The Vendor Risk Checklist You Need Before Signing a Contract
Validate Vendor Risk Management with a Security Checklist
We’ve compiled a checklist of items that your company can use to protect its infrastructure whenever it starts working with a new vendor, as part of routine vendor risk management processes. A vendor’s systems can be a threat to you when both parties’ systems are connected together. This can be via an application interface, a remote connection, or the vendor’s employees connecting to the customer’s network when its employees walk in the door.
A vendor’s systems can be the vector by which a company is hacked. Case in point: Target.
The details of the Target data breach have finally been relayed to security researchers and the media. Target was attacked by computers at Fazion Mechnical, a company that maintains the refrigerators for the giant retailer. The two companies’ networks are connected, since Fazion Mechnical needs to monitor those refrigerators.
The Weakest Spots in Security
Before we provide due diligence and vetting steps that your company can take prior to working with a new vendor, a brief review of two often-overlooked aspects of IT security defense is in order.
Employees are the Main Problem
Someone working on the inside can obviously steal data, but the main risk is lack of employee security awareness training. Phishing remains the #1 attack vector. Therefore, your employees need to be reminded of the dangers of clicking on links in emails.
Your Company Must Maintain a Defensive Posture
If the military and the world’s largest banks have been hacked, it is reasonable to assume that any company can be hacked. A corollary is that security software does not work all the time. Thus, a company must always work from the posture that it has already been attacked which could mean having a forensics partner in place and being ready with a communication strategy to notify affected customers and partners in case of a data breach.
The Checklist: Vet Your Vendors
Vetting means executing due diligence by checking a vendor’s systems, policies, and procedures for security weaknesses. This means running through a checklist to make sure that the vendor adheres to the same security standards that protect your company from attack. You must ensure that security leaks are plugged in terms of both the vendor’s computers and its people.
Your company can adopt different standards and risk management plans to help mitigate risk. Then there are OCC and HIPAA rules, if required by your industry. All of these plans and standards tend to be written at a high level, so here are some specific items to check that your IT person will understand:
This means documenting access to machines. Procedures should exist for granting employees access and taking it away when their roles change or they leave the company. This can be done through the IAM system and workflow. The certification procedure needs to be connected to the log monitoring system so it knows when someone is using an expired account or when someone has been granted elevated privileges without proper certification.
Not every company is going to be sophisticated enough to use Splunk or ELK to monitor logs with advanced analytics to flag security incidents. In such cases, the vendor should ideally use a Managed Services Security Provider to monitor its logs and network traffic.
Companies should stop using completely internal passwords and add Two-Factor Authentication (TFA). Companies that maintain this is too difficult to implement for existing apps can use an app like OKTA to front-end their systems. One problem with TFA is service accounts. It is usually not possible to enter a token for those accounts since the systems that require tokens are started by others and then left alone. Yet service accounts, in particular those with default passwords, are a common way for hackers to gain access to a system. So their passwords need to be changed with some frequency. Despite the inconveniences this poses, such as downtime and the risk that a system might not start up again when connecting to other systems after a password change, frequent changes are a very necessary security step.
Security Awareness Training for Employees
Companies should train employees annually on security and provide training program for new hires.
Employee-owned smartphones and tablets pose less risk than laptops because they are less riddled with security weaknesses than Microsoft Windows. Still, some rules should be in place to protect even these company assets, like making sure that screens lock after a certain number of seconds of inactivity. One problem with Android, in particular, is that apps often request access to user contacts even when they do not need them. This is true for popular and supposedly honest apps like Twitter, so users become accustomed to it. However, in the case of hacker apps, that weakness can be exploited to rob contacts for phishing purposes. Employees should be instructed to be careful about what they install on their own devices.
Access to your company’s network should be via VPN or Windows Remote Desktop. The connection from the vendor to the client company should be via IPsec VPN.
Your company needs to have some policies to prevent, for example, a hacker from simply walking into the data center and removing a drive from a storage array.
Email Spam Software
Since phishing is still the number-one attack vector, every company needs good anti-spam software.
Security experts will tell you that antivirus is not as effective as it once was in the past. Still, any CIO would have a hard time explaining why his or her company does not use it.
Your company must have a procedure for disconnecting old devices from the network when they are no longer needed.
Microsoft, Adobe, and other companies send out patches almost daily. So your vendor needs a system to make sure these are applied daily to protect against zero-day attacks. These are only some of the items that your company can add to a checklist to make sure that the vendors it works with adhere to security best practices. These practices will help keep your vendors from being the conduits through which your company gets hacked and suffers the loss of customer or company data.
These are only some of the items that your company can add to a checklist to make sure that the vendors it works with adhere to security best practices. These practices will help keep your vendors from being the conduits through which your company gets hacked and suffers the loss of customer or company data.
Concerned about the frequency and timing of your vendors patching practices? Patching Cadence is one of ten security risk categories and factors included in SecurityScorecard’s benchmarking platform.