The 3 Lifecycle Stages of Vendor Security Risk Management: Ongoing Monitoring
Ongoing Security Monitoring has Become a Must
Too often organizations conduct security due diligence when onboarding a third party (e.g., vendor, supplier, outsourcer, service provider, consultant) and fail to monitor security throughout the lifecycle of the relationship. Ongoing security monitoring throughout a relationship is critical to protecting the organization.
Organizations are dynamic; they are in a constant state of change. Regulations are changing, risk is changing, and internal business processes, employees, and technology are changing. As much as an organization's own business has changed, it is important to remember that each and every third party it does business with has changed as well.
A third party might have been the right third party to contract with two years back, but are they still the right third party? Are they current with security controls and processes? A third party, over the course of time, has evolving oversight, processes, employees, and technology. What might have been a secure relationship a year ago, or several years ago, may not be a secure relationship today.
This is further complicated by the fact that security now affects a wider range of third parties than it has in the past. It used to be that predominantly IT vendors were an information security risk. Today, in the interconnected digital economy, any third party providing service to any part of the business may be connected to the organization's network and have access to its information. The Internet of Things complicates this further: the microwave in the break room now poses a security threat when in the past it did not.
Five Necessities of Security Monitoring
Organizations need to have established processes in place to monitor security throughout the lifecycle of a relationship. This includes:
- Ongoing/continuous external scanning. Organizations should have established processes to conduct regular, and even continuous, security scans of third parties, particularly those that have network connections to the organization and hold its electronic data. This is to ensure their environment, from an Internet perspective, is secure and does not pose a threat to the organization through the third party's security gaps. Organizations and technology are constantly changing; a server on the Internet may be misconfigured or critical patches may not have been applied.
- Periodic attestations. Every third party that poses a security threat to the organization's networks and/or information should be required to review the security policies and controls required in the contract and provide attestation that they are understood, in place, and operational. This can include the requirement to provide regular evidence of security certifications and tests that are conducted internally at the third party. Some organizations are even requiring that each individual who has access to the organization's information and networks provide an individual attestation of adherence (and possibly go through security awareness training).
- Reputation monitoring. Organizations should regularly monitor news and social media in the context of their third parties to look for red flags that raise security concerns in their third party relationships.
- Issue reporting and management. The best laid plans of mice and men will go astray. The best relationships with the right security controls and processes may still encounter security incidents involving the organization's data and systems. It could be as simple as a lost laptop or tablet that had the organization's data on it, a hacker who compromised the third party, or a rogue employee doing unlawful things. It is critical that processes be put in place for third parties to report issues and incidents and to work collaboratively with the organization on their resolution. However, third parties will often not report issues even if they are contractually bound to do so. In this case it is necessary that controls be in place to inform the organization of issues and incidents. The organization should have defined processes to work collaboratively with third parties, but it should also have incident response procedures with prepared steps to take when an issue does arise (e.g., severing network communications).
- Security audits and onsite inspections. Every contract typically has a right-to-audit clause that allows the organization to go onsite and validate the third party's adherence to the contractual controls and requirements. It is unfortunate that most organizations have not committed resources to doing this. To address this, the organization should define internal resources, or contract with a service provider, that can conduct third party audits and inspections. I often recommend grouping third parties into three areas that follow a stoplight: high-risk/red, medium-risk/yellow, and low-risk/green. An organization can then require onsite audits/inspection/validation of high-risk third parties every year, conduct validation/inspections on medium-risk third parties every two years, and each year do a random audit of perhaps 5% of their green/low-risk third parties. This may be a lot for many organizations; that is why organizations look to security rating companies to get assurance across the range of third parties they are working with.
Coming Up Next: Offboarding
It is critical that organizations have these defined processes in place to manage security throughout the lifecycle of a relationship. The level of diligence and monitoring varies with the risk each third party brings to the table. However, the digital world is finding that more and more third parties are bringing security risk into the relationship, a risk that did not exist at such scale several years back.
In our next and final blog in this series we will look at the security steps in offboarding/terminating a third party relationship.
About Michael Rasmussen
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 25+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester.