When it comes to network security and attempting to protect the digital assets of your organization, you’re only as secure as your weakest link. I can’t help but think of Anne Robinson from the corny BBC game show “The Weakest Link” each time I hear this phrase now, but it’s true.
The soft underbelly for many organizations is not their network per se, but the networks of those they’re doing business with. These third party vendors might not be as security conscience as you are, but in the long run, it’s still your network and your (and your customers’) information. The headlines will focus on the data breach and ultimately it’s your fault. In this two-part blog series, we’ll examine some important steps to take for limiting the damage caused by insecure third party vendors (which by the way is an important aspect of PCI-DSS compliance):
- Will the [ENTER COMPANY NAME HERE] data be stored outside the United States of America?
- Does [THIRD PARTY VENDOR] have an incident response program?
- Who has access to [ENTER COMPANY NAME HERE] data? Is it role based and audited?
- Are firewalls, IPS and log management used?
Normally, I’ve seen these checklists broken down by topic with multiple questions entered under each topic. A few of these topics are infrastructure, data governance, system configuration, privacy, compliance, and more. Based off these topics and the questions that you submit under them, you should be able to get a fair understanding of how the potential vendor will treat your data.
Now I know what you’re going to say… what if they just lie and put what you want to see down as an answer to a question? Yes, that’s a concern… and a big one. We initially give vendors this list to see what their posture is, but if they’re lying to us we’ll have no idea. In order to give them a little more skin in the game you can add the checklist to the contract being signed with legal and put in a clause about giving you the right to audit them if you deem it appropriate. I guarantee you that the vendors are going to push back on this request, but if they want to do business with you, it’s a price they’ll have to pay. Plus, by having this added to the contract you can have them responsible if data was lost on their end and they were lying about what they were doing in the checklist. It helps keep people, um, honest.
In my next post, we’ll continue to look at ways to shore up your weakest security links when it comes to third party vendors – from data access to incident response and cybersecurity insurance.
Receive notifications of new posts by email.