, an SSAE-16 Type II, ISO 27002 certification, HIPAA certification, FISMA audit or equivalents should be provided before vendor agreement is signed;
• Requiring all vendors to provide proof or attest to employee security training, certifications, employee bonding and background checks are performed for those third-party employees working on the enterprise engagement;
• Requiring all vendors to provide proof of sufficient liability insurance before an agreement is signed;
• Requiring all vendors to attest in writing that they will abide by the enterprise security baseline standards, PCI DSS, ISO 27001, NIST Cybersecurity Framework or other industry best practice frameworks in the protection of enterprise data and assets;
• Ensuring all enterprise business units, support groups and technology units require management -- including the CSO -- approval of any vendor procurements;
• Establishing strong change control procedures and testing in applying vendor updates;
• Restricting vendor access, especially remote access, based on the principle of least privilege and ensure all vendor access is logged and closely monitored; and
• Developing a vendor management certification and ongoing vulnerability management process for monitoring new and existing vendor relationships. This process could be tracked on a simple spreadsheet or an automated governance, risk, compliance IT vendor risk management tool.

Company executives and management should understand the importance of managing security risks of third-party vendors and the value of a proper vendor risk assessment. In the event of a breach, customers and partners will not consider the enterprise less liable, even if the breach was due to vendor vulnerabilities.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)