How to Use the NIST Cybersecurity Framework to Assess Vendor Security
Your vendors are likely a big part of your business. In fact, vendors are a core part of most organizations: they act as partners, provide cloud services, store sensitive data, and deliver other mission-critical services. Unfortunately, vendors can also provide a backdoor for cyber criminals who want to get their hands on your data, and their malware into your infrastructure.
Vendor security can be a frustrating subset of cybersecurity; you don’t have the same degree of control over your vendors as you do over your own employees. You can’t require the employees or contractors of another company to adhere to your security standards. Yet if your customers’ data is exposed because of a third party, that breach is still your responsibility, and it’s likely to cost you more than if your own employees had caused it. According to Ponemon’s 2019 Cost of a Data Breach Report, when a third party causes a data breach, the cost rises by more than $370,000.
For this reason, it’s critical that you do your due diligence when assessing your vendor’s security controls.
What is vendor due diligence?
Vendor due diligence is the process of ensuring that your third parties aren’t a source of unwarranted risk – essentially, vendor due diligence is an audit. The process of due diligence covers all types of risk — business, legal, financial, and cyber risk.
When it comes to cyber risk, you’re determining whether your third parties’ security controls are on par with your own, and whether they’re giving cyber criminals easy access to your networks, systems, or data. If your vendor specifically provides IT services, you’ll have to undertake additional due diligence: because they’ll be handling your data, you should have a contractual right to audit their security measures. You should also know how they plan to respond to breaches and whether they’ve experienced breaches in the past.
When you request information about a vendor’s controls, they often respond with an SSAE 16 (Statement on Standards for Attestation Engagements) report, delivered in the form of a Service Organization Controls (SOC) report. (SSAE 16 was superseded by SSAE 18 in 2017, and SOC now stands for System and Organization Controls; the reports you receive today are issued under SSAE 18.) These can be long, and the vendor has discretion over which type of SOC report is submitted and what it covers. Be specific about what you ask for: a SOC 1 covers controls relevant to your financial reporting, not security; a SOC 2 covers the trust services criteria, and a Type II report tests operating effectiveness over a period, whereas a Type I only describes control design at a point in time.
A quick look at NIST’s Cybersecurity Framework
The Cybersecurity Framework set forth by NIST (National Institute of Standards and Technology) is a voluntary framework designed to help organizations identify, protect against, detect, respond to and recover from cyber risks. Its core material is divided into five major functions:
- Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
- Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Those five functions are divided into a total of 23 categories, which are further broken down into subcategories (specific cybersecurity outcomes) and informative references that map each outcome to controls in standards such as NIST SP 800-53, ISO/IEC 27001 and the CIS Controls. (For example, Risk Assessment, ID.RA, is a category under the Identify function, and “Asset vulnerabilities are identified and documented”, ID.RA-1, is one of its subcategories.)
It’s a structured way to examine cybersecurity risks and controls, and used properly, NIST’s Cybersecurity Framework can be a tool that will help you sort through your SOC reports quickly and easily.
How to use NIST’s Cybersecurity Framework to assess your vendors
Normally, when you’re conducting an SSAE 16 review, you look for findings (exceptions) without adequate management responses, and you forward the complementary user entity controls (CUECs) listed in the report to the system owner or to IT, since those are controls the report assumes your organization implements on its own side.
This can take time, and there’s not a lot of structure to it. The Cybersecurity Framework lets you search each report in a structured way.
- Review the description of the vendor’s system in the report, and confirm that the services and locations you actually use are in scope
- Search for “subservice” to find the section describing any subservice organizations your vendor contracts with, and note whether the report uses the carve-out method (their controls are excluded and were not tested) or the inclusive method
- Walk the framework by function, category, or subcategory, and confirm that each of your organization’s control objectives is addressed by a tested control in the report
This will let you search the report efficiently, checking the vendor’s reports for response plans, risk assessments, and other necessary control objectives, while making sure you move through the framework in an orderly manner.
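The structured walk described above can be scripted once the SOC report has been extracted to plain text (for example with pdftotext). The following is an added example, not code from the original article, from NIST, or from SecurityScorecard: it locates the subservice-organization paragraphs, flags the carve-out method, and maps a subset of CSF 1.1 subcategories to report paragraphs by keyword. The subcategory IDs and outcome wording are from CSF 1.1; the keyword lists and the sample report text are constructed for illustration and are assumptions you would tune to your vendors’ auditors’ vocabulary. Keyword hits are leads for a human reviewer, not proof that a control was tested.

```python
"""Structured review of an extracted SOC report against NIST CSF 1.1 subcategories.

Added example, not code from the original article, NIST or SecurityScorecard.
Assumes the report has already been extracted to plain text. Keyword lists and
the sample report are constructed for illustration.
"""
import re
from collections import defaultdict

# Subset of CSF 1.1 subcategories: (id, function, outcome, keywords).
# The keyword lists are an assumption; tune them to your vendors' reports.
CSF_CHECKLIST = [
    ("ID.AM-1", "Identify", "Physical devices and systems are inventoried",
     ["asset inventory", "inventory of"]),
    ("ID.RA-1", "Identify", "Asset vulnerabilities are identified and documented",
     ["vulnerability scan", "penetration test", "risk assessment"]),
    ("PR.AC-1", "Protect", "Identities and credentials are managed for authorized users and devices",
     ["access review", "multi-factor"]),
    ("PR.DS-1", "Protect", "Data-at-rest is protected",
     ["encrypted at rest", "encryption at rest"]),
    ("DE.CM-1", "Detect", "The network is monitored to detect potential cybersecurity events",
     ["intrusion detection", "siem", "network monitoring"]),
    ("RS.RP-1", "Respond", "Response plan is executed during or after an incident",
     ["incident response plan", "incident response procedure"]),
    ("RC.RP-1", "Recover", "Recovery plan is executed during or after an incident",
     ["disaster recovery", "business continuity"]),
]

# Constructed sample of extracted SOC report text (not a real vendor's report).
SAMPLE_SOC_TEXT = """
Section III: Description of the System

Acme Hosting provides managed hosting. Customer data is encrypted at rest with AES-256
and in transit with TLS 1.2 or higher.

Acme uses a subservice organization, Example Colocation Inc., for physical data
center facilities. This description uses the carve-out method; controls at the
subservice organization are not included in the scope of this report.

Logical access: user access reviews are performed quarterly and multi-factor
authentication is required for administrative access.

Annual penetration testing of the hosting platform is performed by a third party.

An incident response plan is maintained and tested annually.

A disaster recovery plan is tested annually; backups are retained for 30 days.

Complementary User Entity Controls: user entities are responsible for
provisioning and deprovisioning their own users within the application.
"""


def split_paragraphs(text):
    """Split extracted text on blank lines; each paragraph is one unit of evidence."""
    return [p.strip() for p in re.split(r"\n\s*\n", text) if p.strip()]


def find_subservice_paragraphs(text):
    """Paragraphs naming subservice organizations, and whether the carve-out
    method is used (meaning the subservice organization's controls were NOT tested)."""
    paras = [p for p in split_paragraphs(text) if "subservice" in p.lower()]
    carve_out = any("carve-out" in p.lower() or "carved out" in p.lower() for p in paras)
    return paras, carve_out


def assess_coverage(text):
    """Map each CSF subcategory id to the paragraphs whose wording suggests it is addressed."""
    lowered = [(p, p.lower()) for p in split_paragraphs(text)]
    return {
        sub_id: [p for p, lp in lowered if any(k in lp for k in keywords)]
        for sub_id, _fn, _outcome, keywords in CSF_CHECKLIST
    }


def summarize_by_function(hits):
    """Covered/total subcategory counts per CSF function, e.g. {'Protect': (2, 2)}."""
    totals = defaultdict(lambda: [0, 0])
    for sub_id, fn, _outcome, _kw in CSF_CHECKLIST:
        totals[fn][1] += 1
        if hits.get(sub_id):
            totals[fn][0] += 1
    return {fn: tuple(v) for fn, v in totals.items()}


def gaps(hits):
    """Subcategories with no supporting paragraph: questions to put back to the vendor."""
    return [sub_id for sub_id, *_ in CSF_CHECKLIST if not hits.get(sub_id)]


if __name__ == "__main__":
    subs, carve_out = find_subservice_paragraphs(SAMPLE_SOC_TEXT)
    print(f"subservice paragraphs: {len(subs)}, carve-out method: {carve_out}")
    coverage = assess_coverage(SAMPLE_SOC_TEXT)
    for fn, (covered, total) in summarize_by_function(coverage).items():
        print(f"{fn:8s} {covered}/{total}")
    print("gaps to raise with the vendor:", gaps(coverage))
```

In the sample the Identify function comes back 1/2 and Detect 0/1, so asset inventory (ID.AM-1) and network monitoring (DE.CM-1) become follow-up questions, and the carve-out flag tells you the colocation provider's physical controls need their own SOC report.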
How SecurityScorecard can help
Vendors are an important part of your business, but when you work with a third party, their risk becomes your risk. To reduce the amount of administrative time and effort spent managing third party relationships, consider a tool that automates parts of the process.
SecurityScorecard’s Atlas uses advanced artificial intelligence to streamline the third-party risk management process. Using our platform, your organization can upload your vendors’ responses to questionnaires. Our machine learning compares those answers to previous questionnaires and our platform’s own analytics, verifying vendor responses almost immediately. Our easy-to-read Security Ratings, based on an A-F scale, enable you to provide your leadership with the necessary documentation to prove governance over your vendor risk management program.