Vendor security has been a hot topic in 2016. Organizations are taking a holistic approach to security, going beyond reviewing their own security practices to evaluate and monitor their vendors’ security practices as well. In March, Google open-sourced its vendor security review tool (VSAQ) in the hope that it would help other companies improve their own vendor security programs. More recently, several tech leaders have come together to create the Vendor Security Alliance with the goal of improving Internet security by standardizing the way vendor security and compliance are assessed. On October 1, they published a questionnaire to help organizations assess and benchmark third-party product and service risk, taking a risk-based, service-oriented, and integrated approach to vendor security assessment.
These developments are a welcome step in the right direction, but there is much more to be done.
- Questionnaire-based systems rely on vendors’ self-reporting of their IT security practices. Unless the answers are checked against evidence (audit reports, penetration test results, or direct testing of the vendor’s systems), the process is an honor system, and security policies and processes built on an honor system cannot be robust enough to meet organizational security needs.
- Assessing vendor security once a year fails to keep pace with how quickly the threat landscape and business needs change; a vendor’s posture can shift significantly between two annual reviews.
- Finally, turning a vendor’s answers to these questions into a consistent judgment of its security status is neither simple nor straightforward, and different reviewers can reach different conclusions from the same answers.
Ideally, organizations should have a tool to assess and monitor a vendor’s security in an automated and continuous manner. Until such a tool becomes available, organizations can follow a few simple tips, described below, to effectively manage and monitor third-party vendor risk:
- Get together with internal stakeholders to agree on acceptable vendor security standards. Establish the controls a third-party vendor must meet before its product or service can be deployed in the organization.
- Communicate the security standards to the vendors. Educate vendors, answer their questions, and get their commitment to meeting the standards. For vendors that are not already compliant, establish a timeline for bringing them into compliance.
- Periodically review both the standards themselves and each vendor’s compliance with them, so that the standards track the changing threat landscape and the review catches vendors whose posture has slipped.
Figure: Simple steps for 3rd party vendor security certification.
WhiteHat Security has begun to address this challenge in the application security space. The WhiteHat Security Index (WSI) is a way to measure an application’s security status or risk based on many factors — including past vulnerability history, remediation rates, scanning frequency, site complexity, and more. WSI measures application security risk for a site in much the same way that a FICO score measures creditworthiness for an individual. Taking a similar approach to assessing vendor security — combining factors such as application security, infrastructure security, physical and data center security, and data protection policies into a single security rating — would begin to mitigate the challenges currently faced by anyone evaluating the risk associated with a third-party product or service. Certainly, security is a rapidly evolving field, and we hope that vendor security assessments will evolve to become more accurate, more consistent, and more effective over time.