
4 Important Areas of Vendor Cybersecurity to Understand

Mar 14, 2018 by Lisa-Mae Hill, CTPRP

Your organization is more than likely investing in its cybersecurity program to take precautions and prevent avoidable breaches, but are your third and fourth party vendors doing the same?

It’s important to understand the vendor’s cybersecurity posture. After reviewing the cybersecurity posture of hundreds of vendors, we’ve found these are the top areas of concern to focus on.

  1. Security Testing – Your vendors should be performing security testing on their own environments, and you should require it of all medium, high and critical risk vendors. If a vendor processes, stores or transmits your data, they bring risk and should be performing, at a minimum, annual security testing. Annual testing should include:
    • Internal and External Vulnerability Scanning
    • Penetration Testing (manual testing that goes beyond automated scanning, with findings and remediation tracked to closure)
    • Social Engineering (e.g., phishing simulations)

  2. Sensitive Data Security – Sensitive data is information that must be protected against unintended disclosure. It’s imperative to understand how your vendors secure your data at rest and in transit. Your vendor should be securing your sensitive data in ways such as:
    • Encryption of data at rest and in transit
    • Data Retention and Destruction Policies
    • Data Classification and Privacy Policies

  3. Employee, Contractor and Vendor Management – Your vendor should be ensuring that their employees, contractors and their own vendors (your fourth parties) understand how to protect your data and are prepared to do so. Ways they should be accomplishing this include:
    • Company and Employee Non-Disclosure Agreement (NDA) Clauses
    • Employee Background Checks
    • Annual Security Training
    • Access Management Policies (least privilege, with access revoked promptly on termination)
    • Oversight of Vendors

  4. Incident Detection and Response – When an incident occurs, your vendor should have a plan in place to address it. You should understand how they handle incident detection and response. Your organization can set itself up for a good understanding by doing the following:
    • Include a legal obligation in the contract to notify you in the event of an incident, with a defined notification timeframe
    • Review their Incident Management Plan (IMP) to ensure it’s comprehensive and covers the controls they rely on for detection and containment (intrusion detection and prevention tools, firewalls, anti-malware products and a patch management program) as well as details of their incident response timeline and process
    • Verify the vendor has cybersecurity insurance coverage

Want to learn more about a vendor’s information security posture? Check out our infographic on the CIA Information Security Triad and what it means for you and your vendors.



Written by Lisa-Mae Hill, CTPRP

Lisa-Mae is an experienced cybersecurity analyst with experience in both the private and public sectors. She has held the roles of Subject Matter Expert and Information System Security Officer for a government-based contractor and has extensive experience in Certification & Accreditation, CIS Critical Control implementation and auditing, security assessments and cybersecurity policy. She has a Bachelor’s degree in Information Technology Management from the State University of New York at Delhi, paired with many hours of additional cybersecurity and industry-related training. She is also a Certified Third Party Risk Professional (CTPRP).

