How to Address Major Gaps in Third-Party Risk Management Programs

September 05, 2017, Mike Stankiewicz, CISSP, CRISC, Senior Consultant, Healthcare, Coalfire

While securing the organizational environment, it’s easy to focus on the enterprise assets without thinking as much about the vendor ecosystem. However, that extended ecosystem and how it interacts with the organization is a potential significant risk if not secured properly.

As a security professional with a focus on third-party vendor cybersecurity due diligence, I have seen a number of key gaps within vendor security management, including least privilege access and scope of service. If these gaps aren’t addressed, opportunities are ripe for misuse by nation-state attackers, targeted hackers and insiders.

The first gap can frequently be seen between points of contact working at a company and its vendors. Organizations may not ask vendors pertinent or probing questions to help flesh out the vendor’s services and business requirements, which negatively impacts their ability to assess the vendor. To exacerbate this problem, many organizations vet vendors in a silo and, as such, don’t have the expertise available during the vendor selection process to ask the right questions that could identify potential issues with the vendor’s security controls environment.

The next gap happens in part because of the process just described. The point of contact selects a vendor or list of vendors to evaluate, but the organization fails to adequately define and assess the fit between business requirements and technical configurations. For example, in late 2013 the retailer Target experienced a significant breach that was later traced back to a connected HVAC vendor. My initial question was: why did an HVAC vendor have access to networks/systems that contained payment card and customer information? From a network administrator perspective, it is difficult to understand why this level of access was provisioned, because it was clear that the scope of service related to managing the HVAC system did not include processing or analysis of financial transactions.

Another gap commonly found in vendor risk management programs is rooted in the measurement and management of vendor adherence to security policies and service/availability requirements. Specifically, companies that rely on vendors for the delivery of services critical to their business should assess vendors for both performance and security metrics. Every company that outsources services to a vendor should be able to respond to the question, “How are you continuously monitoring your vendors for compliance?” Compliance is a broad term, and while it includes measuring vendors against pre-defined SLAs or financial metrics, the real risks and threats originate with the vendor’s ability to safeguard critical/non-public information from unauthorized access and tampering. In a best-practice scenario, the vendor shares many of the same security goals, controls and processes and will prioritize information security at a level commensurate with their customers.

Ignoring these gaps in a vendor risk management program exposes the organization to threats such as the use of stolen credentials, system or application misconfigurations, and access and credential misuse; these are only some of the ways vendor-provisioned access can be abused to gain unauthorized access. Risk managers can’t always speak the same language as a network or database administrator, so ensuring that the following questions have been addressed can help bridge that communication gap:

  • What systems / infrastructure does the vendor need access to and why?
  • What systems / infrastructure will the vendor obtain access to and why?
  • Is access to sensitive or non-public information required within the vendor’s scope of service?
    • If not, will access be provisioned to limit access to sensitive or non-public information?
    • If so, how will access be provisioned to limit the vendor’s access to sensitive or non-public information?
  • What controls exist to prevent unauthorized access or excess access, and ensure vendor security requirements align with the customer organization?
  • How does an organization determine/confirm that vendors have controls to prevent unauthorized access or excess access, and ensure vendor security requirements align with theirs?

If an organization has collected and documented this information, it will be better able to measure the effectiveness of its vendors’ security programs. Completing a vendor-specific risk analysis also helps and should be done before engaging or selecting a vendor. Finally, provisioning all vendor access on a least-privilege basis, granting vendors only the access level required to support their scope of service, is a fundamental best practice. Vendor-posed threats are in many cases overlooked or underestimated, but they’re a common cause of network infiltration and unauthorized access to highly sensitive or critical information. Organizations need to protect themselves from a variety of threats, and having a comprehensive understanding of their suppliers’ controls is a key element in a proactive, comprehensive security program.
