Ensuring Network Security When Working with Third Party Vendors: Part 1 of 2

When it comes to network security and attempting to protect the digital assets of your organization, you’re only as secure as your weakest link. I can’t help but think of Anne Robinson from the corny BBC game show “The Weakest Link” each time I hear this phrase now, but it’s true.

The soft underbelly for many organizations is not their network per se, but the networks of those they’re doing business with. These third party vendors might not be as security conscience as you are, but in the long run, it’s still your network and your (and your customers’) information. The headlines will focus on the data breach and ultimately it’s your fault. In this two-part blog series, we’ll examine some important steps to take for limiting the damage caused by insecure third party vendors (which by the way is an important aspect of PCI-DSS compliance):

• On-boarding New Vendors
  To start off there needs to be a process of vetting potential vendors. Not every vendor is going to be given the green light to perform business with a company. There needs to be a process of on-boarding new vendors so that your data isn’t being strewn to just any company. The process needs to include your risk management or information security team from the beginning, before the PoC or data sharing, so that they have the appropriate amount of time to research the vendor, contracts, data sharing, etc. If this is done after contracts are signed, you’re playing catch up and it’s difficult to have something removed once it’s put in place.  Having a team responsible for determining the risk of vendors early on in the process is a huge win. This can be added to the legal request or whatever other method that’s used to establish a relationship with new vendors. Once this is established there also needs to be education within all the other departments to understand the new process. It’s not going to work overnight and everyone needs to be on the same page for this to work properly.

• Checklist and Contracts
  Once a third party vendor has been reviewed and you have an understanding of what they do and why they’re needed, you can start with the checklist and contract phase. In order to truly vet a vendor you need to understand what they will be doing with your data. Creating a checklist of questions for the vendor to answer is highly recommended so that you can have a physical copy of what they say they do and how they do it. This checklist should also be signed by both parties involved and saved with the other documentation that’s needed to setup a vendor relationship. A checkout process should be included to keep the most up-to-date copy of this checklist available for review. I’ve seen these checklists be as little as four pages and as long as 30 pages and they provide you with a good understanding of how the third party does things before blindly handing over your data to them. Here are a few questions that I’ve seen in these checklists:

• Will the [ENTER COMPANY NAME HERE] data be stored outside the United States of America?
• Does [THIRD PARTY VENDOR] have an incident response program?
• Who has access to [ENTER COMPANY NAME HERE] data? Is it role based and audited?
• Are firewalls, IPS and log management used?
• Etc.

Normally, I’ve seen these checklists broken down by topic with multiple questions entered under each topic. A few of these topics are infrastructure, data governance, system configuration, privacy, compliance, and more. Based off these topics and the questions that you submit under them, you should be able to get a fair understanding of how the potential vendor will treat your data.

Now I know what you’re going to say… what if they just lie and put what you want to see down as an answer to a question? Yes, that’s a concern… and a big one. We initially give vendors this list to see what their posture is, but if they’re lying to us we’ll have no idea. In order to give them a little more skin in the game you can add the checklist to the contract being signed with legal and put in a clause about giving you the right to audit them if you deem it appropriate. I guarantee you that the vendors are going to push back on this request, but if they want to do business with you, it’s a price they’ll have to pay. Plus, by having this added to the contract you can have them responsible if data was lost on their end and they were lying about what they were doing in the checklist. It helps keep people, um, honest.

In my next post, we’ll continue to look at ways to shore up your weakest security links when it comes to third party vendors – from data access to incident response and cybersecurity insurance.