May 12, 2021
Four Essential Components of Third-Party Risk Management
Zero is the number of managed service providers (MSPs) that asked Datto if we, or any of our key vendors, were impacted by the Microsoft Exchange ProxyLogon vulnerabilities. Houston, we have a problem!
Security considerations do not stop at the perimeter of our networks. We must take into account the posture of vendors who process our data, integrate with our systems, or those who we rely on in our day-to-day operations. After all, an organization's security posture is only as strong as its weakest link, and whether we want to believe it or not, vendors have become an integral supply chain supporting our business operations.
As MSPs, the concept of outsourcing a responsibility, process, or function is second nature. This is the core foundation of the services you provide to your clients, but how secure is the portfolio of vendors you’ve partnered with? Are they protecting the confidentiality, integrity, and availability of data and access in the same way you would? Most importantly, do you understand the security gaps and risks that your vendor relationships expose you to over time? If you don’t have a quick answer to all of these questions then chances are you are neglecting an essential component of your organization's cyber resilience strategy.
Do you inventory your vendors?
Let's start with the basics. Any IT or security practitioner could tell you that the foundational step to any good initiative is knowing thyself, which means understanding your posture. Hardware and software asset inventories are essential components of the Identification functional capability area in most MSP-adopted cybersecurity frameworks, so why not inventory your vendors as well?
How can you effectively manage a problem without collecting and understanding its parameters? Without a general understanding of which vendors are used in your organization, chances are you will not be able to identify the actual vulnerable points in your third-party risk portfolio. The taxonomy of your procurements plays an important role here. Every vendor coming in or going out should be accounted for and properly identified in a system of record based on the type of service and relationship. That system of record can be a dedicated tool or a simple spreadsheet. The key here is simply developing processes and maintaining them.
Centrally managing a vendor portfolio has many advantages, only some of which are security- and risk-based. With a good understanding of what exists you can now evaluate redundancies and unnecessary relationships in a single place. Not to mention, once the vendors have been centralized into a single place, you can start prioritizing your diligence based on the criticality of the vendor to your organizational operations.
Who’s who in the vendor zoo?
Not all vendors are created equal, and it can be difficult to explore the depths of each vendor in your portfolio, especially when dealing with limited security resources. So, in a world where risk management is a luxury, prioritize your efforts on those vendors whose compromise could introduce the greatest damage to your organization or cause a significant disturbance to your operational tempo.
The prioritization, or the tiering of vendors, can be used to guide a series of processes in the vendor management cycle:
- Set a cadence for vendor diligence across the enterprise
- Define specific requirements for vendors at each tier
- Fast-track the procurement processes for low-risk vendors
- Allow prioritization of investigation into high-tier vendors
The table below takes into account some key criteria that should be considered when tiering your vendors.

| Criterion | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| Examples | AWS, GitHub, ADP, Salesforce, Okta, Slack | Gardner, Lucid Charts, etc. | Office supplies, commodities, etc. |
| What type of data does the vendor store, process, or handle on your behalf? | Critical data, proprietary data | Business operations or private data | Public data, marketing data, administrative data |
| Integration and access | Read/write access to your environment; embedded into your networks, enterprise applications, or business processes | Access and visibility into these processes, but not directly integrated | No integration with your environment or products |
| Operational impact if the service is interrupted | Loss stops organizational progress | Loss slows the organization down | Loss has a negligible impact |
| Transition cost / effort | | | |
| Does this vendor or their product interact with your customers or your products? Do you white-label this hardware or re-sell it? | | | |
One checklist too many: Properly assessing your vendors
As the complexity of vendor relationships evolves, so should the methods by which we assess them. The era of the standardized checklist has come and gone and yet many organizations continue to rely solely on a checklist's ability to gauge complex security processes. This is like trying to quantify a three-dimensional problem with a two-dimensional approach.
Now that you have developed criteria for identifying your most critical vendors, you can take a step back and develop a proper way to assess them: one that measures vendors in a way that mirrors your internal requirements. In most cases, those Tier 1 vendors should be treated as an extension of your organization, and thus you should ensure they have similar or better policies, procedures, processes, and capabilities than those you have set for your own organization.
It becomes imperative to ask yourself: if this particular vendor were breached, what would the impact be on our operations and those of our customers? Assess the vendor against those priorities. If availability concerns you, build firm SLAs into the contract and ensure they have an adequate response plan in the event of an incident. Be sure their business continuity plans are built and tested to withstand the unforeseen, not just to comply with a requirement. If your concerns are primarily around data, then be sure the proper access controls are built into their environment, peel back a layer, verify that encryption standards are adopted, ensure audit trail logs are reviewed, etc.
The scenarios could go on forever, but the important thing is not to overlook gaps in the vendor's processes, and to orient your assessment based on a firm understanding of what they do for you and how it impacts your resilience. It's very easy to take credit for the existence of a process, but proving its effectiveness and efficiency through documentation is much harder to do. So be sure to investigate further, ask questions, meet with the right representatives, and document their plans to address any issues or concerns. Remember, you've prioritized a handful of these vendors as critical; it's time you start treating them that way.
If such plans do not exist, then work with them to develop a plan of action with milestones. This will help them track progress toward the desired solution. If this option is not on the table, be sure you have a system in place to transfer the risk back onto the vendor or to establish compliance via contractual language. Best practices and assurances can no longer simply be expected; they should be delivered as requirements when entering a vendor relationship, and if they are not upheld, all or part of the damage should be assumed by the vendor.
Contractual security language will not only protect you by having vendors abide by best practices, but it will set the cadence for the relationship. It will bind both parties to the standards that should be met in the event of an incident. Things like incident response, data retrieval, data ownership, rights to an assessment, etc. should all be termed upfront in these relationships. These may seem like basic requirements, but when push comes to shove, you’ll be glad your legal team can call upon these clauses to expedite a response or an action from the vendor.
Third-party risk management ≠ One-time security review
The conclusion of a security review does not mark the end of third-party risk management processes. If your program has tracked the actions this far, chances are you've identified some gaps in a few vendors' processes. Don't just document the deficiencies and send them on their way; you have to follow up. It's important to keep some of these vendor relationships alive and well. There are mutual benefits to keeping a vendor honest; your organization has a horse in this race. Major deficiencies should be documented on both ends and followed up on based on the set milestones. Additionally, when there are major documented vulnerabilities, you should be asking ALL of your vendors if they are impacted, as that will have a downstream effect on your resilience.
MSPs must create the capability to hold their most critical vendors accountable for quality security outcomes and preparedness. You can do this by implementing the four essential components of managing third-party risk:
- IDENTIFY: Understand your vendors and how they impact your cyber resilience
- PRIORITIZE: Tier them in terms of their importance to your operations and potential to adversely impact them in the event of a breach
- EVALUATE: Develop an evaluation process that fits the vendor and your needs
- PERSIST: Managing your vendors is a continuous process, not a one-time event
Next time there is a major vulnerability in a common piece of technology that is being exploited through automated compromise, ask your vendor partners if they, or any of their critical vendors, were impacted and what they are doing about it. Until then, take a vendor inventory, prioritize them, evaluate them, and persist in these processes.