More and more organizations are outsourcing needed services to third-party partners and cloud service providers. Unfortunately, this increasing reliance on third parties can also increase an organization’s exposure to risk, and we continue to see more breaches of third-party systems. Attackers are targeting technology providers with direct access to multiple customers, rather than trying to compromise customer systems individually.
While you may be outsourcing services and related responsibilities, the responsibility for the associated risk will always remain with your organization. Therefore it is critical to carefully vet all vendors to ensure they are not creating privacy or security risks that can lead to the exposure of your organization’s sensitive data. Ransomware has become the most common attack method against third-party vendors, initiating 27% of the third-party breaches in 2021 (up from 15% in 2020). This is followed by unauthorized network access and unsecured servers and databases. How can you ensure your third-party partners aren’t next on the data breach list?
A successful and holistic vendor management program can help ensure you are not investing in new technologies that lead to new problems. At a high level, your vendor management program should be addressing the following:
1) Vendor Inventory
The first step in your program should be to identify and document all proposed and existing third-party relationships. Ensuring departments and employees understand that all vendors must be evaluated and approved by the appropriate teams is critical so that you are able to centrally review, document, manage, and monitor these relationships. Ensure that all newly proposed vendors are reviewed as soon as possible in the procurement process so that roles, responsibilities, risks, and expectations can be clearly identified and defined within the contracts.
2) Data Classification
Be sure to identify the types of information you are sharing with third parties and document the data each individual vendor has access to. Often, following a data breach, organizations admit they were unaware of the full scope of the third-party relationship, how much data was being shared, and why. This data classification effort will determine the security controls that must be in place before access to information is granted, as well as the acceptable methods of data access. It should also allow you to categorize vendors from highest to lowest risk based on their access.
3) Compliance Requirements
The Payment Card Industry Data Security Standard (PCI DSS) requires merchants to collect compliance documentation from third-party service providers annually. FERPA requires the execution of a written agreement with certain data protection elements that must be met. HIPAA mandates that a written contract exists between HIPAA covered entities and any business associates, requiring the business associates to implement appropriate safeguards that protect against the unauthorized use or disclosure of Protected Health Information (PHI). Based on the data classification effort mentioned above, a key component of your program will be to collect any necessary compliance documentation from third parties on an ongoing basis.
4) Data Security
Agreements should also identify and require information security controls that specifically address the external party’s access to the organization’s information and ensure they have implemented the appropriate administrative, technical, and physical safeguards. Verify you have data sharing agreements and contract language in place that clearly outline responsibilities for protecting sensitive information. The review of controls is also a good time to confirm service availability and the vendor’s disaster recovery/business continuity processes.
5) Incident Management
The contract should also define terms for the incident notification process in the event of a breach or compromise, as well as responsibilities for notifying impacted individuals, breach costs, etc. Take into consideration state data breach notification laws, as well as federal reporting requirements for specific data types.
Supplier agreements should be established early and fully documented to ensure there are no misunderstandings regarding each party’s obligations to fulfill relevant security, legal, and/or regulatory requirements.
Following the initial review/approval, develop a lifecycle process that includes ongoing performance monitoring and periodic re-assessments of the vendor’s compliance and verification of security controls. Your contracts should outline your organization’s right to audit, or ability to assess and validate information security practices.
Based on the assigned level of risk and data classification effort, the organization can plan for how often third-party information security re-assessments need to occur. With COVID-19, so many organizations had to adjust their current business practices, send staff home to work remotely, etc. Vendors were making those same adjustments, so it is critical that your organization can confirm their new environments are also secure and have not opened up any possible security gaps. A re-assessment will uncover what has changed, what might need a closer review, or identify inconsistencies with the initial security review.
Whether your organization is utilizing the Higher Education Community Vendor Assessment Tool (HECVAT), or if you have customized a vendor security questionnaire that focuses on more specific risks for your organization, asking the vendor to provide an updated version of this information is typically the first step. This should give you a clear picture of their current cybersecurity efforts and security programs, and how data is being protected in transit, at rest, etc. It will address physical security, application security, network security, vulnerability management, incident management and response practices, awareness training, etc.
From there, you may need to meet with or interview staff within your organization who are the end users of the third-party solutions or applications and confirm what data is being shared, how information is being accessed, any additional services or functionality that have been added since the initial implementation, etc. It may also be necessary to schedule time with the vendor representative to clarify their responses on the security questionnaire or get more in-depth information about the controls that are in place. Armed with this information, your teams can then re-approve the use of the solution or recommend any additional controls that may need to be implemented.
Unfortunately, many organizations struggle with a lack of resources to implement formal vendor management programs. It can be difficult to keep track of all vendor relationships across the organization, set reminders for assessment timelines, identify the appropriate contacts or resources, and collect updated security questionnaires, let alone perform the actual reviews. However, prioritizing this re-assessment effort for existing vendors is important in preventing any unwanted exposure of organizational information.
If your organization has questions about how best to manage your third-party service providers, contact us.
Additional guidance from the Security Advisor Team below:
[Lewis]: Out of sight, out of mind is what often happens with third-party vendor management. The day-to-day tasks can take your attention away from the very important but less visible responsibilities. Much like documentation for IT professionals, third-party vendor management is one of those less-desirable tasks. A good practice is for the business to include vendor management as part of their procedures or monthly activities. Keeping the lines of communication open with the vendors is another good practice. If SLA reports are given by the vendor, use the report to ask if there are any security issues related to the report content. Staying engaged with the vendors can facilitate a better response all around if a security issue arises or a data breach occurs.
Cloud service providers have a convenient business model but they are not immune to security requirements or protecting your data. Starting with classifying your organization’s data will bring clarity to the impact of potential threats. Depending on your organization’s data classifications, there might be sensitive data exposed that you weren’t aware of until an assessment occurs. After data classification occurs, compliance and governance enter the picture in the form of ITAR, GDPR, FERPA, PCI, GLBA, HIPAA and others. Compliance is where gaps might appear with third-party vendors.
The bottom line is security is everybody’s responsibility. Assuming a third party is properly handling your data is a false assumption. Accidents occur and security is a constant effort, but vendor security assessments will reduce the risk to your organization and possibly prevent future incidents.