CISO Forum Summary: Best Practices for 3rd Party Security Assessments

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics. Recently, we discussed best practices around 3rd Party Security Assessments.

Suggested Best Practices:  The security leaders on the forum outlined several steps for establishing a vendor assessment program.

Step 1:  Develop criteria to classify vendors into tiers.

  1. Tier 1:  Critical Vendors – Vendors that are connected to your environment and have access to PII.  (ex. HR SaaS vendor, cloud data provider)
  2. Tier 2:  High-Value Vendors – Either a critical vendor that does not have PII access, or a replaceable vendor that does have access to PII.  (ex. Critical supply chain vendor, or benefits provider)
  3. Tier 3:  Mid-Level Vendors – Could impact the business, but with lower probability.  (ex. Components required for manufacturing your product)
  4. Tier 4:  Lowest Priority Vendors – Easily replaceable vendors with no access to PII.  (ex. Office supplies or coffee vendor)

Step 2:  Define the process for assessing each vendor – example below:

  1. Tier 1:  These receive the most extensive risk and cyber questionnaire (50 to 100 questions), followed by a personal follow-up on the answers.
  2. Tier 2:  A smaller questionnaire (10 to 15 questions), also with a personal follow-up.
  3. Tier 3:  No questionnaire; insert an appropriate Security Addendum (see below) into the contract.
  4. Tier 4:  No assessment required.

Step 3:  Work with the business leaders/owners to slot each vendor into a tier.

Step 4:  Decide when each tier is assessed.  The forum's triggers were:

  1. At initial contract signing.
  2. Annually thereafter.
  3. Whenever the vendor is breached.

Step 5:  Develop a process:

  1. Run a consistent process throughout the whole assessment so every vendor has the same experience.  Consistent results allow a side-by-side comparison of vendors, which can be used to set targets with leadership and, in turn, to justify budgets for achieving those targets.
  2. Consider using a 3rd party tool to reduce the workload and help focus scoring on the high-priority issues.
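The tiering rules in Step 1, the per-tier assessment depth in Step 2 and the cadence in Step 4 are easy to encode once, so that a vendor inventory can be classified and a review queue produced the same way every time (Step 5). The following is an added example, not code from the forum or from Fortify Experts. The vendor attributes (critical, PII access, business impact), the 365-day annual window, and the rule that a breach after the last assessment puts the vendor straight back in the queue are assumptions made to make the rules executable; the vendor inventory is constructed for illustration.

```python
"""Vendor tiering and assessment scheduling helper (added example).

Encodes the forum's tiering criteria and assessment cadence so an
inventory can be classified consistently.  Attribute names, the
365-day window and the breach rule are assumptions, not the forum's.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple, List


@dataclass
class Vendor:
    name: str
    critical: bool            # hard to replace / business-critical (assumed attribute)
    pii_access: bool          # connected to us and handling PII
    business_impact: bool     # failure could impact the business (Tier 3 test)
    contract_start: date
    last_assessed: Optional[date] = None
    last_breach: Optional[date] = None


def classify_tier(v: Vendor) -> int:
    """Map a vendor onto the four forum tiers."""
    if v.critical and v.pii_access:          # Tier 1: critical AND PII access
        return 1
    if v.critical or v.pii_access:           # Tier 2: critical without PII, or replaceable with PII
        return 2
    if v.business_impact:                    # Tier 3: replaceable, no PII, but could hurt the business
        return 3
    return 4                                 # Tier 4: easily replaceable, no PII


# Assessment depth per tier: question-count range, personal follow-up,
# and whether the Security Addendum goes into the contract.
# Assumption: tiers 1 and 2 also carry the addendum, since it is what
# obliges critical vendors to complete the annual VSA.
ASSESSMENT_PLAN = {
    1: {"questions": (50, 100), "follow_up": True,  "addendum": True},
    2: {"questions": (10, 15),  "follow_up": True,  "addendum": True},
    3: {"questions": (0, 0),    "follow_up": False, "addendum": True},
    4: {"questions": (0, 0),    "follow_up": False, "addendum": False},
}

ANNUAL = timedelta(days=365)  # assumed length of the "annual" cadence


def next_assessment(v: Vendor) -> Optional[Tuple[str, date]]:
    """Return (trigger, due date) for tiers that get a questionnaire, else None.

    Triggers follow the forum's cadence: initial contract, annual, and breach.
    A breach later than the last assessment re-opens the assessment at once.
    """
    if classify_tier(v) >= 3:                # Tier 3 = addendum only, Tier 4 = nothing
        return None
    if v.last_assessed is None:
        return ("initial contract", v.contract_start)
    if v.last_breach is not None and v.last_breach > v.last_assessed:
        return ("vendor breach", v.last_breach)
    return ("annual", v.last_assessed + ANNUAL)


def review_queue(vendors: List[Vendor], today: date) -> List[Tuple[str, int, str, date]]:
    """Vendors whose assessment is due on or before `today`, highest tier first."""
    queue = []
    for v in vendors:
        due = next_assessment(v)
        if due is not None and due[1] <= today:
            queue.append((v.name, classify_tier(v), due[0], due[1]))
    return sorted(queue, key=lambda row: (row[1], row[3]))


# Constructed inventory for illustration (not real vendors).
SAMPLE_VENDORS = [
    Vendor("HR SaaS", True, True, True, date(2022, 1, 10), last_assessed=date(2023, 1, 10)),
    Vendor("Benefits provider", False, True, True, date(2023, 6, 1)),
    Vendor("Cloud data provider", True, True, True, date(2021, 3, 1),
           last_assessed=date(2023, 3, 1), last_breach=date(2023, 9, 15)),
    Vendor("Parts supplier", False, False, True, date(2022, 5, 1)),
    Vendor("Coffee vendor", False, False, False, date(2022, 5, 1)),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name:22} tier {classify_tier(v)}  {ASSESSMENT_PLAN[classify_tier(v)]}")
    for row in review_queue(SAMPLE_VENDORS, date(2023, 10, 1)):
        print("DUE:", row)
```

Running it as of 2023-10-01 puts the benefits provider (never assessed since contract start) and the cloud data provider (breached after its last assessment) in the queue, while the HR SaaS vendor is not due until its annual date in January. The point of keeping the rules in one place is the side-by-side comparison the forum described: every vendor is tiered by the same test, so the queue can be defended to leadership.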

Note: Cyber insurance provider Lockton is releasing an extensive 39-page assessment in 2023 which asks for the percentage of completion of certain controls.

The downsides of Vendor Security Assessments (VSA):

  1. The questions are usually very broad and often do not ask the right questions to really determine the level of security.
  2. A VSA only measures a point in time.
  3. Chasing down vendors to complete it takes effort.
  4. There is no way to ensure a knowledgeable person is entering the data, which can undermine the validity of the assessment.
  5. The quality of the results is often low at best, but the VSA is a checkbox proving the questions were asked.
  6. If a firm is going to do business with a vendor no matter what the assessment says, then completing the assessment is only done to CYA.

Note:  If security risks are identified and the business still wants to use the vendor, write the business owner a letter warning them of the risk.  This provides some CYA and transfers the decision back to the business owner.

3rd Party Evaluation Services:

  1. Bitsight – Active 3rd party monitoring; ratings can give you crucial visibility into your digital ecosystem.
  2. SecurityScorecard – Outside-in view of your organization's network security across 10 risk factors.
  3. RiskRecon – Rates and profiles risks around CVEs, hostnames, IP addresses, asset value, issue severity, and computing architecture.

Issues with 3rd Party Evaluation Services

  1. These are considered "a necessary evil" for public companies because analysts and the board of directors (BOD) see the ratings and judge the security team by them.
  2. They do not have much useful data and often contain erroneous data such as old domains.
  3. They only measure what is exposed on the internet and do not grasp what is exposed within the infrastructure.
  4. One leader likened them to a "drive-by appraisal of your house."

Use a Security Addendum to Off-Load Vendor Risk to Legal 

Another leader discussed how he off-loaded security risk by developing a Security Addendum which was included in the vendor contracts.

The Security Addendum can include language requiring the vendor to:

  1. Complete an annual Vendor Security Assessment (VSA), or provide details of its own annual security assessment (ex. SOC 2 Type 2), if it is a critical vendor.
  2. Notify you of a breach within 48 hours.
  3. Provide an incident response contact person.
  4. Protect your data and provide evidence of that protection as required.
  5. Escrow source code and back up data (for software vendors), so that if the vendor becomes insolvent you can still get access to that code and data.

Adding a Security Addendum transfers the liability from Security to Legal.  If an immature vendor redlines parts of the Security Addendum in the contract, the general counsel has to get involved.  The GC is risk-averse and often has more influence than a security leader, which makes the legal team the enforcement arm of your vendor assessments.

The Security Addendum can be leveraged to improve cyber insurance, and compliance with GDPR, SOX, and HIPAA. 

Is SOC2 enough?  

The Leaders agreed that if a firm has completed a satisfactory SOC 2 Type 2 assessment, it would often be accepted in lieu of a VSA.  

International 3rd Party Vendors:

For international vendors, evidence of security is very limited.  It is therefore recommended to collect any evidence available to show you took the best possible path of due diligence, to protect yourself in case an event occurs.  Ultimately the question becomes, "Would a jury of your peers agree that you did the best you could do in that situation?"

Security vs. Risk Management

Security is not the risk assessment group. That’s up to Risk or Legal.  

Regulators are often open to the idea of running risks through a Risk Management Framework and then discussing whether your firm is willing to accept that amount of risk. 

Is it right to hand over all your security material when someone asks, "Send me all your security policies and scans?"

  1. Confirm that the requester has someone qualified to read and understand what would be reviewed.
  2. Require them to define how they will secure the material, which contains proprietary detail that could expose vulnerabilities.
  3. Offer an on-site review only.

Note:  Be careful about what is published on the internet and intranet.  Are there policies that might expose vulnerabilities about internal processes, IP addresses, or an incident response plan if it got into the wrong hands? 

In Summary:

Thanks to the security leaders who joined our CISO Forum and provided such insightful advice on how to improve your security program.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

About Tim Howard

Tim Howard is the founder of 4 technology firms including Fortify Experts, which helps companies hire the Best Cyber Talent on the Planet and provides expert consulting and NIST-based security assessments.

In addition, he has a passion for helping CISOs develop Higher Performing Teams through staffing, coaching, CISO Forums, and improving their team culture.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.