Posted on Aug 23, 2015

The Vendor Risk Checklist You Need Before Signing a Contract

Validate Vendor Risk Management with a Security Checklist

We've compiled a checklist of items that your company can use to protect its infrastructure whenever it starts working with a new vendor, as part of routine vendor risk management processes. A vendor’s systems can be a threat to you  when both parties’ systems are connected together. This can be via an application interface, a remote connection, or the vendor’s employees connecting to the customer’s network when its employees walk in the door.

A vendor’s systems can be the vector by which a company is hacked. Case in point: Target.

The details of  the Target data breach have finally been relayed to security researchers and the media. Target was attacked by computers at Fazion Mechnical, a company that maintains the refrigerators for the giant retailer. The two companies’ networks are connected, since Fazion Mechnical needs to monitor those refrigerators.   

The Weakest Spots in Security

Before we provide due diligence and vetting steps that your company can take prior to working with a new vendor, a brief review of two often-overlooked aspects of IT security defense is in order.  

Employees are the Main Problem  

Someone working on the inside can obviously steal data, but the main risk is lack of employee security awareness training. Phishing remains the #1 attack vector. Therefore, your employees need to be reminded of the dangers of clicking on links in emails.  

Your Company Must Maintain a Defensive Posture

If the military and the world’s largest banks have been hacked, it is reasonable to assume that any company can be hacked. A corollary is that security software does not work all the time. Thus, a company must always work from the posture that it has already been attacked which could mean having a forensics partner in place and being ready with a communication strategy to notify affected customers and partners in case of a data breach.

The Checklist: Vet Your Vendors

Vetting means executing due diligence by checking a vendor’s systems, policies, and procedures for security weaknesses.  This means running through a checklist to make sure that the vendor adheres to the same security standards that protect your company from attack. You must ensure that security leaks are plugged in terms of both the vendor’s computers and its people.  

Your company can adopt different standards and risk management plans to help mitigate risk. Then there are OCC and HIPAA rules, if required by your industry. All of these plans and standards tend to be written at a high level, so here are some specific items to check that your IT person will understand:   

Certification  

This means documenting access to machines. Procedures should exist for granting employees access and taking it away when their roles change or they leave the company. This can be done through the IAM system and workflow. The certification procedure needs to be connected to the log monitoring system so it knows when someone is using an expired account or when someone has been granted elevated privileges without proper certification.  

Log Monitoring

Not every company is going to be sophisticated enough to use Splunk or ELK to monitor logs with advanced analytics to flag security incidents. In such cases, the vendor should ideally use a Managed Services Security Provider to monitor its logs and network traffic.

Password Policies  

Companies should stop using completely internal passwords and add Two-Factor Authentication (TFA). Companies that maintain this is too difficult to implement for existing apps can use an app like OKTA to front-end their systems. One problem with TFA is service accounts.  It is usually not possible to enter a token for those accounts since the systems that require tokens are started by others and then left alone. Yet service accounts, in particular those with default passwords, are a common way for hackers to gain access to a system. So their passwords need to be changed with some frequency. Despite the inconveniences this poses, such as downtime and the risk that a system might not start up again when connecting to other systems after a password change, frequent changes are a very necessary security step.

Security Awareness Training for Employees

Companies should train employees annually on security and provide training program for new hires.

BYOD Policies  

Employee-owned smartphones and tablets pose less risk than laptops because they are less riddled with security weaknesses than Microsoft Windows.  Still, some rules should be in place to protect even these company assets, like making sure that screens lock after a certain number of seconds of inactivity. One problem with Android, in particular, is that apps often request access to user contacts even when they do not need them.  This is true for popular and supposedly honest apps like Twitter, so users become accustomed to it.  However, in the case of hacker apps, that weakness can be exploited to rob contacts for phishing purposes. Employees should be instructed to be careful about what they install on their own devices.

VPN  

Access to your company’s network should be via VPN or Windows Remote Desktop.  The connection from the vendor to the client company should be via IPsec VPN.

Physical Security  

Your company needs to have some policies to prevent, for example, a hacker from simply walking into the data center and removing a drive from a storage array.

Email Spam Software  

Since phishing is still the number-one attack vector, every company needs good anti-spam software.  

Antivirus

Security experts will tell you that antivirus is not as effective as it once was in the past. Still, any CIO would have a hard time explaining why his or her company does not use it.

Decommissioning Devices

Your company must have a procedure for disconnecting old devices from the network when they are no longer needed.

Patching Policies  

Microsoft, Adobe, and other companies send out patches almost daily. So your vendor needs a system to make sure these are applied daily to protect against zero-day attacks. These are only some of the items that your company can add to a checklist to make sure that the vendors it works with adhere to security best practices. These practices will help keep your vendors from being the conduits through which your company gets hacked and suffers the loss of customer or company data.

These are only some of the items that your company can add to a checklist to make sure that the vendors it works with adhere to security best practices. These practices will help keep your vendors from being the conduits through which your company gets hacked and suffers the loss of customer or company data.


Concerned about the frequency and timing of your vendors patching practices? Patching Cadence is one of ten security risk categories and factors included in SecurityScorecard's benchmarking platform.




How SecurityScorecard Works


Security Research in your Inbox

Thanks for siging up for the newsletter!

Our Platform

Learn How It Works

Find out how we use open source intelligence, proprietary and open data feeds, and deep machine learning systems to correlate, attribute, and prioritize risks.

Learn About the Platform

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 categories of risk. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!

Request a Demo

Thank you for requesting a demo!