How do you assess the security of third-party vendors or partners, and what measures do you take to mitigate risks associated with them?

Recommended Comments


Posted (edited)

By enforcing a supplier relation policy which triggers a risk assessment. Unlike the traditional approach, which is based on certification, we found that discussion with vendor duty holders provides much more valuable insight, not only into what certifications and frameworks they utilise, but more importantly, how deeply they actually understand them. More often than not, such interviews reveal that important security measures are present formally but not applied fundamentally. This is among the upper-level risks, as it would otherwise provide a false sense of security.

If a supplier demonstrates a reasonable threshold to be considered low to medium risk for the specific data categories being exchanged, various models are applied to protect the business from security incidents. Some of them are:

  • Data minimisation - ensuring only the data required to complete the lifecycle of the product / service is shared with the supplier.
  • Data pseudonymisation - if the supplier can operate on pseudonymised data, we model the process to disassemble the data and provide generated pseudonymised content, which is assembled back after the supplier's processing operation.
  • Ensuring the security measures we can control are in place. Encryption in transit is something we can observe. Encryption at rest and the data retention policy are things that require periodic checks by a human. We usually set periods in which we ask the supplier to provide us with all the data they have. From there it is evaluated whether there are records stored for longer periods of time than initially communicated.
  • Periodic evaluation. We trigger a PIA at least yearly or in the event of a significant change, whichever comes first.
  • Obtaining approval from the supplier to conduct independent audits. While this is a last-resort measure, in general a supplier who is confident in their security best practices would have no issue allowing an independent review. Failure to comply with / approve such a request may be a consequence of non-security-related matters too, such as industrial espionage; however, we are not willing to take the risk of not being able to hire an independent third-party auditor if we need to.

Finally, and most importantly, trust built over time. Security incidents happen. Establishing a relationship based on ethical values and trust is equally as important as technical and tactical measures. Keeping in touch and exchanging knowledge regarding up-to-date security practices and opinions benefits both the supplier and our business and raises awareness, as well as pointing to potential risks that could not be found using traditional methods, such as non-technical business logic vulnerabilities and fraud.

Edited by Stefan C
adding more content
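The pseudonymisation model in the bullet above (disassemble the record, send the supplier only generated pseudonyms, reassemble on return) as an added Python example; this is illustrative code, not anything from the original post or its author. The field names, the `PseudonymVault` class and the simulated `supplier_process` step are constructed assumptions.

```python
import secrets

# Direct identifiers the supplier must never receive (constructed for this example).
DIRECT_IDENTIFIERS = ("name", "email")


class PseudonymVault:
    """Token <-> identity mapping, kept on our side only and never shared with the supplier."""

    def __init__(self):
        self._forward = {}  # identity tuple -> token
        self._reverse = {}  # token -> {field: value}

    def disassemble(self, record):
        """Strip direct identifiers and replace them with one opaque, random token."""
        identity = tuple(record[f] for f in DIRECT_IDENTIFIERS)
        token = self._forward.get(identity)
        if token is None:
            token = "psd_" + secrets.token_hex(8)  # random: not derivable from the data
            self._forward[identity] = token
            self._reverse[token] = dict(zip(DIRECT_IDENTIFIERS, identity))
        payload = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        payload["subject"] = token
        return payload

    def reassemble(self, processed):
        """Re-attach identity to the supplier's result; reject tokens we never issued."""
        token = processed.get("subject")
        if token not in self._reverse:
            raise ValueError(f"supplier returned unknown token {token!r}")
        merged = {k: v for k, v in processed.items() if k != "subject"}
        merged.update(self._reverse[token])
        return merged


def supplier_process(payload):
    """Simulated supplier step (constructed): scores an order without seeing who placed it."""
    return {"subject": payload["subject"], "risk_score": min(100, payload["amount"] // 10)}


def round_trip(records):
    """Disassemble -> supplier -> reassemble, returning results with identity restored."""
    vault = PseudonymVault()
    outbound = [vault.disassemble(r) for r in records]
    # Guard: nothing leaving our side may still carry a direct identifier.
    assert not any(f in p for p in outbound for f in DIRECT_IDENTIFIERS)
    return [vault.reassemble(supplier_process(p)) for p in outbound]
```

The mapping lives only in the vault, so a breach at the supplier exposes tokens and amounts but no identities; the unknown-token check catches results for subjects we never sent.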