Blog

  • Do You Need a Third-Party Risk Assessment Checklist?

    Third-party risk assessment checklists are growing more necessary with the expansion of digital transformation. Organizations of all sizes are vulnerable to back-door attacks in ways that they weren’t a decade ago.

    Imagine that your company spent thousands of dollars and hundreds of work hours meeting compliance standards. You invested in risk assessments, penetration testing, and you have a strong policy for software patching and employee phishing training. And after all you’ve done, your network is compromised thanks to lax cybersecurity on the part of one of your third-party vendors.

    Unfortunately, the scenario above was true for over half of the security breaches in 2018, and the number of back-door hacks through third-party vendors is rising. It’s for this reason that your organization may require a third-party vendor management checklist.

    What is a Third-Party Vendor Risk Assessment Checklist?

    A vendor risk assessment checklist is an internal document that your cybersecurity team can use to ensure that you are safe from cyber attacks through third party vendor vulnerabilities. Typically, your vendor risk management checklist is one piece of a broader vendor management cybersecurity policy.

    The purpose of this guide is to discuss whether or not your organization needs a third-party vendor management checklist. If it does, then we’ve outlined a working checklist to get you started on establishing a sustainable third-party risk management strategy.

    How Do You Know if Your Business Needs a Third-Party Vendor Management Checklist?

    It’s true that not every organization needs a third-party vendor management checklist. If your operation is small and doesn’t manage sensitive data – like consumer personally identifiable information (PII), employee records, or proprietary information – then a vendor risk management checklist may not be necessary.

    Also, if you do not allow any vendors access to sensitive information, you may not need a vendor risk assessment checklist. However, you may need one if you intend to share sensitive information or grant network access to a third party in the near future. Here are three reasons that your business may need a vendor management checklist.

    If Any Third Party Vendor has Access to Your Network or Data

    Most businesses partner with a third-party to serve clients. If any vendor has access to your network or data, then there’s a good chance that your business needs a vendor management checklist. This access could include remote access or vendor employees that visit your campus to fulfill their contracted services.

    If Your Business Must Meet Data Security or Consumer Data Privacy Compliance Standards

    Organizations that collect, manage, and share consumer data are accountable to at least one – usually more than one – set of consumer data privacy laws. Those organizations managing medical data must meet strict compliance standards relating to consumer data privacy and cybersecurity measures. If your business is one of those organizations and partners with vendors in any capacity, you will almost certainly need a vendor management checklist.

    If the Value of the Data Exceeds Prevention Costs

    Your business and client information holds a certain amount of monetary value. You should know the financial loss you would incur if that data were lost or stolen. If those costs exceed the cost of preventative measures – such as cybersecurity, third-party vendor management policies, penetration testing, etc. – then you must make sure that your vendors do not compromise that security.

    What is Included in a Vendor Risk Assessment Checklist?

    If you’ve determined that your organization needs a third-party vendor management checklist, then the following set of questions will help you establish a third-party management program.

    It’s important to keep in mind that this questionnaire is by no means exhaustive. Your checklist may need to be more or less detailed depending upon your industry and the nature of your business.

    Is your organization compliant?

    This should go without saying. However, a surprising number of organizations concerned with third-party risk fail to meet minimum cybersecurity standards themselves. Investing in your own cybersecurity by ensuring compliance, training staff, and maintaining patching/updates is the first critical step in securing your network.

    Have you created a vendor management cybersecurity policy?

    If you work with or plan to work with third-party vendors, then company decision-makers should have a clear third-party management cybersecurity policy. The policy should outline how you determine if a vendor is a good choice, as well as how you engage your vendors on security controls. Your vendor risk assessment checklist forms only a piece of your overall vendor management policy.

    Do you have an accurate, up-to-date data map?

    Your data map shows all information that flows in and out of your organization. As you onboard new vendors, you should have a clear picture of which vendor will have access to what data.

    Did you perform due diligence on the third-party vendor to validate their credibility?

    Your vendors should have valid articles of incorporation, business licenses, proof of relevant compliance, physical locations in accordance with relevant compliance standards, and a list of credible references. You should also check to see if the vendor is on any watch lists (including a global sanctions list), has hired any legally-suspect key staff, or is currently undergoing criminal or civil litigation.

    Is the third party vendor in any kind of financial duress?

    It is appropriate to examine available financial statements and tax documents from your third-party vendors. Financial vulnerabilities often translate into mismanaged security.

    Does the vendor have a history of security breaches?

    Vendors with a history of security breaches could indicate poor security policies and procedures. If they have endured a breach in the past, they should provide proof that they’ve performed the necessary updates and remediation work to secure their and their clients’ networks.

    Have you reviewed the vendor’s cybersecurity policies and procedures?

    Examining your vendors’ cybersecurity policies and procedures is a great indicator of how seriously they take their security and the security of their clients.

    Have you reviewed the vendor’s incident response plan?

