How to Use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to Assess Vendor Security
Your vendors are likely a big part of your business. As partners, vendors provide cloud services, store sensitive data, and deliver other mission-critical services. Unfortunately, vendors can also provide a backdoor for cyber criminals who want to get their hands on your data, and inject their malware into your infrastructure.
Vendor security can be a frustrating subset of cybersecurity; you don’t have the same degree of control over your vendors as you do over your own employees. You can’t demand that the employees or contractors of another company adhere to your security standards. Yet if your customers’ data is exposed because of a third party, that breach is still your responsibility, and it’s likely to cost you more than if your own employees had caused it. According to IBM’s 2024 Cost of a Data Breach Report, if a third party causes a data breach, the cost spikes by more than $370,000.
For this reason, it’s critical that you do your due diligence when assessing your vendor’s data security controls.
What is Vendor Due Diligence?
Vendor due diligence is the process of ensuring that your third parties aren’t a source of unwarranted risk. Essentially, it’s an audit that covers all types of risk: business, legal, financial, and cyber risk.
When it comes to cyber risk, you’re determining that your third parties’ security controls are on par with your own and that they’re not providing cyber criminals with easy access to your networks, systems, or data. If your vendor is specifically providing IT services, you’ll have to undertake additional due diligence. Because they’ll be handling your data, you should have the right to audit their data security measures. You should also know how they plan to respond to breaches and if they’ve experienced breaches in the past.
When you request information about a vendor’s controls, they often respond with an SSAE 16 (Statement on Standards for Attestation Engagements) report, which is delivered in the form of a Service Organization Controls (SOC) report. These can be long, and the vendor has discretion over which type of SOC report is submitted and what is covered in it.
How can you assess their security posture easily when you have so much information to go through? That’s where NIST’s Cybersecurity Framework comes in.
A Quick Look at the NIST Cybersecurity Framework
The Cybersecurity Framework developed by NIST (National Institute of Standards and Technology) is designed to help organizations of all sizes identify, prevent, and respond to cyber risks. It’s also the foundation for effective NIST vendor management initiatives.
The Framework is structured into five core functions, which form the backbone of most security programs:
1. Identify
Develop an understanding of your organizational environment to manage cybersecurity risk to systems, people, assets, data, and capabilities. This step also includes identifying critical assets and their associated vulnerability levels.
2. Protect
Implement safeguards to ensure the continued delivery of critical services and operations. This may include using updated technology to restrict access, monitor controls, and ensure system hardening.
3. Detect
Establish the ability to identify the occurrence of cybersecurity events in real time or close to real time.
4. Respond
Put appropriate plans in place to take swift and effective action when a cybersecurity incident occurs, especially when addressing any newly discovered vulnerability.
5. Recover
Develop plans for resilience and rapid restoration of capabilities impaired during a cybersecurity event.
Across the five functions there are 23 categories, which are further divided into subcategories (specific cybersecurity outcomes) that map to security controls. (For example, Risk Assessment is a category under the Identify function.)
It’s a structured way to examine cybersecurity risks and controls, and used properly, NIST’s Cybersecurity Framework can be a tool that will help you sort through your SOC reports quickly and easily.
How to Use the NIST Framework to Assess Vendor Security Risk
Normally, when conducting an SSAE 16 review, you look for findings without adequate management responses and provide complementary user entity controls to the system owner or to IT.
This can take time and is not very structured. The Cybersecurity Framework lets you search each report in a structured way.
- Review the description of the vendor’s system given in the report
- Search for “subservice” to find the section describing any businesses that your vendor, in turn, contracts with
- Use function, category, or subcategory to confirm that each of your organization’s control objectives is covered
This will let you search the report efficiently, checking the vendor’s reports for response plans, risk assessment, and other necessary risk objectives while making sure you move through the framework in an orderly manner.
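As an added illustration of the three-step search above (example code, not from the original post or from SecurityScorecard): a small Python script that pulls the subservice-organization section out of a SOC report and flags which NIST CSF functions have no matching control language. The report excerpt and the per-function keyword map are constructed for this example; a real review would substitute the organization’s own control objectives for each function.

```python
import re

# Constructed excerpt of a SOC report, used only as sample input for this example.
SAMPLE_SOC_REPORT = """
Section III: Description of the System
The service organization operates a multi-tenant hosting platform for its customers.
Subservice Organizations
Acme Colocation provides physical data center hosting and is carved out of this report.
Complementary Subservice Organization Controls are expected at Acme Colocation.
Control Activities
CA-1 Management performs an annual risk assessment covering systems, data and personnel.
CA-2 Role-based access control restricts access to production systems; reviews occur quarterly.
CA-3 An incident response plan is maintained and tested annually.
CA-4 Security event logs are centrally monitored and alerts are reviewed by the security team.
"""

# Hypothetical keyword map: phrases a reviewer expects to see for each CSF function.
# Replace with your own control objectives; this is an assumption for the example.
CSF_KEYWORDS = {
    "Identify": ["risk assessment", "asset inventory"],
    "Protect": ["access control", "encryption"],
    "Detect": ["monitor", "alert"],
    "Respond": ["incident response"],
    "Recover": ["business continuity", "disaster recovery", "restoration"],
}


def find_subservice_section(report: str) -> str:
    """Return the text under the first 'Subservice' heading, up to the next heading.
    A heading is taken to be a non-empty line that does not end with a period."""
    lines = [ln.strip() for ln in report.strip().splitlines()]
    start = next((i for i, ln in enumerate(lines) if "subservice" in ln.lower()), None)
    if start is None:
        return ""  # no carve-out section: nothing further to chase
    body = []
    for ln in lines[start + 1:]:
        if ln and not ln.endswith("."):  # next heading ends the section
            break
        body.append(ln)
    return "\n".join(body)


def coverage_by_function(report: str) -> dict:
    """Map each CSF function to the expected phrases actually found in the report."""
    text = report.lower()
    return {fn: sorted(kw for kw in kws if kw in text) for fn, kws in CSF_KEYWORDS.items()}


def uncovered_functions(report: str) -> list:
    """CSF functions for which the report contains none of the expected control language."""
    return [fn for fn, hits in coverage_by_function(report).items() if not hits]
```

Running `uncovered_functions(SAMPLE_SOC_REPORT)` on the constructed excerpt returns `["Recover"]`, which is exactly the gap a reviewer would raise with the vendor or cover with a complementary user entity control.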
How SecurityScorecard Can Help
Vendors are an important part of your business, but when you work with a third party, their risk becomes your risk. To reduce the amount of administrative time and effort spent managing third-party relationships, consider a tool that automates parts of the process.
SecurityScorecard’s Atlas uses advanced artificial intelligence to streamline the third-party risk management process. Using our platform, your organization can upload your vendors’ responses to questionnaires.
Our machine learning compares those answers to previous questionnaires and our platform’s own analytics, verifying vendor responses almost immediately.
Our easy-to-read Security Ratings, based on an A-F scale, enable you to provide your leadership with the necessary documentation to prove governance over your vendor risk management program.