CISO Forum Summary – 3rd Party Evaluation & Monitoring
Suggested Best Practices:
- Risk rank and tier vendors: define the perceived risk factors for each vendor.
- Define critical vendors: if a breach occurred at the vendor, would it result in loss of PII or a significant business interruption to your business?
- Define the likelihood of a 3rd party breach that would impact your organization: externally facing systems, user counts, system connectivity, etc.
- Bring other business units such as Legal, Accounting, Sales, Marketing and Operations into the evaluation of 3rd party vendors, since every BU can introduce vendors that increase exposure.
- Gain efficiencies in evaluating vendors so that coverage is not limited to top-tier vendors. Smaller (mid- to lower-tier) vendors can be opportunistic targets for attackers, so greater awareness of them may show where additional controls such as encryption or tokenization are required.
- Ask the vendor's security team, not its sales team, to fill out assessments.
Responding to 3rd party vendor requests:
- Regulated industries such as banking and health care approach 3rd party assessments differently, because responses may be required by regulation.
One CISO recommended not sharing:
- Internal system-level data (processes, settings, scan results, potential findings, etc.). This is the footprint of your company and could create an opportunity for a breach if it gets into the wrong hands.
- Client data or personally identifiable information (PII), meaning any data that could be used to identify a particular client or person.
- It is best to provide an internally developed 3rd party assessment that has been screened for PII and confidential corporate data.
- If a party requests a deeper analysis than your standard report, push back with a Statement of Work and fees to produce the customized report or data.
- It is best to create a mutually trusted, sharing relationship with vendors ("show me yours and I'll show you mine"). The best relationships are give and take.
How do you manage and send out 3rd party assessments:
Tools to push out 3rd party assessments:
- Out of the box 3rd Party Assessment Tools
- Security Studio – My personal favorite – Easy for vendors to use, so they actually complete it. They also offer many free personal (www.s2me.io) and organizational assessment tools.
- Security Scorecard
Workﬂow / Survey Automation Tools to develop your own custom assessment tool:
Use a 3rd Party to evaluate 3rd Parties:
- How much time do you want to spend evaluating vendors' systems? The trend may be to use a 3rd party to evaluate your 3rd parties.
- If a vendor holds a HITRUST certification, some will accept that report in lieu of an assessment.
- A SOC 2 report can be used as an assessment if its findings are evaluated and found acceptable.
3rd Party Evaluation Services:
- Y3P – For the financial industry: a crowd-sourced platform. Because banks share a large overlap of vendors, it provides a monitoring and validation service for financial vendors.
- Bitsight – Active 3rd party monitoring. Bitsight can feel antagonistic to vendors because its ratings contain errors that need to be resolved.
- iTrust – 3rd party assessment certification.
Frequency of 3rd Party Reviews or triggers for new reviews:
- At time of signing up a New Vendor or a Contract Renewal
- Any major upgrade
- When a vendor is in the news or pops up in a threat feed.
- Per SOC 2 and/or regulatory requirements.
- Semiannually or annually for new or mission-critical vendors; be more vigilant with newer partners.
- Established, trusted vendors can be reviewed less frequently.
- For a critical new vendor, conduct an onsite visit (if possible).
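The tiering criteria above (PII exposure and business interruption as impact; external exposure, connectivity and user counts as likelihood) and the review cadence and triggers listed here can be encoded as a small policy engine. The following is an added example, not code from the forum or from any of the tools it mentions; the scoring weights, the 500-user threshold, the two-year "new vendor" window and the tier names are assumptions chosen for illustration, and the vendors are constructed sample data.

```python
"""Vendor risk tiering and review scheduling (illustrative; thresholds are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Events the forum named as triggers for a fresh review.
REVIEW_TRIGGERS = frozenset({
    "new_vendor", "contract_renewal", "major_upgrade",
    "vendor_in_news", "threat_feed_hit", "regulatory_request",
})
LARGE_USER_BASE = 500      # assumed: this many accounts counts as a likelihood factor
NEW_VENDOR_DAYS = 730      # assumed: a vendor is "newer" for its first two years
TODAY = date(2021, 6, 1)   # fixed date so the demo is reproducible


@dataclass
class Vendor:
    name: str
    handles_pii: bool          # breach would expose client data / PII
    business_critical: bool    # outage would be a significant business interruption
    externally_facing: bool    # vendor systems reachable from the internet
    network_connected: bool    # VPN / API / direct connectivity into our environment
    user_count: int            # our users or accounts on the vendor platform
    onboarded: date
    last_review: Optional[date] = None
    certifications: Tuple[str, ...] = ()   # e.g. ("HITRUST",) or ("SOC 2",)


def impact_score(v: Vendor) -> int:
    """Critical-vendor test: would a breach lose PII or interrupt the business?"""
    return 2 * int(v.handles_pii) + 2 * int(v.business_critical)


def likelihood_score(v: Vendor) -> int:
    """Likelihood factors: external exposure, connectivity into us, size of user base."""
    return (int(v.externally_facing) + int(v.network_connected)
            + int(v.user_count >= LARGE_USER_BASE))


def tier(v: Vendor) -> str:
    impact, likelihood = impact_score(v), likelihood_score(v)
    if impact and likelihood >= 2:
        return "critical"
    if impact:
        return "high"
    if likelihood >= 2:
        return "medium"
    return "low"


def is_new(v: Vendor, today: date = TODAY) -> bool:
    return (today - v.onboarded).days < NEW_VENDOR_DAYS


def review_interval_days(v: Vendor, today: date = TODAY) -> int:
    """Semiannual for critical or new vendors, annual for high, every two years otherwise."""
    t = tier(v)
    if t == "critical" or is_new(v, today):
        return 182
    if t == "high":
        return 365
    return 730


def next_review(v: Vendor, today: date = TODAY) -> date:
    baseline = v.last_review or v.onboarded
    return baseline + timedelta(days=review_interval_days(v, today))


def review_due(v: Vendor, today: date = TODAY, events: Tuple[str, ...] = ()) -> bool:
    """Due when the calendar says so or when any named trigger event has occurred."""
    return today >= next_review(v, today) or bool(REVIEW_TRIGGERS & set(events))


def onsite_visit_recommended(v: Vendor, today: date = TODAY) -> bool:
    return tier(v) == "critical" and is_new(v, today)


def acceptable_evidence(v: Vendor) -> str:
    """Which artifact may stand in for the questionnaire, per the forum's guidance."""
    certs = {c.upper() for c in v.certifications}
    if "HITRUST" in certs:
        return "HITRUST report accepted in lieu of assessment"
    if "SOC 2" in certs:
        return "SOC 2 report accepted if findings are reviewed and acceptable"
    return "full assessment sent to the vendor security team"


def sample_vendors() -> dict:
    """Constructed sample data for the demo; these are not real vendors."""
    return {
        "ehr-hosting": Vendor("ehr-hosting", True, True, True, True, 2000,
                              date(2020, 1, 1), date(2021, 1, 15), ("HITRUST",)),
        "newsletter": Vendor("newsletter", False, False, True, False, 10,
                             date(2015, 3, 1), date(2020, 9, 1)),
    }


if __name__ == "__main__":
    for v in sample_vendors().values():
        print(v.name, tier(v), next_review(v), acceptable_evidence(v),
              "onsite" if onsite_visit_recommended(v) else "")
```

The triggers are deliberately a set union with the calendar check rather than a replacement for it: a vendor appearing in a threat feed should pull its review forward regardless of when it was last assessed, while an established low-tier vendor with no events simply waits for its next scheduled date.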
Impacted by SolarWinds?
- Only one CISO out of the 11 present was impacted by the SolarWinds hack.
- About 30% were using SolarWinds, but the others were on versions that were not affected.
- Regulators asked about SolarWinds exposure through 3rd parties, so organizations had to poll their vendors to confirm that their data was separated from any exposure the vendor had.
- If impacted, follow the recommendations from CISA (see Appendix B): https://www.cisa.gov/emergency-directive-21-01
How quickly do you implement upgrades and updates?
- Who can you trust? Some leaders are dedicating an entire product team to evaluating solution tools, to better understand any technology threats that might be introduced by updates or upgrades.
- Is it time to move security programs from a traditional, passive approach to a more cautious, threat-hunting approach?
- Some leaders send all updates and upgrades to critical systems to a lab and run tools against them (internal testing and sandboxing of patches, upgrades, etc.). This does result in longer lead times before a change hits production; in some cases a major upgrade can take 6 to 10 months to validate before it goes into production.
- Unless a patch is deemed critical, it goes through this process.
- Move to a rigorous change management process with this "burn-in" before applying new changes, even to a proven solution.
- Move towards a zero-trust ("no trust") environment.
Tools to help evaluate 3rd party web, software, patches, & upgrades:
- VirusTotal – Analyze software, upgrades and patches.
- ManageEngine – Gets a complete inventory, tracks user activities, mandates reboots for updates.
- AlgoSec – To manage firewall rules.
- Medigate – To monitor medical devices.
- Cyware – Virtual Cyber Fusion Center.
- Darktrace – AI cyber defense platform.
- Vectra – AI-driven network detection and response.
- Trinity Cyber – Inline (man-in-the-middle) threat protection service.
Involving Security in the vendor agreement process:
- For all new vendor services involving technology, the cyber team should be involved in the contracting process to embed security clauses in the agreements.
- If vendors are reluctant to fully disclose their details, use contract language to cover liabilities.
- For critical vendors, build performance and cyber SLAs into contracts.
- Contracts may reduce cyber insurance costs if liability is transferred; however, evaluate business outage costs even when liability is transferred, since an outage still hurts you.
- Start working on contract renewals early with large critical vendors to allow time to fully vet the contracts. It may require hiring attorneys and contract negotiators to ensure the proper terms and SLAs are built in.
What to do when a Vendor doesn’t pass an established level of scrutiny?
- Establish a governance council that makes the final business decision.
- Security does not make the decision; it owns only the review-and-recommend process.
- The business must agree on the risk level and decide whether the risk is acceptable.
- Track it and document it.
Do you help raise the level of competency of vendors?
- Share what is required, but do not coach vendors or prescribe how to remediate. If you do, you take on liability for the outcome.
- A vendor needs to right-size a solution for its own business, not adopt yours.
- 3rd party assessments are finally getting executive exposure and support.
- Leverage Enterprise Risk to apply quantitative risk management models that quantify actual financial impact. Some BUs have very robust quantitative risk numbers but need to do a better job of quantifying technology vendor risk.
- More use of 3rd party firms to validate 3rd parties.
- Bring in a dedicated compliance person to handle vendor evaluation so the security team stays focused.
- Build in-house capability to analyze all new technologies by upgrading the SOC with tier-three threat hunters and AI tools to monitor all updates and systems.
- Newer technologies coming online, such as internet-connected AI, surgical robots and remote evaluation tools, will continue to present new challenges for security departments.
Thanks to the security leaders who joined our CISO Forum and provided such insightful advice on how to improve your security program.
If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.
About Tim Howard
Tim Howard is the founder of 4 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST based security assessments.
In addition, he has a passion for helping CISOs develop higher-performing teams through coaching, by creating interactive CISO Forums, and by helping them build highly effective team cultures.
With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.
He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.
Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.
Invite Tim to connect: www.linkedin.com/in/timhoward