The first article in this series explained the importance of involving security in the procurement of third-party software applications as a first practical step towards ensuring the safety of critical data assets within your organisation. This article will share the 3 key benefits of this approach.
1. An appropriate third-party risk assessment will be conducted
As part of their due diligence, security will carry out an exercise to analyse the risk introduced to your organisation by a third-party vendor. This assessment evaluates the vendor to identify the security risks to which the relationship could expose your business, as well as risks associated with privacy, reputational damage and business continuity.
Risk assessments can take various forms: from the technical (penetration tests, technical audit and vulnerability scans) to more qualitative methods such as questionnaires and a review of the third party’s security certifications, processes and reports. Security ownership of the assessments can help ensure that not only the right methods are used, but that third parties are also benchmarked against up-to-date industry best practices.
2. Security requirements will be contractually mandated
While the importance of getting things in writing is common knowledge, third-party contracts often contain vague security requirements – or none at all. It’s not enough to simply hold a vendor to ‘keeping your data safe’; involving security in procurement will ensure a detailed security plan is laid out in black and white.
That’s not to say you need to demand a virtual Fort Knox. Security expectations should simply be aligned to your own organisation’s (as well as any external regulations), and so it’s important to grant a vendor visibility of all the relevant policies which will enable them to provide the necessary evidence of compliance.
This principle extends to security processes: How is application security monitored within your business, who is accountable, and are you following your own rules? All these questions need to be answered before a vendor is held to a monitoring process in the procurement contract.
For the most critical third parties – those where a data breach would result in disastrous business disruption – a comprehensive Security Assurance Plan should be defined and agreed upon in the contract.
What are key elements for a Security Assurance Plan?
Ultimately, the contract can be as detailed as it needs to be when it comes to security. It might include the need for specific access control within an application, defined as an (often overlooked) non-functional security requirement. Where development or customisation is involved, it’s important to agree on strict governance around any sensitive data shared with the vendor during the development process.
How can organisations protect sensitive sample data shared with a vendor for the purposes of software development?
Source: Considerations for Sensitive Data within Machine Learning Datasets
3. Fourth-party risk won’t go unnoticed
Risk, simply put, is contagious. Data breaches might not originate with one of your direct vendors but instead through a third party’s own supplier network. If not properly defended against, an attack on data assets can spread through an entire ecosystem of interlinked organisations with disastrous consequences.
Where procurement teams might stop at evaluating the risk associated with the supplier, a security team will take the extra step of examining the fourth-party risk landscape. A vendor should provide visibility of all its own suppliers, as well as convincing evidence that these are vetted to a level of rigour in line with your own organisation’s approach.
Read the next article in this series: “In the wake of a data breach, what are the 3 important steps to avoid a repeat and establish long-term data security?”