Integrating External and Internal Assessments for a Complete Risk Score
Many organizations have well-defined processes to assess the security posture and business risk presented by their largest vendors. Some of these large vendors may actually have the tools to provide their own risk assessment results.
Unfortunately, those processes may not be sufficient to properly assess every vendor—more specifically, most tools and processes fall short when it comes to extending third-party vendor risk assessments to smaller vendors and consultants. Size-based filters and a simple outside-in approach are not sufficient.
Two Primary Methods Generate a Set of Indicators of Posture
External assessments provide an initial view into how an organization approaches its information security program from a public-facing perspective—similar to what an external adversary would see when probing the vendor to judge whether it is a “ripe” target:
- Are available services associated with a domain configured securely?
- Are applications up-to-date?
- How is the vendor website configured?
- Is the vendor’s email configured to reduce SPAM?
- Is the email hosting provider reputable?
- If the vendor provides web services, how are they configured?
- What does the vendor spend on cybersecurity?
Internal assessments are often initiated with a questionnaire: the vendor is presented with a checklist and asked to describe its security posture through a self-evaluation of its data-sharing relationship, information security practices, policies and enforcement:
- How do they view their digital relationship with you?
- What protections and policies do they believe they have in place to protect your systems and data?
- Does the vendor have policies defined for user management, password management, access control, patch management and endpoint protection?
- Are these policies enforced and are security technologies properly implemented?
- Has the vendor assessed its entire organization—or just the systems they believe are in good working order?
Security Risk Baseline Factors In Both Internal and External Scores
DatumSec recommends establishing a third-party risk baseline comprising both internal and external indicators of posture. In other words, define and assess your vendors based on what is acceptable and what is not acceptable for your own risk management program.
Once you develop the third-party assessment baselines, you can spot your risk at a glance through a simple score that can be compared across your vendors—where vendors pass and fail, and where they need to improve. Automated assessments reduce the burden on your smaller vendors and help manage your risk, which will improve your overall security posture.
DatumSec can help you develop baseline risk assessments that align specifically to your business. We also provide tools and services to help perform vendor classification, external assessments, questionnaires, and ad-hoc or automated internal risk assessments for the rest of your vendors’ IT systems.