I wonder what a small startup would typically do concerning third-party compliance?
Are you expected to send third-party vendors a security questionnaire? Do you need to do that regularly?
It depends on your risks and whether you need a certain level of assurance in order to keep your risks to an acceptable level.
Questionnaires are standard, but you need a security person who can understand the responses.
Most 3rd parties get assurance from 3rd party auditing and certification. That's where SOC 2 Type 2 reports come in handy, ISO 27k certification, etc.
I'd expect a small startup to, generally, do the same things as a large corporation when it comes to compliance of the third-party products and services that they use.
First, I'd expect the organization to perform a risk assessment. Not all products and services provided by third parties are created equally. Generally, this is based on what would happen if a risk materializes. Based on the risk to the organization, different levels of security controls and compliance standards may be required before going forward.
Regardless of the risk, I'd expect minimally an open-source intelligence gathering effort. This would provide information that the product or service meets requirements and that the vendor is stable. Terms of use and privacy policies, along with any documented security practices are good starting points.
As the risk level increases, I'd expect more information to be required. Third-party audits are generally useful, especially for a startup that may not have enough people with the right background to audit vendors. This is why there are certifications against the Trust Services Criteria and ISO 27001. Depending on your industry and needs, there are also assessments and audits for other standards that could be relevant.
The specific audit reports may not be available for review. Some reports may be limited in distribution, and unless you're a prospective or current customer of the audited party, you may not be able to obtain them. You also may not be able to share them with your clients or customers.
In most cases outside of the most critical systems, the audits and assessments against recognized standards should be sufficient for most organizations. However, if the risk assessment determines that it is necessary (either because of a lack of audits or because of the criticality of the vendor's product), then a questionnaire for or audit of the vendor would be appropriate.
The problem with questionnaires or audits is that they require sophistication on the part of the auditor. This could be harder if you're a small startup - even if you have the right skills to assess vendors, you may not have the time or money to appropriately assess all vendors. You may be in a position where you need to accept the risk of selecting a vendor that doesn't have certifications because their product does what you need at a cost you can afford.
In my experience, vendor assessments are reviewed annually. This would include an update to the risk assessment of the vendor and a review of the vendor's certifications, a revised questionnaire, or an audit. Known changes to the vendor's product and its use may trigger an earlier review.
To add to what others have said...
There are tools out there - like UpGuard CyberRisk - that'll help, but policy and process are the first cabs off the rank. I would suggest that the first step in a risk assessment for a third-party SaaS vendor (which is what I assume you're talking about) involves understanding what data they're storing or processing on your behalf and where it sits in your data classification scheme.
I take the view that if they have SOC 2 or ISO 27001 certification they've had the health of their infosec lives assessed better than I'll be able to with a questionnaire, so if they can provide this they're off the hook for answering reams of questions. (Bitter experience also makes me make clear at this point that a satisfactory third-party review does not constitute a whole-hearted approval of whatever engineering solution is proposed...)
We're just starting to wrestle with periodically redoing our vendor assessments - just getting them onboarded (and making sure there is a process for this communicated through the business) has been enough of a challenge up until now. We settled on a three-yearly review cycle in general ... but we also mark those vendors with high-risk data / certification to provide evidence of SOC 2 / ISO etc. remaining current.
We use UpGuard, and that does make some of the challenges a bit easier, although there's still a bunch of work involved. If I was forced into reinventing this myself with Excel or something, I'd say... just having a repository of all your third-party vendors' security contacts outside someone's Outlook is a pretty good first artifact to generate...
Good luck!