Dark Reading is part of the Informa Tech Division of Informa PLC

How to Fine-Tune Vendor Risk Management in a Virtual World

Without on-site audits, many organizations lack their usual visibility to assess risk factors and validate contracts and SLAs with providers.

Vendor risk management is nothing new to most security and privacy professionals. Programs for managing vendors are typically well-established and have run like clockwork for quite some time — with many firms requiring their critical vendors to allow access for periodic on-site assessments of privacy, security, and other controls. But as with so many things this year, the coronavirus pandemic has brought well-oiled vendor risk management processes to a screeching halt. Now, without the ability to conduct on-site audits, many organizations lack their usual visibility to assess risk factors and validate whether their providers are doing all they have agreed to in their contracts and service-level agreements (SLAs).

This is particularly concerning given that vendors and third-party providers are a prime source of security, privacy, and compliance breaches. Risk Based Security reported that the incidence of breaches "involving companies handling sensitive data for business partners and other clients" rose by 35% from 2017 to 2019 and exposed 4.8 billion records last year.


Security and privacy professionals are well aware of the potential for exposure among their outside partners, which is why most follow the best practice of ranking their vendors on a hierarchy spanning low risk to high risk, with close attention, auditing, and on-site visits paid to the highest risk vendors. Even without on-site access, organizations still face the same risk management and regulatory obligations to monitor and ensure third parties are protecting their information. But obtaining a high level of assurance without seeing items firsthand is tricky. Organizations must now take their previous assessment plans and modify the testing steps to enable virtual assessments.

Here are some key considerations for making those adjustments. 

Start With a Review of Risk Rankings for All Third Parties
This will help determine whether any rankings have changed as a result of the pandemic. Have any vendors missed SLA obligations? If so, a safe bet is to increase their risk rating until there is visibility into the root causes of those slips in service. This step also includes examining the countries in which each vendor operates and how those countries have been affected by the events of this year. This may require engaging the internal stakeholders who represent the user group to understand any service disruptions they have seen.

Update Previous Assessment Criteria
Updates will focus on additional or elevated risks that may have been introduced by remote workers at your organization or at your vendors. Work-from-home conditions and supply chain impacts are two areas that should be looked at closely in today's risk assessments. For work-from-home conditions, focus on what measures the third party has put in place to ensure a secure work-from-home environment, including training on protecting sensitive information and security requirements for connecting to the network. Vendor resiliency — i.e., what third parties have done to stabilize their operations during the pandemic and what lessons they've learned along the way — should also be added to the assessment criteria.

Leverage Existing and Past Reports
Everything from SOC 2 reports to the results of other audits will help you understand where to focus scrutiny during assessments. Likewise, if you completed an assessment of a vendor within the past couple of years, it is likely that many of the controls observed then are still in place. While this does not remove the need to test the controls, it can provide a higher level of assurance for controls that can't be validated remotely.

Use Collaboration Tools
Collaboration tools will let you verify controls and see how training systems are managed and tracked. Live demos of key systems and video tours of critical areas and materials can provide sufficient alternatives to in-person visits. Ask your vendor to give you insight into its change management tools, including ticketing systems, and use secure portals for sharing policy documents and evidence, so you can gain a more comprehensive picture of the vendor's internal procedures.

Establish Ongoing Monitoring for Key Service and Compliance Metrics
Pay close attention to red flags, including missed SLAs, data breaches, and any gaps in vendors' business continuity.

Increase Sample Sizes
It's especially useful to look at broader time frames for higher-risk areas. This helps ensure that the process or control being evaluated has been in place and has been operating effectively and consistently for an extended duration — particularly during the pandemic.

Someday, we'll return to a version of life as we knew it, and in-person visits will resume. But until then, remember that the risk of a business or vendor failure is higher in our current environment than it is in typical circumstances. Organizations need a contingency plan for various scenarios, including exposure due to third-party actions (or inactions) and the failure of a high-risk third party. Be ahead of and prepared for these scenarios by establishing strong incident response, developing plans for moving systems in-house or to alternate providers as needed, and maintaining continuity for ongoing and robust risk assessments.

Ryan Smyth, Managing Director, FTI Technology. Ryan Smyth is a Managing Director in FTI Consulting's Technology segment. He advises clients on a wide range of regulatory and compliance issues, with a specific focus on privacy, information security, data governance and business ...
