Security Due Diligence
Are you a small to medium sized business that wants to get ahead of the supply chain risk that is causing damage to businesses? Read on.
COLLATERAL DAMAGE
how to lower the risk to your business
As an SMB it's important to be efficient with the limited resources available. A goal is to limit your overhead costs while still getting the technical capability that is required to run a successful business.
Tech services are outsourced, but information security risks and issues are still your responsibility and can severely impact your business. Here is a practical way to gain comfort that third parties who are carrying out key operations for your business do so in a way that minimises that risk. It's called a security due diligence process and it will help minimise the damage if one of your third parties has a significant security incident (not confined to just cyber attacks: security incidents can also be events such as process failures, policy breaches and non-malicious behaviour).
Follow this guide to implementing a security due diligence process or get in touch with Governix for support in doing so.
Security Due Diligence process
Just as you are held to standards by your customers, your providers should be held to your standards. Don't ever feel awkward in asking them to explain their practices and provide evidence to verify them. The awkwardness can be minimised if the discussion is structured and templated, so having a process, and more specifically a questionnaire, is a straightforward approach to security due diligence.
When you establish a service provider contract or sign up for a technology subscription, due diligence requires questions to be answered, by both the business and the third party. This enables risk based decisions to be made on which third parties are best for your business to partner with. Existing partners should also be required to answer these questions every 2-3 years. So start the due diligence assessment clock now!
Here are the categories of questions that will help establish a third party's security profile and your expectations of them.
Internal questions:
These questions are in addition to any Procurement questions your business usually asks.
What information is being created, processed or stored by the service or tool, and how important is it?
Is the service or tool likely to be part of your BCP (business continuity plan) due to having an important business impact if it is not available?
Is the service or tool likely to be in scope for regulatory or compliance obligations? One example may be PCI compliance. Regulatory examples are usually industry specific to your business.
Does the business have any reservations about bringing in a third party?
Categories of Vendor questions:
Each represents a high level topic, and there are many sub-questions that need to be asked for full context.
Security policy and frameworks
Certification or standards compliance (e.g. SOC type II or ISO 27k)
Service availability needs and backup restore needs
BCP, DR and organisation resilience
Personnel security
Privacy and their data management protocols
Connections and integrations to your current business systems
Access control
Logging and monitoring
Data encryption
Change management or configuration management, including versioning, lifespan, patching and upgrades
API management
Software Bill of Materials (SBOM) - important if they are a software supplier
Application security such as SDLC procedure, baselines and vulnerability management
Datacentre security
Identity & Access Management
Infrastructure and Virtualisation security
Threat and vulnerability management plus incident response procedures
Ongoing operational monitoring
It is important to maintain a relationship with your providers; some refer to this as a partnership. Meet regularly with them and require a [monthly] service report on their performance.
There are some key items that you should frequently check in on:
Access
Sub-contractors
Business context changes
These conversations and information requests are much easier if there is a good relationship built with the provider and their key staff.
Summary
Create a template questionnaire.
Ask questions to the business and the third party early in the procurement process
Establish what risks the answers to the questionnaire present to your organisation, formally register them and manage them.
Implement ongoing operational relationship management
Review due diligence at identified timeframes (for example every 2-3 years)
Whilst this seems like a short list, it can become significant effort for businesses, with the creation of templates, back and forth discussions and sub-tasks such as implementing run books, access processes and operational maintenance.
The detail acquired in this process is vital for your IT and security teams (who could also be third parties!) as they manage the response if any of your third parties has a major incident.
Your executive and board also require assurance that your supply chain is being managed. Then, when the worst happens and you are collateral damage from one of your third parties' incidents, they can look to you for the answers and be grateful you have minimised the impact.
Check out other services Governix provides, such as Business Continuity planning, which support your business in managing its cyber risk alongside security due diligence.
Minimise collateral damage when your third parties are hit with a cyber attack!