How to Address Major Gaps in Third-Party Risk Management Programs

Mike Stankiewicz, CISSP, CRISC, Senior Consultant, Healthcare, Coalfire

While securing the organizational environment, it is easy to focus on enterprise assets without giving as much thought to the vendor ecosystem. However, that extended ecosystem, and the ways it connects to and interacts with the organization, is a significant source of risk if it is not secured properly.

As a security professional with a focus on third-party vendor cybersecurity due diligence, I have seen a number of recurring gaps in vendor security management, particularly around least-privilege access and scope of service. If these gaps are not addressed, they leave openings that nation-state attackers, targeted hackers and insiders can exploit.

The first gap frequently appears between the points of contact at a company and its vendors. Organizations often fail to ask vendors the pertinent or probing questions that would flesh out the vendor's services and business requirements, which degrades their ability to assess the vendor. To exacerbate this problem, many organizations vet vendors in a silo and, as such, lack the expertise during the vendor selection process to ask the questions that could identify potential issues in the vendor's security controls environment.

The next gap follows in part from the process just described. The point of contact selects a vendor, or a list of vendors to evaluate, but the organization fails to adequately define and assess the link between business requirements and technical configurations. For example, in late 2013 the retailer Target experienced a significant breach that was later traced back to credentials stolen from a connected HVAC vendor. My initial question was: why did an HVAC vendor have access to networks and systems that contained payment card and customer information? From a network administrator's perspective, it is difficult to understand why this level of access was provisioned, because the scope of service for managing the HVAC system clearly did not include processing or analysis of financial transactions.

Another gap commonly found in vendor risk management programs is rooted in the measurement and management of vendor adherence to security policies and service/availability requirements. Specifically, companies that rely on vendors to deliver services critical to their business should assess those vendors against both performance and security metrics. Every company that outsources services to a vendor should be able to answer the question, "how are you continuously monitoring your vendors for compliance?" Compliance is a broad term, and while it includes measuring vendors against pre-defined SLAs or financial metrics, the real risks and threats originate in the vendor's ability to safeguard critical or non-public information from unauthorized access and tampering. In a best-practice scenario, the vendor shares many of the same security goals, controls and processes, and prioritizes information security at a level commensurate with its customers'.

Leaving these gaps unaddressed exposes the organization to threats such as the use of stolen credentials, system or application misconfigurations, and access and credential misuse, which are only some of the ways vendor-provisioned access can be turned into unauthorized access and use. Risk managers cannot always speak the same language as a network or database administrator, so confirming that the following questions have been answered can help bridge that communication gap:

  • What systems / infrastructure does the vendor need access to, and why?
  • What systems / infrastructure will the vendor actually be granted access to, and why? (Any difference between this answer and the previous one is excess access.)
  • Is access to sensitive or non-public information required within the vendor's scope of service?
    • If not, how will access be provisioned so that the vendor cannot reach sensitive or non-public information?
    • If so, how will access be provisioned to limit the vendor to only the sensitive or non-public information the service requires?
  • What controls exist to prevent unauthorized or excess access, and to ensure the vendor's security requirements align with the customer organization's?
  • How does the organization determine and confirm that the vendor actually has those controls in place and keeps them aligned over time?
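The "needs access to" and "will obtain access to" questions above, together with the continuous-monitoring question from the previous section, can be turned into a repeatable check. The following is an added example, not code from the original article or from Coalfire: it compares the access a vendor was actually provisioned against the declared scope of service and flags out-of-scope systems, exposure to data classes the scope does not cover, privilege beyond what the scope justifies, and grants that are no longer being used. The vendor name (hvac-co), system names, data classifications and dates are constructed for illustration and do not describe any real engagement.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Ordering used to compare what was granted against what the scope justifies.
PRIVILEGE_RANK = {"read": 0, "write": 1, "admin": 2}


@dataclass(frozen=True)
class VendorScope:
    """What the contracted scope of service requires: the 'needs access to' answers."""
    vendor: str
    systems: FrozenSet[str]        # systems the service cannot be delivered without
    data_classes: FrozenSet[str]   # data classifications the service legitimately touches
    max_privilege: str             # highest privilege level the scope justifies


@dataclass(frozen=True)
class AccessGrant:
    """What was actually provisioned: the 'will obtain access to' answers."""
    vendor: str
    system: str
    data_class: str                # most sensitive data reachable through this grant
    privilege: str
    last_used: Optional[date]      # None means never used since provisioning


@dataclass(frozen=True)
class Finding:
    vendor: str
    system: str
    issue: str
    detail: str


def audit_vendor_access(scope: VendorScope, grants: List[AccessGrant], as_of: date,
                        dormant_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Compare provisioned grants against the declared scope of service.

    Four checks, one per question a risk manager should be able to answer:
    the system is in scope, the reachable data is in scope, the privilege level
    is no higher than the scope justifies, and the grant is actually being used.
    """
    findings: List[Finding] = []
    for g in grants:
        if g.vendor != scope.vendor:
            continue  # another vendor's grants are audited against their own scope
        if g.system not in scope.systems:
            findings.append(Finding(g.vendor, g.system, "OUT_OF_SCOPE_SYSTEM",
                                    f"scope covers only {sorted(scope.systems)}"))
        if g.data_class not in scope.data_classes:
            findings.append(Finding(g.vendor, g.system, "DATA_BEYOND_SCOPE",
                                    f"{g.data_class} reachable; scope allows {sorted(scope.data_classes)}"))
        if PRIVILEGE_RANK[g.privilege] > PRIVILEGE_RANK[scope.max_privilege]:
            findings.append(Finding(g.vendor, g.system, "EXCESS_PRIVILEGE",
                                    f"{g.privilege} granted; scope justifies at most {scope.max_privilege}"))
        if g.last_used is None or as_of - g.last_used > dormant_after:
            findings.append(Finding(g.vendor, g.system, "DORMANT_GRANT",
                                    f"not used in the last {dormant_after.days} days"))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per issue type, e.g. for a vendor-monitoring dashboard."""
    return Counter(f.issue for f in findings)


# Constructed sample data: hypothetical vendor, systems and dates, not from any real engagement.
HVAC_SCOPE = VendorScope(
    vendor="hvac-co",
    systems=frozenset({"bms-controller", "vendor-portal"}),
    data_classes=frozenset({"operational"}),
    max_privilege="write",
)
AS_OF = date(2024, 6, 30)
SAMPLE_GRANTS = [
    AccessGrant("hvac-co", "vendor-portal", "operational", "write", date(2024, 6, 28)),
    AccessGrant("hvac-co", "bms-controller", "operational", "write", date(2024, 6, 29)),
    # Out of scope: a jump host into the payment segment the vendor never needed.
    AccessGrant("hvac-co", "pos-jump-host", "cardholder", "read", None),
    # Out of scope, over-privileged and dormant: an admin login nobody revoked.
    AccessGrant("hvac-co", "customer-db", "customer-pii", "admin", date(2024, 1, 10)),
    # Another vendor's grant; ignored when auditing hvac-co.
    AccessGrant("payroll-co", "hr-system", "employee-pii", "read", date(2024, 6, 20)),
]


def run_sample() -> List[Finding]:
    return audit_vendor_access(HVAC_SCOPE, SAMPLE_GRANTS, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.vendor} {f.system}: {f.issue} ({f.detail})")
    print(dict(summarize(run_sample())))
```

Run against the sample data, the two in-scope grants produce nothing, while the payment-segment jump host and the customer database produce seven findings between them. In practice the scope record comes from the contract and onboarding questionnaire, the grants from the identity provider or a privileged access management export, and last_used from authentication logs; running the check on a schedule is one concrete answer to "how are you continuously monitoring your vendors?"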

If an organization has collected and documented this information, it will be far better placed to measure the effectiveness of its vendors' security programs. Completing a vendor-specific risk analysis also helps, and should be done before engaging or selecting a vendor. Finally, provisioning all vendor access on a least-privilege basis, granting vendors only the access level required to deliver their service, is a fundamental best practice. Vendor-posed threats are in many cases overlooked or underestimated, but they are a common cause of network infiltration and unauthorized access to highly sensitive or critical information. Organizations need to protect themselves from a variety of threats, and a comprehensive understanding of their suppliers' controls is a key element of a proactive, comprehensive security program.
