Third Party Vendor Risks Flashcards
Define Third-party Vendor Risks
Potential security and operational challenges from external collaborators
Scope:
Encompasses vendors, suppliers, or service providers
Risks:
Impact on integrity, data security, and overall business continuity
Common Threat Vectors and Attack Surfaces
Threat Vectors
Paths attackers use to gain access
Attack Surfaces
Points where an unauthorized user can try to enter
3 Types of Vulnerabilities
1: Hardware Vulnerabilities
Components with vulnerabilities
2: Software Vulnerabilities
Applications with hidden backdoors
3: Operational Vulnerabilities
Lack of cybersecurity protocols
Vendor Assessments
Evaluation
Pre-partnership assessment
Penetration Testing - testing vendor security
Audit Rights - right to audit vendors
Evidence Collection - internal and external audit evidence
Vendor Selection and Monitoring
Importance - meticulous selection process
Vigilance - Ongoing monitoring of vendor performance
Contracts and Agreements
Basic Contracts - forming relationships
Nuanced Agreements - SLAs, MOUs, NDAs for specific safeguards
Supply chain risks - hardware manufacturers
Products like routers and switches are composed of many components from various suppliers
Component tampering or untrustworthy vendors can introduce vulnerabilities
Rigorous supply chain assessments needed to trace origins and component integrity
Trusted foundry programs ensure secure manufacturing
Supply chain risks - Secondary/Aftermarket Sources
Risk of acquiring counterfeit or tampered devices
Devices may contain malware or vulnerabilities
Budget-friendly but high-risk option
Supply chain risks - Software Developers/Providers
Software developers and software providers are integral cogs in the supply chain
However, software can introduce vulnerabilities
Check for proper licensing, authenticity, known vulnerabilities, and malware
Open-source software allows source code review
Proprietary software can be scanned for vulnerabilities
Supply chain risks - Service Providers/MSPs
Managed Service Providers
Organizations that provide a range of technology services and support to businesses and other clients
Supply chain risks - Security challenges with Software-as-a-Service (SaaS) providers and considerations
Data confidentiality and integrity concerns
Assess provider's cybersecurity protocols and support for security incidents
Vendor selection should consider due diligence, historical performance, and commitment to security
Considerations
Evaluate data security measures
Ensure confidentiality and integrity
Assess cybersecurity protocols
Response to a security breach
Define Supply Chain Attacks
An attack that targets a weaker link in the supply chain to gain access to a primary target
Exploit vulnerabilities in suppliers or service providers to access more secure systems
CHIPS Act of 2022
U.S. federal statute providing funding to boost semiconductor research and manufacturing in the U.S.
Aims to reduce reliance on foreign-made semiconductors, strengthen the domestic supply chain, and enhance security
What are Semiconductors
Essential components in a wide range of products, from smartphones and cars to medical devices and defense systems
4 ways of Safeguarding Against Supply Chain Attacks
1: Vendor Due Diligence
Rigorous evaluation of vendor cybersecurity and supply chain practices
2: Regular Monitoring & Audits
Continuous monitoring and periodic audits of supply chains to detect suspicious activities
3: Education and Collaboration
Sharing threat information and best practices within the industry
Collaborating with organizations and industry groups for joint defense
4: Incorporating Contractual Safeguards
Embedding cybersecurity clauses in contracts with suppliers or service providers
Ensuring adherence to security standards with legal repercussions for non-compliance
Define Vendor Assessments
Process to evaluate the security, reliability, and performance of external entities
Crucial due to interconnectivity and potential impact on multiple businesses
Entities in Vendor Assessment
Managed Service Providers (MSPs)
Manage IT services on behalf of organizations
Penetration Testing of Suppliers
Validates supplier’s cybersecurity practices and potential risks to your organization
Right-to-Audit Clause
Contract provision allowing organizations to evaluate vendor's internal processes for compliance
Ensures transparency and adherence to standards
Independent Assessments
Evaluations conducted by third-party entities without a stake in the organization or vendor
Provides a neutral perspective on adherence to security or performance standards
Supply Chain Analysis
Assessment of an entire vendor supply chain for security and reliability
Ensures integrity of the vendor's entire supply chain, including sources of parts or products
Vendor Selection Process includes
Evaluating financial stability
Operational history
Client testimonials
On-the-ground practices to ensure cultural alignment
Check for conflicts of interest that could bias the selection process
Vendor Questionnaires
Vendor questionnaires provide insights into operations, capabilities, and compliance
Standardized criteria for fair and informed decision-making
Rules of Engagement
Guidelines for interaction between organization and vendors
Cover communication protocols, data sharing, and negotiation boundaries
Ensure productive and compliant interactions
Vendor Monitoring
Mechanism used to ensure that the chosen vendor still aligns with organizational needs and standards
Performance reviews assess deliverables against agreed-upon standards and objectives
Feedback loops
Involve a two-way communication channel where both the organization and the vendor share feedback