An ounce of due diligence goes far
Not all enterprises can afford to be so nonchalant when it comes to third-party risks, especially those that work in heavily regulated industries such as healthcare, payment processing, financial services, and others.
"You absolutely have to look at the security of your third party partners," says Eric Cowperthwaite, former system director, enterprise security risk management and CISO at Providence Health and Services. "You don't have to look at everyone at first, but you have to at least start with looking at those partners who could create the most risk for your organization.
"When trying to determine whether they were a high or a low risk, one of the primary tools we used was a really simple questionnaire that asked a set of questions that we thought were important things that would indicate a mature program was in place, such as having a designated security officer, a corporate security policy. Did they install antivirus on their computers?" says Cowperthwaite. Should the vendor fail any of those questions, then they'd earn themselves a much more thorough vetting, he explains.
Beyond questionnaires, the next step CISOs can take is to implement security controls that ensure more secure access to protected systems: Does the vendor employ strong two-factor authentication? Does it monitor and log user activity, and encrypt its network traffic?
PCI DSS sets sights on third-party risks
The Payment Card Industry Data Security Council is taking steps to bolster third-party security. The most recent version of the PCI Data Security Standard (PCI DSS) adds requirements aimed at reducing the payment card risks posed by outsourced providers, including a requirement that security obligations be spelled out in the contracts between businesses that accept credit card payments and the outsourced payment processors they rely on.
Additionally, the PCI council's Third Party Security Assurance SIG is currently finalizing an information supplement, Third Party Security Assurance. The supplement, already past its original release date, is now scheduled to be released sometime this quarter.