ISACA Journal Author Blog


Addressing Vendor Security Risk

Dipti Patel, CISA, CISM, ISO 27001 LA, ITIL V3
Published: 7/13/2015 9:27 AM

No one could ever imagine that vendor connectivity would be exploited and go unnoticed for several months causing numerous attacks on enterprises that have state-of-the-art security. Very few risk management programs would have taken account of such a risk, which is not only large-impact but also hard to predict—what philosopher-epistemologist Nassim Nicholas Taleb calls “black swans,” in reference to the fact that Europeans once knew that all swans were white—until explorers in Australia discovered black swans.

The question then arises: What should have been done to prevent, or at least detect, such an attack? The blame typically falls on the risk management teams, who ideally should have identified such risk factors for treatment. Conventionally, enterprises have onboarded their IT vendors only after a security due diligence process. It is vital that the same process is applied to all vendors, regardless of the services they provide. The most desirable outcome of such an exercise is a clear understanding of the security risk that the enterprise faces in its day-to-day business through those vendors.

This process may face challenges, including:

  • Lack of a clearly defined vendor management policy that establishes security in outsourced services;
  • Unavailability of vendors and vendor information at a central location;
  • Unclear/undefined responsibilities in vendor contracts for security processes and audits;
  • Absence of a periodic review mechanism.

A well-defined vendor security policy that provides executive oversight, a vendor stratification strategy, assessment types, a reporting mechanism and the required resources will pave the way for effective vendor governance from a security standpoint.

In the world of cybersecurity, professionals often say “100% security is a myth.” This may be true, but a certain degree of governance, monitoring and management can surely help in analyzing and addressing security risk factors that arise as a result of outsourcing.

Read Dipti Patel’s recent Journal article:
“Vendor Risk Management Demystified,” ISACA Journal, volume 4, 2015.


Vendor Risk

Thank you for this article, it has certainly helped me to understand better the risks associated with vendor connectivity to business systems.
CyberPro980 at 7/15/2015 9:23 AM

Key Point

One of the most important things that can be done is to screen vendors prior to engaging with a pre-contract risk assessment.
GregZimmerman at 7/30/2015 6:59 PM

Re: Key Point

Yes Greg, that's the first step. An initial assessment with pre-defined analysis criteria will help define how critical that vendor/service is. Accordingly, the organization would invest resources to assess and monitor security.
Dipti A. Patel at 7/31/2015 8:23 PM