CyberSecOp.com

View Original

Top 14 Cyber Security Vendor Due Diligence Questions

What is a cybersecurity vendor due diligence questionnaire? Vendor cyber security due diligence questionnaire is a prewritten assessment gain visibility into supplier or vendor cybersecurity posture. Vendor cyber security due diligence questionnaire assist organizations with identify potential risks before onboarding vendors/suppliers.

CyberSecOp vendor management program supports multiple compliance requirement. The following four and other regulations are set forth by different regulatory bodies across the globe for various purposes, including the protection of financial, personal, and healthcare information.

  • PCI DSS (The Payment Card Industry Data Security Standard). This is the information security standard for organizations handling branded credit cards.
  • GDPR (The General Data Protection Regulation). This legal framework sets guidelines for the collection and processing of personal information for those living in the European Union (EU).
  • HIPPA (Health Insurance Portability and Accountability Act of 1996). This U.S. legislation provides data privacy and security for safeguarding all medical information.
  • OCC (The Office of the Comptroller of the Currency). This federal agency oversees the execution of laws for national banks, and functions to regulate and supervise banks in the United States.

Reputation Risk

Reputation risk refers to negative public opinion or customer perception that stems from irresponsible vendor practices. Unsecure vendor remote access can lead to a number of problems that may destroy customer relationships and harm your company's reputation, including:

  • Customer complaints
  • Dissatisfied customers
  • Interactions inconsistent with company policies
  • Security breaches resulting in the disclosure of customer information
  • Violations of laws and regulations

Operational Risk

Operational risk results from internal breaches, processes, and system failures. Third-party vendors are increasing as an extension of operational risk since they are closely tied to operational processes and business practices. Operational risks may be caused by:

  • Employee error
  • Failure to adhere to internal policies
  • Internal and external fraud or criminal activity
  • System failures

Top 14 Cybersecurity Vendor Due Diligence Questionnaire

  1. they have a security contact or chief information security officer in place? If a third party deploys dedicated resources to manage risks and safeguard its critical information, it shows they take their security posture with the utmost seriousness.

  2. Do they have industry certification, or are they aligned with an industry framework such as NIST/ISO? While industry certification may not necessarily indicate the effectiveness of third-party security controls, it does provide additional assurance about the vendor's commitment to protecting their systems and customers' information.

  3. Are penetration tests performed by a qualified third-party vendor? If so, how often are they performed and when was the last test performed? Ensuring your vendor has regularly scheduled penetration tests performed by a third party is essential in knowing how secure their environment is and where the weaknesses are so they can be secured before they’re exploited by an attacker.

  4. Is there a formal information security program in place? A security program provides the framework for keeping a company at a desired security level by assessing the risks that are faced, deciding how those risks will be mitigated and planning for how to keep the program and security practices current.

  5. Do they have a mature threat management and intelligence program in place? It's important to ascertain the effectiveness of their security controls. This can be done by reviewing independent security audit reports to assess the vendor's vulnerability management, secure software development processes and threat management programs, such as cyber intelligence.

  6. Is there a formal logical access review process? Having regularly scheduled access reviews of users is essential in knowing who should have access to your system and who no longer needs access. Failures in logical access review procedures are the top reason for exceptions in SOC reports.

  7. How has your vendor implemented the principle of least privilege? Role-based access privileges are vital in only allowing employees to have access to data they need while denying access to data they don’t need to perform their job.

  8. How is data protected in transit between the vendor and the client as well as between the vendor and the end-user? How is data protected at rest on servers and backup media? Encryption of data in both in-transit and at-rest stages is extremely important to keeping it safe from unauthorized access.

  9. How is retired media (hard drives, flash drives, CDs, documents, etc.) sanitized? Physical and electronic data should be disposed of in a secure manner when no longer needed to keep information from falling into the wrong hands. This has become more difficult with the adoption of public cloud services as data may move across multiple physical systems and reside on shared resources.

  10. Are employees and contractors required to attend security training? Providing security awareness education to users of all systems is an important step in limiting user errors that could harm your IT infrastructure and information.

  11. What due diligence is performed on contractors and vendors prior to and post contract? Completing due diligence over your vendor’s third party (your fourth party) is important especially if they have access to your data. You want to make sure they have a secure environment to help keep your information secure.

  12. Do they have a good cyber score? It is prudent to ascertain exposure of an organization at the surface web, deep web and dark web to predict the likelihood of a potential breach due to their exposure. There are several organizations that provide cyber scoring for vendors and also allow you to benchmark them against similar vendors.

  13. Is there a formal incident management program in place? Proper incident handling procedures allow situations to be analyzed and prioritized so that the next appropriate course of action can be taken to address the problem. Breach notification, a key component of incident management, is now included within multiple regulations with emphasis on vendor reporting.

  14. Does your vendor describe technical prevention measures in place? Utilizing various security tools such as firewalls, anti-virus products and intrusion detection and prevention systems allow you to help secure your network from adversaries.

Strategic risk is created from failed business decisions, or the inability to implement strategies consistent with the organizational goals. Third-party vendors that are not aligned with your company’s practices may threaten operations or your ability to effectively execute business strategies. It may take some time to fully build and/or review a comprehensive cybersecurity questionnaire, but it could save you a lot of time and risk exposure in the future. It’s an invaluable questionnaire that provides a lot of insight.