Third-party vendors can be a huge liability for your company’s IT security. To help ensure that the proper safeguards are in place for a secure and productive relationship with third-party IT vendors, companies should work through the following five-point checklist:
1. Become familiar with standardized methodologies.
Existing standards can help you develop your company’s security process. The SANS Institute (SysAdmin, Audit, Network and Security) originally published the Top 20 Critical Security Controls, which are now maintained by the Center for Internet Security (CIS) as the CIS Controls, and the National Institute of Standards and Technology (NIST) publishes its own control catalog (SP 800-53) and Cybersecurity Framework. These standards range from keeping an inventory of your organization’s hardware and software to maintaining secure configurations for servers, workstations and laptops. They also cover topics such as controlled use of administrative privileges, email and web browser protections, wireless access control and more. Becoming familiar with the standards will help you in the next step of the process, when you audit your organization’s own safeguards.
2. Have your own safeguards in place.
Before you approach third-party vendors, make sure that your own safeguards for company data and systems are in place and that you know your company’s IT security procedures and protocols. The policies most likely to affect how third-party vendors perform their job are your encryption, authentication, patch management and endpoint security policies. Sometimes there is no quick fix for a weak point in the IT infrastructure; in that case the weak point needs compensating controls and closer monitoring until it can be fixed. This means that management needs to clearly understand where their data sets are located and which vendors will be able to access those data sets and systems.
3. Constantly monitor and be in control of third-party vendors.
With IT protocols, processes and tools in place to monitor employees and outside contractors alike, organizations can keep a close eye on third-party vendors. It is important to understand your own infrastructure and weak points before you bring in a third party. Access control and monitoring tooling lets organizations restrict a vendor to only the systems needed to do its job. Additionally, depending on the capabilities of the software you choose, organizations can define when vendors may log into systems and from which locations. Such tooling can also limit a vendor to certain applications, or grant access only upon manual approval for each session. In addition, monitoring vendors and keeping records of their access helps when something goes wrong, because the access log gives the IT team the forensic record it needs to understand exactly what happened.
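The controls described above (scope limited to named systems, an allowed source network, a login window, per-session manual approval, and an audit trail that can be replayed afterwards) are easier to reason about when written down as a policy check. The following is an added example, not code from the original article or from any particular product; the vendor name, system names, network ranges and all access attempts are constructed for illustration, and the checks are evaluated in a fixed order so that the logged reason is the first rule that failed.

```python
"""Vendor access gate: scope, source network, login window, manual approval
and an append-only audit trail (added illustration, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VendorPolicy:
    """What one third-party vendor may touch, from where, and when."""
    vendor: str
    systems: frozenset            # the only systems this vendor may log into
    networks: tuple               # CIDRs the vendor may connect from
    login_window: tuple           # (start_hour, end_hour) in UTC, end exclusive
    needs_approval: bool = False  # True: every session needs a fresh manual approval


@dataclass(frozen=True)
class Approval:
    """A time-boxed manual approval granted by someone inside the organization."""
    vendor: str
    system: str
    approver: str
    expires_at: datetime


class VendorAccessGate:
    def __init__(self, policies, approvals=()):
        self.policies = {p.vendor: p for p in policies}
        self.approvals = list(approvals)
        self.audit_log = []       # append-only record of every decision, allow or deny

    def _has_approval(self, vendor, system, when):
        return any(a.vendor == vendor and a.system == system and when < a.expires_at
                   for a in self.approvals)

    def decide(self, vendor, system, src_ip, when):
        """Return ("allow", None) or ("deny", reason). Every call is logged."""
        policy = self.policies.get(vendor)
        reason = None
        if policy is None:
            reason = "unknown vendor"
        elif system not in policy.systems:
            reason = "system outside vendor scope"
        elif not any(ip_address(src_ip) in ip_network(n) for n in policy.networks):
            reason = "source network not allowed"
        elif not policy.login_window[0] <= when.hour < policy.login_window[1]:
            reason = "outside login window"
        elif policy.needs_approval and not self._has_approval(vendor, system, when):
            reason = "no valid manual approval"
        decision = "allow" if reason is None else "deny"
        self.audit_log.append({"time": when.isoformat(), "vendor": vendor,
                               "system": system, "src_ip": src_ip,
                               "decision": decision, "reason": reason})
        return decision, reason

    def timeline(self, vendor):
        """Forensic view: everything one vendor attempted, in order."""
        return [e for e in self.audit_log if e["vendor"] == vendor]


def run_sample():
    """Constructed scenario: one vendor, one two-hour approval, seven attempts."""
    t0 = datetime(2024, 3, 4, 10, 15, tzinfo=timezone.utc)
    gate = VendorAccessGate(
        policies=[VendorPolicy("acme-support", frozenset({"erp-db-01", "erp-app-01"}),
                               ("203.0.113.0/24",), (8, 18), needs_approval=True)],
        approvals=[Approval("acme-support", "erp-db-01", "it-lead",
                            t0 + timedelta(hours=2))],
    )
    attempts = [
        ("acme-support", "erp-db-01", "203.0.113.10", t0),                       # allowed
        ("acme-support", "hr-db-01", "203.0.113.10", t0),                        # out of scope
        ("acme-support", "erp-db-01", "198.51.100.5", t0),                       # wrong network
        ("acme-support", "erp-db-01", "203.0.113.10", t0.replace(hour=2)),       # 02:15 UTC
        ("acme-support", "erp-app-01", "203.0.113.10", t0),                      # never approved
        ("acme-support", "erp-db-01", "203.0.113.10", t0 + timedelta(hours=3)),  # approval expired
        ("other-vendor", "erp-db-01", "203.0.113.10", t0),                       # not onboarded
    ]
    results = [gate.decide(*a) for a in attempts]
    return gate, results


if __name__ == "__main__":
    gate, _ = run_sample()
    for entry in gate.timeline("acme-support"):
        print(entry)
```

Only the first attempt is allowed; each of the others is denied with the first rule it failed, and the denied attempts still land in the audit log, which is the record you would pull during an incident review. A real deployment would store that log somewhere the vendor cannot modify and expire approvals automatically, exactly as the `expires_at` check does here.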
4. Do not be afraid to ask hard questions about vendors’ security practices and about their reporting after incidents occur.
To gauge a vendor’s security experience, a good question to start with is whether the vendor has experienced any IT security incidents. If the answer is yes, that is not necessarily disqualifying. The most important factor is how they dealt with the incident and how quickly they were able to mitigate or eliminate the risk involved. Another important factor is whether the vendor uses subcontractors that have not been vetted by your organization. You should also understand how they inventory authorized and unauthorized devices, what their standards are for a secure network infrastructure and how they train staff to handle security incidents. In addition, ask for a list of the tools they use and have your IT team review and approve them. When vetting vendors, find out what service-level agreement they can commit to for your organization, what response and availability times you should expect, how often you can audit them, and make sure they fully understand your expectations for reporting and incident disclosure.
5. Delegate responsibility: have someone manage the third party and check in constantly.
Choose someone who deeply understands your company’s networks, infrastructure and general IT landscape to manage the third-party relationship. It is important that they know the roles of the vendors and what each should be able to access, and that they are part of the process when you vet the vendor and ask the hard questions. They need to understand that they are responsible for auditing third parties, and for identifying what data leaves the organization and what applications and software come into it.