The Ultimate Vendor Risk Management Checklist

05/09/2018

Digital transformation increases the number of vendors that your organization incorporates into its IT ecosystem. Each third party, however, increases your company’s cybersecurity risk. What used to be considered “trust but verify” has now become “verify, then maybe trust.”

Vendor due diligence is one of the primary requirements common to most cybersecurity regulations and industry standards. With companies increasingly responsible for monitoring and managing their vendors’ cybersecurity posture, you need to know everything you can about your business partners before you contract with them.

The weakest spots in cybersecurity management

Before we provide due diligence and vetting steps that your company can take prior to working with a new vendor, a brief review of two often-overlooked aspects of IT security defense is in order.

1. Awareness is not security

According to a recent study from Tessian, 43% of respondents admitted to making mistakes at work that compromise security, explaining why phishing remains one of the most successful cyberattack methods. According to the Ponemon Cost of a Data Breach Report 2020, phishing accounted for 14% of malicious data breaches.

While you might be able to provide oversight for your own employees, you can’t do the same with vendor workforce members. To protect your organization, you need to ensure that vendors’ cybersecurity posture aligns with your own.

2. Proactive defense-in-depth works

You can’t sit around waiting for a security incident to occur. You need to be proactive, not reactive, about protecting your information and ensuring your vendors are also proactive. Problematically, you can’t control your vendors’ security monitoring any better than you can maintain their employee cybersecurity awareness.

While you need to document vendors’ answers to security checklists, you also need to make sure that they are layering their defensive security mechanisms and continuously monitoring those mechanisms for weaknesses.

The risk assessment checklist: vet your vendors’ cybersecurity management

Vetting means executing due diligence by checking a vendor’s systems, policies, and procedures for security weaknesses. This means running through a risk assessment checklist to make sure that the vendor adheres to the same security standards that protect your company from attack. You must ensure that security gaps are closed on both the vendor’s systems and among its people.

Your company can adopt different standards and vendor risk management plans to help mitigate risk, and your industry may impose additional requirements such as OCC or HIPAA rules. All of these plans and standards tend to be written at a high level. So, here are 15 items, written in plainer terms, that you can use as a vendor risk management checklist:

1. Cloud services configurations

Cloud misconfigurations accounted for 19% of the data breaches reported in the Cost of a Data Breach Report. Misconfigurations for cloud assets such as serverless functions and databases can increase your data breach risk. Before signing the contract, you want to make sure that all cloud assets are configured appropriately and that the vendor does not store non-public information in plain text.

2. Application security

Moving to the cloud means that your employees access your vendor’s service through a web application. Whether it is your enterprise resource planning (ERP) or human resources application, you need to make sure that the portal your employees use to reach the vendor is secure and protects against Cross-site Scripting (XSS) and SQL injection attacks.

3. Encryption

If your vendor collects, stores, or transmits any of your employees’ or customers’ non-public personal information, you want to make sure that the data is encrypted using Advanced Encryption Standard (AES) best practices. You need to make sure that all data, both at rest and in transit, is encrypted appropriately so that even if attackers steal it, they can’t read it.

4. Incident response

As part of a proactive approach to managing vendor cybersecurity, you need to know how your vendor handles identified incidents. This includes knowing how they monitor their environment, how they receive and prioritize alerts, and how rapidly they respond to alerts.

5. Certification

This means reviewing documentation that proves the vendor’s employees are only accessing the resources they need to complete their job functions. Procedures should exist for how often managers review user access and whether the periodic access reviews are done meaningfully. The vendor should be maintaining segregation of duties (SoD) by ensuring that users’ access does not create a conflict of interest, such as a person in charge of accounts payable also having access to accounts receivable.

6. Log monitoring

Not every company is going to be sophisticated enough to use Splunk or ELK to monitor logs with advanced analytics to flag security incidents. In such cases, the vendor should ideally use a Managed Security Services Provider (MSSP) to monitor its logs and network traffic.

7. Password policies

Companies should stop using password-only sign-on and add Multi-Factor Authentication (MFA). MFA means that the organization requires users to provide something they know (a password) and supplement it with either something they are (fingerprint, face scan, other biometric) or something they have (token, key) or a combination of all three.

A common problem with MFA is service accounts: shared logins used by multiple administrators or outsiders. Since organizations often overlook the need to change default passwords, service accounts are a common way for attackers to gain access to a system. Their passwords must be changed frequently to decrease cybersecurity risk. Despite the inconveniences this poses, such as downtime and the risk that a system might not start up again when connecting to other systems after a password change, frequent changes are a very necessary security step.
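One way to check item 7 mechanically against a vendor's account export, as an added example that is not code from this post or from SecurityScorecard. The inventory, its field names, and the rotation thresholds are constructed assumptions; a real review would substitute the vendor's own export and policy.

```python
from dataclasses import dataclass
from datetime import date

# Assumed rotation policy (days): interactive user passwords and service
# account passwords are held to different maximum ages.
MAX_PASSWORD_AGE_DAYS = {"user": 90, "service": 30}


@dataclass
class Account:
    """One row of a hypothetical vendor account export."""
    name: str
    service_account: bool     # non-interactive login used by systems/admins
    mfa_enabled: bool
    password_changed: date    # last password rotation
    shared: bool = False      # credential known to more than one person/system


def audit_accounts(accounts, today):
    """Return (account_name, finding) pairs for the password-policy checks
    in item 7: password-only sign-on, stale passwords, shared service logins."""
    findings = []
    for acct in accounts:
        kind = "service" if acct.service_account else "user"
        age_days = (today - acct.password_changed).days
        limit = MAX_PASSWORD_AGE_DAYS[kind]
        if age_days > limit:
            findings.append((acct.name,
                             f"{kind} password is {age_days} days old (limit {limit})"))
        # MFA is expected on every interactive login; service accounts usually
        # cannot enrol, so they are held to rotation and non-sharing instead.
        if not acct.service_account and not acct.mfa_enabled:
            findings.append((acct.name, "password-only sign-on; MFA not enabled"))
        if acct.service_account and acct.shared:
            findings.append((acct.name, "shared service account; no individual accountability"))
    return findings


# Constructed sample export; the names and dates are invented for this example.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", False, True, date(2024, 4, 15)),                 # compliant
    Account("svc-backup", True, False, date(2024, 1, 10), shared=True),  # stale + shared
    Account("bob", False, False, date(2023, 12, 1)),                  # stale + no MFA
    Account("svc-erp-sync", True, True, date(2024, 5, 20)),           # compliant
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{name}: {finding}")
```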

8. Security awareness training for employees

Vendors should be able to provide documentation proving that they train employees annually on security and provide training programs for new hires. They should make their employees aware of cybersecurity risks and provide them with risk management best practices that they can follow.

9. Bring-your-own-device (BYOD) policies

The increased number of employees working remotely makes BYOD more important than ever. Employee-owned laptops, smartphones, and tablets pose security risks because the organization can’t control how and where users access cloud resources. For example, remote employees use their home Wi-Fi networks, which can be a data security risk. When reviewing your vendors’ security posture, you need to know how employees can access the vendor’s systems, software, and networks, as well as what controls are required to prevent man-in-the-middle attacks over public or personal Wi-Fi.

10. VPN

Remote access to your company’s network, apps, and servers should be via VPN or Windows Remote Desktop. The connection from the vendor to the client company should be via IPsec VPN. Don’t just whitelist an IP range.

11. Physical security

Your vendor needs to have some policies to prevent, for example, a hacker from simply walking into the data center and removing a drive from a storage array. Or walking into Accounting during lunch and walking out with a whole PC.

12. Email spam software

Since phishing is still the number one attack vector, every company needs reliable anti-spam software. Defense in depth is wise; your vendor should scan at the mail server level as well as at endpoints.

13. Antivirus

Vendors should have antimalware and anti-ransomware software installed on all devices that connect to their networks. Cybercriminals often drop malware into phishing emails, and the malware installs itself as part of a successful attack. Antimalware software can help mitigate these risks.

14. Decommissioning services

Vendors must have procedures for disconnecting old devices from the network when they are no longer in use. For example, if an end-of-life device remains connected to the network, the device manufacturer is likely no longer supplying security patches, and the vendor is likely not monitoring the device’s connection, which offers cybercriminals a way into the network.

15. Patching policies

Microsoft, Adobe, and other companies send out patches almost daily. So your vendor needs a risk management system to make sure these are applied daily to protect against zero-day attacks. The days of waiting for Patch Tuesday are behind us; continuous updates must be a priority.

SecurityScorecard for robust vendor risk management

These are only some of the items that your company can do to make sure that your vendors adhere to cybersecurity best practices. These practices will help keep your vendors from being the conduits through which your company gets hacked and suffers the loss of customer or company data.

SecurityScorecard’s security ratings platform continuously monitors your vendors’ cybersecurity posture across ten categories of risk factors, including IP reputation, DNS health, endpoint security, patching cadence, and network security. Our easy-to-read A-F rating scale provides at-a-glance visibility into the effectiveness of your vendors’ security controls so that you can continuously validate and verify their security posture.
