7 Steps to Reviewing Your Vendor’s Information Security Policy

Vendor's information security policy
When reviewing your vendor’s information security policy, there are many factors that need to be reviewed and understood. This can seem like a daunting task, but there are key items I look for in any security program.
When evaluating, I first look to see if the organization has an External certification as this could save you lots of time evaluating the seven items below. Most certifications, such as SOC 2, ISO27001, FISMA, CMMC, or others, review these controls and make a determination on them so you do not have to. When looking at a certification make sure you understand the scope of the certification, if it is currently valid and if it covers the organization and not just its external resources, such as host centers.

If the organization does not have external certifications, this is not necessarily a bad thing. It just means you need to understand what controls they have in place and how they are implemented. Controls can be Administrative (policies and procedures), Technical (firewalls, encryption, network segmentation, etc.) or Physical (swipe cards, cameras, etc.) When evaluating vendors, I focus on these seven below.

  1. Formalized policies and procedure – Without a documented and communicated set of rules, the organization will not have a cohesive security program. Understanding from top to bottom of what is expected and how process should be done, is critical for a security program to run smoothly. Acceptable Use Policy and Change Management are some of the key documented processes that should exist in any program.
  2. Access Control and review – How users are granted access to the system is a key administrative and technical control for any system. The biggest things I am concerned with is how privileged users, those with elevated system rights, are granted access, how often they are reviewed and how they are offboarded.
  3. Third Party management – If the organization uses third parties for a large portion of the work, are those vendors required to have the same security controls in place as the prime? Understanding the security roles of all parties across the supply chain is important.
  4. Security around the offering – Depending on what the vendor is offering; you need to understand how they protect that offering. If they provide a SaaS solution or software product, evaluating their secure software development lifecycle (S-SDLC) should be an area of focus. If they are a hosting provider, understanding how they handle secure provisioning of system or platforms is important. How and where is encryption is utilized is another aspect of securing the offering.
  5. Vulnerability Management – A product or service from a vendor has potential vulnerabilities. Software, platforms, and other dynamic systems are constantly changing and needs a defined method for identifying and mitigating vulnerabilities.
  6. Anomaly Processing – This is a broad category and includes log management, incident handling and business continuity. Each of these could be a separate category, but understanding how your vendor deals with these will provide insight into how well they can respond when the unexpected happens.
  7. Awareness and Training – I am a major proponent on training. No matter how well writing your policies are or how strong your technical controls are if the end-user does not understand the purpose of these policies or how the controls work, they become ineffective. The statistics on malware, including ransomware, infecting systems by user’s downloading files or clicking on bad links are upwards of 80%. Regular and effective training needs to be a part of any security program.

These areas are not an inclusive list, but represent the foundation of a good security program. When I evaluate a security program, I look at these first. These provide a level of confidence in the vendor’s overall security program. If these items do not look good to you, then the other aspects of a security program will most likely follow suit. Understanding your vendor’s security posture and how it impacts your organization is key to your overall security program.

Pat Osborne
Author:

Job Title: Principal | Executive Consultant - Information Technology, Security and Compliance
Organization: Outhaul Consulting, LLC

Pat Osborne, Outhaul Consulting’s Principal, is a CISSP and certified in ISO 27001 and ISO Certified Lead Auditor. Pat has a broad knowledge in multiple facets of the information technology space and extensive experience in information security and compliance, including FISMA, HIPAA, ISO, CMMC and PCI. Strong experience helping organizations develop their security programs and security training.

Contact us