Understanding Vendor Security Risks


Access To Your Sensitive Data 

Companies increasingly use third-party vendors to perform key functions. The days of doing everything “in house” are gone, as outsourcing supports growth, saves time and money, and gives access to the latest technology.

A vendor does not have to provide critical services to be considered a “third party.” The term applies equally to the cleaning services company that maintains a company’s office and to the payroll company that has access to employees’ highly sensitive data. The level of access to sensitive data is a more significant factor in third-party risk than the size or role of the vendor. The Target data breach in 2013 was due to an air-conditioning contractor with poor security practices. The HVAC company had the ability to submit invoices electronically across customers’ firewalls, and hackers were able to steal the credit and debit card information of 70 million of Target’s customers.

Here are some considerations in understanding vendor security risks:

What types of data does the third party create, process, and/or store?
It’s important for your company to establish how you will classify data. NIST Special Publication 800-60 provides guidance on how to classify data based on confidentiality, integrity, and availability impact levels. The US Government prescribes a uniform system for classifying national security information using the labels “top secret,” “secret,” and “confidential.” Information like Social Security numbers or credit card data would have a higher sensitivity than data such as home phone numbers and addresses or customer contracts.

What is the scope of services provided by the third party?
Your third-party vendors should be prioritized according to the impact that a service disruption or supply chain failure would have on your business. If your company comes to a screeching halt when your vendor experiences a disaster, there should be clear business continuity and disaster recovery policies and procedures in your agreements.
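The two questions above (what data the vendor touches, and how critical its service is) can be turned into a repeatable tiering rule. The following is an added example, not code from the original article: it categorizes the data a vendor handles by confidentiality, integrity, and availability impact level in the style of NIST SP 800-60, applies the FIPS 199 “high-water mark” rule (a vendor inherits the highest impact level of any data type it holds), and then combines that with service criticality to assign a review tier. The data catalogue, impact values, tier thresholds, and vendor records are constructed for illustration and are not from the article.

```python
"""Vendor risk tiering from data sensitivity and service criticality.

Added example; not from the original article. The per-objective
impact levels (low / moderate / high) follow the NIST SP 800-60 model,
and the high-water-mark aggregation comes from FIPS 199. Every data
type, impact value and threshold below is a constructed assumption.
"""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "moderate": 2, "high": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# Constructed catalogue: impact if confidentiality (C), integrity (I)
# or availability (A) of each data type is lost. Hypothetical values.
DATA_CATALOGUE = {
    "ssn":               {"C": "high",     "I": "moderate", "A": "low"},
    "payment_card":      {"C": "high",     "I": "high",     "A": "moderate"},
    "home_address":      {"C": "moderate", "I": "low",      "A": "low"},
    "customer_contract": {"C": "moderate", "I": "moderate", "A": "low"},
    "office_floorplan":  {"C": "low",      "I": "low",      "A": "low"},
}


@dataclass
class Vendor:
    name: str
    data_types: list[str] = field(default_factory=list)
    service_critical: bool = False        # does the business halt if this vendor fails?
    fourth_party_has_data: bool = False   # does a vendor's vendor also see our data?


def categorize(data_types):
    """Per-objective high-water mark across all data types the vendor handles.

    A vendor that handles no classified data still gets a "low" floor.
    An unknown data type raises KeyError on purpose: unclassified data
    is itself a finding that must be resolved before tiering.
    """
    result = {obj: LEVELS["low"] for obj in ("C", "I", "A")}
    for dt in data_types:
        impacts = DATA_CATALOGUE[dt]
        for obj in result:
            result[obj] = max(result[obj], LEVELS[impacts[obj]])
    return {obj: LEVEL_NAMES[v] for obj, v in result.items()}


def overall_impact(category):
    """Collapse the C/I/A category to a single level (highest wins)."""
    return LEVEL_NAMES[max(LEVELS[v] for v in category.values())]


def tier(vendor):
    """Assign a review tier: 1 = most scrutiny, 3 = least (constructed thresholds)."""
    impact = overall_impact(categorize(vendor.data_types))
    if impact == "high" or vendor.service_critical:
        t = 1
    elif impact == "moderate":
        t = 2
    else:
        t = 3
    # A fourth party with access to our data raises the vendor one tier,
    # since that access must be assessed and disclosed too.
    if vendor.fourth_party_has_data and t > 1:
        t -= 1
    return t


# Due-diligence expectations per tier (constructed, mirrors the article's themes).
TIER_REQUIREMENTS = {
    1: ["full security assessment with disclosed results",
        "business continuity / disaster recovery clauses in contract",
        "device, access-revocation and training policies reviewed",
        "fourth-party inventory and assessment evidence"],
    2: ["security questionnaire", "device and access policies reviewed"],
    3: ["contract review and annual attestation"],
}


def review_plan(vendors):
    """Return {vendor name: (tier, requirements)} for a list of vendors."""
    return {v.name: (tier(v), TIER_REQUIREMENTS[tier(v)]) for v in vendors}


if __name__ == "__main__":
    # Constructed sample vendors modelled on the article's examples.
    sample = [
        Vendor("payroll-provider", ["ssn", "home_address"]),
        Vendor("office-cleaning", ["office_floorplan"]),
        Vendor("hvac-billing", ["customer_contract"], fourth_party_has_data=True),
    ]
    for name, (t, reqs) in review_plan(sample).items():
        print(f"{name}: tier {t} -> {', '.join(reqs)}")
```

The point of the high-water mark is that the payroll provider lands in tier 1 on data sensitivity alone, with no service-criticality argument needed, while a vendor holding only moderate data is still pulled up a tier once a fourth party shares that access.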

What information security policies are in place regarding your vendor’s employees?
With the advent of mobile devices and the flexibility of remote-working arrangements, employees have a significant impact on data security. Does your vendor have an effective policy in place for all devices that access data, such as laptops, desktops, tablets, and mobile phones? If a laptop with sensitive data were lost or stolen, does the vendor have remote wipe capabilities? As part of the onboarding process, a good practice is for employees to receive information security training and sign an agreement before they have access to any system. Data access should be limited to those who have a “need to know,” and server rooms should grant electronic access only to those employees who need to be there. Procedures should be put in place to modify privileges in the case of a role change or termination. Consequences for non-compliance should be spelled out and enforced.

Who are your vendor’s vendors, and are they being assessed appropriately?
Your vendors are using third parties for services. It’s important to know how your vendor is assessing these “fourth parties.” Does your vendor’s vendor have access to your data? If so, you should hold your third party to a high level of assessment and require full disclosure of the results.
