Vendor and third-party related breaches are at an all-time high. Several high-profile breaches, including those at Uber, Amazon and British Airways, have been attributed to third parties. Most major security frameworks, guidelines, compliance standards and regulations now make third-party risk management a mandatory part of the overall security program. The following are the key steps for building an effective vendor risk management program.
Create a List of Your Third Parties and Vendors
Vendor identification is one of the hardest problems. You can get the list of third parties and vendors in use from procurement, but the harder problem is finding the vendors used by the engineering team and the free tools used by marketing. Ask every key stakeholder in the organization for their list of vendors. Even once the responses arrive (which takes a long time, and sometimes they never arrive at all), don't relax: here is the second tough problem.
Identify the Unknown Third Parties
Well, here's the bigger problem. Your engineering team may have pulled in third-party libraries and APIs without informing procurement or even the head of engineering. You need tools such as SCA (software composition analysis) to identify those. Your marketing or business team may have handed customer or user data to integration partners for free POCs or trials. None of these will be on the vendor list. You need attack surface analysis tools that can automatically discover data exposed by such third parties, and ideally this needs to run continuously.
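To make the SCA step concrete, here is a small inventory script added to this post (it is not code from the original post or from any SCA product). It parses a pip requirements.txt and an npm package.json, records where each component is fetched from, and separates components that bypass the public registry (git checkouts, direct URLs, local paths) from registry components whose version is not pinned. Both manifests are constructed sample input; the org, partner and package names are made up.

```python
"""Inventory third-party components from dependency manifests.

Added example, not from the original post: a small stand-in for the inventory
step of a software composition analysis (SCA) tool. It parses a pip
requirements.txt and an npm package.json, records where each component is
fetched from, and flags the ones that bypass the default public registry,
which are exactly the dependencies that never appear on a procurement-sourced
vendor list. Both manifests are constructed sample input with made-up names.
"""
import json
import re
from dataclasses import dataclass
from typing import List

SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.31.0
PyYAML>=6.0
-e git+https://github.com/example-org/internal-sdk.git#egg=internal-sdk
analytics-shim @ https://cdn.example-partner.test/analytics_shim-0.3.0-py3-none-any.whl
"""

SAMPLE_PACKAGE_JSON = """{"name": "constructed-sample-app",
 "dependencies": {"express": "^4.18.2", "left-pad": "1.3.0",
                  "telemetry-widget": "github:example-partner/telemetry-widget#v2",
                  "shared-ui": "file:../shared-ui"},
 "devDependencies": {"jest": "~29.7.0"}}"""


@dataclass(frozen=True)
class Component:
    ecosystem: str  # "pypi" or "npm"
    name: str
    spec: str       # constraint or location exactly as written in the manifest
    source: str     # "registry", "git", "url" or "path"
    pinned: bool    # True only when the manifest fixes one exact version


def _classify_source(spec: str) -> str:
    s = spec.strip()
    if s.startswith(("git+", "git://", "github:", "ssh://")) or ".git#" in s or s.endswith(".git"):
        return "git"
    if s.startswith(("http://", "https://")):
        return "url"
    if s.startswith(("file:", "./", "../", "/")):
        return "path"
    return "registry"  # caveat: npm's bare "user/repo" GitHub shorthand also lands here


_PIP_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;,]*)")


def parse_requirements(text: str) -> List[Component]:
    """Handle pinned/ranged names, -e VCS lines and PEP 508 'name @ url' references."""
    out: List[Component] = []
    for raw in text.splitlines():
        # pip treats '#' as a comment only at line start or after whitespace,
        # so the '#egg=' fragment of a VCS URL survives this split
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line or line.startswith(("-r", "--")):
            continue
        if line.startswith("-e"):
            line = line[2:].strip()
        if line.startswith(("git+", "http://", "https://", "ssh://")):
            m = re.search(r"#egg=([A-Za-z0-9_.-]+)", line)
            name = m.group(1) if m else line  # fall back to the URL itself as the name
            out.append(Component("pypi", name.lower(), line, _classify_source(line), False))
            continue
        if " @ " in line:
            name, _, location = line.partition(" @ ")
            out.append(Component("pypi", name.lower(), location.strip(), _classify_source(location), False))
            continue
        m = _PIP_REQ.match(line)
        if not m:
            continue
        name, op, ver = m.groups()  # names are lower-cased; full PEP 503 folding of -_. is omitted
        out.append(Component("pypi", name.lower(), f"{op}{ver}" if op else "*", "registry", op == "=="))
    return out


def parse_package_json(text: str) -> List[Component]:
    """Walk dependencies and devDependencies; only an exact x.y.z counts as pinned."""
    data = json.loads(text)
    out: List[Component] = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            source = _classify_source(spec)
            exact = source == "registry" and re.fullmatch(r"\d+\.\d+\.\d+", spec) is not None
            out.append(Component("npm", name, spec, source, exact))
    return out


def unknown_third_parties(components: List[Component]) -> List[Component]:
    """Components fetched from somewhere other than the default public registry."""
    return [c for c in components if c.source != "registry"]


def unpinned_registry(components: List[Component]) -> List[Component]:
    """Registry components whose resolved version can change on the next install."""
    return [c for c in components if c.source == "registry" and not c.pinned]


def build_inventory() -> List[Component]:
    return parse_requirements(SAMPLE_REQUIREMENTS) + parse_package_json(SAMPLE_PACKAGE_JSON)


if __name__ == "__main__":
    inv = build_inventory()
    for c in unknown_third_parties(inv):
        print(f"OUTSIDE REGISTRY {c.ecosystem:5} {c.name:18} {c.source:8} {c.spec}")
    for c in unpinned_registry(inv):
        print(f"UNPINNED         {c.ecosystem:5} {c.name:18} {c.spec}")
```

On the sample input, the four components flagged as outside the registry (a partner's git repo, a wheel served from a partner CDN, a GitHub-hosted widget and a local path) are the ones procurement has never heard of, and the three unpinned registry entries are the ones whose publisher can change what you ship on the next install. A real SCA tool also resolves transitive dependencies and lock files; this script stops at the direct dependencies declared in the manifests.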
Bucket Vendors by Business Criticality
Once you have the list of vendors (almost impossible to get all of them if you are a large company), you can congratulate yourself and then start the next step. Bucket the vendors into three groups (High, Medium, Low) based on business criticality: what kind of data are you sharing with them? Can their downtime cause serious business disruption for you? Choose your own model, but keep it simple.
Define the type of Vendor Risk Assessments
The next step is to define the tiers of assessment you want to conduct for the vendors. You may start with automated, OSINT-based continuous vendor risk monitoring, or monitoring by security rating tools. You may add self-assessment questionnaires or manual audits alongside it.
Build Vendor Risk Assessment Program Definition
Next, map each vendor to a specific frequency for automated audits and questionnaire-based audits. Ideally you should continuously monitor all vendors using tools, and conduct periodic self-assessments and on-site audits, where the periodicity and depth of the audits is a function of business criticality. The types of assessment are described in more detail below.
Continuous Vendor Risk Monitoring
It is possible to assess the security health of a third party or vendor passively and continuously, based on security parameters visible from the internet. For example, you can find out whether their IPs are on blocklists or associated with malware, and learn about their web security posture, data leakage and other parameters. FireCompass is one such tool that can help you monitor your vendors.
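One of the passive signals mentioned above, the blocklist check, is simple enough to show end to end. The script below is an added example for this post, not code from the original post and not how any particular rating product works; a rating tool aggregates many such signals, this shows just one. DNSBLs are queried over ordinary DNS: reverse the address, append the list's zone, and an answer inside 127.0.0.0/8 means "listed". The zone names and every address in the sample are constructed assumptions, and the offline run uses a stub resolver; real lists publish their own usage terms and return-code meanings, which you must read before pointing this at them.

```python
"""Passive blocklist (DNSBL) lookup for a vendor's public addresses.

Added example, not from the original post and not how any particular rating
product works. DNSBLs are queried over plain DNS: reverse the address, append
the list's zone, and an answer inside 127.0.0.0/8 means "listed". The zone
names and all addresses below are constructed assumptions; real lists publish
their own usage terms and return-code meanings, which you must read first.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Assumed zones: substitute the lists your program is actually allowed to query.
DNSBL_ZONES = ["dnsbl.example.test", "malware.example.test"]

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name for an IPv4 or IPv6 address under a DNSBL zone.

    reverse_pointer yields the PTR form (1.0.168.192.in-addr.arpa, or the
    nibble-reversed ip6.arpa form); DNSBLs reuse that reversal under their zone.
    """
    addr = ipaddress.ip_address(ip)
    reversed_labels = addr.reverse_pointer.rsplit(".", 2)[0]  # strip in-addr.arpa / ip6.arpa
    return f"{reversed_labels}.{zone}"


def is_listed(answer: Optional[str]) -> bool:
    """NXDOMAIN (None) means not listed. A non-loopback answer is treated as noise,
    which guards against dead zones that wildcard every name to a parking IP."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the OS resolver (not used by the offline sample)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_addresses(ips: Iterable[str], zones: List[str] = DNSBL_ZONES,
                    resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Map each address to the zones that list it."""
    hits: Dict[str, List[str]] = {}
    for ip in ips:
        hits[ip] = [z for z in zones if is_listed(resolve(dnsbl_query_name(ip, z)))]
    return hits


# --- constructed offline sample: documentation-range addresses and a stub resolver ---
SAMPLE_VENDOR_IPS = ["203.0.113.10", "203.0.113.11", "2001:db8::1"]

_STUB_ANSWERS = {
    "11.113.0.203.dnsbl.example.test": "127.0.0.2",
    "11.113.0.203.malware.example.test": "127.0.0.3",
    dnsbl_query_name("2001:db8::1", "malware.example.test"): "127.0.0.4",
    "10.113.0.203.dnsbl.example.test": "198.51.100.5",  # parked wildcard, not a listing
}


def stub_resolver(name: str) -> Optional[str]:
    return _STUB_ANSWERS.get(name)


def run_sample() -> Dict[str, List[str]]:
    return check_addresses(SAMPLE_VENDOR_IPS, resolve=stub_resolver)


if __name__ == "__main__":
    for ip, zones in run_sample().items():
        print(f"{ip:15} {'LISTED on ' + ', '.join(zones) if zones else 'clean'}")
```

Swap `stub_resolver` for `system_resolver` to run it live against zones you are permitted to use, and feed it the vendor's announced address ranges rather than a hand-typed list. The 127.0.0.0/8 check matters in practice: abandoned blocklist zones have been known to resolve every query to a real address, which would otherwise flag every vendor at once.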
Continuous Vendor Data Breach Monitoring
The same class of monitoring tools can be used to watch for any vendor exposing a database that contains data related to your organization, or exposing code related to your organization. Such continuous vendor data breach monitoring has become a must for organizations that cannot afford such risks.
Self Assessment Questionnaire and Audits
You may also use the age-old model of sending questionnaires. This has its own flaws, since vendors may not disclose all their gaps to you. It is still an important element, however, because it lets you pass on liability for misrepresentation in case of a breach, and it keeps vendors on their toes. Here is a list of free vendor risk assessment questionnaires that you may use.
Periodic Vendor Awareness Training Program
All of the above are great. However, as a genuine well-wisher of your vendors (and for your own safety), you may take one more step. Send them periodic emails. Share threat intel feeds you have access to. Give them access to the data you get from continuous third-party monitoring tools. Conduct online and offline training. Treat them as partners in your journey to build an effective third-party risk management program.
Did I miss anything? Please share your thoughts in the comments!