Dark Reading is part of the Informa Tech Division of Informa PLC

Risk | 2/19/2021, 10:00 AM

How to Fine-Tune Vendor Risk Management in a Virtual World

Without on-site audits, many organizations lack their usual visibility to assess risk factors and to validate that providers are meeting their contracts and SLAs.

Vendor risk management is nothing new to most security and privacy professionals. Programs for managing vendors are typically well established and have run like clockwork for quite some time, with many firms requiring their critical vendors to allow periodic on-site assessments of privacy, security, and other controls. But as with so many things this year, the coronavirus pandemic has brought well-oiled vendor risk management processes to a screeching halt. Now, without the ability to conduct on-site audits, many organizations lack their usual visibility to assess risk factors and to validate whether their providers are doing all they have agreed to in their contracts and service-level agreements (SLAs).

This is particularly concerning given that vendors and third-party providers are a prime source of security, privacy, and compliance breaches. Risk Based Security reported that the incidence of breaches "involving companies handling sensitive data for business partners and other clients" rose by 35% from 2017 to 2019 and exposed 4.8 billion records last year.

Security and privacy professionals are well aware of the potential for exposure among their outside partners, which is why most follow the best practice of ranking their vendors on a scale from low risk to high risk, with the closest attention, auditing, and on-site visits reserved for the highest-risk vendors. Even without on-site access, organizations still face the same risk management and regulatory obligations to monitor third parties and ensure they are protecting the organization's information. But obtaining a high level of assurance without seeing items firsthand is tricky. Organizations must now take their previous assessment plans and modify the testing steps so that the assessments can be performed virtually.

Here are some key considerations for making those adjustments. 

Start With a Review of Risk Rankings for All Third Parties
This will determine whether any rankings have changed as a result of the pandemic. Have any vendors missed SLA obligations? If so, a safe bet is to raise their risk rating until you have visibility into the root causes of those slips in service. This step also includes examining the countries in which each vendor operates and how those countries have been affected by the events of this year. It may require engaging the internal stakeholders who represent the user group, to understand any service disruptions they have experienced.

Update Previous Assessment Criteria
Updates should focus on additional or elevated risks introduced by remote workers at your organization or at your vendors. Work-from-home conditions and supply chain impacts are two areas that deserve close examination in today's risk assessments. The work-from-home review should focus on the measures the third party has put in place to secure its remote working environment, including training on protecting sensitive information and security requirements for connecting to the vendor's network. Vendor resiliency, meaning what third parties have done to stabilize their operations during the pandemic and what lessons they have learned along the way, should also be added to the assessment criteria.

Leverage Existing and Past Reports
SOC 2 reports and the results of other audits will help you decide where to focus scrutiny during assessments. Likewise, if you completed an assessment of a vendor within the past couple of years, many of the controls observed then are likely still in place. While this does not remove the need to test the controls, it can provide a higher level of assurance for controls that cannot be validated remotely.

Use Collaboration Tools
Collaboration tools let you verify controls directly, including how training systems are managed and tracked. Live demos of key systems and video tours of critical areas and materials can be adequate substitutes for in-person visits. Ask your vendor for insight into its change management tools, including ticketing systems, and use secure portals for sharing policy documents and evidence, so you can build a more comprehensive picture of the vendor's internal procedures.

Establish Ongoing Monitoring for Key Service and Compliance Metrics
Pay close attention to red flags, including missed SLAs, data breaches, and any gaps in the vendor's business continuity.

Increase Sample Sizes
It is especially useful to sample across broader time frames for higher-risk areas. This helps establish that the process or control being evaluated has been in place and has operated effectively and consistently over an extended period, and in particular throughout the pandemic rather than only at a single point in time.

Someday we will return to a version of life as we knew it, and in-person visits will resume. Until then, remember that the risk of a business or vendor failure is higher in the current environment than under typical circumstances. Organizations need a contingency plan for various scenarios, including exposure due to third-party actions (or inactions) and the failure of a high-risk third party. Get ahead of these scenarios by establishing strong incident response, developing plans for moving systems in-house or to alternate providers as needed, and maintaining continuity of ongoing, robust risk assessments.

Ryan Smyth, Managing Director, FTI Technology. Ryan Smyth is a Managing Director in FTI Consulting's Technology segment. He advises clients on a wide range of regulatory and compliance issues, with a specific focus on privacy, information security, data governance and business ...