Vendor Security Risk Assessment Q3

Follow these steps when conducting a Vendor Security Risk Assessment (SRA). This is an actual process used by a commercial entity.

  1. Understand the scope of the engagement that the business area has with the vendor (i.e., what service(s) the vendor is providing to the organization). Identify the data classification.
  2. Request the vendor to fill out the Standardized Information Gathering (SIG) Questionnaire, which encompasses all areas of the ISO 27002 security standard.
  3. Request a copy of the vendor's SOC report and any of their data center service providers' SOC reports (SOC 2 reports are preferred).
  4. Request the following documentation from the vendor to validate the answers provided in the vendor's SIG Questionnaire responses (taken from the SIG Documentation tab):

    a) Information Security Policies and Procedures. This should include the following (if not, provide the individual documents as necessary):

      i) Hiring policies and practices and employment application
      ii) User account administration policy and procedures for all supported platforms where scoped systems and data are processed, and network/LAN access
      iii) Supporting documentation to indicate completion of user entitlement reviews
      iv) Employee non-disclosure agreement document
      v) Information security incident report policy and procedures, including all contract information
      vi) Copy of visitor policy and procedures
      vii) Security log review policy and procedures

    b) Copy of internal or external information security audit report
    c) Information technology and security organization charts (including where information security resides in the organization and the composition of any information security steering committees). Note: actual names of employees are not required
    d) Physical security policy and procedures (building and/or restricted access)
    e) Third-party security reviews/assessments/penetration tests
    f) Legal clauses and confidentiality templates for third parties
    g) Topics covered in the security training program
    h) Security incident handling and reporting process
    i) Network configuration diagrams for internal and external networks defined in scope. Note: sanitized versions of the network diagram are acceptable
    j) System and network configuration standards
    k) System backup policy and procedures
    l) Offsite storage policy and procedures
    m) Vulnerability and threat management scan policy and procedures
    n) Application security policy
    o) Change control policy/procedures
    p) Problem management policy/procedures
    q) Certification of proprietary encryption algorithms
    r) Internal vulnerability assessments of systems, applications, and networks
    s) System development life cycle (SDLC) process document
    t) Business continuity plan (BCP) and/or disaster recovery plan
    u) Most recent BCP/DR test dates and results
    v) Most recent SOC report
    w) Privacy policies (internal, external, web)

5. Request additional documentation from the vendor if necessary

6. The SRA Analyst will look through the documentation and report on the following areas:

  • Risk Management
  • Security Policy
  • Organizational Security
  • Asset Management
  • Human Resource Security
  • Physical and Environment

7. During the assessment process, if the SRA Analyst identifies a risk it will be reported along with a recommended remediation activity to fix the issue.

8. Upon completion of the initial assessment, the SRA Analyst will set up a peer review meeting to vet the results of the risk assessment. Any issues found within the report are noted and corrected prior to completing the report and submitting it for signature.

9. After the SRA Manager approves the Vendor SRA, the SRA Analyst emails the latest SRA draft to Vendor Risk Management (VRM), who is responsible for finalizing the VRM aggregated report from Information Security, Privacy and Enterprise Business Continuity.

    a) If the Vendor SRA is being conducted without VRM's involvement, then the SRA Analyst will follow the normal SRA process, i.e., by conducting their own closing meeting with all appropriate stakeholders involved, following the SRA Remediation process, etc.

10. VRM conducts a final close-out meeting with the vendor, and the assessment is closed.
