
Friday, June 5, 2020

Reliability of Questionnaires & How to Validate Answers


Vendor Governance

Risk assessment questionnaires play an important role in an organization’s vendor governance program. Questionnaire-based due diligence is essential to understanding how your third-party vendors manage cybersecurity risks, as well as the investments they have made to mitigate exposure across people, processes, and technology.

Yet for all their value, questionnaires have shortcomings. They are often open to interpretation and create questions of their own. In addition, there is always the question of whether the answers reflect reality. How do you know the answers given are accurate and helpful?

ComplyScore performs thousands of third-party vendor risk assessments every year. Based on our experience and on discussions with industry experts, here is what we consider to be best practice for strengthening your third-party risk management strategy while getting the most value from your organization’s vendor risk assessment questionnaires.

How Reliable are Vendor Risk Questionnaires?

Third-party vendor management programs rely on trust and verification. Questionnaires play a big role in establishing both, but assessing third-party risk does have some challenges.

It is our belief that asking the right questions is the start of getting the right answers. Just as no two organizations are alike, each vendor comes with its own environment and risks. When creating questionnaires it’s important to:

•    Know the scope of what’s being asked. A good questionnaire is thorough but intentional. That means only asking questions you need to be answered.
•    Factor in inherent bias. Because questionnaires are answered by the vendor being assessed, the responses will never be fully objective.
•    Customize to get better results. Generic questionnaires that ask questions irrelevant to the vendor relationship frustrate the vendor and waste your time. Drilling down on the specifics of the risks associated with environments particular to the vendor ensures getting the best picture of potential risks.

Validation Best Practices

To ensure accuracy, organizations should establish assessment processes and guidelines on how to gather data, review answers, and remedy pending issues. Specific controls should be used to evaluate the vendors’ environments. For example, if your third-party vendor hosts on AWS, AWS-related best practices questions should be asked instead of generic cloud ones. For vendors who use multiple operating environments, each system should have its own set of questions.

ComplyScore uses proven practices to evaluate and verify the accuracy of vendor responses. Questions are separated by asset type, such as datacenter network, corporate network, and log management for different device types. To gain clear, direct insight into the specifics, questions are kept simple and direct, and combining multiple questions into a single question is avoided.

Once you are confident that you are asking the right questions, and thus enabling the right answers, it is time to move on to other techniques for validating the answers.

The practices used to validate answers include:

•    Documentation review

- Verifying the scope of security-related certifications like ISO 27001 and SOC 2, and ensuring they are properly renewed.
- Checking the quality of documentation, verifying consistency of style across documents, and cross-checking for consistent policies.
- We find that documents that have not been deployed in practice lack specificity and generally have a different style from mature documents.
- It’s a good idea to drill down on these documents if they address critical areas of information security.

•    Discovering, mapping, and scoring a vendor’s digital footprint to identify threat models and defend against fraud.

- A digital review of a sample of the vendor’s online assets reveals whether the documented policies are put into practice.
- Multiple open-source tools can be used for this purpose.
- Areas you can analyze include the presence of malware, patching cadence, any history of spam or viruses originating from the vendor, and social standing.

•    Assessing a vendor’s website to discern company health, GDPR and other regulatory compliance, and security patch level.

- The overall rating of the website reveals things like attention to detail, compliance with regulations, adequacy of resources, and the general security-related culture.

•    Conducting quick 10- to 15-minute interviews at the start of the vendor assessment process reveals the level of security talent heading the infosec program, the vendor’s confidence in its program, openness, and other key traits. We have found that these personal interactions reveal a significant amount of information from which the maturity of the infosec program can be inferred.

Trust and Verify

Information security (InfoSec) questionnaires provide valuable insight into a third-party vendor’s risk and security culture. To get the most out of a questionnaire, it is important to ask precise questions of each vendor. Enabling vendors to provide specific answers reduces ambiguity and improves the validation process. ComplyScore’s vendor risk management solutions are designed to streamline the validation process and help you get the most from your vendor questionnaires.

For more information or an evaluation of your company’s questionnaires, don’t hesitate to contact us here.

Monday, April 20, 2020

Value of a Third-Party InfoSec Assessment Program

Vendor Governance

Background:

Information Security (InfoSec) professionals realize that their infosec program is only as strong as its weakest link. 3P (third-party) vendors with access to sensitive data are generally regarded as that weak link, hence the focus on securing the 3P. However, given the scope and possible cost of securing this link, and the doubts regarding the assessment methodology, it is easy to doubt the value of a third-party vendor risk management (TPRM) program. InfoSec managers are often challenged by their seniors to prove the value of the TPRM program.

As a leading vendor risk management company, at ComplyScore we manage thousands of assessments annually and are asked to assist in showing the value of the program. Here are some points that I would like to share with you.

Let us first consider what happens if you don’t have a strong IT vendor management program, by looking at instances where companies suffered because of their vendors.

Visser Precision: In February 2020, a data breach at Visser compromised contract data, pricing, and other highly sensitive details of companies like Tesla, Lockheed Martin, and SpaceX.

LabCorp: In August 2018, a data breach at LabCorp’s vendor American Medical Collection Agency (AMCA) compromised the data of almost 7.7 million patients.

Home Depot: In 2014, a data breach compromised the credit card details of almost 56 million customers. Hackers used credentials stolen from a third-party vendor to gain access.

Target: In 2013, almost 40 million customer credit and debit card details were compromised in a breach. The culprit? Again, a third party that had privileged access.

These are just a few of the reported incidents, used here as examples. They demonstrate that even though awareness of cybersecurity is increasing and companies are spending huge amounts of money on security, third-party breaches remain one of the weakest links.

Now, let us look at the impact of these incidents.

Visser has taken a hit to its reputation with this breach. The magnitude and the details are still being assessed, but sensitive contract details like pricing and manufacturing details have been compromised.

LabCorp spent almost $2.5 million after the breach to ramp up its security. A class-action lawsuit is pending.

Target: $18.5 million in lawsuits; the CEO had to resign.

Home Depot: $25 million in settlements.

On average, companies have spent over $4 million in settlements (from what I have read, the figure is $3.92 million). Additionally, there is the damage to reputation and customer confidence, countless hours spent on investigations and lawsuits, and even the forced resignation of a CEO.

That is a steep price to pay.

These incidents remind us of the potential impact of not having a methodical approach to TPRM.

General Consensus

A recent survey published in the Allianz Risk Barometer 2019 consistently ranked cyber incidents among the top 3 areas of concern. Another interesting insight comes from Deloitte. In a survey conducted by Deloitte between March and July 2018, with respondents from 94 financial institutes around the world, almost 67% of respondents named cybersecurity as one of the top 3 challenges they will face, and a risk that they feel is only going to increase. More interesting still, the Deloitte survey showed that respondents felt more confident about handling breaches involving disruptive attacks, financial loss, and loss of data by customers, but did not feel as confident about breaches caused by nation states or by risks from third-party providers. The survey, together with the examples above, shows that we need to be proactive in addressing the issue, and we need to be proactive NOW.

Now that we have enough data to convince leadership that TPRM is an essential part of a robust vendor management system and needs to be done, let us talk about cost and ROI. In short, let’s talk numbers:

With data breaches, the losses are generally in the millions of dollars. Companies take a hit to their reputation; some have had to file for bankruptcy. Now compare that to the cost they would have incurred had they been proactive. Assessments are proportional to the level of risk. ComplyScore does vendor risk assessments for as little as $200 per assessment. So if you spend between $250K and $500K, you can assess and secure a major part of your supply chain and de-risk your company to a great extent. Now that’s a significant ROI.

Value of assessments

You might ask, “How reliable is the questionnaire-based approach?” I have seen that many clients are initially apprehensive about the process and its reliability. For those with questions and apprehensions, there are ways and means you can use to ensure that assessments are answered honestly. Security rating agencies add value as well. ComplyScore will cover the value and reliability of questionnaires, and how to validate the answers, in our upcoming blog.

I hope that I have been able to cover some talking points that you can use to make the case for TPRM with your leadership. Cyber incidents are only going to become more frequent in the future. You need to secure your organization by diligently including TPRM and supplier risk management in your organization’s vendor governance program. Address it now: contact us and request your demo today.

Friday, March 27, 2020

Enterprise Vendor Risk Management: Is Your Organization Proactive Or Reactive?


Vendor Risk Management

Organizations often fail to anticipate the risks associated with 3rd-party vendors. The threats to which they have exposed their own data, and possibly their customers’ data, are on many occasions realized only after a breach has happened, and all they can do at that point is damage control.

Without a proactive approach to vendor risk management, your organization can open itself up to increased levels of risk that can have a negative impact on its financial standing, compliance posture, and overall ability to serve its customers. If you want to drive competitive advantage and sustain future growth, the focus must be on vendor risk management that is proactive, not merely reactive.

Proactive Vendor Risk Management

While anticipating and assessing all potential vendor risks may be tedious and even seem impossible, proactive vendor risk management is really a discipline that must be integrated into your organization’s overall risk management culture.

Traditional IT vendor management solutions take a reactive approach, using programs that assess, report, and mitigate risks after they happen. The emphasis is placed on reducing fallout and minimizing damage to the business. This focus on events that have occurred instead of leveraging predictive digital tools such as AI, data analytics, and process automation can be compared to the proverbial barn door that’s closed after the horse escapes.

For most businesses, 24/7 coverage of IT systems is not financially feasible. It is advisable to partner with a vendor risk management company that:

•    Provides end-to-end services including distribution, completion, and evaluation of assessments

•    Creates customized assessments based on the company’s own vendor profiles

•    Immediately identifies potential issues before they turn into critical security breaches

Working with a managed service provider to move from reactive to proactive enterprise vendor risk management helps ensure that your vendors have the right controls in place to properly serve your organization. It also allows your business to improve compliance with regulatory demands, prepare for unexpected risk events, and maintain its reputation.

Putting Proactive Vendor Risk Management to Work

Adopting a vendor risk management strategy that uses the right tools to evaluate vendors and their processes improves your company’s ability to manage and/or avoid existing and emerging risks. Internal IT staff can also adapt more quickly to unwanted events or crises while building an understanding of how to assess and mitigate risks. Your organization then has a better view of potential future risks, how they might impact your business, and how to keep those risks at bay.

ComplyScore’s managed third party vendor risk assessment solutions help your organization approach risk management and vendor governance proactively and effectively at the enterprise level. By using a more forward-looking approach to vendor risk management, your business avoids unexpected events and expenses. That, in turn, results in improved compliance, a greater business value, and ensured sustainability. The bottom line? When choosing an MSP for your organization’s unique vendor risk management needs, look for one that can maintain a proactive approach that evolves as your organization’s vendor landscape unfolds and grows.

AWS Security: Best Practices for Third Party (3P) InfoSec Risk Assessments


Vendor Risk Assessment

An effective vendor risk assessment is the cornerstone of every successful third-party risk management program. While the essential elements of an assessment should, in theory, be easy to determine, the ever-evolving IT security landscape and its threats are making the process more complex.

Addressing Platform-Specific Risks

Some recent incidents have shown that even respected security solution providers are not immune to breaches of information security. One such recent misstep by a well-known cybersecurity leader resulted in exposed Amazon Web Services (AWS) credentials, which allowed hackers to steal information on customers who used its Cloud Web Application Firewall (WAF) product. This incident underlined the importance of drilling down on the specifics of the platforms used by 3rd-party vendors during the security evaluation.

Organizations focused on good vendor governance need a thorough understanding of each vendor’s security posture to mitigate and manage the risks from exposure. Most 3rd-party providers host and maintain their core tech infrastructure in the cloud. While existing third-party assessments all focus on governance, processes, and security controls, the questionnaires employed do not adequately address platform-specific risks. Since the majority of 3rd-party providers build on AWS and/or Azure, we believe it is in our clients’ best interests to be able to drill down and address controls that are unique to the platform used.

Best Practices for AWS Security

AWS offers multiple tools that allow organizations to effectively manage security. Identifying the tools a third-party vendor uses gives a good indication of that vendor’s security posture. For example, does the vendor create VPC flow logs to capture IP traffic information? Is Trusted Advisor used to optimize the AWS environment for performance, cost, and fault tolerance? Are malicious and/or unauthorized activities continually monitored with AWS GuardDuty?

For successful vendor risk management for our clients, we’ve developed a list of best practices for vendors who host on AWS.

Five risk mitigation best practices for vendors who host on AWS include:

1.    Security of the root account, including disabling API access, setting up alerts for use of the root account, and activating MFA (multi-factor authentication).

2.    Access management techniques that include using groups to assign permissions, quarterly rotation of access keys, enabling MFA for accounts that have console access, and assigning a unique IAM (identity and access management) username to each user.

3.    Network restrictions that include using security groups to control inbound and outbound traffic.

4.    Monitoring, encryption, and other controls that help build a resilient IT architecture. This includes 24/7 monitoring of AWS account activity, conducting risk assessments of the AWS environment, and enabling server-side encryption (SSE), VPC flow logging, S3 bucket access logging, AWS Config in all regions, and logging for all resources.

5.    Metric and composite alarms for events such as configuration changes, unauthorized API calls, non-MFA management console sign-ins, storage policy changes, and changes to Network Access Control Lists and network gateways.
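As an added example (not ComplyScore’s checklist or code), the script below checks items 1 and 2 of the list above against an IAM credential report: root MFA and root access keys, MFA for users with console access, and 90-day (quarterly) key rotation. The column layout follows the credential report AWS produces, but the sample report, account id, users and dates are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an IAM credential report (a subset of its
# real columns); the account id, users and dates are invented for this example.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2019-11-02T10:00:00Z,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2020-03-01T09:30:00Z,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2019-09-15T12:00:00Z,false,N/A
deploy-svc,arn:aws:iam::111122223333:user/deploy-svc,false,false,true,2020-02-20T08:00:00Z,true,2019-12-01T08:00:00Z
"""

MAX_KEY_AGE = timedelta(days=90)  # "quarterly rotation of access keys"
AS_OF = datetime(2020, 4, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def parse_report(text):
    """Parse the CSV report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_ts(value):
    # The report writes UTC timestamps with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(rows, now=AS_OF):
    """Return sorted (user, finding) pairs for the root and IAM checks in the post."""
    findings = []
    for row in rows:
        user = row["user"]
        keys_active = [row[f"access_key_{n}_active"] == "true" for n in ("1", "2")]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root MFA not enabled"))
            if any(keys_active):
                findings.append((user, "root has an active access key (API access not disabled)"))
            continue
        # Only principals with console (password) access need MFA under the post's rule
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n, active in zip(("1", "2"), keys_active):
            if active and now - _parse_ts(row[f"access_key_{n}_last_rotated"]) > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than 90 days"))
    return sorted(findings)


def audit_sample():
    return audit(parse_report(SAMPLE_REPORT))


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

Against a real account, the same `audit` function can be fed the CSV returned by the IAM credential report API once the report has been generated.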

Information on whether third-party vendors implement these best practices helps identify and measure 3rd-party risk while delivering accurate risk intelligence that enables an organization to make more informed IT vendor management decisions.

Based on the above best practices, our vendor risk assessment questionnaires assess 3rd-party vendors utilizing AWS solutions against a checklist of controls. This checklist is designed to make assessing the security posture of these vendors simpler and more agile, and in the interest of minimizing breaches, we are making this list publicly available.

Check out the list here, and do not forget to contact us for any clarification!

Stay tuned for the best-practices-based checklist for Azure, coming soon.

Top Industries That Need To Up Their Vendor Risk Assessment Game

Upstream compliance, cyberthreats, geographical location, financial assets, and reputation are five of the top vendor risks most organizatio...