Third-Party Security Considerations
The Information Security practice has a pivotal role in guarding an organisation’s critical assets, ensuring business functions are performed securely. One of the significant areas of information security is Risk Management, which is the baseline of assessing, implementing and strengthening security controls.
Whenever a risk assessment activity is not performed holistically, it leaves multiple unwanted security loopholes and several blind-spots, which threat actors typically identify and exploit. Studies have showed that one domain that is usually ignored during risk assessment, or not taken fully under consideration, is vendor risk management. Vendor risk management focuses on risks that originate from third-party relationships.
The security controls related to vendor risk management process, depicted here, can cause major incidents that may also lead to data loss if not implemented correctly.
Figure 1 – Steps to manage third-party risks.
The diagram above depicts the four stages of managing Third-Party Risk. Below, the four stages are discussed in more detail in order to further elaborate and understand the respective requirements.
The first step of any vendor onboarding process is to get a contract signed between the two parties. The contract is a critical document that binds the vendor to agreed services, agreed timeline to resolve issues, service quality, and multiple information security requirements. Hence the contract must be comprehensive up to the point that it covers all business, security, regulatory and privacy requirements.
Figure 2 – Controls pertaining to vendor contract.
The figure above shows the number of controls in each standard (UAE IA, NIST and ISO 27001), relevant to third-party security. In comparison, UAE IA provides a more detailed approach towards vendor management with multiple controls to ensure all relevant controls are identified and managed according to the well-established framework.
Following table provides descriptions of controls covered in UAE IA which are relevant to vendor contracts:
|Control Number||Control Description|
|T126.96.36.199||The security requirements shall be included in the statement of business and technical requirements.|
|T188.8.131.52||The entity shall require the developer to include training provisions in the relevant service delivery agreement.|
|T184.108.40.206||The entity shall include in the software acquisition contract a clause to oblige third part to be compliant to Entity secure coding policy, to align to Entity QA process; contract shall also include the possibility to conduct audit on the third party.|
|T220.127.116.11||The entity shall specify in the software development contract any requirement and information security functionality.|
|T18.104.22.168||Each service delivery agreement for Cloud services shall include provisions for understanding and maintaining awareness of where information with applicable restrictions will be stored or transmitted in the Cloud environment.|
|T22.214.171.124||Each service delivery agreement for cloud services shall include provisions for ensuring appropriate information migration plans at the end of the service period.|
|T126.96.36.199||Each service delivery agreement for cloud services shall include provisions for ensuring all other Cloud security requirements determined relevant by the entity are included in the service delivery agreement.|
Vendor Risk Management
Once the contractual agreement is signed with the vendor, the next step is to develop a vendor risk register as part of the vendor management framework. Vendor performance then must be measured on their service and impact provided during a disaster.
Figure 3 Vendor’s impact classification criteria.
- Regulatory - systematic approach to identify and assess impacts of applicable regulations associated with the service provided by the vendor.
- Reputation - negative or adverse media coverage with significant damage to the brand in case of information leakage with vendor service delivery.
- Financial – loss of liabilities due to the incident with vendor service delivery.
- Compliance – non-compliance to applicable security standards.
This process will enable the entity to identify the vendor’s criticality as per business need.
Vendor Due-Diligence and Assessment
Vendor due diligence and assessments can be considered as the most important aspect, which governs each third-party service.
Thorough due diligence must be conducted before onboarding a particular vendor, either remotely through an interview/workshop or thorough a checklist that the vendor needs to fill-in the requested information. Both the interview and checklist must cover essential points such as detailed understanding of vendor’s organisation, such as but not limited to client history, security standards implemented, investment in security controls, risk appetite, etc.
When vendor assessment needs to be conducted after it has been onboarded, a vendor’s criticality can change in the risk register, and further steps need to be taken. In fact, depending on the internal process, additional assessments may need to be conducted. The frequency of assessing a vendor might also be altered. Vendor assessment enables trust by underscoring the effectiveness of security controls implemented at the vendor’s end.
Keep in mind, it’s crucial that security teams do a meticulous job when it comes to vendor due diligence. They request evidence of security assessments conducted and how effective and efficient the vendor is in remediating any emerging issues.
To ensure that vendor offboarding is conducted securely, entities must develop a vendor offboarding checklist. The checklist must cover questions on important points, such as:
- Data Deletion from Vendor’s systems.
- Data Migration (if applicable).
- Need to retain Data (if applicable due to legal or regulatory requirement).
- Disable and remove any type of access to any data and/or systems shared with the vendor (if applicable)
In addition, if the data stored by the vendor is deemed critical/sensitive, then a visit to the vendor’s premises should be arranged to oversee the data deletion (migration) process.
With increasing cyber security risks, it is deemed necessary to establish control over vendor services. Any third-party services can potentially be exploited as an entry point for cybercriminals to access critical assets. Therefore, you must avoid over dependence on vendor services without the appropriate due diligence and oversight via a robust framework.