We know your organization is more than likely investing in their cybersecurity program to take precautions and prevent unnecessary breaches, but are your third and fourth party vendors?
It’s important to understand the vendor’s cybersecurity posture. After reviewing the cybersecurity posture of hundreds of vendors, we’ve found these are the top areas of concern to focus on.
- Security Testing – Your vendors should be performing security tests on vendors, especially all medium, high and critical risk vendors. If a vendor processes, stores or transmits your data, they bring risk and should be performing annual security testing. Annual testing should include:
- Internal and External Vulnerability Testing
- Penetration Testing
- Social Engineering
- Sensitive Data Security – Sensitive data is information that needs to be protected against unintended disclosure. It’s imperative to understand how your vendors secure your data at rest and in transit. Your vendor should be securing your sensitive data in ways such as:
- Data Retention and Destruction Policies
- Data Classification and Privacy Policies
- Employee, Contractor and Vendor Management – Your vendor should be ensuring their employees, contractors and their vendors, your fourth parties, understand how and are prepared to protect data. Ways they should be accomplishing this include:
- Company and Employee Non-Disclosure Agreement (NDA) Clauses
- Employee Background Checks
- Annual Security Training
- Access Management Policies
- Oversight of Vendors
- Incident Detection and Response – When an incident occurs your vendor should have a plan in place to address the issue. You should understand how they handle incident detection and response. Your organization can set yourself up for a good understanding by doing the following:
- Include a legal obligation in the contract to notify you in an event of an incident
- Review their Incident Management Plan (IMP) to ensure it’s comprehensive and includes intrusion protection tools, firewalls, anti-malware products, a patch management program and details for their incident response timeline and process.
- Verify the vendor has cybersecurity insurance coverage
Want to learn more about a vendor’s information security posture? Check out our infographic on the CIA Information Security Triad and what it means for you and your vendors. Download here.