Dark Reading is part of the Informa Tech Division of Informa PLC
2/19/2021
10:00 AM
How to Fine-Tune Vendor Risk Management in a Virtual World

Without on-site audits, many organizations lack their usual visibility to assess risk factors and validate contracts and SLAs with providers.

Vendor risk management is nothing new to most security and privacy professionals. Programs for managing vendors are typically well-established and have run like clockwork for quite some time — with many firms requiring their critical vendors to allow access for periodic on-site assessments of privacy, security, and other controls. But as with so many things this year, the coronavirus pandemic has brought well-oiled vendor risk management processes to a screeching halt. Now, without the ability to conduct on-site audits, many organizations lack their usual visibility to assess risk factors and validate whether their providers are doing all they have agreed to in their contracts and service-level agreements (SLAs). 

This is particularly concerning given that vendors and third-party providers are a prime source of breaches in security, privacy, and/or compliance. Risk Based Security reported that the incidence of breaches "involving companies handling sensitive data for business partners and other clients" rose by 35% from 2017 to 2019 and exposed 4.8 billion records last year.

Security and privacy professionals are well aware of the potential for exposure among their outside partners, which is why most follow the best practice of ranking their vendors on a hierarchy spanning low risk to high risk, with close attention, auditing, and on-site visits paid to the highest risk vendors. Even without on-site access, organizations still face the same risk management and regulatory obligations to monitor and ensure third parties are protecting their information. But obtaining a high level of assurance without seeing items firsthand is tricky. Organizations must now take their previous assessment plans and modify the testing steps to enable virtual assessments.

Here are some key considerations for making those adjustments. 

Start With a Review of Risk Rankings for All Third Parties
This will help determine whether their rankings have changed as a result of the pandemic. Have any vendors missed SLA obligations? If so, a safe bet would be to increase their risk rating until there's visibility into the root causes for those slips in service. This step also includes examining the countries in which each vendor operates and how those countries have been affected by the events of this year. This may require engaging internal stakeholders who represent the user group to understand any service disruptions they have seen.

Update Previous Assessment Criteria
Updates will focus on additional or elevated risks that may have been introduced by remote workers at your organization, or by your vendors' remote workers. Work-from-home conditions and supply chain impacts are two areas that should be looked at closely in today's risk assessments. Review of work-from-home conditions should focus on what measures the third party has put in place to ensure a secure work-from-home environment, including training on protecting sensitive information and security requirements for connecting to the network. Vendor resiliency — i.e., what third parties have done to stabilize their operations during the pandemic and what lessons they've learned along the way — should also be added to the assessment criteria.

Leverage Existing and Past Reports
Everything from SOC 2 reports to other audits will help you understand where to focus scrutiny during assessments. Likewise, if you completed an assessment of a vendor within the past couple of years, it is likely that many of the controls observed are still in place. While this does not remove the need to test the controls, it can provide a higher level of assurance for controls that can't be validated remotely.

Use Collaboration Tools
Collaboration tools will let you verify controls and how training systems are managed and tracked. Live demos of key systems and video tours of critical areas and materials can provide sufficient alternatives to in-person visits. Ask your vendor to provide you with insight into its change management tools, including ticketing systems, and use secure portals for sharing policy documents and evidence, so you can gain a more comprehensive picture of the vendor's internal procedures. 

Establish Ongoing Monitoring for Key Service and Compliance Metrics
Pay close attention to red flags, including missed SLAs, data breaches, and any gaps in vendors' business continuity.

Increase Sample Sizes
It's especially useful to look at broader time frames for higher-risk areas. This will help ensure the process or control being evaluated has been in place and is operating effectively and consistently for an extended duration — particularly during the pandemic. 

Someday, we'll return to a version of life as we knew it, and in-person visits will resume. But until then, remember that the risk of a business and/or vendor failure is higher in our current environment than it is in typical circumstances. Organizations need a contingency plan for various scenarios, including exposure due to third-party actions (or inactions) and the event that a high-risk third party fails. Be ahead of and prepared for these scenarios by establishing strong incident response, developing plans for moving systems in-house or to alternate providers as needed, and maintaining continuity for ongoing and robust risk assessments.

Ryan Smyth, Managing Director, FTI Technology. Ryan Smyth is a Managing Director in FTI Consulting's Technology segment. He advises clients on a wide range of regulatory and compliance issues, with a specific focus on privacy, information security, data governance and business ...