Controlling third-party vendor security

As the saying goes, you are only as strong as your weakest link. In the security industry that means your company’s security is only as strong as your weakest third-party vendor’s security.

Almost without exception, a third-party vendor or affiliate is involved in data breaches.

These third-party vendors open up “doors” into your company so they can provide their service, but they could also be letting hackers in.

Preventing a third-party data breach

For most companies, 100% in-house security is not an option; most of us need third-party security vendors to help us keep our businesses secure, but it is up to you to make sure they are doing their jobs. From application assessment to contract improvements, here are three ways you can improve third-party vendor security:

Evaluate application integrity

Don’t be shy when it comes to fact-checking a vendor’s claims. If you are at all concerned, bypass the sales person and ask to talk with someone who directly handles security. Here are a few topics to get the conversation started:

• Certification & compliance: Do they have the coverage you find satisfactory? If it is a custom application, make sure they adhere to a formal secure development lifecycle.
• Controls: First, ask what – specific – layer controls they have in place. Then, ask what other measures they have to protect against data leakage.
• Pen testing: Of course you want to know if they are regularly pen-testing, but really test their confidence by asking if you can test the code.
• Audit: User account activity, patch levels and AV updates need to be tracked, but ask about the other metrics that are important to you.

Assess security functionality

Now we are back to our quote from the beginning – an application is only as strong as it’s weakest functionality protocol. You need to be concerned about authentication and authorization. On a basic level, you need to have roles set up – everyone should not have admin rights. You also need to make sure there are both vertical and horizontal privilege controls and that you understand the access inheritance model.

Pay close attention to the contract

Experts recommend that your Business Associate Agreements (BAA) should require third-party contractors to, “comply with the same security framework imposed within the company,” and, “where appropriate, companies should secure the right to audit their third party contractors and then actually complete such audits.”

In addition, at a minimum, contracts should address:

• Information security;
• Information privacy;
• Threat and risk analysis;
• Compliance obligation range;
• Enforcement mechanisms;
• Internal audit access and disclosure requirements;
• Foreign corrupt practices management.

Preventing a third-party data breach requires you do your due diligence. You have worked hard to secure your business – don’t let that investment be compromised by poor third-party vendor security.