    It’s critical that your vendor have a process for dealing with security incidents, no matter how small. Breach attempts often signal vulnerabilities. Organizations that monitor those attempts and patch software weaknesses are in a good position to protect their and your data.

    Does the vendor contract clearly state security expectations?

    Third-party vendor contracts should reflect your vendor management expectations as stated in your vendor management cybersecurity policy.

    Does the vendor contract allow you to terminate the work agreement if the vendor fails to meet security standards?

    Should it become apparent that one of your vendors is negligent or dishonest about their security policies and procedures, you must be free to take your business elsewhere.

    Is the vendor willing/able to disclose cybersecurity risk assessment results?

    A risk assessment is one of the best ways to quantify cybersecurity risk in real dollars and cents. Reviewing a vendor’s assessment results will give you a clear picture of your third-party risk.

    Is the vendor willing/able to complete third-party risk assessment questionnaires as needed?

    Most vendor management policies include recurring security questionnaires. How your vendors answer these questionnaires is also a valid way to assess your vendor risk.

    Is the vendor willing/able to provide penetration testing results?

    If your vendors are serious about cybersecurity, they’ve likely invested in penetration testing. Reviewing those pen test results will help you further measure your vendor’s security policies and procedures.

    Do you have someone assigned to manage your third-party risk?

    The most important part of your vendor management cybersecurity policy is assigning a person or team to monitor third-party risk. Outlining vendor management responsibilities ensures that your vendors don’t compromise your data or network.

    Key Takeaways

    If your organization manages sensitive information and hires third-party vendors to handle certain tasks, you more than likely need a vendor management cybersecurity policy and a third-party vendor management checklist.

    At RSI Security, we assist small and medium-sized businesses with affordable and reliable cybersecurity support. Our third-party risk management services oversee all matters pertaining to vendor risk management and back-door cyber attacks.

  • Implementing the ITIL Incident Management Workflow

    In today’s digital landscape, it’s important to have contingency plans in place in the event of a cyberattack. This is where the ITIL incident management workflow comes in: a set of protocols businesses need to follow should an incident occur. But what are they, exactly? And how are they implemented?

  • What Is The NIST Small Business Cybersecurity Act?

    Responding to new cybersecurity attacks and breaches, the National Institute of Standards and Technology (NIST) passed the NIST Small Business Cybersecurity Act in 2018. What the act means for small businesses is that NIST is required to provide support to small and medium-sized companies in their efforts to prevent cybersecurity breaches and attacks.

  • What’s Included in a Security Incident Management Plan?

    Cyberattacks occur daily. Because of this, keeping digital transactions, as well as other types of online information and data, safe is an ever-growing problem. That’s why a security incident management plan is so important.

  • Your HITRUST Self-Assessment Checklist

    What with the constant and evolving threat of cybercrime, it’s become more crucial than ever for organizations to protect their proprietary and customer data. Over the past year, the average cost of cybercrime for an organization has increased from $1.4 million to $13.0 million, and the average number of security breaches rose by 11 percent, from 130 to 145. Knowing this threat, HITRUST self-assessments are one of the most important ways you can prevent security breaches and maintain HIPAA compliance.

  • 4 Things Law Firms Should Look for in a Cybersecurity Partner

    Cybersecurity is essential for every kind of business, across every industry. Many companies have no choice but to shore up their cyberdefenses, with legal mandates and penalties applied for noncompliance. And, while cybersecurity requirements for law firms are relatively lax in comparison to other industries, lawyers still have an obligation to keep their clients safe. For many firms, partnering with a cybersecurity provider is the best way to do so.

  • Top Five Benefits of HITRUST Certification

    Businesses in the healthcare sector are attractive targets for cybercrime. Storing millions of clients’ sensitive medical and financial records makes an accidental or targeted data breach extremely harmful for consumers. Plus, attackers can also target companies’ own abundant assets via direct theft, fraud, and ransom scams, causing short- and long-term damage. Given all this risk, the benefits of HITRUST certification are undeniable for all healthcare and adjacent businesses.

  • What’s the Difference Between HITRUST and NIST?

    Are you looking for a way to ensure that your organization is maintaining HIPAA compliance? If so, NIST and HITRUST are security frameworks that can help you uphold compliance, prevent breaches, and avoid noncompliance penalties. But many companies get caught up in the debate of HITRUST vs NIST.

    Do you have to stick to one or the other? Are they compatible with each other?

  • How InfoSec Executives Should Prepare for PCI 4.0

    Credit cards make the digital world go round. These days, businesses need to process credit card payments to maximize their consumer base and make purchasing as easy as possible for clients. But credit cards and related records are incredibly vulnerable to cybersecurity attacks. So, it’s important for all C-level executives in the information suite of your company to know what the new PCI Requirement 4.0 will entail.

  • Third-Party Risk Management Regulations You Need to Know

    To protect companies from threats, a keen understanding of third-party risk management regulations is essential. It can help decision-makers make fully informed choices for the welfare of the company.