Cyber security assessments are key to understanding the cyber risk that your vendors may pose whether you’re onboarding them or re-evaluating during an audit period.
Knowing that resources are often stretched and the pressure from management to quickly complete cyber security assessments is intense, we compiled five best practices that can help streamline the process and yield better risk reduction.
When it comes to your third-party cyber security assessments, there’s no need to reinvent the wheel. Consider borrowing from widely adopted assessment methodologies such as the SANS Top 20 Critical Security Controls or the NIST Framework for Improving Critical Infrastructure Cybersecurity. Both combine best practices and standards for reducing cyber risk that can be applied to your vendors. Alternatively, there’s Shared Assessments, a trusted source in third-party risk management that develops security risk assessment questionnaires for use by its members.
No two vendors are the same, so why assess them in the same way? Using the same assessments for all vendors can be a drain on resources and increases the time and cost of completing the process. Instead, consider grouping vendors by criticality and tailoring your assessments accordingly.
A “critical” vendor may be one who has access to sensitive data or provides an important service, such as a payroll provider. They present a much higher level of risk than an office supply company that doesn’t have direct access to your network or employee data. Tiering vendors in this way can help you determine whether they need a more in-depth cyber security assessment. This way you’ll make better use of your resources, allocating them where more due diligence is required.
You can also go beyond your initial tiering and use data from BitSight Security Ratings to compare vendors’ security profiles side-by-side. From here you can further prioritize which vendors need the most attention. Higher scores have been correlated with better security postures and perhaps indicate the need for a less rigorous cyber security assessment.
Once you have tiered and prioritized your vendors, it’s important to customize your security assessment questions for each. But it’s not enough to ask for incident reports and network protection status; you need to dive deeper into your vendors’ processes and policies. To help you do this, we’ve compiled a list of the 40 Questions You Should Have in Your Vendor Security Assessment.
This useful guide includes common questions that can help focus your discovery efforts. For instance, does the vendor plan and train for cyber incidents? How are those incidents reported? How frequently are employees trained on IT security policies? How does the vendor monitor remote or wireless networks?
Rather than taking your vendors’ word for it, use security ratings to validate certain responses. For example, the BitSight platform can identify if a vendor has experienced a security incident since their last cyber security assessment and factor this into their rating.
You also can use security ratings to establish acceptable risk thresholds and develop language to ensure that your entire third-party network meets the established requirements. For example, you might consult with your legal and finance teams to put extra contractual controls in place based on the security rating of a vendor. Those with lower ratings may require more stringent controls to ensure they meet your acceptable risk threshold, or you might even choose to go with a different vendor if their rating is below your accepted threshold.
Contract language can also be used to enforce compliance throughout the life of your contracts. If a vendor dips below that threshold, work with them to develop a remediation plan.
One of the biggest concerns for security and risk managers is that threats are constantly evolving – especially from third parties. Cyber security assessments are a powerful tool, but traditionally they have only captured a single point-in-time. In between assessments, vulnerabilities or changes to your vendors’ security postures can emerge without your knowledge and put your business at risk.
A better approach is to continuously monitor your third parties in near real-time throughout the life of your relationships. By looking at movements against risk thresholds, such as vendors’ security ratings, or changes to risk vectors, you can determine whether another assessment is needed – even if the last assessment was just a few months ago. Ratings can also validate your vendors’ responses, particularly around security incidents, allowing you to “trust, but verify” that the companies you’re working with are as committed to sound security as they say they are.
Third parties are essential to helping your business grow and stay competitive. But if you’re not careful, your trusted partnerships can introduce unwanted cyber risk and overhead into your organization.
What’s the biggest struggle your vendor risk managers face when establishing cyber security monitoring processes? From sudden increases in the use of third-parties by your organization, to not knowing which vendors might be impacted by the...