1. Do third-party vendors have a bullseye on their backs?

    Because there are so many different kinds of third parties, identifying whether they do or don’t have the right infrastructure or security protocols can be a challenge. As so many organizations rely on a variety of different providers, third parties can become the gateways to the network. In order to mitigate the risk of a breach from a third party, enterprises need to design a vetting process and understand the language of the service-level agreement in order to best evaluate their contracts.


    1. They need to have a handle around what their most valued data assets are within their business.
    2. They need a road map to say this is what we should and should not trust with our third parties.
    3. They need to understand to whom they are providing access, and they need to be aware of the rules and regulations that govern that.
    4. "What is in my value chain?" is a question that will drive design and development, planning, sourcing mode, quality, delivery, sustainability, and end of life.
    5. A clear architecture converges all on the same domain areas which include security domains, governance security, security in operations and asset management, security in incident management, security in service management, security in logistics and storage, security in the physical environment, and personnel security.
    6. You can have contractors in working on any service you are contracting out for, and that causes a bit of a risk.
    7. A lot of what we see is inadvertent and accidental.
    8. It turned out that a contractor working at the supplier with the winning bid had backed up his whole laptop without realizing it, which made public all of the private information he had about the bank.
    9. It's not just about supply chain, though.
    10. Contracts shift risk but they do not employ security.
    11. There is no one size fits all when it comes to third parties, but enterprises have the ability to define the amount of risk they have and match it to the amount of due diligence to that risk.
    12. Security language is needed in the contract to hold them accountable, and we do see instances where the appropriate controls are not communicated and the right level of expectation is not given to that provider.