Earlier this month, it was discovered that Anthem denied a government auditor’s request to perform vulnerability scans on Anthem’s IT systems, both in 2013 and for a scan this coming summer. This Data Breach Today piece details both why the enterprise was justified in its refusal and why it was a poor choice.
Regardless of whether it was the right call to make, the situation displays the challenges an enterprise faces whenever it wants to evaluate the information security performance of a vendor, partner or other third party. Vendors may not agree to intrusive vulnerability scans, penetration tests or other assessment methods, making it difficult for organizations to verify the security postures of third parties. With vendor risk management models moving towards a “trust but verify” approach, we take a look at the vendor risk management tools organizations have to assess third parties in this challenging environment.
Vulnerability Scans
Vulnerability scans are a broad-reaching way to discover the potential weaknesses that exist within a network. When third parties allow you to scan their networks, you get an in-depth look at the level of cyber risk they are exposing to your company. However, it’s not out of the ordinary for a large company to have thousands of vendors in its extended ecosystem, and because vulnerability scans are costly, scanning every vendor network is not a practical solution.
Penetration Tests
If you want to evaluate a network’s information security performance, a penetration test is another method you can use to your advantage. Once a vulnerability has been discovered, a pen test challenges the network’s tolerance for an attack through that weakness. Unfortunately, like vulnerability scans, pen tests are expensive and require permission from the third party to carry out.
Questionnaires & Audits
It can be helpful to see a qualitative view of an enterprise’s performance, and a questionnaire accomplishes that goal. Questionnaires assess what information security controls a vendor says are in place. The issue with this type of assessment is that there is often a gap between what a vendor believes to be true and what is actually the case. You can also get very different results from different assessors, because the audits aren’t always conducted the same way.
Continuous Monitoring & Security Ratings
Continuous monitoring solutions, like BitSight Security Ratings, offer an evidence-based assessment using data sources from all over the internet to see what activity is coming from a given network. These solutions do not require any investment of time or permission from the network being observed. They are used most effectively when combined with other assessment tools. Today, many organizations are using Security Ratings to augment their vendor risk programs with ongoing monitoring.
While no single tool shows the whole picture, using them in combination with each other can augment your visibility into third parties’ information security and help you trust AND verify vendor security performance.
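The "trust but verify" idea above, and the questionnaire bias noted under Questionnaires & Audits, can be made concrete in code: take a vendor's self-reported answers, take externally observed evidence about its network, and flag any "yes" answer that recent evidence contradicts. The following is an added example, not code from the original post and not any rating vendor's methodology; the questionnaire claims, the claim-to-evidence mapping, the scoring weights and all sample data are constructed assumptions.

```python
"""Reconcile vendor questionnaire answers with externally observed evidence.

Added example (not part of the original post, not BitSight code). Every
claim name, mapping, weight and observation below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Observation:
    """One externally observed event about a vendor's network (constructed)."""
    kind: str       # category of evidence, e.g. "botnet_sighting"
    detail: str     # free-text note, e.g. the host involved
    observed: date  # when the evidence was seen


@dataclass
class Vendor:
    name: str
    answers: dict                     # questionnaire claim -> vendor's yes/no answer
    observations: list = field(default_factory=list)


# Hypothetical mapping from a questionnaire claim to the observation kinds
# that would contradict a "yes" answer. A real program would derive this
# from its own questionnaire and its own data sources.
CONTRADICTS = {
    "patches_within_30_days": {"expired_tls_cert", "end_of_life_software"},
    "endpoint_malware_protection": {"botnet_sighting", "spam_source"},
    "no_unneeded_internet_services": {"exposed_admin_service"},
}


def recent(observations, as_of, window_days):
    """Keep only evidence inside the look-back window; stale sightings are ignored."""
    cutoff = as_of - timedelta(days=window_days)
    return [o for o in observations if o.observed >= cutoff]


def find_discrepancies(vendor, as_of, window_days=90):
    """Return {claim: [contradicting evidence kinds]} for every 'yes' answer
    that recent external evidence contradicts."""
    seen = {o.kind for o in recent(vendor.observations, as_of, window_days)}
    out = {}
    for claim, answered_yes in vendor.answers.items():
        if not answered_yes:
            continue
        hits = CONTRADICTS.get(claim, set()) & seen
        if hits:
            out[claim] = sorted(hits)
    return out


def verify_score(vendor, as_of, window_days=90):
    """Combine self-reported controls with external evidence into a 0-100 score.

    Weights are illustrative assumptions: a contradicted claim costs 20 points
    because it also signals the questionnaire itself is unreliable; any recent
    adverse observation costs 5 points on its own.
    """
    total = len(vendor.answers) or 1
    claimed = 100 * sum(1 for v in vendor.answers.values() if v) / total
    discrepancies = find_discrepancies(vendor, as_of, window_days)
    evidence = recent(vendor.observations, as_of, window_days)
    penalty = 20 * len(discrepancies) + 5 * len(evidence)
    return {
        "vendor": vendor.name,
        "claimed": round(claimed),        # questionnaire-only view
        "score": max(0, round(claimed - penalty)),
        "discrepancies": discrepancies,
        "needs_followup": bool(discrepancies),
    }


# Constructed sample: a vendor that claims three of four controls, while
# external evidence from the last 90 days contradicts two of them.
AS_OF = date(2020, 6, 1)
SAMPLE = Vendor(
    name="Example Vendor (constructed)",
    answers={
        "patches_within_30_days": True,
        "endpoint_malware_protection": True,
        "no_unneeded_internet_services": True,
        "mfa_for_remote_access": False,
    },
    observations=[
        Observation("botnet_sighting", "203.0.113.7 beaconing to a sinkhole", date(2020, 5, 20)),
        Observation("expired_tls_cert", "vpn.example.test certificate expired", date(2020, 5, 30)),
        Observation("spam_source", "old sighting, outside the window", date(2019, 12, 1)),
    ],
)

if __name__ == "__main__":
    print(verify_score(SAMPLE, AS_OF))
```

On the sample data the questionnaire alone would give the vendor 75, while the combined view drops to 25 and marks two claims for follow-up; the 2019 spam sighting is excluded by the 90-day window, which is the kind of staleness control a real program needs so that old evidence does not permanently penalise a vendor that has since fixed the problem.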