Tech Companies Create Security Baseline for Enterprise Software

The Minimum Viable Secure Product is written as a checklist of minimum-security requirements for business-to-business software.

A new vendor-neutral security baseline called the Minimum Viable Secure Product (MVSP) is designed to list minimum acceptable security requirements for B2B software and business process outsourcing suppliers. MVSP was developed and backed by tech companies including Google, Salesforce, Slack, and Okta.  

"Our goal is to increase the minimum bar for security across the industry while simplifying the vetting process," states Royal Hansen, vice president of security at Google, in a blog post. He cites an Opus and Ponemon Institute study that found 59% of companies have experienced a breach caused by one of their vendors or a third party.

Organizations have traditionally had to design and implement their own security baselines for vendors according to their risk posture; however, this creates an "impossible situation" for vendors and enterprises as they try to accommodate thousands of different requirements.

The MVSP aims to lessen the complexity of procurement, RFP, and vendor security assessment with a checklist of minimum acceptable baselines to verify a product's security posture and understand its security gaps.

"Designed with simplicity in mind, the checklist contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture," officials say at the top of the document.

All companies building B2B software or handling sensitive information "under its broadest definition" are advised to implement the controls.

