How to best vet third-party vendors

Security requirements for cloud vendors are exhaustive, but their clients should still vet them extensively before moving forward


How many third- or fourth-party vendors are in your supply chain? Given that a cloud service is often composed of multiple vendors, where does your supply chain begin or end? How can you best vet your vendors to minimize risks to your enterprise?

More and more security practitioners are having these conversations as they have seen the cold, hard evidence that many breaches are the result of a third-party vulnerability.

According to ProcessUnity, a cloud technology provider, with the number of supply chain partners extending well into the thousands, it is increasingly important for companies to have a firm grasp on their vendor relationships. Many, though, don't know the right questions to ask to best vet their vendors.

Todd Boehler, vice president of product strategy at ProcessUnity, offered some insight to guide enterprises through the vetting process. Of course, the flare-ups enterprises see depend largely upon the size of the company and the specific risks each is dealing with, but "From an overall perspective we have seen an increase in scrutiny by examiners for fourth-party risk," said Boehler.

In looking at what companies are doing to make sure they know where their data is all the way down the chain, ProcessUnity has found that some have received MRAs (matters requiring attention) from examiners for deeper-layered parties.

"What do we put in our contracts to have more control?" asked Boehler. "Many are creating fourth-party risk departments. There is still a lot of figuring out what’s going on in that area, so the organization has to be asking how to better protect themselves with either their own management and assessment or through contract language."

The mortgage service industry, said Boehler, is feeling this pressure tremendously due to Consumer Financial Protection Bureau (CFPB) regulations. "CFPB compliance and overall regulation compliance crackdown has increased the pressure for lenders to vet their vendors," he said. 

Aware of the pressure to demonstrate compliance, vendors are looking for reverse due diligence. "Vendors are looking for better ways to manage the customers’ vetting process. They are asking, 'What can we do better as a vendor to reduce our cost/risk in answering those questions?'" said Boehler.

Generic standards do exist, but they are essentially shared assessments: a common set of review questions that standardizes the vetting process. The questions were deliberately made generic so they can be used across industries.

"A shared assessment connector reduces the time it takes to share information and score it correctly. Outside of the shared assessment, there are service specific due diligence areas (for banks or pharmaceuticals). These cover different domain areas and the questions depend on the type of service," said Boehler.

On the rise are private exchanges run within a consortium, where the members agree to a single vetting process within the exchange. "Then the vendors consume that information. We are seeing an increased interest in doing that to alleviate the cost on both ends of the spectrum. They get information scored appropriately based on each customer’s risk appetite," said Boehler.

Because the landscape has completely changed, there are many facets to consider when vetting a vendor. "Backup files, what’s your process? Where do they go? Are they recovered? Do you have a GEO remote recovery process? Is it far enough away from disruption? Encryption key options? For more complex services, there are more methods, like 'bring your own key' encryption to give customers more ownership within that cloud," Boehler explained.

Check whether the vendor has undergone penetration testing, whether it follows secure coding principles, how its applications and data are protected, and what its cybersecurity posture entails.

"Ask: How are you approaching security? What do you do for vulnerability testing? There are a lot of different areas that a cloud provider needs to have in its arsenal to let customers know they have the right policies in place to make customers feel comfortable that their data is secure," Boehler said.
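The shared-exchange model above rests on one idea: a vendor answers a common questionnaire once, and each consumer scores the same answers against its own risk appetite. The following is an added example, not the article's material nor ProcessUnity's product, showing how that scoring can work. The control list, the weights, the vendor's answers and the three customer risk appetites are all constructed for illustration; the control areas (backups, geographic recovery, encryption and BYOK, penetration testing, secure coding, vulnerability testing) are the ones the article raises.

```python
"""Score one shared vendor assessment against several customers' risk appetites.

Added example. Controls, weights, vendor answers and appetites below are
constructed for illustration; a real shared questionnaire has hundreds of items.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    id: str
    question: str
    weight: int      # points earned when the vendor answers "yes"
    domain: str


# Constructed subset of controls, grouped by the areas the article lists.
CONTROLS = [
    Control("BK-1", "Are backups taken on a documented schedule?", 2, "backup"),
    Control("BK-2", "Are backup restores tested at least annually?", 3, "backup"),
    Control("DR-1", "Is there a geographically remote recovery site?", 3, "recovery"),
    Control("EN-1", "Is customer data encrypted at rest?", 4, "encryption"),
    Control("EN-2", "Can the customer bring their own encryption key (BYOK)?", 2, "encryption"),
    Control("AP-1", "Was a third-party penetration test performed in the last 12 months?", 4, "appsec"),
    Control("AP-2", "Is a secure coding standard enforced in the SDLC?", 3, "appsec"),
    Control("AP-3", "Is there a recurring vulnerability scanning program?", 3, "appsec"),
]


@dataclass(frozen=True)
class RiskAppetite:
    """One consumer's view of the shared assessment."""
    name: str
    min_score_pct: float                # accept only at or above this percentage
    required: frozenset = frozenset()   # knock-out controls: a "no" fails outright


def score_assessment(answers: dict[str, bool]) -> tuple[int, int]:
    """Return (points earned, points possible). An unanswered control counts as 'no'."""
    earned = sum(c.weight for c in CONTROLS if answers.get(c.id, False))
    possible = sum(c.weight for c in CONTROLS)
    return earned, possible


def failed_required(answers: dict[str, bool], appetite: RiskAppetite) -> list[str]:
    """Knock-out controls this customer requires that the vendor does not meet."""
    return sorted(cid for cid in appetite.required if not answers.get(cid, False))


def evaluate(answers: dict[str, bool], appetite: RiskAppetite) -> dict:
    """Same answers, different verdicts: knock-outs first, then the score threshold."""
    earned, possible = score_assessment(answers)
    pct = 100.0 * earned / possible
    knockouts = failed_required(answers, appetite)
    if knockouts:
        verdict = "reject"
    elif pct >= appetite.min_score_pct:
        verdict = "accept"
    else:
        verdict = "review"      # below threshold but no hard failure: needs a human look
    return {"customer": appetite.name, "score_pct": round(pct, 1),
            "failed_required": knockouts, "verdict": verdict}


# Constructed answers from a hypothetical vendor: strong appsec, no remote
# recovery site, no BYOK. Earns 19 of 24 possible points.
VENDOR_ANSWERS = {"BK-1": True, "BK-2": True, "DR-1": False, "EN-1": True,
                  "EN-2": False, "AP-1": True, "AP-2": True, "AP-3": True}

# Three constructed consumers of the same assessment.
RETAILER = RiskAppetite("regional-retailer", 70.0, frozenset({"EN-1"}))
LENDER = RiskAppetite("mortgage-lender", 85.0, frozenset({"EN-1", "DR-1", "AP-1"}))
STARTUP = RiskAppetite("saas-startup", 85.0)

if __name__ == "__main__":
    for appetite in (RETAILER, LENDER, STARTUP):
        print(evaluate(VENDOR_ANSWERS, appetite))
```

The lender rejects the vendor not because the score is low but because a control it treats as mandatory (the remote recovery site) is missing; the startup, with the same threshold and no knock-outs, gets a "review" rather than a reject. Separating hard requirements from weighted scoring is what lets one shared assessment serve customers with different regulatory exposure.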

Copyright © 2016 IDG Communications, Inc.
