
Best Practices for Third-Party Risk Management

Your risk management strategy isn’t just about what you do. It’s about what your vendors are doing, too. That means a complete information security plan requires following best practices for third-party risk management of the vendors you rely upon. Sometimes you can simply review reports that the third parties send you. Sometimes you have to create custom questionnaires to address your specific concerns. And sometimes you have to ask hard questions to cut through the haze of what your vendors are really saying about their security posture. 

This blog highlights best practices our consultants have identified when performing third-party risk assessments on the businesses that help keep you in business. 

Reports to Request From Your Partners 

To protect all parties, always start by signing a mutual non-disclosure agreement with every vendor before asking them to answer your questions or send you copies of reports on their information security policies. 

Then you can move on to asking for copies of reports provided by outside assessors. Here are some reports that companies commonly request to support a risk assessment of a potential or current vendor. (Of course, not every report will be available from every vendor.) 

  • SOC 2® Report – This report, issued by a Certified Public Accountant, delivers an unbiased opinion on an organization’s security policies (Type I) and their effectiveness over a period of time (Type II). 
  • ISO 27001 certification – This provides an internationally recognized standard for measuring information security. 
  • PCI DSS self-assessment questionnaire/attestation of compliance – The Payment Card Industry (PCI) Data Security Standard (DSS) is intended to ensure that an organization handles credit card data properly. For smaller merchants, this is a self-assessment. 
  • HITRUST certification – This standard from the Health Information Trust Alliance provides a security review matrix recognized throughout the healthcare industry. 
  • Public-facing penetration testing report – Here, a third party provides a high-level report on the number of vulnerabilities they discovered when hired to simulate a hacker’s attack on an organization’s system. Note that penetration tests vary widely in quality and depth, so you should read the report carefully to ensure that it addresses your concerns. (This blog explains what to look for in a quality pen test.) 

Questions to Ask Your Partners 

In addition to the reports above, you may decide that vendors should complete a custom security questionnaire created by your company. Common questions on these questionnaires include: 

  • How do you encrypt data? 
  • How often do you perform vulnerability scans and penetration tests? 
  • What identity and access management policies/tools do you use? 
  • How do you secure your physical facility? 
  • Have you ever suffered a data breach? What happened? 

When to Be Skeptical of the Answers 

Your job isn’t done just because a vendor returned the form you requested. A qualified member of your team needs to review the answers to ensure that the questions were answered thoroughly and that the answers meet your expectations. An experienced reviewer will be able to spot answers that are overly vague, sound misinformed, or deflect attention from issues that the vendor doesn’t really want to address. 

This blog provides tips on what you should look for when reviewing a third-party report. 

Don’t be afraid to go back with more questions. Your goal isn’t simply to have a completed questionnaire on file for the vendor. You need assurance that the vendor’s controls are adequate and that risks are managed properly. 

Here are two areas where HBS commonly sees red flags on third-party risk assessments: 

  • The vendor indicates it “does not meet criteria that require a SOC 2® report.” We often hear this from vendors that actually DO provide a service/solution that meets the intent for having a SOC 2® audit performed. 
  • The vendor indicates that their solution utilizes a cloud provider, such as AWS, and then states that AWS has security certifications that mean the vendor is also secure. As the following section explains, counting on AWS or any other cloud provider for security controls usually isn’t sufficient. 

Special Concerns About Cloud Environments  

You should be especially vigilant about responses from vendors that provide solutions built on a cloud vendor’s infrastructure. Many organizations don’t fully understand the shared responsibilities inherent in working with cloud providers. 

Vendors need to understand that your risk assessment includes their controls, not just the controls at the cloud provider. For example, a vendor may just say, “Our hosting provider is AWS, and they have a SOC 2®.” That’s not good enough. While the cloud provider’s controls are certainly relevant, they don’t cover all of your concerns. We have seen plenty of vendors using insecure workloads because of misconfiguration or other issues. 

This problem may even pop up when you ask about physical security. The vendor may dodge this question by stating, “We are not allowed access to AWS datacenters.” That’s probably true. But to assess the vendor’s risk posture, you need to know about the physical security controls employed at the vendor’s facilities. 

For advice on customizing a program for your specific situation, contact us to talk to a consultant today.