Before clicking I Accept, I Agree or signing a contract, it’s imperative to understand the risk being assumed. The first consideration is, “What?” What information will the vendor have access to? Will data be stored by the vendor? What processes will the vendor be performing on my behalf? These questions help define security, privacy, confidentiality and availability requirements.
Below are the primary steps when evaluating vendor security:
- Identify critical risk factors associated with the vendor related process, as well as the controls you expect to be in place. For example, if the vendor is going to have access to personnel records, you would expect restricted access to personally identifiable information and social security numbers to be encrypted. If the vendor is a colocation housing all your servers and file shares, availability would be a critical factor (along with many others.) Include the primary process owners, IT, Risk, Compliance and/or Legal as deemed necessary to ensure a complete list is generated.
- Request and review the vendor’s SSAE18 Type2 SOC report – This is a report on control policies and procedures placed utilized by the vendor organization. The reports are prepared by independent audit firms and include an evaluation of the operating effectiveness of the controls for a period of at least six consecutive calendar months. A SOC1 report would be appropriate for vendors providing a process (such as payroll), whereas a SOC2 is appropriate for software as a service providers and colocations. The purpose of a SOC2 is to evaluate an organization’s information systems relevant to security , availability, processing, integrity, confidentiality, and privacy.
- Verify controls are in place and properly functioning to mitigate the critical risk factors identified in number 1 above. If you are reviewing the SSAE18 SOC report, verify such controls are included in the report were deemed effective based on testing. If a SSAE18 SOC report is not available, create a questionnaire based on the critical risk factors.
- Verify in the event of a disaster, such as ransomware, company data can be recovered. Data is often replicated to support availability; however viruses and malware can also be replicated. At least one copy of data back-ups should be stored so they cannot be impacted by ransomware.
- Access to data should be restricted on a least privilege basis and should support segregation of duties. This means access is only granted to sensitive data and processes required to complete one’s job requirements. Administrative privileges and elevated system rights are a primary source of concern. These accounts should be protected by multifactor authentication.
- End-point protection and Vulnerability Management – Virtual platforms, software as a service and networks require protection from malware, monitoring and escalation procedures in the event of an incident and a system development lifecycle to prevent flaws, detect vulnerabilities and to remediate issues timely without creating new issues.
While this is not a comprehensive list, it should give you a great start. If you are interested in earning continued professional education hours while learning more, the following webinar is available: https://www.illumeo.com/courses/auditing-third-party-service-providers-cloud-environments
