Why do we do Vendor Security Reviews?

Recently I was involved in a conversation with some internal departments (HR, Legal, Finance, etc.) about their wanting to swap out the front-end vendor for a solution we use. The new vendor would send the data to the same third-party back-end solution as the old one.

Someone mentioned to the department that IT Security might want to review the vendor. They reached out to me, gave me the high-level backstory, and were unsure what further information I might need. They also didn't understand the "why" behind a security review.

What a golden opportunity!

My attempts to get departments to engage with IT and Security at the front end of projects, rather than treating security as a compliance checkbox at the end, were starting to make progress. I have people asking questions and reminding each other in passing to keep IT Security in mind for their projects. Maybe those awareness campaigns are starting to pay off after all? While this may be obvious to like-minded security professionals like you and me, it is not always at the forefront of other people's minds, and that makes it a great opportunity to teach and train fellow users.

I initiated conversations with the department and the potential vendor and explained why we do these kinds of audits for any new potential vendor, and why we are working to audit our current portfolio of vendors wherever we don't already have this information on file.

Some of the highlights from the emails and meetings are as follows:

  • I introduced them to our audit checklist for third-party applications/vendors.
    The checklist includes items such as:
    • What business problem does this solve?
    • How does it integrate into our environment? SSO? Email? Other business processes? etc.
    • What kind of data is stored or collected? Where is it stored? How is it stored?
    • How is it transmitted?
    • Has Legal reviewed the contract language?
    • Is this solution site-specific, regional, or global?
    • Do they have third-party audits available (ISO 27001, SOC 2, etc.)?
    • Do they have insurance?
    • Do they or we require any non-disclosure agreements in this situation?
    • (There are some great vendor review templates available on the web to help you build your checklist if you don't have one.)
  • I explained the importance of IT security in all industries, in 2019 and beyond.
  • I explained how these reviews relate to federal regulations (SEC rules, HIPAA, SOX, etc.) and privacy laws (GDPR, CCPA, etc.).
  • I explained the importance of doing our due diligence on behalf of our internal employees as well as our customers.

Below are some excerpts of my emails back and forth explaining some of these concepts.

Attached is the Third-Party Application Security Review document that Legal and IT use as a starting point when evaluating products and agreements that (insert your company name here) wants to use or is already using.
……..

The SOC 2 / ISO 27001 audits mentioned in the checklist are very useful in evaluating a current or potential vendor's commitment to customer protection and data privacy. They go much further than security rhetoric in an "About Us" section of a vendor website, as they are the results of a third-party audit.
…….

This kind of review is also very helpful as GDPR, Brazil's LGPD, California's CCPA, and other future data privacy laws become more prevalent, and as companies begin to be fined for lack of effort on data privacy and security.
……..

Our goal is not to impede the business, but to empower it to use these tools and vendors securely by making sure we do our due diligence in vetting, architecting solutions, and partnering with appropriate vendors to accomplish our goals. I hope that gives more background on what we are attempting to do.
……

In conclusion, you should always be evangelizing IT security, whether your security program is robust or in its infancy. Many people simply may not know the reasons for these kinds of reviews or understand them. Any time you can help general business users understand the "why" behind a business process, you are more likely to get buy-in and participation. Ultimately, that is what we are here to do: increase productivity and efficiency so the business can prosper. Hopefully you can take some of these ideas, apply them to your environment, and teach others why security is important, especially as we all dive further into SaaS-type solutions.

This article was originally published on Peerlyst at:
https://www.peerlyst.com/posts/why-do-we-do-vendor-security-reviews-derek-creason