
In the IT Security team where I work, we currently use the Standardized Information Gathering (SIG) tool to evaluate the IT security posture of prospective third-party vendors. What I like about the SIG is that the questions are standardized and, depending on the responses, only relevant follow-up questions are asked.

At very small vendors, though, that may not have a dedicated IT or IT security function, a lot of the SIG questions may not apply. Currently, we are evaluating a smaller vendor providing a niche service, and we are not comfortable with giving due diligence sign-off due to the very limited responses provided on the SIG questionnaire completed by the vendor. A lot of the controls and best practices on the SIG simply are not applicable due to the vendor's size. Furthermore, the vendor will have remote access to our company infrastructure.

Question: what alternative approaches are viable for risk assessment of very small vendors where the market is also small and competitors are of approximately the same size, so switching vendors is not feasible?

Anthony

4 Answers


I have used different approaches (and sometimes combined them) in my work, based upon what it is from the vendor that my company is consuming. We have small vendors that provide us with SaaS services which they host on AWS, or it could be that they are providing services (where we give them data and they perform either analysis or other services), or they could be staff augmentation, etc.

For each type of engagement:

  • I outlined 10 areas (loosely aligned with NIST 800-171) where we would have Risk and some standard questions for the provider to answer that allowed us to assess risk.

  • If the provider is themselves using a third party to host their services or similar, I ask for SOC 1 reports from them.

  • In the contract for service, I have worked with the procurement team to ensure that we put in the ability to audit and validate the existence of controls as indicated in the questionnaire.

  • I ensure that there is an addendum that provides for incident reporting from the vendor to us in a prompt manner.

Quite frankly, small shops that cannot do the basic security due diligence for contracts should not be providing you services. Depending upon your area of business, you are putting yourself at a huge level of risk if the vendor is unprepared for security issues. At the very least, GDPR's requirements and the fines that the EU has levied should remind you to not take this lightly.


Look at NIST 800-171, the requirements list in chapter 3. If you convert this list into a questionnaire for third-party vendors, you will get very practical results.

AleSil

There are various security assessment frameworks that are used by different organizations depending on their business needs, for example ISO 27001, SIG, COBIT, COSO, HITRUST, NIST, CIS, etc. If we are starting out, we can devise a framework/checklist based on ISO 27001, which will be easy to implement and interpret by both parties. Going further, the checklist can be improved by referring to frameworks like COBIT, COSO, etc.


Question: what alternative approaches are viable for risk assessment of very small vendors where the market is also small and competitors are of approximately the same size, so switching vendors is not feasible?

Oh my, that is a very deep question. Risk Assessment is a very complicated thing which differs from environment to environment, so needless to say, what can be OK for one company can be absolutely unacceptable to another.

Since the third-party vendor does not have a dedicated IT Security team, it falls to your team to evaluate the risks of giving them remote access to your environment. But since they do not have an IT security team, the risk will be huge, because the vendor simply does not have mechanisms to protect, and/or to guarantee that it will protect, the sensitive information that will be exposed to them (such as, for example, remote connection credentials/connection properties).

Any framework that is out there (NIST, ISO, PA DSS) has several things in common, such as separation of duties, a mandatory ITsec policy, regular vulnerability scans, and so on, with which a company without a dedicated ITSEC team simply will not be compliant.

Your company has only one option to conduct business with them:

Sign a RAM (Risk Acceptance Memo), provide maximum security for the remote environment that they will be accessing (traffic monitoring, a one-time remote environment, a staging environment), and hope that nothing bad happens.

Rashad Novruzov